WO2024070483A1 - Système de commande - Google Patents

Système de commande Download PDF

Info

Publication number
WO2024070483A1
WO2024070483A1 PCT/JP2023/031869 JP2023031869W WO2024070483A1 WO 2024070483 A1 WO2024070483 A1 WO 2024070483A1 JP 2023031869 W JP2023031869 W JP 2023031869W WO 2024070483 A1 WO2024070483 A1 WO 2024070483A1
Authority
WO
WIPO (PCT)
Prior art keywords
update
software
execution
divided
electronic control
Prior art date
Application number
PCT/JP2023/031869
Other languages
English (en)
Japanese (ja)
Inventor
僚一朗 矢船
肇 小堀
Original Assignee
株式会社アドヴィックス
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 株式会社アドヴィックス filed Critical 株式会社アドヴィックス
Publication of WO2024070483A1 publication Critical patent/WO2024070483A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F8/00Arrangements for software engineering
    • G06F8/60Software deployment
    • G06F8/65Updates

Definitions

  • the present invention relates to a control system installed in a vehicle.
  • Patent Document 1 discloses a system that has the function of updating software in a storage device provided in an in-vehicle electronic control device.
  • a Tester when updating software, a Tester is connected to an in-vehicle network to which multiple electronic control devices are connected.
  • the Tester pre-stores update software for the electronic control device to be updated. Therefore, when the Tester is connected to the in-vehicle network, the Tester transmits the update software to the electronic control device to be updated via the in-vehicle network.
  • the software in the storage device in the electronic control device is rewritten with the update software.
  • the system includes an information processing device that acquires the update software transmitted to the vehicle from the data center.
  • the information processing device transmits the update software to the electronic control device to be updated via an in-vehicle network.
  • the information processing device transmits encrypted update software to the electronic control device to increase the confidentiality of the information. Therefore, the execution device of the electronic control device decrypts the received update software and writes the decrypted update software to the storage device.
  • the object of the present invention is to prevent the time required for software update from increasing when the information processing device transmits encrypted update software to the electronic control device via an in-vehicle network to update the software in the storage device of the electronic control device.
  • a control system for solving the above problem includes an information processing device that acquires update software transmitted to the vehicle from outside the vehicle by wireless communication, and a global network that communicatively connects a plurality of electronic control devices to the information processing device, and is configured to be able to update software in a storage device provided in a first electronic control device among the plurality of electronic control devices.
  • the control system includes a first execution device and a second execution device.
  • the first execution device decrypts the first divided update software, which is one of the pieces of update software divided and transmitted by the information processing device to the global network.
  • the second execution device decrypts the second divided update software, which is one of the pieces of update software divided and transmitted by the information processing device to the global network.
  • the first update divided software decrypted by the first execution device and the second update divided software decrypted by the second execution device are each written to the storage device of the first electronic control device.
  • the information processing device divides the update software acquired by the information processing device into multiple pieces, and transmits the divided update software, which is the update split software, to the first electronic control device via a global network.
  • the execution device decrypts the first update split software.
  • the execution device then writes the decrypted first update split software to the storage device.
  • the information processing device cannot transmit the second update split software.
  • the information processing device goes into a standby state. The longer the information processing device goes into a standby state in this way, the longer it takes to update the software in the storage device of the first electronic control device.
  • the first execution device decrypts the first update divided software. While the first execution device is decrypting the first update divided software in this manner, the second execution device waits for the second update divided software from the information processing device. Therefore, while the first execution device is decrypting the first update divided software, the second execution device can decrypt the second update divided software transmitted from the information processing device. As a result, the time that the information processing device is in the above-mentioned standby state can be shortened.
  • the control system described above can prevent the time required for software update from becoming long.
  • FIG. 1 is a schematic configuration diagram showing a vehicle equipped with a control system according to a first embodiment and a data center provided outside the vehicle.
  • FIG. 2 (A) is a diagram showing the first half of the processing flow executed by the information processing device of the control system of the first embodiment, (B) is a diagram showing the first half of the processing flow executed by the first electronic control device of the control system, and (C) is a diagram showing the first half of the processing flow executed by the second electronic control device of the control system.
  • FIG. 3 (A) is a diagram showing the latter half of the processing flow executed by the information processing device, (B) is a diagram showing the latter half of the processing flow executed by the first electronic control device, and (C) is a diagram showing the latter half of the processing flow executed by the second electronic control device.
  • FIG. 4 (A) to (D) are timing charts showing how software in a storage device included in a first brake ECU corresponding to the first electronic control device is updated.
  • FIG. 5 is a schematic diagram showing the configuration of a control system according to the third embodiment.
  • FIG. 7 is a diagram showing the processing flow executed by the information processing device of the control system of the third embodiment
  • (B) is a diagram showing the processing flow executed by the first execution device of the first electronic control device of the control system
  • (C) is a diagram showing the processing flow executed by the second execution device of the first electronic control device.
  • FIG. 8 is a schematic diagram showing the configuration of a control system according to the fourth embodiment.
  • FIG. 9 (A) is a diagram showing a part of the processing flow executed by an information processing device of the control system of the fourth embodiment, (B) is a diagram showing a part of the processing flow executed by a first electronic control device of the control system, and (C) is a diagram showing a part of the processing flow executed by a second electronic control device of the control system.
  • ECU electronice control unit
  • ECU Electronice Control Unit
  • FIG. 1 illustrates a vehicle 10 and a data center 100 provided outside the vehicle 10 .
  • the data center 100 is configured to be able to transmit and receive various types of information to and from the vehicle 10 via the external vehicle network 200. That is, the data center 100 transmits and receives various types of information to and from the vehicle 10 by wireless communication.
  • the vehicle 10 is equipped with multiple ECUs, which will be described in more detail later.
  • update software is prepared to update the software in the storage device of one of the multiple ECUs
  • the data center 100 transmits the update software to the vehicle 10 via the external vehicle network 200.
  • the ECU to be updated the ECU whose software is to be updated.
  • the vehicle 10 includes a control system 15 and an actuator.
  • the actuators of the vehicle 10 include a first actuator 11 and a second actuator 12.
  • the first actuator 11 and the second actuator 12 operate to adjust the braking force generated in the vehicle 10.
  • the control system 15 includes a communication device 20 and an information processing device 30.
  • the communication device 20 is an interface on the vehicle side for transmitting and receiving information to and from the data center 100.
  • the information processing device 30 is configured to be able to communicate with the communication device 20 via the local network 41.
  • the local network 41 is a network for transmitting and receiving information only between the information processing device 30 and the communication device 20.
  • the information processing device 30 acquires the update software transmitted from the data center 100 to the vehicle 10 by wireless communication.
  • the information processing device 30 includes an execution device 31, a storage device 32, and a storage device 33.
  • the execution device 31 is a CPU
  • the storage device 32 is a non-volatile memory
  • the storage device 33 is a volatile memory.
  • the storage device 32 stores the software executed by the execution device 31.
  • the storage device 33 temporarily stores the information transmitted from the communication device 20 via the local network 41. That is, when the data center 100 transmits information identifying the ECU to be updated and the update software to the vehicle 10, the communication device 20 receives the information transmitted by the data center 100. The communication device 20 then transmits the received information to the information processing device 30 via the local network 41. Then, the execution device 31 of the information processing device 30 stores the information received via the local network 41, i.e., the information identifying the ECU to be updated and the update software, in the storage device 33.
  • the control system 15 includes a global network 42 and multiple ECUs.
  • the global network 42 is an in-vehicle network that connects the information processing device 30 and the multiple ECUs so that they can communicate with each other.
  • the global network 42 is a CAN bus.
  • CAN is an abbreviation for "Controller Area Network.”
  • the multiple ECUs include a first braking ECU 60 and a second braking ECU 70.
  • the first braking ECU 60 and the second braking ECU 70 are ECUs that adjust the braking force generated in the vehicle 10.
  • the first braking ECU 60 operates the first actuator 11.
  • the second braking ECU 70 operates the second actuator 12.
  • the multiple ECUs also include ECUs 50 other than the braking ECU 60.
  • the control system 15 is equipped with a local network 43 for transmitting and receiving information only between the first brake ECU 60 and the second brake ECU 70.
  • the local network 43 is configured so that its communication speed is higher than the communication speed of the global network 42. Therefore, when transmitting and receiving information between the first brake ECU 60 and the second brake ECU 70, the control system 15 can use either the global network 42 or the local network 43.
  • Each of the ECUs includes an execution device, a storage device, and a storage unit.
  • the execution device is a CPU
  • the storage device is a non-volatile memory
  • the storage device is a volatile memory.
  • the storage device stores software executed by the execution device.
  • the storage device temporarily stores the results of calculations by the execution device, etc.
  • the execution device 61 of the first brake ECU 60 controls the first actuator 11 by executing software in the memory device 62.
  • the execution device 61 temporarily stores the results of calculations performed to control the first actuator 11 in the storage device 63.
  • the execution device 71 of the second brake ECU 70 controls the second actuator 12 by executing software in the memory device 72.
  • the execution device 71 temporarily stores the results of calculations performed to control the second actuator 12 in the storage device 73.
  • ⁇ Software update process> a method of updating software in a storage device provided in a brake ECU will be described.
  • the ECU to be updated is the first brake ECU 60
  • the first brake ECU 60 corresponds to the "first electronic control device”
  • the second brake ECU 70 corresponds to the "second electronic control device.”
  • the execution device 61 of the first brake ECU 60 corresponds to the "first execution device”
  • the execution device 71 of the second brake ECU 70 corresponds to the "second execution device.”
  • Figures 2(A) and 3(A) show the processing routine executed by the execution device 31 of the information processing device 30.
  • Figures 2(B) and 3(B) show the processing routine executed by the execution device 61 of the first brake ECU 60.
  • Figures 2(C) and 3(C) show the processing routine executed by the execution device 71 of the second brake ECU 70.
  • the processing routine shown in Figures 2(B) and 3(B) is the processing routine executed by the first electronic control device
  • the processing routine shown in Figures 2(C) and 3(C) is the processing routine executed by the second electronic control device.
  • the execution unit 31 of the information processing device 30 acquires the update software for the first brake ECU 60, it starts executing the processing routine shown in FIG. 2(A) and FIG. 3(A).
  • the execution unit 31 requests both the first brake ECU 60 and the second brake ECU 70 to change the control mode of the execution unit from normal mode to update mode.
  • the normal mode is the control mode when controlling the actuator.
  • the update mode is the control mode when updating the software of the storage device.
  • step S13 the execution device 31 of the information processing device 30 determines whether or not it has received a notification from both the first brake ECU 60 and the second brake ECU 70 that the mode change has been completed. If the execution device 31 has received the notification from both the first brake ECU 60 and the second brake ECU 70 (S13: YES), the process proceeds to step S15. On the other hand, if the execution device 31 has not received the notification from at least one of the first brake ECU 60 and the second brake ECU 70 (S13: NO), the process returns to step S11. In other words, the execution device 31 continues to request the first brake ECU 60 and the second brake ECU 70 to change the mode until it receives the notification from both the first brake ECU 60 and the second brake ECU 70.
  • step S101 the execution device 61 of the first brake ECU 60 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 61 receives a mode change request (S101: YES), the process proceeds to step S103. On the other hand, if the execution device 61 has not received a mode change request (S101: NO), the execution device 61 repeats the judgment of step S101 until the request is received. In step S103, the execution device 61 resets itself, changes the control mode to the update mode, and restarts. Then, in step S105, the execution device 61 transmits a notification to the information processing device 30 that the change from the normal mode to the update mode has been completed.
  • the execution device 61 transmits the notification to the information processing device 30 via the global network 42.
  • the execution device 61 starts erasing the pre-update software from the storage device 62.
  • the execution device 61 then transitions to step S109.
  • step S201 the execution device 71 of the second brake ECU 70 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 71 receives a mode change request (S201: YES), the process proceeds to step S203. On the other hand, if the execution device 71 has not received a mode change request (S201: NO), the execution device 71 repeats the judgment of step S201 until the request is received. In step S203, the execution device 71 resets itself, changes the control mode to the update mode, and restarts. Next, in step S205, the execution device 71 transmits a notification to the information processing device 30 that the change from the normal mode to the update mode has been completed. Specifically, the execution device 71 transmits the notification to the information processing device 30 via the global network 42. Then, the execution device 71 transitions the process to step S207.
  • step S15 the execution unit 31 of the information processing device 30 sets a count M to 1.
  • the execution unit 31 then divides the update software for the first brake ECU 60 into N pieces, where "N" is an integer equal to or greater than 3.
  • step S17 the execution unit 31 transmits the Mth update split software, which is one of the N pieces of update software, to the first brake ECU 60 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update split software to the first brake ECU 60 via the global network 42. Note that if the count M is 1, the execution unit 31 transmits the encrypted first update split software to the first brake ECU 60.
  • step S19 the execution unit 31 of the information processing device 30 increments the count M by 1.
  • the execution unit 31 transmits the Mth update split software, which is one of the N pieces of divided update software, to the second brake ECU 70 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update split software to the second brake ECU 70 via the global network 42.
  • the update split software transmitted to the second brake ECU 70 here is different from the update split software transmitted to the first brake ECU 60 in step S17. Note that if the count M is 2, the execution unit 31 transmits the encrypted second update split software to the second brake ECU 70.
  • step S23 the execution unit 31 of the information processing device 30 increments the count M by 1.
  • step S25 the execution unit 31 determines whether the transmission of the update divided software has been completed. In this embodiment, if the count M is greater than the number of divisions N, the execution unit 31 determines that the transmission of N pieces of update divided software has been completed. On the other hand, if the count M is equal to or less than the number of divisions N, the execution unit 31 determines that the transmission of the update divided software has not been completed because there is update divided software among the N pieces of update divided software that has not yet been transmitted. Then, if the execution unit 31 has completed the transmission of the update divided software (S25: YES), the processing proceeds to step S27. On the other hand, if the execution unit 31 has not completed the transmission of the update divided software (S25: NO), the processing returns to step S17. That is, the execution unit 31 continues the transmission of the update divided software.
  • step S109 the execution unit 61 of the first brake ECU 60 determines whether or not it has received the Mth update divided software from the global network 42. If the count M is 1, the execution unit 61 determines whether or not it has received the first update divided software. If the execution unit 61 has received the Mth update divided software (S109: YES), it transitions to step S111. On the other hand, if the execution unit 61 has not received the Mth update divided software (S109: NO), it repeats the determination in step S109 until it receives the Mth update divided software.
  • step S111 the execution device 61 of the first brake ECU 60 decrypts the Mth update split software received from the information processing device 30. Then, in step S113, the execution device 61 writes the Mth update split software that it has decrypted into the storage device 62. For example, if the count M is 1, the execution device 61 decrypts the first update split software and writes the decrypted first update split software into the storage device 62. The execution device 61 then transitions to step S115.
  • step S207 the execution unit 71 of the second brake ECU 70 determines whether or not it has received the Mth update divided software from the global network 42. If the count M is 2, the execution unit 71 determines whether or not it has received the second update divided software. If the execution unit 71 has received the Mth update divided software (S207: YES), the process proceeds to step S209. On the other hand, if the execution unit 71 has not received the Mth update divided software (S207: NO), the execution unit 71 repeatedly executes the determination in step S207 until it receives the Mth update divided software.
  • step S209 the execution unit 71 of the second brake ECU 70 decrypts the Mth update split software received from the information processing device 30. Then, in step S211, the execution unit 71 transmits the decrypted Mth update split software to the first brake ECU 60 via the local network 43. For example, when the count M is 2, the execution unit 71 decrypts the second update split software and transmits the decrypted second update split software to the first brake ECU 60 via the local network 43. The execution unit 71 then transitions to step S213.
  • step S213 the execution unit 71 of the second brake ECU 70 determines whether the software update of the storage device 62 of the first brake ECU 60 has been completed. If the update has been completed (S213: YES), the execution unit 71 proceeds to step S215. On the other hand, if the update has not been completed (S213: NO), the execution unit 71 returns the process to step S207. In other words, the execution unit 71 repeatedly executes the processes from step S207 to step S211 until the software update of the storage device 62 has been completed.
  • step S115 the execution device 61 of the first brake ECU 60 determines whether or not it has received the decrypted Mth update split software from the second brake ECU 70 via the local network 43. If the execution device 61 has received the Mth update split software from the second brake ECU 70 (S115: YES), the processing proceeds to step S117. On the other hand, if the execution device 61 has not received the Mth update split software from the second brake ECU 70 (S115: NO), the execution device 61 repeatedly executes the determination of step S115 until it receives the Mth update split software from the second brake ECU 70.
  • step S117 the execution device 61 writes the decrypted Mth update split software received from the second brake ECU 70 to the storage device 62. For example, if the count M is 2, when the execution device 61 receives the decrypted second update divided software from the second brake ECU 70 via the local network 43, it writes the second update divided software to the storage device 62. After that, the execution device 61 transitions the process to step S119.
  • step S119 the execution unit 61 of the first brake ECU 60 determines whether the software update of the storage device 62 has been completed. If the update has been completed (S119: YES), the execution unit 61 proceeds to step S121. On the other hand, if the update has not been completed (S119: NO), the execution unit 61 returns the process to step S109. In other words, the execution unit 61 repeatedly executes the processes from step S109 to step S117 until the software update of the storage device 62 is completed.
  • step S27 the execution device 31 of the information processing device 30 requests both the first brake ECU 60 and the second brake ECU 70 to change the control mode of the execution device from the update mode to the normal mode.
  • step S29 the execution device 31 determines whether or not it has received a notification from both the first brake ECU 60 and the second brake ECU 70 that the mode change has been completed. If the execution device 31 has received the above notification from both the first brake ECU 60 and the second brake ECU 70 (S29: YES), it ends the processing routine shown in Figures 2(A) and 3(A).
  • the execution device 31 determines whether the execution device 31 has received the above notification from at least one of the first brake ECU 60 and the second brake ECU 70 (S29: NO). If the execution device 31 has not received the above notification from at least one of the first brake ECU 60 and the second brake ECU 70 (S29: NO), it returns the processing to step S27. That is, the execution device 31 continues to request the first brake ECU 60 and the second brake ECU 70 to change modes until the execution device 31 receives the above notification from both the first brake ECU 60 and the second brake ECU 70.
  • step S121 the execution device 61 of the first brake ECU 60 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 61 receives a mode change request (S121: YES), the process proceeds to step S123. On the other hand, if the execution device 61 has not received a mode change request (S121: NO), the execution device 61 repeats the judgment of step S121 until a request is received. In step S123, the execution device 61 resets itself, changes the control mode from the update mode to the normal mode, and restarts. Next, in step S125, the execution device 61 transmits a notification to the information processing device 30 that the change from the update mode to the normal mode has been completed. Thereafter, the execution device 61 ends the processing routine shown in FIG. 2(B) and FIG. 3(B).
  • step S215 the execution device 71 of the second brake ECU 70 determines whether or not a mode change request has been received from the information processing device 30. If the execution device 71 receives a mode change request (S215: YES), the process proceeds to step S217. On the other hand, if the execution device 71 has not received a mode change request (S215: NO), the execution device 71 repeats the determination in step S215 until a request is received. In step S217, the execution device 71 resets itself, changes the control mode from the update mode to the normal mode, and restarts.
  • step S219 the execution device 71 transmits a notification to the information processing device 30 that the change from the update mode to the normal mode has been completed. Thereafter, the execution device 71 ends the processing routine shown in FIG. 2(C) and FIG. 3(C).
  • the software of the storage device 72 of the second brake ECU 70 may be updated.
  • the second brake ECU 70 since the second brake ECU 70 is the ECU to be updated, the second brake ECU 70 corresponds to the "first electronic control device” and the first brake ECU 60 corresponds to the "second electronic control device.”
  • the execution device 71 of the second brake ECU 70 corresponds to the "first execution device” and the execution device 61 of the first brake ECU 60 corresponds to the "second execution device.” Therefore, the execution device 71 of the second brake ECU 70 executes the processing routines shown in Figures 2(B) and 3(B), and the execution device 61 of the first brake ECU 60 executes the processing routines shown in Figures 2(C) and 3(C).
  • the pre-update software begins to be erased from the storage device 62.
  • the update software is divided into six pieces. That is, six pieces of update divided software A1 to A6 are generated.
  • the encrypted first update divided software A1 is transmitted to the first brake ECU 60 via the global network 42.
  • the encrypted second update divided software A2 is transmitted to the second brake ECU 70 via the global network 42.
  • the first brake ECU 60 When the first brake ECU 60 receives the first update divided software A1, the first update divided software A1 is decrypted. In the example shown in FIG. 4, the process of deleting the update divided software is executed until timing t15. Therefore, from timing t15, writing of the decrypted first update divided software A1 to the storage device 62 begins.
  • the second brake ECU 70 when the second brake ECU 70 receives the second update divided software A2 via the global network 42, the second brake ECU 70 decodes the second update divided software A2. That is, even while the first brake ECU 60 is decoding the first update divided software A1, the second brake ECU 70 can decode the second update divided software A2.
  • the second brake ECU 70 decodes the second update divided software A2, as shown in FIGS. 4(B) and (D), the decoded second update divided software A2 is transmitted to the first brake ECU 60 via the local network 43 from timing t14.
  • the first brake ECU 60 writes the first update divided software A1 to the storage device 62, and then starts writing the second update divided software A2 to the storage device 62.
  • the information processing device 30 transmits the encrypted third update divided software A3 to the first brake ECU 60. At this time, the third update divided software A3 is also transmitted to the first brake ECU 60 via the global network 42. Next, the information processing device 30 transmits the encrypted fourth update divided software A4 to the second brake ECU 70. At this time, the fourth update divided software A4 is also transmitted to the second brake ECU 70 via the global network 42.
  • the third update divided software A3 is decrypted. Then, the decrypted third update divided software A3 is written to the storage device 62.
  • the second brake ECU 70 When the second brake ECU 70 receives the fourth update divided software A4, it decodes the fourth update divided software A4. That is, even while the first brake ECU 60 is decoded the third update divided software A3, the second brake ECU 70 can decode the fourth update divided software A4.
  • the decoded fourth update divided software A4 is transmitted to the first brake ECU 60 via the local network 43.
  • the third update divided software A3 is written to the storage device 62
  • the fourth update divided software A4 is written to the storage device 62.
  • the information processing device 30 transmits the encrypted fifth update divided software A5 to the first brake ECU 60. At this time, the fifth update divided software A5 is also transmitted to the first brake ECU 60 via the global network 42. After the fifth update divided software A5 is transmitted, the information processing device 30 transmits the encrypted sixth update divided software A6 to the second brake ECU 70. At this time, the sixth update divided software A6 is also transmitted to the second brake ECU 70 via the global network 42.
  • the fifth update divided software A5 is decrypted. Then, the decrypted fifth update divided software A5 is written to the storage device 62.
  • the second brake ECU 70 When the second brake ECU 70 receives the sixth update divided software A6, it decodes the sixth update divided software A6. That is, even while the first brake ECU 60 is decoded the fifth update divided software A5, the second brake ECU 70 can decode the sixth update divided software A6.
  • the decoded sixth update divided software A6 is transmitted to the first brake ECU 60 via the local network 43.
  • the fifth update divided software A5 is written to the storage device 62
  • the sixth update divided software A6 is written to the storage device 62. This completes the software update of the storage device 62.
  • the information processing device 30 transmits the first update divided software A1 to the first brake ECU 60, it transmits the next update divided software (in this case, the second update divided software A2) to the second brake ECU 70. Then, while the execution device 61 of the first brake ECU 60 is decrypting the first update divided software A1, the execution device 71 of the second brake ECU 70 can decrypt the second update divided software A2. That is, the information processing device 30 does not need to wait for the transmission of the second update divided software A2 until the decoding of the first update divided software A1 is completed. That is, the time during which the information processing device 30 is in a state of waiting for the transmission of the update divided software can be shortened. Therefore, when updating the software of the storage device 62 of the first brake ECU 60, the control system 15 can suppress the time required for updating the software from becoming long.
  • the next update divided software in this case, the second update divided software A2
  • the execution device 71 of the second brake ECU 70 can decrypt the second update divided software A2. That is, the information
  • the second brake ECU 70 transmits the decrypted divided update software to the first brake ECU 60 via the local network 43. This reduces the time required for transmission compared to transmitting the divided update software between the second brake ECU 70 and the first brake ECU 60 via the global network 42. This contributes to reducing the time required for software updates.
  • Second Embodiment A second embodiment of the control system will be described with reference to Fig. 5.
  • the second embodiment differs from the first embodiment in that the update division software is not directly transmitted from the information processing device to the second electronic control unit.
  • the differences from the first embodiment will be mainly described, and the same reference numerals will be used to designate the same components as those in the first embodiment, and duplicated description will be omitted.
  • Figure 5(A) shows a portion of the processing routine executed by the execution device 31 of the information processing device 30.
  • Figure 5(B) shows a portion of the processing routine executed by the execution device 61 of the first brake ECU 60.
  • Figure 5(C) shows a portion of the processing routine executed by the execution device 71 of the second brake ECU 70.
  • the processing routine shown in Figure 5(B) is a portion of the processing routine executed by the first electronic control device
  • the processing routine shown in Figure 5(C) is a portion of the processing routine executed by the second electronic control device.
  • step S15A the execution device 31 of the information processing device 30 sets a count M to 1.
  • the execution device 31 divides the update software for the first brake ECU 60 into N pieces.
  • N is an integer equal to or greater than 3.
  • step S17A the execution device 31 transmits the Mth update divided software, which is one of the N pieces of update software, to the first brake ECU 60 via the global network 42.
  • the execution device 31 transmits the encrypted Mth update divided software to the first brake ECU 60 via the global network 42. Note that if the count M is 1, the execution device 31 transmits the encrypted first update divided software to the first brake ECU 60.
  • step S19A the execution unit 31 of the information processing device 30 increments the count M by 1.
  • the execution unit 31 transmits the Mth update split software, which is one of the divided update software, to the first brake ECU 60 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update split software to the first brake ECU 60 via the global network 42.
  • the update split software transmitted to the first brake ECU 60 here is different from the update split software transmitted to the first brake ECU 60 in step S17A. Note that if the count M is 2, the execution unit 31 transmits the encrypted second update split software to the second brake ECU 70.
  • step S23A the execution unit 31 of the information processing device 30 increments the counter M by 1.
  • step S25A the execution unit 31 determines whether or not the transmission of the N pieces of update divided software has been completed, similar to step S25 shown in FIG. 2(A) and FIG. 3(A). If there is any update divided software among the N pieces of update divided software that has not yet been transmitted (S25A: NO), the execution unit 31 returns the process to step S17A. That is, the execution unit 31 continues transmitting the update divided software. On the other hand, if the execution unit 31 has completed the transmission of the N pieces of update divided software (S25A: YES), the process proceeds to step S27 shown in FIG. 2(A) and FIG. 3(A). The process flow from step S27 onwards is the same as in the first embodiment.
  • the execution device 61 of the first brake ECU 60 sequentially executes the processes from step S101 to step S107 shown in FIG. 2(B) and FIG. 3(B). Then, in step S131 as shown in FIG. 5(B), the execution device 61 judges whether or not the Mth update divided software transmitted by the information processing device 30 in step S17A has been received from the global network 42. If the count M is 1, the execution device 61 judges whether or not the first update divided software A1 has been received. If the execution device 61 has received the Mth update divided software (S131: YES), the process proceeds to step S133. On the other hand, if the execution device 61 has not received the Mth update divided software (S131: NO), the execution device 61 repeatedly executes the judgment of step S131 until the Mth update divided software is received.
  • step S133 the execution unit 61 of the first brake ECU 60 determines whether or not it has received the Mth update divided software transmitted by the information processing unit 30 in step S21A from the global network 42. If the count M is 2, the execution unit 61 determines whether or not it has received the second update divided software A2. If the execution unit 61 has received the Mth update divided software (S133: YES), it transitions to step S135. On the other hand, if the execution unit 61 has not received the Mth update divided software (S133: NO), it repeats the determination of step S133 until it receives the Mth update divided software.
  • step S135 the execution device 61 of the first brake ECU 60 transmits the Mth update divided software received in step S133 to the second brake ECU 70 via the local network 43. For example, if the first brake ECU 60 receives the first update divided software A1 and the second update divided software A2, the execution device 61 transmits only the second update divided software A2 of the first update divided software A1 and the second update divided software A2 to the second brake ECU 70 via the local network 43.
  • step S137 the execution device 61 of the first brake ECU 60 decrypts the Mth update split software received in step S131. That is, of the two update split software received from the information processing device 30, the execution device 61 decrypts the update split software that has not been transmitted to the second brake ECU 70.
  • step S139 the execution device 61 writes the Mth update split software that it has decrypted into the storage device 62. The execution device 61 then transitions to step S141.
  • the execution unit 71 of the second brake ECU 70 sequentially executes the processes from step S201 to S205 shown in FIG. 2(C) and FIG. 3(C). Then, in step S231 as shown in FIG. 5(C), the execution unit 71 judges whether or not the Mth update divided software has been received via the local network 43. If the count M is 2, the execution unit 71 judges whether or not the second update divided software A2 has been received.
  • the update divided software received here is the update divided software transmitted by the information processing device 30 in step S21A. If the execution unit 71 receives the Mth update divided software (S231: YES), the process proceeds to step S233. On the other hand, if the execution unit 71 has not received the Mth update divided software (S231: NO), the execution unit 71 repeatedly executes the judgment of step S231 until the Mth update divided software is received.
  • step S233 the execution device 71 of the second brake ECU 70 decrypts the received Mth update split software. Then, in step S235, the execution device 71 transmits the decrypted Mth update split software to the first brake ECU 60 via the local network 43. For example, if the count M is 2, the execution device 71 decrypts the second update split software A2 and transmits the decrypted second update split software A2 to the first brake ECU 60 via the local network 43. The execution device 71 then transitions to step S237.
  • step S237 the execution unit 71 of the second brake ECU 70 determines whether the software update of the storage device 62 of the first brake ECU 60 has been completed. If the update has not been completed (S237: NO), the execution unit 71 returns the process to step S231. That is, the execution unit 71 repeatedly executes the processes from step S231 to step S235 until the software update of the storage device 62 is completed. On the other hand, if the update has been completed (S237: YES), the execution unit 71 transitions the process to step S215 shown in FIG. 2(C) and FIG. 3(C). The process flow from step S215 onwards is the same as in the first embodiment.
  • step S141 the execution device 61 of the first brake ECU 60 determines whether or not it has received the Mth update divided software from the second brake ECU 70 via the local network 43. If the execution device 61 has received the Mth update divided software (S141: YES), the process proceeds to step S143. On the other hand, if the execution device 61 has not received the Mth update divided software (S141: NO), the execution device 61 repeatedly executes the determination of step S141 until it receives the Mth update divided software.
  • step S143 the execution device 61 of the first brake ECU 60 writes the Mth update divided software received in step S141 to the storage device 62. That is, the execution device 61 writes the decoded Mth update divided software transmitted from the second brake ECU 70 to the storage device 62.
  • step S145 the execution device 61 determines whether the software update of the storage device 62 is complete. If the update is not complete (S145: NO), the execution device 61 returns the process to step S131. That is, the execution device 61 repeatedly executes the processes from step S131 to step S143 until the software update of the storage device 62 is complete. On the other hand, if the update is complete (S145: YES), the execution device 61 transitions the process to step S121 shown in FIG. 2(B) and FIG. 3(B). The process flow from step S121 onwards is the same as that in the first embodiment.
  • the information processing device 30 When updating the software in the storage device 62 of the first brake ECU 60, the information processing device 30 divides the update software into N pieces. The information processing device 30 transmits the N pieces of update divided software to the first brake ECU 60, which is the ECU to be updated, via the global network 42. In this embodiment, two pieces of update divided software are transmitted to the first brake ECU 60 via the global network 42.
  • the first brake ECU 60 transmits one of the two pieces of update split software received to the second brake ECU 70 via the local network 43.
  • the first brake ECU 60 also decrypts the update split software that was not transmitted to the second brake ECU 70.
  • the update split software decrypted by the execution device 61 is then written to the storage device 62.
  • the second brake ECU 70 decodes the update split software received via the local network 43.
  • the decoded update split software is then sent to the first brake ECU 60 via the local network 43.
  • the first brake ECU 60 writes the decoded update split software received via the local network 43 to the storage device 62.
  • the software in the storage device 62 of the first brake ECU 60 is updated.
  • the second update divided software A2 can also be decoded in the second brake ECU 70. That is, the information processing device 30 does not need to wait for the transmission of the second update divided software A2 until the decoding of the first update divided software A1 is completed. That is, the time during which the information processing device 30 is in a state of waiting for the transmission of update divided software can be shortened. Therefore, when updating the software of the storage device 62 of the first brake ECU 60, the control system 15 can prevent the time required for the software update from becoming long.
  • the information processing device 30 does not need to directly transmit some of the N pieces of divided software updates to the second brake ECU 70 that is not the ECU to be updated. Furthermore, in this embodiment, it is possible to obtain effects equivalent to the effects (1-2) and (1-3) of the first embodiment.
  • the third embodiment differs from the first embodiment in that the ECU to be updated is a multi-core processor equipped with multiple execution devices.
  • the ECU to be updated is a multi-core processor equipped with multiple execution devices.
  • the control system 15B of this embodiment will be described with reference to FIG.
  • the control system 15B includes a communication device 20, an information processing device 30, and a plurality of ECUs.
  • the plurality of ECUs are configured to be able to communicate with the information processing device 30 via a global network 42.
  • the plurality of ECUs include an ECU 80 and an ECU 50.
  • the ECU 80 is a braking ECU that controls an actuator to adjust the braking force generated in the vehicle 10.
  • the ECU 80 is a multi-core processor.
  • the ECU 80 includes a first execution unit 81A, a second execution unit 81B, a memory device 82, and a storage unit 83.
  • the first execution unit 81A and the second execution unit 81B are CPUs
  • the memory device 82 is a non-volatile memory
  • the storage device 83 is a volatile memory.
  • the storage unit 82 stores software executed by the first execution unit 81A and the second execution unit 81B.
  • Fig. 7(A) shows a processing routine executed by the execution unit 31 of the information processing device 30.
  • Fig. 7(B) shows a processing routine executed by the first execution unit 81A of the ECU 80.
  • Fig. 7(C) shows a processing routine executed by the second execution unit 81B of the ECU 80.
  • step S41 the execution unit 31 requests the ECU 80 to change the control mode of the execution unit from the normal mode to the update mode.
  • step S43 the execution unit 31 determines whether it has received both a first notification that the control mode of the first execution unit 81A has been changed to the update mode and a second notification that the control mode of the second execution unit 81B has been changed to the update mode. If the execution unit 31 has received both the first notification and the second notification (S43: YES), it proceeds to step S45.
  • the execution unit 31 determines whether the execution unit 31 has not received at least one of the first notification and the second notification (S43: NO). If the execution unit 31 has not received at least one of the first notification and the second notification (S43: NO), it returns the processing to step S41. That is, the execution unit 31 continues to request the ECU 80 to change the mode until it receives both the first notification and the second notification.
  • step S151A the first execution unit 81A of the ECU 80 judges whether the ECU 80 has received a mode change request from the information processing device 30. If the ECU 80 has received a mode change request (S151A: YES), the first execution unit 81A shifts the process to step S153A. On the other hand, if the ECU 80 has not received a mode change request (S151A: NO), the first execution unit 81A repeats the judgment of step S151A until the ECU 80 receives the request. In step S153A, the first execution unit 81A resets itself, changes the control mode to the update mode, and restarts.
  • step S155A the first execution unit 81A transmits a first notification to the information processing device 30 indicating that the change from the normal mode to the update mode has been completed.
  • step S157A the first execution unit 81A starts erasing the pre-update software from the storage device 82. The first execution unit 81A then transitions to step S159A.
  • step S151B the second execution unit 81B of the ECU 80 judges whether the ECU 80 has received a mode change request from the information processing device 30. If the ECU 80 has received a mode change request (S151B: YES), the second execution unit 81B shifts the process to step S153B. On the other hand, if the ECU 80 has not received a mode change request (S151B: NO), the second execution unit 81B repeats the judgment of step S151B until the ECU 80 receives the request. In step S153B, the second execution unit 81B resets itself, changes the control mode to the update mode, and restarts.
  • step S155B the second execution unit 81B transmits a second notification to the information processing device 30 indicating that the change from the normal mode to the update mode has been completed. Then, the second execution unit 81B shifts the process to step S159B.
  • step S45 the execution unit 31 of the information processing device 30 sets a count M to 1.
  • the execution unit 31 then divides the update software for the ECU 80 into N pieces, where "N" is an integer equal to or greater than 3.
  • step S47 the execution unit 31 transmits the Mth update divided software, which is one of the divided update software, to the ECU 80 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update divided software to the ECU 80 via the global network 42. Note that if the count M is 1, the execution unit 31 transmits the encrypted first update divided software A1 to the ECU 80.
  • step S49 the execution unit 31 of the information processing device 30 increments the count M by 1.
  • the execution unit 31 transmits the Mth update split software, which is one of the divided update software, to the ECU 80 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update split software to the ECU 80 via the global network 42.
  • the update split software transmitted to the ECU 80 here is different from the update split software transmitted to the ECU 80 in step S47. Note that if the count M is 2, the execution unit 31 transmits the encrypted second update split software A2 to the ECU 80.
  • step S53 the execution unit 31 of the information processing device 30 increments the counter M by 1.
  • step S55 the execution unit 31 determines whether or not the transmission of the update split software has been completed, similar to step S25 shown in Figures 2 (A) and 3 (A). If the transmission of the update split software has been completed (S55: YES), the execution unit 31 proceeds to step S57. On the other hand, if the transmission of the update split software has not been completed (S55: NO), the execution unit 31 returns the process to step S47. That is, the execution unit 31 continues transmitting the update split software to the ECU 80.
  • step S159A the first execution unit 81A of the ECU 80 determines whether the ECU 80 has received the Mth update divided software.
  • the update divided software received here is the Mth update divided software transmitted by the information processing device 30 in step S47. If the count M is 1, the first execution unit 81A determines whether the first update divided software has been received. If the ECU 80 has received the Mth update divided software (S159A: YES), the first execution unit 81A transitions the process to step S161A. On the other hand, if the ECU 80 has not received the Mth update divided software (S159A: NO), the first execution unit 81A repeats the determination of step S159A until the Mth update divided software is received.
  • step S161A the first execution unit 81A of the ECU 80 decrypts the Mth update split software received by the ECU 80 in step S159A. Then, in step S163A, the first execution unit 81A writes the Mth update split software that it has decrypted to the storage device 82. For example, if the count M is 1, the first execution unit 81A decrypts the first update split software A1 and writes the decrypted first update split software A1 to the storage device 82.
  • step S165A the first execution unit 81A of the ECU 80 determines whether the software update of the storage device 82 is complete. If the update is complete (S165A: YES), the first execution unit 81A proceeds to step S167A. On the other hand, if the update is not complete (S165A: NO), the first execution unit 81A returns to step S159A. In other words, the first execution unit 81A repeatedly executes steps S159A to S163A until the software update of the storage device 82 is complete.
  • step S159B the second execution unit 81B of the ECU 80 determines whether the ECU 80 has received the Mth update split software.
  • the update split software received here is the Mth update split software transmitted by the information processing device 30 in step S51. If the count M is 2, the second execution unit 81B determines whether the ECU 80 has received the second update split software. If the ECU 80 has received the Mth update split software (S159B: YES), the second execution unit 81B transitions the process to step S161B. On the other hand, if the ECU 80 has not received the Mth update split software (S159B: NO), the second execution unit 81B repeatedly executes the determination of step S159B until the ECU 80 receives the Mth update split software.
  • step S161B the second execution unit 81B of the ECU 80 decrypts the Mth update split software received in step S159B. Then, in step S161B, the second execution unit 81B writes the Mth update split software that it has decrypted to the storage device 62. For example, if the count M is 2, the second execution unit 81B decrypts the second update split software A2 and writes the decrypted second update split software A2 to the storage device 62.
  • step S165B the second execution unit 81B of the ECU 80 determines whether the software update of the storage device 82 has been completed. If the update has been completed (S165B: YES), the second execution unit 81B proceeds to step S167B. On the other hand, if the update has not been completed (S165B: NO), the second execution unit 81B returns the process to step S159B. In other words, the second execution unit 81B repeatedly executes the processes from step S159B to step S163B until the software update of the storage device 82 is completed.
  • step S57 the execution unit 31 of the information processing device 30 requests the ECU 80 to change the control mode of the execution unit from the update mode to the normal mode.
  • step S59 the execution unit 31 determines whether or not it has received both the third notification that the control mode of the first execution unit 81A has been changed to the normal mode and the fourth notification that the control mode of the second execution unit 81B has been changed to the normal mode. If the execution unit 31 has received both the third notification and the fourth notification from the ECU 80 (S59: YES), it ends the processing routine shown in FIG. 7(A). On the other hand, if the execution unit 31 has not received at least one of the third notification and the fourth notification (S59: NO), it returns the processing to step S57. That is, the execution unit 31 continues to request the ECU 80 to change the mode until it receives both the third notification and the fourth notification.
  • step S167A the first execution unit 81A resets itself, changes the control mode from update mode to normal mode, and restarts.
  • step S169A the first execution unit 81A transmits a third notification to the information processing device 30 indicating that the change from update mode to normal mode has been completed. Thereafter, the first execution unit 81A ends the processing routine shown in FIG. 7(B).
  • step S167B the second execution unit 81B resets itself, changes the control mode from the update mode to the normal mode, and restarts.
  • step S169B the second execution unit 81B transmits a fourth notification to the information processing device 30 indicating that the change from the update mode to the normal mode has been completed. Thereafter, the second execution unit 81B ends the processing routine shown in FIG. 7(C).
  • the information processing device 30 When updating software in the storage device 82 of the ECU 80, the information processing device 30 divides the update software into N pieces. The information processing device 30 transmits the N pieces of update divided software to the ECU 80 via the global network 42. In this embodiment, two pieces of update divided software are transmitted to the ECU 80 via the global network 42.
  • one of the two received update split software is processed by the first execution unit 81A, while the remaining one is processed by the second execution unit 81B. That is, the first execution unit 81A decrypts one of the two update split software and writes it to the storage device 82. The second execution unit 81B decrypts the other of the two update split software and writes it to the storage device 82. By repeating this series of processes, the software in the storage device 82 of the ECU 80 is updated.
  • the ECU 80 which is the ECU to be updated, is a multi-core processor. Therefore, for example, while the first execution unit 81A is decrypting the first update divided software A1, the second execution unit 81B can update the second update divided software A2. Therefore, the information processing device 30 does not have to wait for the transmission of the second update divided software A2 until the decryption of the first update divided software A1 is complete. In other words, the time that the information processing device 30 is in a state waiting for the transmission of update divided software can be shortened. Therefore, when updating software in the storage device 82 of the ECU 80, the control system 15B can prevent the time required for the software update from becoming long.
  • the control system 15C includes a communication device 20, an information processing device 30, and a plurality of ECUs.
  • the plurality of ECUs are configured to be able to communicate with the information processing device 30 via a global network 42.
  • the plurality of ECUs include a first braking ECU 60 and a second braking ECU 90.
  • the first braking ECU 60 operates the first actuator 11.
  • the second braking ECU 90 operates the second actuator 12.
  • the plurality of ECUs may include ECUs other than the first braking ECU 60 and the second braking ECU 90.
  • the first brake ECU 60 and the second brake ECU 90 can transmit and receive various information via the local network 43C.
  • the communication speed of the local network 43C is higher than the communication speed of the global network 42.
  • the first brake ECU 60 includes an execution device 61 , a memory device 62 , and a storage device 63 .
  • the second brake ECU 90 includes an execution device 91, a storage device 92, and a storage device 93.
  • the execution device 91 is a CPU
  • the storage device 92 is a non-volatile memory
  • the storage device 93 is a volatile memory.
  • the storage device 92 is divided into a first storage unit 921 and a second storage unit 922.
  • the first storage unit 921 stores software executed by the execution device 91.
  • the second storage unit 922 does not store software executed by the execution device 91.
  • ⁇ Software update process> a method of updating software in a storage device provided in a brake ECU will be described.
  • the ECU to be updated is the first brake ECU 60
  • the first brake ECU 60 corresponds to the "first electronic control device”
  • the second brake ECU 90 corresponds to the "second electronic control device”.
  • the execution device 61 of the first brake ECU 60 corresponds to the "first execution device”
  • the execution device 91 of the second brake ECU 90 corresponds to the "second execution device”.
  • Figure 9 (A) shows a part of the processing routine executed by the execution device 31 of the information processing device 30.
  • Figure 9 (B) shows a part of the processing routine executed by the execution device 61 of the first brake ECU 60.
  • Figure 9 (C) shows a part of the processing routine executed by the execution device 91 of the second brake ECU 90.
  • the processing routine shown in Figure 9 (B) is a part of the processing routine executed by the first electronic control device
  • the processing routine shown in Figure 9 (C) is a part of the processing routine executed by the second electronic control device.
  • step S81 the execution unit 31 requests both the first brake ECU 60 and the second brake ECU 90 to change the control mode of the execution unit from the normal mode to the update mode.
  • step S83 the execution device 31 of the information processing device 30 determines whether or not it has received a notification from both the first brake ECU 60 and the second brake ECU 90 that the mode change has been completed. If the execution device 31 has received the notification from both the first brake ECU 60 and the second brake ECU 90 (S83: YES), the process proceeds to step S85. On the other hand, if the execution device 31 has not received the notification from at least one of the first brake ECU 60 and the second brake ECU 90 (S83: NO), the process returns to step S81. In other words, the execution device 31 continues to request the first brake ECU 60 and the second brake ECU 90 to change the mode until it receives the notification from both the first brake ECU 60 and the second brake ECU 90.
  • step S181 the execution device 61 of the first brake ECU 60 judges whether or not a mode change request has been received from the information processing device 30. If the execution device 61 receives a mode change request (S181: YES), the process proceeds to step S183. On the other hand, if the execution device 61 has not received a mode change request (S181: NO), the execution device 61 repeats the judgment of step S181 until a request is received. In step S183, the execution device 61 resets itself, changes the control mode to the update mode, and restarts. Then, in step S185, the execution device 61 transmits a notification to the information processing device 30 that the change from the normal mode to the update mode has been completed. In the next step S187, the execution device 61 starts erasing the pre-update software from the storage device 62. After that, the execution device 61 proceeds to step S189.
  • step S281 the execution device 91 of the second brake ECU 90 determines whether or not a mode change request has been received from the information processing device 30. If the execution device 91 receives a mode change request (S281: YES), the process proceeds to step S283. On the other hand, if the execution device 91 has not received a mode change request (S281: NO), the execution device 91 repeatedly executes the determination of step S281 until a request is received. In step S283, the execution device 91 resets itself, changes the control mode to the update mode, and restarts. Next, in step S285, the execution device 91 transmits a notification to the information processing device 30 that the change from normal mode to update mode has been completed. Then, the execution device 91 proceeds to step S287.
  • step S85 the execution unit 31 of the information processing device 30 sets a counter M to 1.
  • the execution unit 31 then divides the update software for the first brake ECU 60 into N pieces, where "N" is an integer equal to or greater than 3.
  • step S87 the execution unit 31 transmits the Mth update divided software, which is one of the N pieces of update software, to the second brake ECU 90 via the global network 42.
  • the execution unit 31 transmits the encrypted Mth update divided software to the second brake ECU 90 via the global network 42.
  • step S89 the execution unit 31 of the information processing device 30 increments the counter M by 1.
  • step S91 the execution unit 31 determines whether the transmission of the update split software has been completed, similar to step S25 shown in FIG. 2(A) and FIG. 3(A). If the transmission of the update split software has been completed (S91: YES), the execution unit 31 proceeds to step S27 shown in FIG. 2(A) and FIG. 3(A). The flow of processing from step S27 onwards is the same as in the first embodiment. On the other hand, if the transmission of the update split software has not been completed (S91: NO), the execution unit 31 returns the processing to step S87. That is, the execution unit 31 continues transmitting the update split software to the second brake ECU 90.
  • step S287 the execution device 91 of the second brake ECU 90 determines whether or not the Mth update divided software has been received from the global network 42. If the execution device 91 has received the Mth update divided software (S287: YES), the execution device 91 writes the Mth update divided software to the second storage unit 922 and proceeds to step S289. On the other hand, if the execution device 91 has not received the Mth update divided software (S287: NO), the execution device 91 repeatedly executes the determination of step S287 until the Mth update divided software is received.
  • step S289 the execution device 91 of the second brake ECU 90 decrypts the Mth update divided software stored in the second storage unit 922. Then, in step S291, the execution device 91 transmits the decrypted Mth update divided software to the first brake ECU 60 via the local network 43. Then, the execution device 91 transitions the process to step S293.
  • step S293 the execution unit 91 of the second brake ECU 90 determines whether the software update of the storage device 62 of the first brake ECU 60 has been completed. If the update has not been completed (S293: NO), the execution unit 91 returns the process to step S287. That is, the execution unit 91 repeatedly executes the processes from step S287 to step S291 until the software update of the storage device 62 is completed. On the other hand, if the update has been completed (S293: YES), the execution unit 91 proceeds to step S215 shown in Figures 2 (C) and 3 (C). The process flow from step S215 onwards is the same as in the first embodiment.
  • step S189 the execution device 61 of the first brake ECU 60 determines whether or not it has received the decoded Mth update divided software from the second brake ECU 90 via the local network 43. If the execution device 61 has received the Mth update divided software from the second brake ECU 90 (S189: YES), the process proceeds to step S191. On the other hand, if the execution device 61 has not received the Mth update divided software from the second brake ECU 90 (S189: NO), the execution device 61 repeats the determination of step S189 until it receives the Mth update divided software from the second brake ECU 90. In step S191, the execution device 61 writes the decoded Mth update divided software received from the second brake ECU 90 to the storage device 62. Then, the execution device 61 proceeds to step S193.
  • step S193 the execution unit 61 of the first brake ECU 60 determines whether the software update of the storage device 62 has been completed. If the update has not been completed (S193: NO), the execution unit 61 returns the process to step S189. That is, the execution unit 61 repeatedly executes the processes of steps S189 and S191 until the software update of the storage device 62 is completed. On the other hand, if the update has been completed (S193: YES), the execution unit 61 proceeds to step S121 shown in Figures 2 (B) and 3 (B). The process flow from step S121 onwards is the same as in the first embodiment.
  • the second brake ECU 90 corresponding to the second electronic control device includes not only the first storage unit 921 but also the second storage unit 922 as a storage unit. Therefore, the information processing device 30 transmits the encrypted update software to the second brake ECU 90 via the global network 42. In the second brake ECU 90, the received update software is stored in the second storage unit 922. When updating the software of the storage unit 62 of the first brake ECU 60, the execution device 91 of the second brake ECU 90 decrypts the update software stored in the second storage unit 922 and transmits the decrypted update software to the first brake ECU 60 via the local network 43C. In the first brake ECU 60, the decrypted update software received via the local network 43C is written to the storage unit 62.
  • the communication speed of the local network 43C is higher than the communication speed of the global network 42. Therefore, the time required to update the software in the storage device 62 of the first brake ECU 60 can be shortened by the time required to transmit the update software to the first brake ECU 60 via the local network 43 .
  • the information processing device 30 may transmit the update software to the second brake ECU 90 without dividing it.
  • the division number N which is the number into which the information processing device 30 divides the update software, may be any even number other than 2 as long as it is equal to or greater than 2. In the above embodiments, the division number N, which is the number into which the information processing device 30 divides the update software, may be an odd number equal to or greater than 2.
  • the execution device 71 of the second brake ECU 70 may complete transmission of N pieces of update divided software. In such a case, the execution device 71 of the second brake ECU 70 may transition to step S215 in response to a request from the information processing device 30 to return the control mode to the normal mode.
  • the number of execution devices provided in the ECU 80 may be three or more.
  • the ECU 80 also includes a third execution device, while the first execution device 81A is decrypting the first update divided software A1 and the second execution device 81B is decrypting the second update divided software A2, the third execution device can also decrypt the third update divided software A3.
  • the number of ECUs that can communicate with the ECU to be updated (first ECU) via the local network is only one.
  • the number of ECUs that can communicate with the first ECU via the local network may be two or more.
  • the information processing device 30 can also transmit three pieces of update split software to the ECU to be updated. Then, of the three pieces of update split software, the ECU to be updated transmits the second update split software A2 to the second ECU via the local network, and transmits the third update split software A3 to the third ECU via the local network.
  • the second ECU and the third ECU decrypt the update split software received via the local network, and transmit the decrypted update split software to the first ECU via the local network.
  • the first ECU decrypts the first update split software A1 of the three pieces of update split software, and writes the first update split software A1 to its own storage device. Additionally, the first ECU writes the decrypted update split software received via the local network to its own storage device.
  • the number of ECUs that can communicate with the ECU to be updated (first ECU) via the local network is only one.
  • the number of ECUs that can communicate with the first ECU via the local network may be two or more.
  • the information processing device 30 transmits the first update divided software A1 to the first ECU, transmits the second update divided software A2 to the second ECU, and transmits the third update divided software A3 to the third ECU.
  • the first update divided software A1 is decrypted and the first update divided software A1 is written to its own storage device.
  • the update divided software received via the global network 42 is decrypted, and the decrypted update divided software is sent to the first ECU via the local network. Then, in the first ECU, the decrypted update divided software received via the local network is also written to its own storage device.
  • the ECU to be updated is a braking ECU that adjusts the braking force generated by the vehicle 10, but this is not limited to the above.
  • Any ECU other than a braking ECU may be the ECU to be updated as long as it is capable of communicating with the information processing device 30 via the global network 42.
  • a drive ECU that controls the power source of the vehicle 10, such as an engine or a driving motor may be the ECU to be updated, or an ECU that controls an actuator that adjusts the steering angle of the wheels may be the ECU to be updated.
  • an ADASECU may be the ECU to be updated.
  • ADAS stands for "Advanced Driver Assistance System.”
  • the information processing device 30 and ECU that make up the control system are not limited to those equipped with a CPU and ROM and that execute software processing.
  • the information processing device 30 and ECU may have any of the following configurations (a) to (c).
  • the processor includes a CPU and memory such as RAM and ROM.
  • the memory stores program code or instructions configured to cause the CPU to execute processes.
  • Memory i.e., computer-readable media, includes any available media that can be accessed by a general-purpose or special-purpose computer.
  • ASIC Application Specific Integrated Circuit
  • FPGA Field Programmable Gate Array
  • (c) Equipped with a processor that executes part of the various processes in accordance with a computer program, and a dedicated hardware circuit that executes the remaining part of the various processes.
  • the term "at least one” used in this specification means “one or more” of the desired options.
  • the term “at least one” used in this specification means “only one option” or “both of two options” if the number of options is two.
  • the term “at least one” used in this specification means “only one option” or “any combination of two or more options” if the number of options is three or more.
  • An information processing device that acquires update software transmitted to the vehicle from outside the vehicle via wireless communication; A plurality of electronic control units; a global network that connects the plurality of electronic control devices and the information processing device in a communicable state; a local network for transmitting and receiving information only between a first electronic control unit and a second electronic control unit among the plurality of electronic control units, the communication speed of the local network is faster than the communication speed of the global network;
  • the first electronic control unit has a first execution device and a storage device in which software executed by the first execution device is written
  • the second electronic control unit has a second execution device, a first storage unit in which software to be executed by the second execution device is written, and a second storage unit in which the software to be executed by the second execution device is not written,
  • the second electronic control device has not only a first memory unit but also a second memory unit as a memory unit. Therefore, the information processing device transmits the encrypted update software to the second electronic control device via the global network.
  • the received update software is stored in the second memory unit.
  • the execution device of the second electronic control device decrypts the update software stored in the second memory unit and transmits the decrypted update software to the first electronic control device via the local network.
  • the communication speed of the local network is higher than the communication speed of the global network. Therefore, the time required to update the software in the memory device of the first electronic control device can be shortened by the amount of time required to transmit the update software to the first electronic control device via the local network.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Stored Programmes (AREA)

Abstract

L'invention concerne un système de commande (15) comprenant un dispositif de traitement d'informations (30), une pluralité d'ECU (50, 60, 70) et un réseau global (42). Lors de la mise à jour d'un logiciel dans un dispositif de stockage (62) d'une première ECU de commande (60), le dispositif de traitement d'informations (30) divise un logiciel de mise à jour en une pluralité d'éléments et transmet les éléments divisés du logiciel de mise à jour au réseau global (42). Un premier élément divisé du logiciel de mise à jour, qui est l'un des éléments du logiciel de mise à jour divisés et transmis par le dispositif de traitement d'informations (30), est décodé par un dispositif d'exécution (61). Un second élément divisé du logiciel de mise à jour, qui est l'un des éléments de logiciel du mise à jour divisés et transmis par le dispositif de traitement d'informations (30), est décodé par le dispositif d'exécution (71). Chacun des premier et second éléments décodés et divisés du logiciel de mise à jour est écrit dans le dispositif de stockage (62).
PCT/JP2023/031869 2022-09-27 2023-08-31 Système de commande WO2024070483A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2022153828A JP2024048009A (ja) 2022-09-27 2022-09-27 制御システム
JP2022-153828 2022-09-27

Publications (1)

Publication Number Publication Date
WO2024070483A1 true WO2024070483A1 (fr) 2024-04-04

Family

ID=90477359

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/031869 WO2024070483A1 (fr) 2022-09-27 2023-08-31 Système de commande

Country Status (2)

Country Link
JP (1) JP2024048009A (fr)
WO (1) WO2024070483A1 (fr)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015146520A (ja) * 2014-02-03 2015-08-13 株式会社デンソー 中継システム
WO2022130700A1 (fr) * 2020-12-16 2022-06-23 日立Astemo株式会社 Dispositif de commande électronique

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2015146520A (ja) * 2014-02-03 2015-08-13 株式会社デンソー 中継システム
WO2022130700A1 (fr) * 2020-12-16 2022-06-23 日立Astemo株式会社 Dispositif de commande électronique

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TAKESHI FUKUNAGA, KEI HIRAKI: "Fast single stream secure transport using AES-CTR mode", IEICE TECHNICAL REPORT, CPSY, IEICE, JP, vol. 115, no. 174 (CPSY2015-27), 11 September 2015 (2015-09-11), JP, pages 137 - 142, XP009553843 *

Also Published As

Publication number Publication date
JP2024048009A (ja) 2024-04-08

Similar Documents

Publication Publication Date Title
US20180341476A1 (en) Software updating device, software updating system, and software updating method
JP2022550446A (ja) 個々のアプリケーション用のカスタマイズされたルートプロセス
JP2024015111A (ja) ソフトウェア更新装置、更新制御方法、更新制御プログラム及びotaマスタ
WO2024070483A1 (fr) Système de commande
US11281455B2 (en) Apparatus for over the air update for vehicle and method therefor
US11995429B2 (en) Software update device, update control method, non-transitory storage medium, and server
JP2022187646A (ja) Otaマスタ、システム、方法、プログラム、及び車両
JP2022187189A (ja) Otaマスタ、センタ、システム、方法、プログラム、及び車両
WO2024062897A1 (fr) Système de commande et procédé de mise à jour de logiciel
JP7380468B2 (ja) ソフトウェア更新装置、更新制御方法、更新制御プログラム、サーバ、otaマスタ及びセンタ
US11972248B2 (en) Controlling software update of electronic control units mounted on a vehicle
WO2024062898A1 (fr) Dispositif de commande de frein et procédé de mise à jour de logiciel
US11947950B2 (en) Center, OTA master, method, non-transitory storage medium, and vehicle
US20220405083A1 (en) Ota master, system, method, non-transitory storage medium, and vehicle
US20220391193A1 (en) Ota master, system, method, non-transitory storage medium, and vehicle
US11954480B2 (en) Center, OTA master, system, method, non-transitory storage medium, and vehicle
US11947951B2 (en) Center, distribution control method, and non-transitory storage medium
JP7355061B2 (ja) センタ、otaマスタ、システム、配信方法、配信プログラム、及び車両
JP2023001993A (ja) Otaマスタ、システム、方法、プログラム、及び車両
JP2022170949A (ja) 制御装置およびデータ書き換え方法
JP2022163396A (ja) Otaマスタ、更新制御方法、更新制御プログラム及びotaセンタ
JP2024048008A (ja) 電子制御装置及びソフトウェア更新方法
JP2022126194A (ja) Otaマスタ、センタ、システム、方法、プログラム、及び車両
JP2024005741A (ja) 電子制御装置、車両制御システム、及び車両制御方法
JP2023028412A (ja) ソフトウェアの更新を制御するセンタ

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23871723

Country of ref document: EP

Kind code of ref document: A1