The present disclosure relates to an update management system and an update management method.
Among services and functions provided by a vehicle, some are realized not by a single Electronic Control Unit (ECU) but by a plurality of ECUs. For example, an Advanced Driving Assistant System (ADAS) function is realized through control by a driving control ECU, a front camera, and sensors. When the ADAS function is added, corrected, or deleted by using an Over The Air (OTA) update function, the software versions (hereinafter, SW versions) of ECUs related to the ADAS function need to be updated with a correct combination, of SW versions registered in an OTA server, that realizes the ADAS function. Thus, there is a known technology as below. That is, in a case where software of an on-vehicle ECU is to be updated by an OTA update function, even when a part of the update process is suspended, the amount of update data having been written until the occurrence of the suspension is stored, and when a rewriting process of the program is resumed, a vehicle master device is requested to transmit remaining update data in accordance with the stored amount of the update data having been written (see Patent Document 1, for example).
However, at the time of OTA update, if even a single one of a plurality of ECUs has failed in update of the SW version thereof due to abnormality of the system or the like, a correct combination of SW versions that realizes the ADAS function is not obtained, whereby the ADAS function is not realized. Therefore, conventionally, a process (rollback) of restoring all the SW versions to the states before the update is performed, whereby operation of the vehicle is guaranteed and safety is ensured. Thus, even when the state of the SW versions at the time of the update failure is not the newest versions on the server side but is newer than the versions before the update and matches an existing vehicle version, rollback is executed. Therefore, when update to the newest SW versions is performed, all of the update process needs to be executed from the beginning, which poses a problem that the update process requires a long time.
The present disclosure has been made in order to solve the above-described problem. An object of the present disclosure is to provide an update management system and an update management method that can reduce the time required for an OTA update process at the time of update failure.
An update management system according to the present disclosure includes: a software update management device for managing update of software of a plurality of update target devices installed in a vehicle; and a server provided outside the vehicle and being for managing, in time series, a set of update software versions of the plurality of update target devices, as a vehicle version. When update of software of at least one update target device out of the plurality of update target devices is not able to be performed, information of software versions of the plurality of update target devices at a time point when the update is not able to be performed is transmitted to the server, and when there is a vehicle version that matches a set of the transmitted software versions, the software update management device withholds a process of restoring the software versions of the plurality of update target devices to a state before the update.
In an update management method according to the present disclosure, when update of software of at least one update target device out of a plurality of update target devices installed in a vehicle is not able to be performed, and software versions of the plurality of update target devices at a time point when the update is not able to be performed match one of vehicle versions being a set of update software versions managed in time series, a process of restoring the software versions of the plurality of update target devices to a state before the update is withheld.
According to the update management system and the update management method according to the present disclosure, the time required for an OTA update process at the time of update failure can be reduced.
Hereinafter, a preferred embodiment of an update management system according to the present disclosure will be described with reference to the drawings. The same components and corresponding parts are denoted by the same reference characters, and detailed descriptions thereof will be omitted.
In A of
The SW versions of the ECUs 1 to 3 of the vehicle are to be updated such that the vehicle version is updated from v1.0 to v3.0 (procedure 1 in
In this case, as described above, in a case were OTA update of a plurality of ECUs is to be performed, unless all of the update target ECUs have been updated, the function is not realized. Therefore, in accordance with procedure 2 of the comparative example, the update work is rolled back to A of
In this manner, whether or not the state of update failure on the vehicle side matches the SW versions in any of the existing vehicle versions on the OTA server side is searched, and when there is a match, rollback is not executed and the matched vehicle version is maintained. Accordingly, in the next OTA update, the size of difference data corresponding to the difference between the SW versions of old programs and the SW versions of new programs can be reduced when compared with that when rollback is executed. Therefore, the time required for the OTA update process can be reduced.
An example of the configuration of such an update management system will be described in detail with reference to a function block diagram in
The vehicle 10 includes: an external communication device 11 for performing wireless communication such as mobile communication with the OTA server 20; an SW update management device 12 having a function regarding a software update process according to OTA; an SW update information display device 13 for displaying update information according to OTA; and update target devices 1 to 3 of which software is to be updated with update data. Here, description will be given assuming that the update target devices 1 to 3 are the ECUs 1 to 3.
Results of rewriting of the software of the target ECUs 1 to 3 by the software update process are returned to the OTA server 20, whereby the status of software update according to OTA of each vehicle is collectively managed by the OTA server 20.
Next, a vehicle state management device 22, the SW update management device 12, and the SW update information display device 13, which are characteristic functions of the present embodiment, will each be described with reference to
<SW update management device 12>
The SW update management device 12 has a rollback control unit 121, a server notification unit 122, a search result acquisition unit 123, a display notification unit 124, and a user input acquisition unit 125.
(1) The rollback control unit 121, in a state where even a single one of the ECUs 1 to 3 has failed in software update due to system abnormality or the like in the SW update management device 12, withholds execution of rollback and acquires update result information of the SW versions of the respective ECUs 1 to 3 at the time of the update failure. When the update result of the SW versions of the respective ECUs 1 to 3 at the time of the update failure does not match the SW versions of the respective ECUs in any of the vehicle versions in the OTA server, the rollback control unit 121 executes rollback. When there is a match in the search result of the SW versions in the vehicle versions, the rollback control unit 121 performs control corresponding to either “execute rollback” or “do not execute rollback”, in accordance with a user input.
(2) The server notification unit 122 notifies the OTA server 20 of information (i) and (ii) below from the vehicle 10 via the external communication devices 11, 23.
(3) The search result acquisition unit 123 acquires information (iii) and (iv) below from the OTA server 20 to the vehicle 10 via the external communication devices 23, 11.
(4) The display notification unit 124 notifies the SW update information display device 13 of information below.
(5) The user input acquisition unit 125 acquires information below from the SW update information display device 13.
<Vehicle State Management Device 22>
The vehicle state management device 22 has a vehicle information acquisition unit 221, a vehicle version search unit 222, and a vehicle notification unit 223.
(1) The vehicle information acquisition unit 221 acquires information below from the vehicle 10 via the external communication devices 11, 23.
(2) The vehicle version search unit 222 searches whether or not there is a match between the SW versions of the respective ECUs 1 to 3 at the time of the update failure and the SW versions of the respective ECUs in any of the vehicle versions of the OTA target vehicle registered in an OTA database 21 (hereinafter, OTA DB 21) of the OTA server 20. It should be noted that when the SW versions of the respective ECUs at the time of the update failure is the same as the SW versions in the vehicle version before the update, it is not considered that “there is a match” here.
(3) The vehicle notification unit 223 makes a notification of information below from the OTA server 20 to the vehicle 10 via the external communication devices 23, 11.
<SW Update Information Display Device 13>
The SW update information display device 13 has a search result acquisition unit 131, a rollback information display unit 132, and a user input notification unit 133.
(1) The search result acquisition unit 131 acquires information below from the SW update management device 12.
(2) The rollback information display unit 132 displays the matched vehicle version and the update contents of the SW versions in the vehicle version to the user. In addition, the rollback information display unit 132 displays “execute rollback, or do not execute rollback”, and receives, as a user input, a selection result of either “execute rollback” or “do not execute rollback” selected by the user.
(3) The user input notification unit 133 notifies the SW update management device 12 of information below.
When update has been suspended due to system abnormality, it is determined that an update failure has occurred, and the rollback control unit 121 withholds execution of rollback after the SW update failure (step S1). Then, the rollback control unit 121 acquires update result information of the SW versions of the respective ECUs 1 to 3 at the time of the update failure (hereinafter, update result information) (step S2), and transmits the update result information to the server notification unit 122.
The server notification unit 122 transfers the update result information to the OTA server 20 via the external communication devices 11, 23 (step S3).
The vehicle version search unit 222 searches whether the SW versions, in an existing vehicle version, that match the update result information transferred to the OTA server 20 are included in the OTA DB 21 (step S4).
The search result by the vehicle version search unit 222 is transferred to the vehicle 10 via the vehicle notification unit 223 and the external communication devices 23, 11 (step S5).
As the search result by the vehicle version search unit 222, when an existing vehicle version that has the SW versions that match the update result information is included in the OTA DB 21 (step S6), this information is inputted from the vehicle notification unit 223 to the search result acquisition unit 123 via the external communication devices 23, 11. Information inputted from the search result acquisition unit 123 to the display notification unit 124 is transmitted to the search result acquisition unit 131 of the SW update information display device 13, and the rollback information display unit 132 displays, to the user, the vehicle version and information regarding the update contents of the SW versions in the vehicle version (step S7). Then, selection by the user as to whether or not to allow execution of rollback is received as a user input (step S9).
When there is no existing vehicle version that has the SW versions that match the update result information, information is inputted from the search result acquisition unit 123 to the rollback control unit 121, to execute rollback (step S8). Meanwhile, when the user wishes execution of rollback, an input indicating execution is transmitted from the user input notification unit 133 to the rollback control unit 121 via the user input acquisition unit 125, and the rollback control unit 121 executes rollback (step S8).
When the user does not wish rollback, an input indicating no-execution is transmitted from the user input notification unit 133 to the user input acquisition unit 125, and based on this, the rollback control unit 121 does not execute rollback (step S10).
A rollback control result is transferred to the OTA server (step S11). When rollback has not been executed, a result indicating that rollback has not been executed, and the matched vehicle version as the search result, are registered in the OTA DB 21.
When rollback has been executed, the result of the execution and the updated vehicle version information are registered in the OTA DB 21 (step S12). It should be noted that whether or not to execute rollback may be determined only by the vehicle, without using a user operation.
As described above, according to the SW update management device 12, whether or not the state of the update failure on the vehicle side matches the SW versions in any of the existing vehicle versions on the OTA server side is searched, and when there is a match, rollback is not executed and the matched vehicle version can be maintained. In addition, since the SW update information display device 13 notifies the user whether or not execution of rollback is possible, whether or not to allow execution of rollback can be selected in accordance with needs of the user or the circumstances. Further, in the vehicle state management device 22, it is possible to search a vehicle version on the basis of which determination as to whether or not to allow execution of rollback is made. When these devices are used in combination, the time required in the OTA update process can be reduced in accordance with the circumstances and needs.
Although the disclosure is described above in terms of an exemplary embodiment, it should be understood that the various features, aspects, and functionality described in the embodiment are not limited in their applicability to the particular embodiment with which they are described, but instead can be applied, alone or in various combinations to the embodiment of the disclosure.
It is therefore understood that numerous modifications which have not been exemplified can be devised without departing from the scope of the present disclosure. For example, at least one of the constituent components may be modified, added, or eliminated.
Number | Date | Country | Kind |
---|---|---|---|
2022-080002 | May 2022 | JP | national |