
EP-4474982-B1 - IN-VEHICLE SYSTEM WITH A PLURALITY OF CONTROL DEVICES


Inventors

  • SHIOHARA, KAZUYOSHI
  • MIYAKE, MASAKI
  • FUJIMOTO, TAKAYUKI

Dates

Publication Date: 20260513
Application Date: 20230323

Claims (7)

  1. A control device (200) comprising one or more processors configured to: transmit, upon receiving update information from an external management server indicating that software stored in a first control device (210A) among a plurality of control devices is updated, to a second control device (210B) among the plurality of control devices, a switching instruction for setting a storage area thereof that stores the updated software as a start storage area, receive, at every start of the second control device (210B), a request for execution of a consistency determination processing for determining whether pieces of identification information of the updated software stored in the start storage area of each control device among the plurality of control devices are consistent, and execute, when receiving the request for the execution of the consistency determination processing from the second control device (210B), the consistency determination processing, wherein when determining that the pieces of identification information of the software stored in each start storage area are not consistent between the control devices, prohibit execution of a function implemented by the software.
  2. The control device (200) according to claim 1, being configured to transmit a completion notification to the second control device (210B) after completion of the consistency determination processing.
  3. The control device according to claim 1 or 2, wherein: when receiving the request for a determination of the executability from the first control device (210A) in a case where the request for the determination of the executability is not received from the second control device (210B) before the first control device (210A), transmit, to the first control device (210A), a determination result indicating the executability of the consistency determination processing.
  4. The control device according to claim 3, being configured to, when receiving the request for the determination of the executability from the second control device (210B) after the request for the determination of the executability from the first control device (210A), prohibit a transmission of the determination result to the second control device (210B).
  5. The control device according to any one of claims 1 to 4, being configured to transmit, to the other control device (210), a first completion notification of the consistency determination processing that is executed at a time of a start and a second completion notification of the consistency determination processing that is executed when the execution of the consistency determination processing is requested from said other control device (210).
  6. A control method performed by a control device, the method comprising: - transmitting, upon receiving update information from an external management server indicating that software stored in a first control device among a plurality of control devices is updated, to a second control device among the plurality of control devices, a switching instruction for setting a storage area that stores the updated software as a start storage area; - receiving, at every start of the second control device, a request for execution of a consistency determination processing for determining whether pieces of identification information of the updated software stored in the start storage area of each control device among the plurality of control devices are consistent, - executing, when receiving the request for the execution of the consistency determination processing from the second control device, the consistency determination processing, and - when determining that the pieces of identification information of the software stored in each start storage area are not consistent between the control devices, prohibiting execution of a function implemented by the software.
  7. A non-transitory computer readable medium that stores a program that causes one or more processors of a control device to execute the steps of the control method according to claim 6.

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present disclosure relates to an in-vehicle system and a control device.

2. Description of Related Art

A vehicle has an in-vehicle system that includes a plurality of actuators and a plurality of control devices that control each of the actuators. Functions of the control devices may be realized by software. Because the functions are realized by software, it is possible to correct or add functions by receiving update programs even after they are put on the market.

Further, for the correction or addition of functions that are executed in cooperation among the control devices, such as various kinds of driving assistance, including autonomous driving, it is required to update the software of all target control devices and to confirm whether the update in each control device has been appropriately executed.

For example, Japanese Unexamined Patent Application Publication No. 2020-123253 discloses a technology for determining whether a combination of the software of the ECUs is consistent by comparing identification information of a list stored in a storage unit of each ECU at a time of a start of the in-vehicle system. Document US 2016/170775 A1 relates to ensuring software compatibility of software updates to a vehicle component with software versions installed to other vehicle components.

SUMMARY OF THE INVENTION

The updated software may be executed at the time of the next start of the in-vehicle system in order to switch simultaneously from the pre-update software in the ECUs. In that case, whether the software has been appropriately updated is also confirmed at the time of the next start of the in-vehicle system.
However, when only some of the control devices are restarted due to some trouble, such as momentary failure of a power source, before the time of the next start of the in-vehicle system, the updated software is executed only in the control devices that are restarted, and an inconsistent state of the combination of software identification information in the control devices continues at least until the in-vehicle system is started next time, such that a correction or an addition of a function may not be appropriately implemented.

The present disclosure provides an in-vehicle system and a control device that detect inconsistency in a combination of software identification information in the control devices early.

An in-vehicle system according to a first aspect of the present disclosure includes a control device in accordance with claim 1.

In this manner, the master control device is requested to execute the consistency determination processing and executes the consistency determination processing at every start of the slave control device. For this reason, in the case where the storage area that stores the updated software is set as the start storage area at the time of the next start, even when only the slave control device is restarted due to trouble or the like, the master control device is requested to execute the consistency determination processing at the time of the restart. As such, it is possible to detect inconsistency in a combination of the identification information of the software in the control devices early.

In the first aspect, the master control device is configured to prohibit, when determining that the pieces of identification information of the software stored in the start storage area are not consistent between the control devices, execution of a function implemented by the software.
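The start-time check and fail-closed prohibition described above, sketched as an added example that is not code from the patent. The type and function names (`ecu_t`, `master_t`, `ecu_switch_start_area`, `master_on_start_request`) are hypothetical, and the example assumes that "consistent" means every start storage area holds the same software identifier; the software IDs and the scenario are constructed.

```c
#include <stdbool.h>
#include <stdint.h>

#define NUM_ECUS 2

/* Control device with two storage areas; start_bank selects the area
 * whose software runs at the next start. */
typedef struct {
    uint32_t sw_id[2];   /* identification information per storage area */
    int      start_bank; /* 0 or 1 */
} ecu_t;

typedef struct {
    ecu_t *ecus[NUM_ECUS];
    bool   function_prohibited; /* fail closed until a check passes */
} master_t;

/* Switching instruction: make the area holding new_id the start area. */
bool ecu_switch_start_area(ecu_t *e, uint32_t new_id) {
    for (int bank = 0; bank < 2; bank++)
        if (e->sw_id[bank] == new_id) { e->start_bank = bank; return true; }
    return false; /* updated image absent: start area unchanged */
}

/* Consistency determination, run on every start request from a device.
 * Assumption: consistent means identical IDs in all start areas. */
bool master_on_start_request(master_t *m) {
    uint32_t ref = m->ecus[0]->sw_id[m->ecus[0]->start_bank];
    bool consistent = true;
    for (int i = 1; i < NUM_ECUS; i++)
        if (m->ecus[i]->sw_id[m->ecus[i]->start_bank] != ref)
            consistent = false;
    m->function_prohibited = !consistent;
    return consistent;
}

/* Constructed scenario: only device B has switched when it restarts. */
int demo_partial_restart(void) {
    ecu_t a = { {1, 2}, 0 }, b = { {1, 2}, 0 };
    master_t m = { { &a, &b }, true };
    ecu_switch_start_area(&b, 2);
    bool first = master_on_start_request(&m);  /* B starts alone */
    bool blocked = m.function_prohibited;
    ecu_switch_start_area(&a, 2);
    bool second = master_on_start_request(&m); /* next request */
    return !first && blocked && second && !m.function_prohibited;
}

int main(void) { return demo_partial_restart() ? 0 : 1; }
```

Initialising `function_prohibited` to true means the cooperative function stays disabled until at least one check has passed, so a master that has not yet received any start request does not enable it by default.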
In this manner, it is possible to restrict the function to be realized by the software from being executed in a state where the combination of the identification information of the software is not consistent in the control devices.

In the first aspect, the master control device may be configured to transmit a completion notification to the slave control device after completion of the consistency determination processing. The slave control device may be configured to determine, using the completion notification, whether to request the execution of the consistency determination processing.

In this manner, when, for example, there is a plurality of requests for the execution of the consistency determination processing for the master control device, it is possible to restrict the consistency determination processing from being unnecessarily executed.

In the first aspect, the slave control device may be configured to request the master control device to determine executability of the consistency determination processing at a time of the start, and determine, using a determination result of the executability and the completion notification from the master control device, whether to request the execution of the consistency determination processing.

In this manner, by requesting the determination of the executability before requesting for the execution of the consistency determina