Arithmetic device and determination method

Document No.: 1821629  Publication date: 2021-11-09  Views: 18  Language: Chinese

Reading note: The technology 运算装置、判定方法 (Arithmetic device and determination method) was created by 寺冈秀敏 and 矢野正 on 2020-02-21. Summary: The arithmetic device of the present invention is connected to a plurality of electronic control devices, where each function is constituted by one or more of the electronic control devices. The arithmetic device includes: an external communication unit that receives, for each function, function configuration information including the 1st identification information and the 1st authentication information of the one or more electronic control devices constituting the function; an acquisition unit that acquires, from each of the plurality of electronic control devices, the version information of the software installed in that electronic control device and the 2nd identification information of that electronic control device; a calculation unit that creates, for each function, 2nd authentication information using the version information acquired by the acquisition unit for all electronic control devices constituting the function and the 2nd identification information of all electronic control devices constituting the function; and a determination unit that determines, for each function, whether the 1st authentication information and the 2nd authentication information match.

1. An arithmetic device connected with a plurality of electronic control devices,

wherein each function is constituted by 1 or more of the plurality of electronic control devices, and the arithmetic device includes:

an external communication unit that receives, for each of the functions, function configuration information including 1 st identification information and 1 st authentication information of 1 or more of the electronic control apparatuses that constitute the function;

an acquisition unit that acquires version information of software installed in the electronic control devices and 2 nd identification information of the electronic control devices from each of the plurality of electronic control devices;

a calculation unit that calculates, for each of the functions, 2 nd authentication information using the version information acquired by the acquisition unit for all of the electronic control apparatuses that constitute the function and the 2 nd identification information of all of the electronic control apparatuses that constitute the function; and

a determination unit that determines, for each of the functions, whether the 1 st authentication information and the 2 nd authentication information match.

2. The arithmetic device of claim 1,

the 1 st identification information is an identifier of the electronic control apparatus on the network,

The 2 nd identification information is an identifier indicating a kind of the electronic control apparatus.

3. The arithmetic device of claim 1,

the 1 st identification information and the 2 nd identification information are identifiers indicating the types of the electronic control apparatuses.

4. The arithmetic device of claim 1,

the arithmetic device further includes a stop control unit that, when the determination unit determines that the 1 st authentication information and the 2 nd authentication information do not match, stops or limits the function related to the 2 nd authentication information determined not to match.

5. The arithmetic device of claim 1,

the function configuration information includes, for each of the functions, a flag indicating whether execution of the function is permitted or rejected in the event of a mismatch, and

the arithmetic device further includes a stop control unit that, when the determination unit determines that the 1 st authentication information and the 2 nd authentication information do not match, stops the function related to the 2 nd authentication information determined not to match if the flag for that function in the function configuration information indicates that execution is rejected in the event of a mismatch.

6. The arithmetic device of claim 5,

when the determination unit determines that the 1 st authentication information does not match the 2 nd authentication information, then for a function related to the 2 nd authentication information determined not to match whose flag in the function configuration information indicates that execution is permitted in the event of a mismatch, the stop control unit decides whether or not to restrict the function based on the 2 nd identification information of the electronic control apparatus whose version information does not match.

7. The arithmetic device of claim 1,

the arithmetic device further includes an update control unit that, when the determination unit determines that the 1 st authentication information does not match the 2 nd authentication information, updates at least one of the function configuration information and the software of the electronic control apparatus in accordance with a command received via the external communication unit.

8. The arithmetic device of claim 1,

the arithmetic device further includes a control unit that, when the determination unit determines that the 1 st authentication information and the 2 nd authentication information do not match, records the mismatch in a storage unit.

9. The arithmetic device of claim 1,

the arithmetic device further includes a control unit that, when the determination unit determines that the 1 st authentication information and the 2 nd authentication information do not match, displays the mismatch on a display unit.

10. The arithmetic device of claim 1,

the arithmetic device is mounted on a vehicle, and

the acquisition unit, the calculation unit, and the determination unit start operating when the ignition switch of the vehicle is turned on.

11. The arithmetic device of claim 1,

when an operation command is received from the outside, the acquisition unit, the calculation unit, and the determination unit start operating.

12. A determination method executed by an arithmetic device connected to a plurality of electronic control devices,

wherein each function is constituted by 1 or more of the plurality of electronic control devices, the determination method including the steps of:

receiving 1 st identification information and 1 st authentication information of 1 or more electronic control devices constituting the function for each of the functions;

acquiring version information of software loaded in the electronic control device and 2 nd identification information of the electronic control device from each of the plurality of electronic control devices;

creating 2 nd authentication information for each of the functions, using the acquired version information of all the electronic control devices constituting the function and the 2 nd identification information of all the electronic control devices constituting the function; and

determining, for each of the functions, whether the 1 st authentication information and the 2 nd authentication information match.

Technical Field

The present invention relates to an arithmetic device and a determination method.

Background

In recent years, the size of the software installed in automotive Electronic Control Units (ECUs) has been increasing with the progress of driving assistance functions and automated driving technology. As the software scale increases, not only does the number of recalls due to software defects increase, but so does the number of units affected by a single recall. There is therefore growing demand for technology to update the software installed in ECUs remotely. Because software updates become easy, managing the hardware and software components that correspond to each function of the automobile becomes a problem. Patent document 1 discloses a vehicle identification system that identifies a vehicle equipped with a plurality of electronic control devices, the system including: a pattern storage unit that stores, as a pattern, identification data of each electronic control device mounted on each vehicle and connection data indicating the connection state between the electronic control devices; and a matching unit that matches the pattern of an arbitrary vehicle against the patterns stored in the pattern storage unit and identifies the vehicle from the identity of its pattern with a stored pattern.

Documents of the prior art

Patent document

Patent document 1: Japanese Patent Laid-Open No. 2004-276828

Disclosure of Invention

Problems to be solved by the invention

In the invention described in patent document 1, the configuration information of each function cannot be confirmed.

Means for solving the problems

An arithmetic device according to a 1 st aspect of the present invention is an arithmetic device connected to a plurality of electronic control devices, wherein each function is constituted by 1 or more of the plurality of electronic control devices, and the arithmetic device includes: an external communication unit that receives, for each of the functions, function configuration information including 1 st identification information and 1 st authentication information of the 1 or more electronic control apparatuses that constitute the function; an acquisition unit that acquires, from each of the plurality of electronic control devices, version information of the software installed in that electronic control device and 2 nd identification information of that electronic control device; a calculation unit that generates, for each of the functions, 2 nd authentication information using the version information acquired by the acquisition unit for all of the electronic control apparatuses that constitute the function and the 2 nd identification information of all of the electronic control apparatuses that constitute the function; and a determination unit that determines, for each of the functions, whether the 1 st authentication information and the 2 nd authentication information match.

A determination method according to a 2 nd aspect of the present invention is a determination method executed by an arithmetic device connected to a plurality of electronic control devices, wherein each function is constituted by at least 1 of the plurality of electronic control devices, the determination method including: receiving, for each of the functions, 1 st identification information and 1 st authentication information of the 1 or more electronic control devices constituting the function; acquiring, from each of the plurality of electronic control devices, version information of the software loaded in that electronic control device and 2 nd identification information of that electronic control device; creating 2 nd authentication information for each of the functions, using the acquired version information of all the electronic control apparatuses constituting the function and the 2 nd identification information of all the electronic control apparatuses constituting the function; and determining, for each of the functions, whether the 1 st authentication information and the 2 nd authentication information match.

ADVANTAGEOUS EFFECTS OF INVENTION

According to the present invention, the configuration information of each function can be confirmed.

Drawings

Fig. 1 is a diagram showing a configuration of a function configuration information management system S according to embodiment 1.

Fig. 2 is a block diagram showing a hardware configuration of the gateway 10.

Fig. 3 is a block diagram showing an example of the hardware configuration of the engine control ECU 13.

Fig. 4 is a block diagram showing a configuration of a control program 130 operating on the engine control ECU 13.

Fig. 5 is a block diagram showing an example of the configuration of the server 2.

Fig. 6 is a diagram showing an example of the function configuration information 61.

Fig. 7 is a block diagram showing a configuration of a gateway program 100 operating in the gateway 10.

Fig. 8 is a conceptual diagram illustrating verification of the table verification information 604 in the present embodiment.

Fig. 9 is a diagram showing an example of a display screen displayed on the HMI 12.

Fig. 10 is a flowchart showing authentication processing in the gateway 10.

Fig. 11 is a flowchart showing the repair process in the gateway 10.

Fig. 12 is a sequence diagram showing the sequence of software update of the ECU.

Fig. 13 is a diagram showing an example of a registration screen of the function configuration information 61 in the server 2.

Fig. 14 is a diagram showing the configuration of the function configuration information management system Sa in modification 1.

Fig. 15 is a block diagram showing an example of the configuration of the diagnostic device 5 in modification 1.

Fig. 16 is a diagram showing an example of the function configuration information 64 in the modification 2.

Fig. 17 is a diagram showing an example of the function configuration information 65 in modification 3.

Fig. 18 is a diagram showing an example of per-function version information 951 in embodiment 2.

Fig. 19 is a diagram showing an example of function configuration information 62 in embodiment 2.

Fig. 20 is a diagram showing an example of per-function version information 952 in embodiment 3.

Fig. 21 is a diagram showing an example of the function configuration information 63 according to embodiment 3.

Fig. 22 is a diagram showing function configuration information 61c of the function D in embodiment 4.

Fig. 23 is a diagram showing an example of function restriction information 91 according to embodiment 4.

Fig. 24 is a flowchart showing a function restriction process in the gateway 10 according to embodiment 4.

Detailed Description

Embodiment 1

Next, a function configuration information management system according to embodiment 1, in which a gateway serves as the arithmetic device of the present invention, will be described with reference to figs. 1 to 13.

(System constitution)

Fig. 1 is a diagram showing a configuration of a function configuration information management system S according to embodiment 1. The functional configuration information management system S includes a vehicle 1 and a server 2. The vehicle 1 and the server 2 are connected via an internet 3 connecting access networks or sites and an access network 4 provided by a communication service provider.

The vehicle 1 includes a gateway 10, a communication module 11, a Human Machine Interface (HMI)12, and a plurality of ECUs (electronic control units). The gateway 10, the communication module 11, and the HMI 12 are connected via an in-vehicle network 10 a.

The ECUs provided in the vehicle 1 are not particularly limited; in the present embodiment, for example, an engine control ECU 13, a brake control ECU 14, an automated driving ECU 15, and an Advanced Driver Assistance System (ADAS) ECU 16 are provided. The gateway 10 and these ECUs are connected via an in-vehicle network 10 b. Hereinafter, these ECUs connected to the gateway 10 are collectively referred to as "subordinate ECUs".

The in-vehicle network 10 a and the in-vehicle network 10 b use any one of known communication specifications such as Controller Area Network (CAN) (registered trademark), Local Interconnect Network (LIN), FlexRay, and Ethernet (registered trademark). In the present embodiment, the in-vehicle network 10 b is configured by CAN and the in-vehicle network 10 a by Ethernet. However, the in-vehicle network 10 a and the in-vehicle network 10 b may use the same communication standard. Although not shown in fig. 1, the various components in the vehicle, such as the ECUs, are connected to the battery via a power line and are supplied with electric power.

The gateway 10 relays communication data between the subordinate ECUs, updates the software of the subordinate ECUs, and confirms the consistency of the software installed in the subordinate ECUs. This confirmation of software consistency is referred to below as "verification" or "verification processing". In the present embodiment, the gateway 10 does not update or verify its own software, but the gateway 10 may do so. In this embodiment, "verification" and "matching" are used in the same sense.

The communication module 11 relays communication between the server 2 and the gateway 10, the HMI 12, and the subordinate ECUs. The HMI 12 is a device for presenting information to the user, who is an occupant of the vehicle 1, and for receiving input from the user. The HMI 12 is constituted by a display device for displaying a screen, an input device such as various switches, or a touch panel or the like that combines these devices. The engine control ECU 13 controls the engine. The brake control ECU 14 controls braking. The automated driving ECU 15 recognizes the environment, instructs the vehicle to start, and so on during automated driving. The ADAS ECU 16 performs driving assistance control such as automatic braking.

The server 2 transmits the function configuration information 61 to the gateway 10. The gateway 10 manages the function configuration of the vehicle 1 based on the function configuration information 61.

(hardware configuration of gateway)

Fig. 2 is a block diagram showing a hardware configuration of the gateway 10. The gateway 10 includes a microcomputer 101, a FROM (flash ROM) 102, a CAN communication I/F (interface) 104, and an Ethernet communication I/F 105.

The microcomputer 101 includes a CPU 1011, an SRAM 1012, a FROM 1013, a CAN communication controller 1014, and an Ethernet communication controller 1015. The CPU 1011 of the microcomputer 101 executes a program stored in the FROM 1013, controls the other components in the gateway 10, and issues data transmission and reception instructions to the other devices connected via the in-vehicle network, thereby causing the gateway 10 to function. An ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array) may be used instead of the CPU 1011.

The FROM 102 is a nonvolatile memory and stores the information received from the server 2. The CAN communication controller 1014 is an interface for CAN communication and transmits and receives data via the in-vehicle network 10 b to and from the subordinate ECUs connected to it, in response to instructions from the microcomputer 101. The Ethernet communication controller 1015 is an interface for Ethernet communication and transmits and receives data via the in-vehicle network 10 a to and from the devices connected to it, in response to instructions from the microcomputer 101.

(constitution of ECU)

Fig. 3 is a block diagram showing an example of the hardware configuration of the engine control ECU 13. Any ECU whose software is to be updated in the present embodiment has at least the hardware configuration shown in fig. 3. The engine control ECU 13 includes a microcomputer 131 and a CAN communication I/F 133.

The microcomputer 131 includes a CPU 1311, an SRAM 1312, a FROM 1313, a communication controller 1314, and an I/O controller 1315. The microcomputer 131 executes the control program stored in the FROM 1313, controls the other components in the engine control ECU 13 and the sensors and actuators 132 connected via the I/O controller, issues data transmission and reception instructions to the other devices connected via the in-vehicle network, and performs engine control. The sensors and actuators 132 acquire the data required for engine control and execute engine control in accordance with the instructions of the microcomputer 131.

The FROM 1313 also stores the version information of the control program stored in it, and an ECU ID, which is identification information identifying the type and function of the ECU. The ECU ID is also referred to as a "part number" or "model". The ECU ID is not a so-called serial number that identifies each individual unit, so a malfunctioning ECU can be replaced with another unit having the same ECU ID.

Fig. 4 is a block diagram showing a configuration of a control program 130 operating on the engine control ECU 13. However, the ECUs to be software updated in the present embodiment each have at least the same configuration as the control program 130 shown in fig. 4.

The control program 130 that realizes the functions of the engine control ECU 13 is stored in the FROM 1313 of the microcomputer 131 and executed by the CPU 1311. The set of functionalities shown in fig. 4 may take the form of function blocks, which may be divided into multiple function blocks or integrated into a few function blocks. The control program may be implemented as 1 piece of software or as a combination of 2 or more pieces of software.

The control program 130 includes a control processing unit 13001, an update control unit 13003, an information management unit 13004, and a communication control unit 13005. The control processing unit 13001 controls the I/O controller 1315 and, through it, the sensors and actuators 132 to perform engine control. The control processing unit 13001 includes a stop unit 130011, which receives a stop command and a resume command from the gateway 10 via the communication control unit 13005 and stops or resumes the functions accordingly.

The update control unit 13003 receives an operation command and data for software update from the gateway 10 via the communication control unit 13005 and controls the update of software. The information management unit 13004 reads the version information of the software and the ECU ID stored in the FROM 1313 and rewrites the version information accompanying the software update.

The communication control unit 13005 controls the communication controller 1314 to communicate with the devices connected to the in-vehicle network 10 b in accordance with instructions from the update control unit 13003 and the other units. During communication it constructs and analyzes CAN frames. The communication control unit 13005 also generates and analyzes commands conforming to a diagnostic communication protocol such as UDS (Unified Diagnostic Services, ISO 14229).
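The page says the version information and ECU ID are read from the FROM and exchanged as UDS commands carried in CAN frames, but gives no wire layout. The following is an added example, not code from the patent: a small ReadDataByIdentifier (0x22) request builder and response parser over ISO-TP, of the kind the gateway's acquisition side and the ECU's communication control unit would need. The two data identifiers, the 8-byte NUL-padded ASCII value layout, and the captured frames are assumptions constructed for the example.

```python
# Added example (not from the patent): reading an ECU's software version and
# ECU ID with UDS ReadDataByIdentifier (0x22) carried over ISO-TP on CAN.
# The DIDs, the 8-byte NUL-padded ASCII layout and the captured frames are
# assumptions constructed for this example; the page names none of them.

SID_READ_DATA_BY_ID = 0x22
POSITIVE_RESPONSE_OFFSET = 0x40
NEGATIVE_RESPONSE_SID = 0x7F

# Assumed data identifiers and value lengths (hypothetical for this example).
DID_ECU_ID = 0xF187       # ECU ID / part number, 8 bytes ASCII, NUL padded
DID_SW_VERSION = 0xF195   # software version, 8 bytes ASCII, NUL padded
DID_LAYOUT = {DID_ECU_ID: 8, DID_SW_VERSION: 8}

NRC_NAMES = {0x11: "serviceNotSupported", 0x22: "conditionsNotCorrect",
             0x31: "requestOutOfRange", 0x33: "securityAccessDenied"}


class UdsNegativeResponse(Exception):
    def __init__(self, sid, nrc):
        super().__init__(f"SID {sid:#04x} rejected: NRC {nrc:#04x} ({NRC_NAMES.get(nrc, 'unknown')})")
        self.sid, self.nrc = sid, nrc


def build_read_request(dids):
    """ISO-TP single frame carrying 0x22 plus one 16-bit DID per item."""
    payload = bytes([SID_READ_DATA_BY_ID]) + b"".join(d.to_bytes(2, "big") for d in dids)
    if len(payload) > 7:
        raise ValueError("request does not fit a single frame")
    frame = bytes([len(payload)]) + payload
    return frame + bytes(8 - len(frame))  # pad the CAN data field to 8 bytes


def isotp_reassemble(frames):
    """Rebuild one ISO-TP message from the data fields of the responder's CAN
    frames (a single frame, or a first frame followed by consecutive frames).
    Flow-control frames come from the requester and are not part of the capture."""
    first = frames[0]
    kind = first[0] >> 4
    if kind == 0x0:                                  # single frame: PCI = 0 | length
        length = first[0] & 0x0F
        return bytes(first[1:1 + length])
    if kind != 0x1:
        raise ValueError("message must start with a single or first frame")
    total = ((first[0] & 0x0F) << 8) | first[1]      # 12-bit length in the first frame
    buf = bytearray(first[2:8])
    expected_sn = 1
    for f in frames[1:]:
        if f[0] >> 4 != 0x2 or (f[0] & 0x0F) != expected_sn:
            raise ValueError("bad or out-of-order consecutive frame")
        buf += f[1:8]
        expected_sn = (expected_sn + 1) & 0x0F
    if len(buf) < total:
        raise ValueError("truncated ISO-TP message")
    return bytes(buf[:total])


def parse_read_response(payload, layout=DID_LAYOUT):
    """Decode a 0x62 response into {did: ascii_value}. Values in 0x62 carry no
    length field, so every DID must have a known layout or parsing stops."""
    if len(payload) >= 3 and payload[0] == NEGATIVE_RESPONSE_SID:
        raise UdsNegativeResponse(payload[1], payload[2])
    if not payload or payload[0] != SID_READ_DATA_BY_ID + POSITIVE_RESPONSE_OFFSET:
        raise ValueError("not a positive ReadDataByIdentifier response")
    out, pos = {}, 1
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("dangling DID byte")
        did = int.from_bytes(payload[pos:pos + 2], "big")
        pos += 2
        if did not in layout:
            raise ValueError(f"unknown DID {did:#06x}; cannot determine its length")
        value = payload[pos:pos + layout[did]]
        if len(value) < layout[did]:
            raise ValueError(f"truncated value for DID {did:#06x}")
        pos += layout[did]
        out[did] = value.rstrip(b"\x00").decode("ascii")
    return out


def read_ecu_configuration(response_frames):
    """What the acquisition unit needs per ECU: (ECU ID, software version)."""
    values = parse_read_response(isotp_reassemble(response_frames))
    return values[DID_ECU_ID], values[DID_SW_VERSION]


# Constructed capture: the engine ECU answering 0x22 F187 F195 after its update
# to 1.0.0.1. Payload = 62 F187 "engine\0\0" F195 "1.0.0.1\0" (21 bytes), split
# into a first frame and three consecutive frames.
ENGINE_ECU_RESPONSE = [
    bytes([0x10, 0x15, 0x62, 0xF1, 0x87, 0x65, 0x6E, 0x67]),
    bytes([0x21, 0x69, 0x6E, 0x65, 0x00, 0x00, 0xF1, 0x95]),
    bytes([0x22, 0x31, 0x2E, 0x30, 0x2E, 0x30, 0x2E, 0x31]),
    bytes([0x23, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00]),
]
# Constructed: an ECU rejecting the request with NRC 0x31 (requestOutOfRange).
REJECTED_RESPONSE = [bytes([0x03, 0x7F, 0x22, 0x31, 0x00, 0x00, 0x00, 0x00])]

if __name__ == "__main__":
    print(build_read_request([DID_ECU_ID, DID_SW_VERSION]).hex())
    print(read_ecu_configuration(ENGINE_ECU_RESPONSE))
```

Two points a practitioner should keep in mind. First, the parser is fed by an untrusted bus, so it checks the sequence number of every consecutive frame, the declared length, and the length of each value before indexing; an unknown DID aborts the parse rather than guessing, because 0x62 values are not self-describing. Second, everything read this way is self-reported by the ECU: the verification described later in this page confirms that the reported configuration is consistent with the server's table, not that the ECU's firmware is genuinely what it claims to be.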

(function and constitution)

In the present embodiment, each function of the vehicle 1 is realized by a single ECU or by the cooperation of a plurality of ECUs. Cooperation means cooperative operation, but each ECU does not necessarily need to be aware of the other ECUs it cooperates with; a plurality of ECUs may simply end up participating in the realization of the function. For example, when a certain function X is realized by the cooperation of the engine control ECU 13 and the automated driving ECU 15, the function X is said in the present embodiment to be "configured" by the engine control ECU 13 and the automated driving ECU 15. The engine control ECU 13 and the automated driving ECU 15 are also said to "realize" the function X.

(construction of Server)

Fig. 5 is a block diagram showing an example of the configuration of the server 2. The server 2 includes a CPU 201, a main storage unit 202, an auxiliary storage unit 203, a communication unit 204, an input unit 205, and a display unit 206. The CPU 201 loads the server program stored in the auxiliary storage unit 203 into the main storage unit 202 and executes it to control the registration and delivery of the function configuration information. The auxiliary storage unit 203 stores the function configuration information and the data for updating the ECU software that is delivered to the vehicle.

The communication unit 204 transmits and receives data to and from the vehicle 1 via the internet. The input unit 205 receives operations and input information from the operator of the server 2. The display unit 206 presents information related to the registration of the function configuration information to the operator of the server 2.

(function configuration information)

Fig. 6 is a diagram showing an example of the function configuration information 61, which is generated in the server 2 and managed by the table management unit 10001 of the gateway 10 (or of the diagnostic device 5 in modification 1). Fig. 6 (a) shows function configuration information 61a, the function configuration information 61 before the change, and fig. 6 (b) shows function configuration information 61b, the function configuration information 61 after the change.

Fig. 6 shows an example in which the function configuration information 61 is managed in table form and the configuration information of each function is recorded as one record. Each record of the function configuration information 61 includes a function identification ID 601, function identification verification information 602, a combination table 603, combination table verification information 604, and a flag 605. In the example shown in fig. 6, the function configuration information 61 has 3 records, R11, R21, and R31, but there is no upper limit on the number of records; 1 or more is sufficient. The fields of the function identification verification information 602 and the combination table verification information 604 hold values calculated by the CPU 201 of the server 2. The information in the other columns is input by the operator.

The function identification ID 601 is a field storing identification information that identifies a combination of the hardware and software of the ECUs constituting a function. "Software" here includes the version number. Therefore, the value of the function identification ID 601 changes not only when an ECU ID registered in the combination table 603 changes, but also when a software version changes. The function identification ID 601 is, for example, a combination of a character string identifying the function and a number that is incremented whenever an ECU ID or version changes.

The function identification verification information 602 is a field storing integrity verification information for the function identification ID 601, for example a digital signature over the function identification ID 601.

The combination table 603 consists of a NET ID 6031, an ECU ID 6032, and a software version 6033, and stores the combination of hardware and software of the ECUs related to the function indicated by the function identification ID 601. The NET ID 6031 stores the identification information of the ECU on the in-vehicle network: when the in-vehicle network 10 b is CAN, the NET ID 6031 stores the CAN ID, and when it is Ethernet, the NET ID 6031 stores the IP address or MAC address. The NET ID 6031 may include further information not shown, such as a network type and a channel number.

The ECU ID 6032 stores information identifying the type and function of the ECU; for example, it stores "engine" as the identification information indicating the type and function of the engine control ECU 13. A part number or the like may also be used as the identification information of the ECU. That is, the NET ID 6031 is the identifier of the ECU on the network, whereas the ECU ID 6032 is an identifier indicating the kind of the ECU. Hereinafter, the NET ID 6031 may be referred to as the "1 st identification information" and the ECU ID 6032 as the "2 nd identification information".

The software version 6033 is a field storing information for identifying the version of software loaded in the ECU. Hereinafter, the information stored in the ECU ID 6032 and the information stored in the software version 6033 are also collectively referred to as "configuration information".

The combination table verification information 604 is a field storing integrity verification information for the information registered in the combination table 603. The combination table verification information 604 is, for example, a digital signature over the concatenation of the function identification ID 601 with the ECU ID 6032 and software version 6033 values of each row of the table.

The flag 605 stores information indicating whether or not the continuation of the operation of the function indicated by the function identification ID 601 is permitted in the case where the information registered in the combination table 603 and the information collected from the subordinate ECU are inconsistent. When the operation is permitted to continue, the "operation permission" is stored, and when the operation is not permitted and the stop is necessary, the "stop" is stored.

The record R11 in fig. 6 (a) stores the information relating to the function A indicated by the function identification ID "A1". In the record R11, the function identification verification information 602 column stores "aaa", the NET ID 6031 column stores "700", the ECU ID 6032 column stores "engine", indicating the engine control ECU 13, the software version 6033 column stores "1.0.0.0", the combination table verification information 604 column stores "taaa", and the flag 605 column stores "operation permission", indicating that operation of the function may continue even if a mismatch occurs.

The record R21 in fig. 6 (a) stores the information relating to the function B indicated by the function identification ID "B1". In the record R21, the function identification verification information 602 field stores "bbb", the NET ID 6031 field stores "701", the ECU ID 6032 field stores "brake", indicating the brake control ECU 14, the software version 6033 field stores "1.0.0.0", the combination table verification information 604 field stores "tbbb", and the flag 605 field stores "stop", indicating that operation of the function should be stopped when a mismatch occurs.

The record R31 in fig. 6 (a) stores the information relating to the function C indicated by the function identification ID "C1". The function identification verification information 602 field of the record R31 stores "ccc". Since 3 ECUs constitute the function C, the NET ID 6031 contains "700", "701", and "702", the ECU ID 6032 contains "engine", "brake", and "ADAS", and the software version 6033 contains "1.0.0.0", "1.0.0.0", and "1.0.0.0". The combination table verification information 604 field of the record R31 stores "tccc", and the flag 605 field stores "stop", indicating that operation of the function should be stopped when a mismatch occurs.

Further, although an example in which the function C is constituted by 3 ECUs is shown here, as described above, 1 function may be constituted by an arbitrary number of ECUs, and there is no upper limit to the number of ECUs constituting 1 function.

Fig. 6 (b) shows the function configuration information 61b, that is, the function configuration information 61 after the software of the engine control ECU 13 has been updated from the state of the function configuration information 61a shown in fig. 6 (a). Specifically, in fig. 6 (b) the software version of the engine control ECU 13 has been updated from "1.0.0.0" to "1.0.0.1". The records R12, R22, and R32 shown in fig. 6 (b) correspond to the records R11, R21, and R31 shown in fig. 6 (a), respectively.

With the software update, the software version 6033 of every record whose ECU ID 6032 is "engine" is updated to "1.0.0.1", as shown in the records R12 and R32 of fig. 6 (b). Further, the function identification ID 601 of the records of the functions that include the engine control ECU 13, i.e. R12 and R32, is updated to "A2" and "C2" respectively. In this way, the function identification ID in the function configuration information must be updated whenever the configuration of the ECUs that realize the function changes. Because the table verification information 604 is calculated from the ECU IDs and software versions (see fig. 8), it is recomputed for those records as well.

(software constitution of gateway or diagnostic device)

Fig. 7 is a block diagram showing a configuration of a gateway program 100 operating in the gateway 10.

The gateway program 100 that realizes the functions of the gateway 10 is stored in the FROM 1013 of the microcomputer 101 and executed by the CPU 1011. The functionality shown in fig. 7 is drawn as function blocks; these may be further divided into more blocks or integrated into fewer blocks. The program may be implemented as 1 piece of software or as a combination of 2 or more pieces of software.

The gateway program 100 includes a control unit 10000, a table management unit 10001, a calculation determination unit 10002, an acquisition unit 10004, a stop control unit 10005, and a communication control unit 10006. The control unit 10000 controls the table management unit 10001, calculation determination unit 10002, acquisition unit 10004, stop control unit 10005, and communication control unit 10006. The table management unit 10001 manages the function configuration information 61 stored in the FROM 1013.

The calculation determination unit 10002 calculates a verification value from the configuration information received from the acquisition unit 10004 and determines whether it matches the table verification information 604 contained in the function configuration information 61. It outputs the result of the determination to the stop control unit 10005. The verification value is calculated in the same manner as on the server 2; it therefore matches the table verification information 604 exactly when the ECU IDs and software versions used by the calculation determination unit 10002 are the same as those the server 2 used.

The acquisition unit 10004 acquires the configuration information, that is, the ECU ID and software version, from each ECU based on the information managed by the table management unit 10001, and outputs it to the calculation determination unit 10002. The stop control unit 10005 controls whether a function in which a mismatch occurred continues or stops, based on the operation permit/stop flag managed by the table management unit 10001 and the determination output of the calculation determination unit 10002.

The communication control unit 10006 controls the CAN communication controller 1014 and the Ether communication controller 1015 according to instructions from the stop control unit 10005 and others, to communicate with the devices connected to the in-vehicle networks 10a and 10b. When communicating with a device on the in-vehicle network 10a, the communication control unit 10006 analyzes and generates TCP/IP packets, UDP/IP packets and the like. When communicating with a device on the in-vehicle network 10b, the communication control unit 10006 analyzes and generates CAN frames. The communication control unit 10006 is also referred to as the "external communication unit" because it can communicate with the outside of the vehicle 1 via the communication module 11.

(verification)

Fig. 8 is a conceptual diagram illustrating verification of the table verification information 604 in the present embodiment. For convenience, step numbers are given in fig. 8 to express correspondence with the following description. The step numbers do not correspond to those of the flowcharts described later.

The server 2 holds a secret key SK in advance, and the gateway 10 holds the corresponding public key PK in advance. The CPU 201 of the server 2 creates, for each function, a bit string X in which the configuration information is concatenated according to a predetermined rule (S901). For example, where the only ECU constituting the function A is the engine control ECU, as in fig. 6, the CPU 201 converts the ECU ID "engine" according to a predetermined rule, for example into its UTF-8 character codes, obtaining "0x834712345" in this illustration, and converts the version number "1.0.0.0" according to a predetermined rule, obtaining "0x1000". The concatenation of these 2 bit strings, "0x8347123451000", is then used as the bit string X of the function A.

When a function is constituted by a plurality of ECUs, the order in which the per-ECU bit strings are arranged when generating the bit string X is fixed by a predetermined rule, for example ascending order of NET ID.

The CPU 201 then creates a digital signature Y over the bit string X using the secret key SK (S902). The digital signature Y is stored as the table verification information 604 of the function configuration information 61 and transmitted to the gateway 10. The method by which the digital signature Y is created is agreed in advance with the gateway 10.

The gateway 10, referring to the function configuration information 61 received from the server 2, reads the configuration information from the ECUs of each function and creates a bit string Z, the verification value, according to a predetermined rule (S903). The rule for creating the bit string Z is the same as the rule for creating the bit string X on the server 2. The gateway 10 then decrypts the digital signature Y stored as the table verification information 604 in the function configuration information 61 using the public key PK, and obtains the bit string X (S904).

If the secret key SK and the public key PK prepared in advance form a valid pair, the bit string X recovered in the gateway 10 is identical to the bit string X created in the server 2, whatever ECUs are connected to the gateway 10. Finally, the gateway 10 determines whether the bit string X is identical to the bit string Z, and thereby whether the verification passes (S905).

In generating the digital signature Y, the signature may be computed not over the bit string X itself but over a hash value of X, or over the XOR of X with a predetermined value. With such a hash-and-sign scheme the gateway 10 does not recover X; it verifies Y against the hash of Z, which yields the same match decision. The execution order of S903 and S904 may also be reversed, or the two may be executed substantially simultaneously. The bit string Z is hereinafter also called the "verification value". Strictly, the object of comparison of the bit string Z is the bit string X, but to avoid redundancy the following description uses the shorthand "match determination between the bit string Z and the digital signature Y" or "match determination between the verification value and the table verification information 604".

(Vehicle-side display example)

Fig. 9 shows examples of display screens shown on the HMI 12. The display G1a in fig. 9 (a) informs the user that a mismatch between the function configuration information and the actual configuration has been detected. If a function has been stopped because of the mismatch, the stopped function can additionally be shown on the screen. The display G1b in fig. 9 (b) shows the user which functions have been stopped because of the mismatch of the function configuration information.

The display G1c in fig. 9 (c) urges the user to contact the dealer for repair because the mismatch of the function configuration information cannot be resolved by the vehicle itself. The display G1d in fig. 9 (d) informs the user that the mismatch of the function configuration information has been repaired and some of the functions have been restored.

(Verification procedure)

Fig. 10 is a flowchart of the verification processing in the gateway 10. The processing of fig. 10 is executed when the ignition switch of the vehicle 1 is turned on. The gateway 10 may be connected to the ignition switch by a signal line and receive the on/off signal directly from it, or it may start operating on receiving an operation command from an ECU (not shown) connected to the ignition switch.

First, the control unit 10000 sets the processing target record x to 1 (S101). With the function configuration information 61 of fig. 6 (a), the record R11 is read when x is 1 and the record R21 when x is 2. Through the determination at S112 described later, the gateway program 100 repeats S103 to S111 once for each record stored in the function configuration information 61.

The control unit 10000 reads the NET ID of the processing target record x in the function configuration information 61 and instructs the acquisition unit 10004 to read the configuration information from the ECU having that NET ID (S103). The acquisition unit 10004 reads the configuration information, that is, the combination of ECU ID and software version, from the ECU via the communication control unit 10006 and passes it to the calculation determination unit 10002 (S104). When a record has a plurality of NET IDs, as the record R31 of fig. 6 (a), the configuration information is read for all of them. The calculation determination unit 10002 calculates the verification value from the received configuration information (S105).

The calculation determination unit 10002 reads the table verification information 604 of the processing target record x in the function configuration information 61 and determines whether it matches the verification value calculated in S105 (S106). If they match (yes in S107), the process proceeds to S112, where the control unit 10000 checks whether any record remains unconfirmed. If none remains (no in S112), the control unit 10000 checks whether any of the confirmed records had a mismatch. If there was no mismatch at all, that is, the verification values calculated for all records of the function configuration information 61 matched the table verification information 604 read from it (no in S113), the process ends.

If there was a mismatch, that is, the verification value calculated for any record of the function configuration information 61 did not match the table verification information 604 read from it (yes in S113), the control unit 10000 instructs the HMI 12 to display the screen G1a of fig. 9 (S114), and the process ends. If an unconfirmed record remains (yes in S112), the control unit 10000 advances the processing target record x to the next record (S115) and returns to S103.

If the verification value does not match (no in S107), the control unit 10000 records a DTC (diagnostic trouble code), a failure code indicating that the version information does not match (S108). The stop control unit 10005 receives the processing target record x and the comparison result from the control unit 10000 and reads the flag 605 of that record from the function configuration information 61 (S109). If the flag 605 indicates "operation permitted" (yes in S110), the stop control unit 10005 does nothing and processing continues. If the flag 605 does not indicate "operation permitted" (no in S110), the stop control unit 10005 instructs the ECUs registered in the processing target record x of the function configuration information 61, via the communication control unit 10006, to stop the function (S111). This concludes the description of fig. 10.
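The following Go program is an added example and not code from the patent. It ties the fig. 8 verification to the fig. 10 loop: the server side builds the bit string X for each function with the member ECUs ordered by NET ID and signs a SHA-256 hash of X with Ed25519 (the hash-and-sign variant the text allows), and the gateway side reads each member ECU's ECU ID and software version, builds Z, checks Y against it with the public key, and on mismatch records a DTC and stops the function only when the record's flag 605 says so. The 2-byte length prefix on each field of the bit string, the choice of Ed25519, the DTC string, the in-memory map that stands in for the CAN/Ether query, and the "permit" flag for function A are this example's assumptions; the NET IDs, ECU IDs, versions and the engine-only update to "1.0.0.1" follow fig. 6.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// EcuConfig is what an ECU reports when queried: ECU ID 6032 and software version 6033.
type EcuConfig struct{ EcuID, Version string }

type FunctionRecord struct {
	FunctionID     string
	NetIDs         []uint16 // NET ID 6031 of each member ECU
	TableVerif     []byte   // table verification information 604, i.e. signature Y
	StopOnMismatch bool     // flag 605, reduced to stop/permit
}

// bitString builds X (server side) or Z (gateway side) as in fig. 8: members ordered by
// NET ID from small to large, ECU ID then version appended for each. The 2-byte length
// prefix per field is this example's assumption; without it ("ab","c") and ("a","bc")
// would encode to the same bytes.
func bitString(members map[uint16]EcuConfig) []byte {
	ids := make([]uint16, 0, len(members))
	for id := range members {
		ids = append(ids, id)
	}
	sort.Slice(ids, func(i, j int) bool { return ids[i] < ids[j] })
	var out []byte
	for _, id := range ids {
		for _, f := range []string{members[id].EcuID, members[id].Version} {
			out = append(out, byte(len(f)>>8), byte(len(f)))
			out = append(out, f...)
		}
	}
	return out
}

// serverSign is S901/S902 on the server 2: build X from the registered configuration
// and sign its SHA-256 hash with the secret key SK.
func serverSign(sk ed25519.PrivateKey, registered map[uint16]EcuConfig) []byte {
	h := sha256.Sum256(bitString(registered))
	return ed25519.Sign(sk, h[:])
}

// gatewayVerify is S903-S905 for one record: read the configuration of the ECUs named
// by the record's NET IDs (the bus map stands in for the CAN/Ether query), build Z and
// check Y against it with PK. Ed25519 does not "decrypt" Y back into X; Verify compares
// Y with Z directly, which is the same match decision. A silent ECU counts as a mismatch.
func gatewayVerify(pk ed25519.PublicKey, rec FunctionRecord, bus map[uint16]EcuConfig) bool {
	members := make(map[uint16]EcuConfig, len(rec.NetIDs))
	for _, id := range rec.NetIDs {
		if _, ok := bus[id]; !ok {
			return false
		}
		members[id] = bus[id]
	}
	h := sha256.Sum256(bitString(members))
	return ed25519.Verify(pk, h[:], rec.TableVerif)
}

// CheckResult: one DTC per mismatched record (S108) and the functions told to stop (S111).
type CheckResult struct{ DTCs, Stopped []string }

// checkAll is the loop S101-S115 over every record of the table.
func checkAll(pk ed25519.PublicKey, table []FunctionRecord, bus map[uint16]EcuConfig) CheckResult {
	var res CheckResult
	for _, rec := range table {
		if gatewayVerify(pk, rec, bus) {
			continue // S107: match, next record
		}
		res.DTCs = append(res.DTCs, "CONFIG_MISMATCH:"+rec.FunctionID) // S108
		if rec.StopOnMismatch {                                     // S110: not permitted
			res.Stopped = append(res.Stopped, rec.FunctionID) // S111
		}
	}
	return res
}

// Scenario reproduces fig. 6: A (engine), B (brake) and C (engine, brake, ADAS) are
// registered at 1.0.0.0, then only the engine ECU is updated to 1.0.0.1 without a new
// table. Flags "stop" for B and C follow the text; "permit" for A is a constructed
// assumption. Returns the check results before and after the update.
func Scenario() (before, after CheckResult, err error) {
	pk, sk, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return before, after, err
	}
	bus := map[uint16]EcuConfig{700: {"engine", "1.0.0.0"}, 701: {"brake", "1.0.0.0"}, 702: {"ADAS", "1.0.0.0"}}
	table := []FunctionRecord{
		{"A1", []uint16{700}, serverSign(sk, map[uint16]EcuConfig{700: bus[700]}), false},
		{"B1", []uint16{701}, serverSign(sk, map[uint16]EcuConfig{701: bus[701]}), true},
		{"C1", []uint16{700, 701, 702}, serverSign(sk, map[uint16]EcuConfig{700: bus[700], 701: bus[701], 702: bus[702]}), true},
	}
	before = checkAll(pk, table, bus)
	bus[700] = EcuConfig{"engine", "1.0.0.1"} // over-the-air update of the engine ECU only
	after = checkAll(pk, table, bus)
	return before, after, nil
}

func main() {
	before, after, err := Scenario()
	fmt.Println("before:", before, "after:", after, err)
}
```

Scenario() returns no DTC before the update and two DTCs after it, for A1 and C1, with only C1 in the stop list: B1 still matches, and A1's flag permits operation despite the mismatch. An ECU that does not answer is treated as a mismatch of its function rather than as an error that aborts the loop, so the remaining records are still checked.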

(Repair procedure on mismatch)

Fig. 11 is a flowchart of the repair processing in the gateway 10. The processing of fig. 11 is executed after the processing of fig. 10 has completed, when a mismatch was found in any record of the function configuration information 61. It need not wait for the processing of fig. 10 to complete, however; it may, for example, be started in parallel with S108 as soon as a negative determination is made in S107.

The control unit 10000 first transmits configuration information, including the details of the mismatched function configuration information, to the server 2 (S201). The server 2 returns one of the following 3 replies depending on the configuration information received from the gateway 10. The 1st reply is an instruction to update the function configuration information 61, the 2nd reply is an instruction to update the software of an ECU, and the 3rd reply is an instruction to update both the function configuration information 61 and the software of the ECU. The server 2 chooses among the replies 1 to 3 based on, for example, the update date and time of the function configuration information 61, the update date and time of the ECU software, and the software version numbers. The server 2 may also return a reply containing no update instruction.

When the control unit 10000 receives the reply from the server 2 (S202), it determines whether the reply contains an update instruction. If not (no in S203), the control unit 10000 instructs the HMI 12 to display the screen G1c of fig. 9 (c) (S204) and ends the processing of fig. 11. If the reply contains an update instruction, the control unit 10000 determines whether it includes an update instruction for the function configuration information 61. If so (yes in S205), the control unit 10000 updates the function configuration information 61 (S206).

Next, the control unit 10000 determines whether the reply from the server 2 includes a software update instruction for an ECU. If not (no in S207), the control unit 10000 instructs the ECUs whose function was stopped to resume it (S209), instructs the HMI 12 to display the screen G1d of fig. 9 (d) (S210), and ends the processing of fig. 11. If it does (yes in S207), the control unit 10000 executes the ECU software update processing (S208). When the software update completes, the control unit 10000 instructs the ECUs whose function was stopped to resume it (S209), instructs the HMI 12 to display the screen G1d of fig. 9 (d) (S210), and ends the processing of fig. 11. Note that this flow resumes the functions without re-running the verification of fig. 10; re-running it after S206 or S208 would confirm that the mismatch has actually been cleared before the function is restored.

(Software update procedure)

Fig. 12 is a sequence diagram showing the sequence of software update of the ECU. Note that, although the engine control ECU 13 is described as the processing target for software update in fig. 12 as an example of the processing, the order described below is common to all the processing target ECUs.

The gateway 10 first reads the ECU ID and software version from the engine control ECU 13 that is the update target (S2081). Next, the gateway 10 transmits the acquired ECU ID and software version, that is, the configuration information, to the server 2 (S2082). The server 2 determines from the received configuration information whether a software update is available for the vehicle, and transmits the resulting update information to the gateway 10 (S2083). The gateway 10 then downloads the data needed for the update from the server 2 (S2084). This data includes the new software and the updated function configuration information 61.

Next, the gateway 10 controls the engine control ECU 13 as the update target to update the software of the engine control ECU 13 (S2085). When the update is completed, the gateway 10 updates the function configuration information 61 (S2086).

In the software update processing of S208 in fig. 11, S2081 to S2083 have in effect already been performed in S201 of fig. 11, so they may be omitted. If the downloaded data does not include function configuration information 61, the gateway 10 may skip S2086.

(Server-side display example)

Fig. 13 shows an example of the registration screen for the function configuration information 61 on the server 2. The registration screen G2 is shown on the display unit 206 of the server 2 and consists of a target function G21, a function identification ID G22, a function-realizing ECU area G23, a mismatch action G24, a registration button G25, and a line addition button G26.

The target function G21 is an area for setting information for identifying a management target function such as an emergency braking function, and in the present example, "function C" is set as indicated by reference numeral G21 a. The function identification ID G22 is an area in which identification information for uniquely identifying the configuration of the management object is set, and in the present example, "C1" is set as indicated by a symbol G22 a.

The function-realizing ECU area G23 is where the information uniquely identifying the ECUs that realize the target function G21 is set; it consists of NET ID, ECU ID and software version. In this example the function C is realized by the 3 ECUs indicated by the symbols G23a to G23c. The ECU indicated by G23a has NET ID "700", ECU ID "engine" and software version "1.0.0.0". The ECU indicated by G23b has NET ID "701", ECU ID "brake" and software version "1.0.0.0". The ECU indicated by G23c has NET ID "702", ECU ID "ADAS" and software version "1.0.0.0".

The mismatch action G24 is where the operation of the function indicated by the target function G21 on detection of a mismatch in its configuration information is set; in this example "stop" is set, as indicated by G24a. The registration button G25 registers the input information in the server 2; when the operator clicks it, the CPU 201 calculates the values of the function identification verification information 602 and the table verification information 604 fields. The line addition button G26 adds an input row for a further function-realizing ECU.

According to embodiment 1 described above, the following operational effects are obtained.

(1) The gateway 10 is connected with a plurality of ECUs, and each function is constituted by 1 or more of those ECUs. The gateway 10 includes: a communication control unit 10006, the external communication unit, which receives for each function the function configuration information 61 containing the NET ID 6031, the 1st identification information of the 1 or more ECUs constituting the function, and the table verification information 604, the 1st verification information; an acquisition unit 10004, which acquires from each of the plurality of ECUs the software version 6033 of the software installed in the ECU and the ECU ID 6032, the 2nd identification information of the ECU; and a calculation determination unit 10002, which for each function calculates the bit string Z, the 2nd verification information, from the software versions 6033 acquired by the acquisition unit for all ECUs constituting the function and the ECU IDs 6032 of all ECUs constituting the function, and which determines for each function whether the 1st verification information and the 2nd verification information match. The gateway 10 can therefore confirm the configuration information of every function constituted by the ECUs connected to it.

When a function is constituted by a plurality of ECUs, the software versions installed in those ECUs should be combined as expected, because a combination that has not been verified beforehand may not be guaranteed to operate. Since software updates can be delivered over wireless communication, the likelihood that the software versions end up in a combination other than the predetermined one is higher than when updates are performed by bringing the vehicle to a dealer. Further, when an ECU fails it may be replaced by another ECU of the same model whose software version differs from that of the original ECU. In such cases the verification processing described in this embodiment confirms the configuration information of each function, revealing a problem or confirming that there is none.

(2) The 1 st identification information is NET ID 6031 which is an identifier of the ECU on the network. The 2 nd identification information is an ECU ID 6032 which is an identifier indicating the kind of the ECU.

(3) The function configuration information 61 includes, for each function, a flag 605 indicating whether execution is permitted on mismatch. When the calculation determination unit 10002 determines that the 1st verification information and the 2nd verification information do not match, the stop control unit 10005 stops the function whose 2nd verification information was determined not to match and whose flag in the function configuration information indicates that execution is not permitted on mismatch. The gateway 10 can therefore stop a mismatched function according to the setting of the flag 605.

(4) When the calculation determination unit 10002 determines that the 1st verification information and the 2nd verification information do not match, the control unit 10000 updates at least one of the function configuration information 61 and the software of the ECU in accordance with the instruction received via the Ether communication controller 1015. The gateway 10 can therefore update at least one of the function configuration information 61 and the ECU software when a mismatch exists.

(5) When the calculation determination unit 10002 determines that the 1st verification information and the 2nd verification information do not match, the control unit 10000 records the occurrence of the mismatch as a failure code in the FROM 102, which serves as the storage unit. The occurrence of the mismatch can therefore be confirmed afterwards by reading the FROM 102.

(6) When the calculation determination unit 10002 determines that the 1st verification information and the 2nd verification information do not match, the control unit 10000 causes the HMI 12, which serves as the display unit, to display that the mismatch occurred. The occupant of the vehicle 1 can therefore learn of the mismatch from the display of the HMI 12.

(7) The gateway 10 is mounted on the vehicle 1, and the acquisition unit 10004 and the calculation determination unit 10002 start operating when the ignition switch of the vehicle 1 is turned on. By operating at vehicle start, a software mismatch can be detected before the vehicle 1 starts running or while it is still running at low speed.

(modification 1)

The confirmation of the configuration information of each function may be realized by a device other than the gateway 10. For example by a diagnostic device connectable to the vehicle 1.

Fig. 14 shows the configuration of the function configuration information management system Sa of modification 1. It differs from embodiment 1 in that a diagnostic device 5 is added. In this modification, the function configuration information 61 transmitted by the server 2 is received by the diagnostic device 5. The diagnostic device 5 and the gateway 10 are connected via a general-purpose connector 600 such as an OBD-II connector. In fig. 14 the communication module 11 is not connected to the server 2, but when the software of an ECU is updated, the communication module 11 communicates with the server 2 as in embodiment 1.

(constitution of diagnostic device)

Fig. 15 is a block diagram showing a configuration example of the diagnostic device 5. The diagnostic device 5 includes a CPU 501, a main storage unit 502, an auxiliary storage unit 503, a 1st communication unit 504, a 2nd communication unit 505, an input unit 506, and a display unit 507. The CPU 501 executes a program stored in the auxiliary storage unit 503 or elsewhere on the main storage unit 502 to perform the control that manages the function configuration. The auxiliary storage unit 503 stores the function configuration management information and the ECU software update data to be delivered to the vehicle.

The 1 st communication unit 504 transmits and receives data to and from the server 2 via the internet 3. The 2 nd communication unit 505 transmits and receives data to and from the vehicle 1. The input unit 506 receives an operation and input information from an operator who operates the diagnostic apparatus 5. The display unit 507 displays function configuration management information to the operator who operates the diagnostic apparatus 5.

(action)

In the present modification, the verification process shown in fig. 10 is started by the operator giving an operation instruction from the input unit 506. In the present modification, the gateway 10 mediates communication with each ECU in accordance with an operation command of the diagnostic device 5. Other operations are the same as those of embodiment 1.

(modification 2)

In embodiment 1 described above, the function configuration information 61 further includes the ECU ID 6032 and the software version 6033. However, the gateway 10 does not actually need the ECU ID 6032 or the software version 6033 from the table, in the verification processing or elsewhere, so the function configuration information 61 need not include them.

Fig. 16 shows an example of the function configuration information 64 of modification 2. In the function configuration information 64, the combination table 603 consists only of the NET ID 6031. The operation of the gateway 10 in this modification is the same as in embodiment 1. As noted above, in embodiment 1 the gateway 10 never refers to the ECU ID 6032 or the software version 6033 recorded in the function configuration information 61 received from the server 2, so deleting them from the function configuration information 64 has no effect.

(modification 3)

In embodiment 1 described above, the function configuration information 61 further includes NET ID 6031 and software version 6033. However, the NET ID 6031 and the software version 6033 may not be included in the function configuration information 61.

Fig. 17 shows an example of the function configuration information 65 of modification 3. In the function configuration information 65, the combination table 603 consists only of the ECU ID 6032. In this modification, S103 to S105 of fig. 10 in the gateway 10 are changed as follows. The gateway 10 sends a message to all connected ECUs inquiring their ECU ID and software version. It then creates the verification information, that is, the bit string Z of fig. 8, for each function described in the function configuration information 65 from the ECU IDs and software versions obtained.

In embodiment 1, the gateway 10 uses NET ID 6031 to determine an ECU that constitutes a function for each function and makes an inquiry. However, in the present modification, since NET ID 6031 is not included in function configuration information 65, an inquiry is made to all connected ECUs. In the present modification, since the ECU constituting each function in the function configuration information 65 is specified by the ECU ID 6032, the gateway 10 creates the bit string Z for each function using the ECU ID and version information obtained as a reply to the inquiry.

(modification 4)

In embodiment 1 described above, the function configuration information 61 includes the flag 605. However, the flag 605 need not be included in the function configuration information 61. In that case the gateway 10 is configured to uniformly permit, or uniformly not permit, operation at S110 of fig. 10. The function may also be restricted instead of stopped; restricting a function means reducing its processing capability or the range of functions it realizes.

According to the present modification, the following operational effects are obtained.

(8) When the calculation determination unit 10002 determines that the 1st verification information and the 2nd verification information do not match, the stop control unit 10005 stops or restricts the function whose 2nd verification information was determined not to match. A function in which a software mismatch is detected can therefore be uniformly stopped or restricted.

(modification 5)

In embodiment 1 described above, the information is verified between the server 2 and the gateway 10 using public key cryptography. The verification method is not limited to this; various known methods may be substituted or combined within the scope of the invention. For example, still within public key cryptography, verification may be performed by encrypting with the secret key SK on the server 2 and decrypting with the public key PK on the gateway 10. A symmetric-key method may also be used instead of the public key method, for example a message authentication code, possibly combined with a salt. Note that with a symmetric-key method the gateway 10 must hold the same secret as the server 2, so extracting that secret from a single gateway 10 suffices to forge the table verification information 604, whereas with a signature the gateway 10 holds only the public key PK.

(modification 6)

The reply from the server 2 to the gateway 10 may also include a restoration permission flag. In that case, at S209 of fig. 11 the control unit 10000 of the gateway 10 instructs restoration of the function only to those ECUs for which the restoration permission flag permits restoration.

(modification 7)

Although not specifically described in embodiment 1, the gateway 10 may also verify the function identification verification information 602 in the same manner as the table verification information 604. In that case the gateway 10 verifies the function identification verification information 602, for example, before S108 of fig. 10; if the verification succeeds the process proceeds to S112, and if it fails the process proceeds to S108. According to this modification, the function identification ID 601 can be verified as well.

(modification 8)

The server 2 may further use at least one of the function identification ID 601 and the NET ID 6031 in the calculation of the table verification information 604. In this case, the gateway 10 performs the same calculation in the verification process.

(modification 9)

In embodiment 1 described above, the gateway 10 starts the verification process when the ignition switch of the vehicle 1 is turned on. The gateway 10 may instead start the verification process upon receiving an operation instruction from the outside. For example, the gateway 10 may receive an operation command from outside the vehicle 1 via the communication module 11, or may receive an operation command from an ECU or the like mounted in the vehicle 1, and start the operation in response.

(modification 10)

In the above-described embodiment 1, the server 2 creates the function configuration information 61 based on the information input by the operator. However, the function configuration information 61 may be created by the operator in advance, and the operator may store the function configuration information 61 itself in the auxiliary storage unit 203 of the server 2.

Embodiment 2

A 2 nd embodiment of a gateway as an arithmetic device according to the present invention will be described with reference to fig. 18 to 19. In the following description, the same components as those in embodiment 1 are denoted by the same reference numerals, and different points are mainly described. The contents not specifically described are the same as those of embodiment 1. The main difference between the present embodiment and embodiment 1 is that the software version is managed in the ECU for each function. Accordingly, the information stored in the function configuration information also differs from that of embodiment 1.

Fig. 18 is a diagram showing an example of the per-function version information 951 stored in each ECU in embodiment 2. Using the engine control ECU 13 as a specific example, fig. 18 (a) shows the per-function version information 951a of the engine control ECU 13 before update, and fig. 18 (b) shows the per-function version information 951b of the engine control ECU 13 after update. The engine control ECU 13 contributes to the realization of the functions A and C. Therefore, the per-function version information 951 stored in the engine control ECU 13 consists of the software version "1.0.0.0", the function A version "1", and the function C version "1", as shown in fig. 18 (a). The per-function version information 951 is updated as the software is updated.

In the updated per-function version information 951b shown in fig. 18 (b), the software version is updated to "1.0.1.0" and the function A version is updated to "2". No update related to function C is made, so the function C version remains "1".

Fig. 19 is a diagram showing an example of the function configuration information 62 in the present embodiment. Fig. 19 (a) shows the function configuration information 62a before update, and fig. 19 (b) shows the function configuration information 62b after update. The example shown in fig. 19 (a) includes records such as R41, R51, and R61, and the example shown in fig. 19 (b) includes records such as R42, R52, and R62. Compared with the function configuration information 61 in embodiment 1, the function configuration information 62 in the present embodiment is obtained by deleting the software version 6033 field and adding the DID 6034 and function version 6035 fields.

The DID 6034 stores the identification information used when the version of each function is read from the ECU; that is, the DID 6034 is identification information of a function, set for reading version information. The DID 6034 may correspond one-to-one to the function in a manner common to all the ECUs, as shown in fig. 19, or the correspondence between DID and function may differ for each ECU. For example, fig. 19 shows a case where the version information of function C is read out in record R61 by means of the DID 6034 "F003", which is common to the 3 ECUs.

Comparing fig. 19 (a) with fig. 19 (b), the record R41 differs from the record R42, but the records R51 and R61 are identical to the records R52 and R62. This is because the version information of the software itself is not stored in the function configuration information 62; only the version information of each function of each software is stored in the function configuration information 62.

(other differences)

In the present embodiment, when an ECU receives an inquiry from the gateway 10 for the software version information that includes the DID 6034, it operates as follows: the ECU refers to the function configuration information 62 stored in the FROM 1313 and returns the version information of the function corresponding to the received DID 6034.

In S104 in fig. 10, the gateway 10 sends an inquiry for version information, together with the DID 6034, to the ECU whose NET ID is stored in the function configuration information 62. For example, when the processing target record X is 1, the gateway 10 sends the inquiry for version information, together with the DID 6034 "F001", to the ECU whose NET ID is "700".

In the present embodiment, the server 2 generates the bit string X using the ECU ID 6032 and the function version 6035, and generates the table verification information 604 as a digital signature of X. The gateway 10 creates the bit string Z using the ECU ID 6032 and the function version 6035 acquired from the ECUs, and verifies the table verification information 604 against Z.

As described above, by managing version information of the relevant software portion in the ECU for each function, it is possible to reduce the influence on the function configuration information at the time of software update and reduce the change portion of the function configuration information 62.

(modification of embodiment 2)

The server 2 may further use the value of DID 6034 for creating the bit string X. In this case, the gateway 10 also uses the value of DID 6034 for creating the bit string Z.
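The server-side creation of the verification information and the gateway-side check described for embodiment 2, together with the DID binding of the modification just above, as an added example. This code is not part of the patent and is not the applicant's implementation. It assumes a constructed ECU fleet in the style of fig. 18, a constructed function configuration record in the style of fig. 19, and it substitutes an HMAC over a pre-shared key for the digital signature of embodiment 2 (a substitution modification 5 permits); the helper names, the field separators, and the DID value "F001" for function A are assumptions.

```python
import copy
import hashlib
import hmac

# Constructed sample data (not from the patent): per-function version
# information in the style of fig. 18, keyed by NET ID. Each ECU holds its
# software version plus one version value per function it contributes to,
# each readable through a DID.
ECU_FLEET = {
    "700": {"ecu_id": "engine", "sw_version": "1.0.0.0",
            "func_versions": {"F001": "1", "F003": "1"}},   # functions A and C
    "701": {"ecu_id": "brake", "sw_version": "1.0.0.0",
            "func_versions": {"F001": "1"}},
    "702": {"ecu_id": "ADAS", "sw_version": "1.0.0.1",
            "func_versions": {"F003": "1"}},
}

# Constructed function configuration record in the style of fig. 19:
# (NET ID 6031, ECU ID 6032, function version 6035) per ECU, one DID 6034.
FUNCTION_A_RECORD = {
    "function": "A",
    "did": "F001",
    "ecus": [("700", "engine", "1"), ("701", "brake", "1")],
}

SHARED_KEY = b"demo-key-not-a-real-secret"   # assumption: pre-shared MAC key


def ecu_respond(net_id, did, fleet=ECU_FLEET):
    """ECU side: return the version of the function identified by the DID."""
    return fleet[net_id]["func_versions"].get(did)   # None if not contributing


def build_bit_string(entries, did=None):
    """Concatenate (ECU ID, function version) for every ECU of the function.
    Explicit separators keep the encoding unambiguous ("ab"+"c" vs "a"+"bc")."""
    parts = [ecu_id.encode() + b"\x00" + ver.encode() for ecu_id, ver in entries]
    data = b"\x1f".join(parts)
    if did is not None:          # modification of embodiment 2: also bind the DID
        data = did.encode() + b"\x1f" + data
    return data


def make_verification_info(record, key=SHARED_KEY, bind_did=False):
    """Server side: bit string X from ECU ID 6032 and function version 6035,
    then the MAC standing in for the table verification information 604."""
    entries = [(ecu_id, ver) for _, ecu_id, ver in record["ecus"]]
    x = build_bit_string(entries, record["did"] if bind_did else None)
    return hmac.new(key, x, hashlib.sha256).hexdigest()


def gateway_verify(record, verification_info, fleet=ECU_FLEET,
                   key=SHARED_KEY, bind_did=False):
    """Gateway side (S104 onward): query each ECU by NET ID with the DID,
    build bit string Z from the answers, and compare the MACs."""
    entries = []
    for net_id, ecu_id, _ in record["ecus"]:
        version = ecu_respond(net_id, record["did"], fleet)
        if version is None:
            return False   # expected ECU lacks the function: treat as mismatch
        entries.append((ecu_id, version))
    z = build_bit_string(entries, record["did"] if bind_did else None)
    z_mac = hmac.new(key, z, hashlib.sha256).hexdigest()
    return hmac.compare_digest(z_mac, verification_info)


def demo():
    """Returns (before update, after function A update, after function C update)
    for the function A record; the last case shows why per-function versions
    limit the impact of an update on the function configuration information."""
    info = make_verification_info(FUNCTION_A_RECORD)
    before = gateway_verify(FUNCTION_A_RECORD, info)

    fleet_a = copy.deepcopy(ECU_FLEET)            # fig. 18 (b): function A part updated
    fleet_a["700"]["sw_version"] = "1.0.1.0"
    fleet_a["700"]["func_versions"]["F001"] = "2"
    after_a = gateway_verify(FUNCTION_A_RECORD, info, fleet_a)

    fleet_c = copy.deepcopy(ECU_FLEET)            # only the function C part updated
    fleet_c["700"]["sw_version"] = "1.0.1.0"
    fleet_c["700"]["func_versions"]["F003"] = "2"
    after_c = gateway_verify(FUNCTION_A_RECORD, info, fleet_c)
    return before, after_a, after_c
```

The third result of demo() is the point of embodiment 2: updating the software of the engine ECU in a part that belongs only to function C leaves the function A record, and its verification information, untouched. With bind_did=True on both sides the DID value becomes part of what is verified, so a record whose DID was altered no longer verifies even if the version values are unchanged.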

Embodiment 3

A 3 rd embodiment of a gateway as an arithmetic device according to the present invention will be described with reference to fig. 20 to 21. In the following description, the same components as those in embodiment 2 are denoted by the same reference numerals, and different points will be mainly described. The contents not specifically described are the same as those of embodiment 2. In the present embodiment, mainly the information stored in the function configuration information differs from that in embodiment 2.

Fig. 20 is a diagram showing an example of the version information 952 for each function stored in each ECU in the present embodiment. In fig. 20, the engine control ECU 13 is used as a specific example, and fig. 20 (a) shows the function-by-function version information 952a of the engine control ECU 13 before update, and fig. 20 (b) shows the function-by-function version information 952b of the engine control ECU 13 after update.

The per-function version information 952 is composed of 6 bytes, which, from the head, uniquely identify the software versions of the boot loader, the BSW, the ASW, the calibration data, function A, and function C. Each byte of the per-function version information 952 is updated as the software of the corresponding part is updated. Although fig. 20 labels each byte with the part it corresponds to for the sake of explanation, the per-function version information 952 actually consists only of the 6-byte value.

The pre-update per-function version information 952a shown in fig. 20 (a) is "1, 1". In the updated per-function version information 952b shown in fig. 20 (b), since the part related to the function a is updated, the identification information corresponding to the function a is updated to "2", and the identification information indicating the ASW of the software including the entire application of the function a is updated to "2".

Fig. 21 is a diagram showing an example of the function configuration information 63 in the present embodiment. Fig. 21 (a) shows the function configuration information 63a before update, and fig. 21 (b) shows the function configuration information 63b after update. The example shown in fig. 21 (a) includes records such as R71, R81, and R91, and the example shown in fig. 21 (b) includes records such as R72, R82, and R92. Compared with the function configuration information 62 in embodiment 2, the function configuration information 63 in the present embodiment replaces the DID 6034 column with a mask 6036 column.

The mask 6036 is identification information indicating which bytes, counted from the head of the per-function version information 952, correspond to the function. The gateway 10 reads the per-function version information 952 from the ECU and then extracts the identification information related to the function from it by using the mask 6036. Alternatively, the gateway 10 may send the value of the mask 6036 to the ECU together with the request for the per-function version information 952, and the ECU returns only the bytes of the per-function version information 952 selected by the mask 6036.
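The two ways of using the mask 6036 described above (gateway-side extraction from the full 6 bytes, or the ECU returning only the masked bytes), as an added example that is not part of the patent. The 6-byte layout follows fig. 20; the actual byte values before and after update and the encoding of the mask as a byte-wise selector (0xFF selects a byte, 0x00 does not) are constructed assumptions.

```python
# Byte order of the per-function version information 952 as described for fig. 20.
PART_ORDER = ("boot loader", "BSW", "ASW", "calibration data",
              "function A", "function C")

# Constructed sample values (not the page's figures): before update every part is
# at version 1; after update the ASW and the function A part are at version 2.
VERSION_INFO_BEFORE = bytes([1, 1, 1, 1, 1, 1])
VERSION_INFO_AFTER = bytes([1, 1, 2, 1, 2, 1])

# Assumed encoding of mask 6036: one selector byte per version byte.
MASK_FUNCTION_A = bytes([0, 0, 0, 0, 0xFF, 0])
MASK_FUNCTION_C = bytes([0, 0, 0, 0, 0, 0xFF])


def apply_mask(version_info, mask):
    """Bitwise AND of the version information with the mask; keeps the 6-byte
    length so positions stay aligned with PART_ORDER."""
    if len(version_info) != len(mask):
        raise ValueError("version information and mask length differ")
    return bytes(v & m for v, m in zip(version_info, mask))


def function_version(version_info, mask):
    """Gateway-side use: the gateway read all 6 bytes from the ECU and now
    extracts only the function's identification bytes."""
    if len(version_info) != len(mask):
        raise ValueError("version information and mask length differ")
    return bytes(v for v, m in zip(version_info, mask) if m)


def ecu_respond_masked(version_info, mask):
    """ECU-side variant: the ECU received the mask with the request and returns
    only the selected bytes, so the gateway never sees the other parts."""
    return function_version(version_info, mask)


def changed_parts(before, after):
    """Names of the parts whose version byte differs between two readings."""
    return [name for name, b, a in zip(PART_ORDER, before, after) if b != a]
```

Both variants yield the same value for the gateway's comparison; the ECU-side variant only reduces what is transmitted. A length check is kept in both extraction paths so that a truncated reply from an ECU raises rather than silently verifying against a shorter value.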

Comparing fig. 21 (a) with fig. 21 (b), the record R71 differs from the record R72, but the records R81 and R91 are identical to the records R82 and R92. This is because the version information of the software itself is not stored in the function configuration information 63; only the version information of each function of each software is stored in the function configuration information 63.

Otherwise, the description is omitted since it is the same as embodiment 2.

As described above, by managing the version of the relevant software portion in the ECU for each function, it is possible to reduce the influence on the function configuration information at the time of software update and reduce unnecessary changes.

Embodiment 4

A 4 th embodiment of a gateway as an arithmetic device according to the present invention will be described with reference to fig. 22 to 24. In the following description, the same components as those in embodiment 2 are denoted by the same reference numerals, and different points will be mainly described. The contents not specifically described are the same as those of embodiment 2. In the present embodiment, mainly the operation in the case where the table verification information does not match differs from that in embodiment 1.

Fig. 22 is a diagram showing function configuration information 61c of the function D, and fig. 23 is a diagram showing function restriction information 91 of the function D.

The record R4 in fig. 22 stores the information relating to the function D, indicated by the function identification ID "D2". The function identification verification information 602 field of the record R4 stores "dzzz". Since 3 ECUs constitute the function D, the NET ID 6031 column holds "701", "702" and "703", the ECU ID 6032 column holds "brake", "ADAS" and "camera", and the software version 6033 column holds "1.0.0.0", "1.0.0.1" and "1.0.0.0", respectively. The table verification information 604 field of the record R4 stores "tddd", and the flag 605 field stores "restriction", indicating that the function is to be operated under an operation restriction when a mismatch occurs. Here, an operation restriction of a function means that a part of the function continues to operate rather than the function being stopped. That is, in the present embodiment, either "stop" or "restriction" is stored in the flag 605 column, and the value "operation permitted" is not stored.

Fig. 23 is a diagram showing an example of the function restriction information 91, which is referred to when the flag 605 indicates "restriction" and is managed in the same manner as the function configuration information 61c. Record R41 in fig. 23 stores the function restriction information relating to the function D. The function 600 column of the record R41 stores "D", and since 3 ECUs constitute the function D, the version inconsistency ECU ID 6038 column stores "brake", "ADAS" and "camera", and the restriction content 6037 column stores "only warning operation", "function complete stop" and "function complete stop", respectively.

Next, the contents exemplified in fig. 23 are explained taking the case where the function D is an automatic braking function. The automatic braking function D is realized by the cooperation of the 3 ECUs whose IDs are "brake", "ADAS" and "camera". It consists of 3 basic functions: detection of an obstacle for which braking should be applied, warning to the driver when the obstacle approaches, and braking. In this functional configuration, when the version of the "brake" ECU does not match, the "camera" and "ADAS" ECUs can still operate normally, so the detection of an obstacle and the warning to the driver can be realized without problems, and it is preferable to keep these basic functions operating. On the other hand, when the version of the "camera" or "ADAS" ECU does not match, both the detection of an obstacle and the warning may be affected, and therefore it is preferable to stop the automatic braking function entirely. Thus, a useful part of the function can be kept operating even when the table verification information 604 does not match.

Fig. 24 is a flowchart showing the function restriction processing in the gateway 10. This processing replaces the processing S111 of fig. 10. First, the stop control unit 10005 determines whether or not the flag is "stop"; if it is "stop" (yes in S121), the stop control unit 10005 instructs the relevant ECU to stop (S111). If the flag is not "stop", that is, if it is "function restriction" (no in S121), the record R41 of the function D in the function restriction information 91 is read (S122).

Next, the gateway 10 compares, for each ECU, the version acquired from the ECU with the version in the function configuration information 61c, and checks for a difference (S123). When the versions are judged to match (yes in S124), the gateway 10 does nothing. When the versions are judged not to match (no in S124), the gateway 10 restricts a part of the function in accordance with the contents specified in the restriction content 6037 of the function restriction information 91 (S125). Next, the gateway 10 determines whether there is an ECU whose version has not yet been compared (S126); if the comparison of all versions is completed, the processing ends (no in S126). If an ECU whose version has not been compared remains, the gateway 10 returns to S123 and repeats the processing.
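The decision flow of fig. 24 (S121 to S126) over the record R4 of fig. 22 and the record R41 of fig. 23, as an added example that is not part of the patent. The record values are those quoted on the page; the representation of the gateway's decisions as a list of (action, ...) tuples, the treatment of an ECU that did not answer as a version mismatch, and the fallback restriction content for an ECU absent from the restriction record are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfigEntry:
    """One ECU of a function configuration record (columns 6031, 6032, 6033)."""
    net_id: str
    ecu_id: str
    sw_version: str


# Record R4 of function D from fig. 22 (values as quoted on the page).
FUNCTION_D = {
    "function_id": "D2",
    "ecus": [ConfigEntry("701", "brake", "1.0.0.0"),
             ConfigEntry("702", "ADAS", "1.0.0.1"),
             ConfigEntry("703", "camera", "1.0.0.0")],
    "flag": "restriction",        # flag 605: "stop" or "restriction"
}

# Record R41 of the function restriction information 91 from fig. 23:
# version inconsistency ECU ID 6038 -> restriction content 6037.
RESTRICTION_D = {
    "brake": "only warning operation",
    "ADAS": "function complete stop",
    "camera": "function complete stop",
}


def function_restriction(record, restriction_info, acquired_versions):
    """Fig. 24 flow, replacing S111 of fig. 10.

    acquired_versions maps NET ID to the software version the gateway read
    from that ECU (absent key: the ECU did not answer). Returns the actions
    the gateway would issue, in processing order; an empty list means every
    version matched and nothing is restricted.
    """
    actions = []
    if record["flag"] == "stop":                       # S121 yes -> S111
        actions.append(("stop", record["function_id"]))
        return actions
    # S121 no: "function restriction"; S122: restriction_info is the read record
    for entry in record["ecus"]:                       # S123 .. S126 loop
        acquired = acquired_versions.get(entry.net_id)
        if acquired == entry.sw_version:               # S124 yes: nothing to do
            continue
        # S124 no (also when the ECU gave no answer: treated as mismatch).
        # Fallback for an ECU missing from the restriction record is the
        # most restrictive content, an assumption rather than the page's rule.
        content = restriction_info.get(entry.ecu_id, "function complete stop")
        actions.append(("restrict", entry.ecu_id, content))      # S125
    return actions
```

Applied to the automatic braking example, a mismatch on the "brake" ECU alone yields a single "only warning operation" restriction, while a mismatch on "camera" or "ADAS" yields "function complete stop" for that ECU, which is the outcome the text describes.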

The above-described embodiment 4 achieves the following operational effects.

(9) When the calculation determining unit 10002 determines that the 1 st authentication information does not match the 2 nd authentication information, then, for the function related to the 2 nd authentication information determined as not matching whose flag indicates that execution is permitted at the time of a mismatch, the stop control unit 10005 refers to the function restriction information 91 and determines whether or not to restrict the function based on the 2 nd identification information whose version information does not match. Therefore, a useful part of the function can be kept operating even when the table verification information does not match.

The present invention includes various modifications, and is not limited to the embodiments described above. For example, the above-described embodiments are intended to explain the present invention in a manner that is easy to understand, and are not necessarily limited to all the configurations explained. Note that a part of the configuration of one embodiment may be replaced with the configuration of another embodiment, and the configuration of one embodiment may be added to the configuration of another embodiment. Further, some of the configurations of the embodiments may be added, deleted, replaced, or the order of processing in each process may be changed. For example, although the function configuration information management device is the gateway 10 in embodiment 1, the communication module 11 or the HMI 12 may be a function configuration information management device. In addition, a dedicated device may be provided.

In the above embodiments and modifications, the configuration of the functional block is merely an example. Several functional configurations shown as respective functional blocks may be integrally configured, or a configuration shown as 1 functional block diagram may be divided into 2 or more functions. Further, another functional block may have a configuration in which a part of the functions of each functional block is provided.

The above-described configurations, functions, processing units, processing means, and the like may be partially or entirely realized in hardware, for example by designing them as an integrated circuit. Each of the above-described configurations, functions, and the like may also be realized in software, by a processor interpreting and executing a program that realizes each function.

Further, the control lines and the information lines are shown as what is considered necessary for the description, and not necessarily all of the control lines and the information lines are shown in the product. In practice, almost all of the components can be considered to be connected to each other.

While the various embodiments and modifications have been described above, the present invention is not limited to these embodiments. Other embodiments contemplated within the scope of the technical idea of the present invention are also included in the scope of the present invention.

The disclosures of the following priority base applications are incorporated herein by reference:

japanese patent application 2019-66887 (application 3/29/2019).

Description of the symbols

1 … vehicle

5 … diagnostic device

6 … function configuration information

10 … gateway

61, 62, 63, 64, 65 … function configuration information

604 … form verification information

605 … flag

6031 … NET ID

6032 … ECU ID

10002 … calculation determination unit

10005 … stop control unit
