This application claims the priority of German patent document 100 37 397.6, filed 1 Aug. 2000 (PCT International Application No. PCT/EP01/08355, filed 19 Jul. 2001), the disclosure of which is expressly incorporated by reference herein.
The invention relates to a method for loading software into a target appliance in a vehicle control system having a plurality of appliances, and to a vehicle control system for carrying out the method.
German patent document DE 43 34 859 A1 discloses a device for programming electronic controllers in a motor vehicle, which is intended for initialization of the controllers on the production line. The controllers are connected to one another, with one of them being able to communicate with an external programmer via an existing transmitting/receiving device, for example an infrared locking system.
During initialization of the appliances, each appliance to be programmed must have sufficient computation power and sufficient free memory to carry out the tasks which occur during the programming process. The loading of new software versions (so-called updates) presents more stringent requirements than initialization: it may be necessary to back up already loaded software, and the amount of free memory is reduced because it is occupied by operating data.
These more stringent requirements have to be satisfied, for example, by providing greater computation power and larger memories for appliances in a vehicle control system. At the same time, vehicle control systems are subject to considerable cost pressure so that appliances which are intended to be fitted in large-scale production, in particular, must be designed to have as low a cost as possible. Until now, loading of software in vehicle control systems has thus been restricted to the initialization of specific appliances on the production line and to the updating of specific appliances, which are generally provided as special equipment, such as navigation systems, which receive new data records via CDs (compact discs).
German patent document DE 196 25 002 A1 discloses a vehicle communications system, in which appliance units for transmitting, receiving, detecting and/or processing data can be associated in a flexibly controllable manner with various telemetry applications. This is intended to provide increased flexibility for carrying out telemetry applications at low cost, with the intention of avoiding redundant equipping of the vehicle with identical appliances for different telemetry applications.
One object of the invention is to provide a method for loading software into a target appliance in a vehicle control system, and to provide a vehicle control system for carrying out the method, which places only minor requirements on the performance of the target appliance.
This and other objects and advantages are achieved by the method and apparatus according to the invention, in which the process of loading a software module is sub-divided into task elements, the performance of which is assigned to a target appliance, to appliances in the vehicle control system and/or to a control apparatus outside the vehicle control system. Accordingly, all of the tasks need not be carried out by a single apparatus while loading the software module. It is thus possible to distribute the load, for example with regard to the computation performance and memory capacity, on the basis of the performance of the individual appliances. Most appliances in a vehicle control system are not part of the standard equipment. Intelligent distribution of the task elements makes it possible to avoid having to upgrade the small number of standard appliances (and thus make them more expensive) in order to allow a software update. The definition of task elements corresponds to the definition of logical appliances. When the method is carried out, the task elements or the logical appliances are then assigned to the appliances which are actually physically present.
The task elements include i) a monitoring appliance task, which in turn includes processing and passing on control commands for the loading of the software module from outside the vehicle control system, ii) an update appliance task, which includes control of the process of loading the software module between the target appliance, the appliances and/or the control appliance, and iii) a receiving appliance task, which includes provision of an interface for the software module to be loaded from outside the vehicle control system. Subdivision into these task elements is particularly suitable for a vehicle control system since this takes account of specific boundary conditions that occur in a vehicle control system. For example, vehicle control systems do not have powerful central computers which could generally be used to accept the main load during the loading process. In fact, different equipment variants differ considerably in terms of the performance of the installed appliances, so that variable assignment of the task elements is the only way to allow the software to be loaded in different equipment variants. The high degree of flexibility of the method allows it to be used over a number of model cycles of a manufacturer.
The provision of a monitoring appliance task allows different appliances to be used as the interface to the outside world without having to modify the method for loading a software module. For example, the loading of one or more software modules can be controlled by an external diagnosis appliance or else by an input device in the vehicle itself. The same method can thus be used for updating controllers from the diagnosis computer and for updating a navigation system from the controller in the vehicle. The flexible assignment for carrying out the update appliance task also makes it possible to provide less powerful appliances in the vehicle control system with new software modules, since the control of the process of loading the software module can be assigned to a more powerful appliance.
The provision of a receiving appliance task allows a single physical appliance to be used for updating different appliances. The method can also be used without modification if software is intended to be loaded via an optionally provided mobile radio or CD ROM interface rather than via a diagnosis interface which is provided, for example, in the standard equipment. When different data transmission rates are used outside the vehicle control system and in the networked vehicle control system, the receiving appliance task may include not only the reception of the data but also the temporary storage of the received data.
The definition of a configuration manager task allows the computation-intensive compatibility checking during the loading of a software module to be moved elsewhere, for example to a diagnosis appliance, in the case of vehicle control systems having a standard outfitting. On the other hand, in variants with better equipment, the compatibility check can be carried out within the configuration manager task in the vehicle itself, for example by the customer himself when loading new software for a navigation system.
Since the data for configuration management are carried directly together with the software in a version line and in a list of requirements, there is no need for costly central data storage. Only the evaluation of the data that is also carried is performed centrally by the appliance to which the process of performing the configuration manager task has been assigned. Only as many central components as are necessary are therefore provided for compatibility checking, and the method is thus particularly suitable for a vehicle control system. Self-testing of the software configuration of the vehicle control system is also possible.
The provision of a backup appliance task, which includes backing up at least some of the software modules in the target appliance within the vehicle control system, allows previously loaded software to be backed up even for software updates which are carried out by the customer himself (for example from the CD ROM without any connection to an external diagnosis appliance, or via mobile radio for a software update). The flexible assignment of the backup appliance task makes it possible to choose an appliance which is particularly suitable for this purpose depending on the equipment variant.
The assignment of the process for carrying out the task elements is advantageously made as a function of the computation performance required for the task elements, of the memory space required for the task elements and/or of the time which is required for the storage of data in the target appliance and in the appliances in the vehicle control system. This allows computation-intensive, memory-intensive, and/or time-critical task elements to be assigned to the most suitable of the respective appliances.
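The assignment described above can be sketched as follows. This is an added example, not part of the patent text: the appliance names, capacity figures, the best-fit rule and the two constraint flags are assumptions, and only computation performance and memory space are modelled, not storage time.

```python
from dataclasses import dataclass

@dataclass
class Appliance:
    name: str
    cpu: int                   # free computation capacity (assumed units)
    mem_kb: int                # free memory in KB
    external_if: bool = False  # has an interface to outside the vehicle
    in_vehicle: bool = True    # False for the external control appliance

@dataclass
class Task:
    name: str
    cpu: int
    mem_kb: int
    needs_external_if: bool = False
    must_be_in_vehicle: bool = False

def assign(tasks, appliances):
    """Best fit: heaviest task first, onto the smallest appliance that still fits."""
    free = {a.name: [a.cpu, a.mem_kb] for a in appliances}
    plan = {}
    for t in sorted(tasks, key=lambda t: (t.mem_kb, t.cpu), reverse=True):
        fits = [a for a in appliances
                if free[a.name][0] >= t.cpu and free[a.name][1] >= t.mem_kb
                and (a.external_if or not t.needs_external_if)
                and (a.in_vehicle or not t.must_be_in_vehicle)]
        if not fits:
            raise ValueError(f"no appliance can carry out {t.name}")
        # Prefer in-vehicle appliances, then the one with the least spare memory.
        best = min(fits, key=lambda a: (not a.in_vehicle, free[a.name][1]))
        free[best.name][0] -= t.cpu
        free[best.name][1] -= t.mem_kb
        plan[t.name] = best.name
    return plan

# Constructed sample data: a standard variant and a better-equipped variant.
TARGET = Appliance("door_ecu", 4, 8)
GATEWAY = Appliance("gateway", 20, 64, external_if=True)
HEAD_UNIT = Appliance("head_unit", 200, 4096, external_if=True)
TESTER = Appliance("diagnosis_tester", 1000, 100000, external_if=True, in_vehicle=False)
TASKS = [Task("monitoring", 5, 8), Task("update", 15, 32),
         Task("receiving", 10, 48, needs_external_if=True),
         Task("configuration_manager", 80, 256)]
BACKUP = Task("backup", 10, 512, must_be_in_vehicle=True)

def standard_variant():   # update run from an external diagnosis appliance
    return assign(TASKS, [TARGET, GATEWAY, TESTER])

def equipped_variant():   # update run in the vehicle, no external appliance
    return assign(TASKS + [BACKUP], [TARGET, GATEWAY, HEAD_UNIT])
```

In the standard variant the configuration manager and update appliance tasks land on the external diagnosis appliance, while in the better-equipped variant every task, including the backup, stays in the vehicle.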
Since a data transmission is made secure by cryptographic scrambling only outside the vehicle control system, the complexity can be reduced considerably in comparison to so-called end-to-end protection, so that standard configurations of vehicle control systems can be designed to be simpler, despite being capable of carrying out an update. In particular, less computation power is required within the vehicle control system and, in general, the administrative complexity is decreased since fewer cryptographic keys need to be administered.
The invention also provides a vehicle control system in which the data required for carrying out a compatibility check within a configuration manager task are carried together with the software. For this purpose, the software modules which have already been loaded in the respective appliances in the vehicle control system each have a version line and a list of requirements. Such a vehicle control system allows a compatibility check to be carried out for a software module to be loaded, without any complex central data storage, since the required data are attached to the software modules themselves. A vehicle control system such as this is thus particularly suitable for production in different equipment variants, including standard configurations.
Since the vehicle control system can be operated by means of a control appliance outside the vehicle control system, the configuration manager task can be carried out outside the vehicle control system, thus reducing the requirements for the appliances in the vehicle control system.
However, it is also advantageous to provide an appliance which is suitable for carrying out the configuration manager task in the vehicle control system, since a compatibility check, specifically to determine whether the vehicle control system satisfies the hardware and software requirements for the software module to be loaded and whether the software module to be loaded satisfies the requirements for operation of the vehicle control system, can be carried out in the vehicle itself. This is advantageous, for example, when the data are transmitted by mobile radio or from a CD ROM when an update is intended to be carried out without connecting any external appliance.
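The two-way compatibility check and the self-test described above can be sketched as follows. This is an added example, not part of the patent text: the tuple encoding of the version line, the dictionary form of the list of requirements and all module names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Module:
    name: str
    version: tuple                                # version line (tuple form assumed)
    requires: dict = field(default_factory=dict)  # list of requirements: {name: minimum}

def unmet(owner, provided):
    """Requirements of `owner` that the {name: version} map does not satisfy."""
    return [f"{owner.name} requires {name} >= {'.'.join(map(str, low))}"
            for name, low in owner.requires.items()
            if name not in provided or provided[name] < low]

def check(installed, hardware, candidate=None):
    """Configuration manager task; with candidate=None it is the self-test."""
    after = dict(hardware)                        # system state after the update
    after.update({m.name: m.version for m in installed})
    modules = list(installed)
    if candidate is not None:
        after[candidate.name] = candidate.version
        # The candidate replaces any loaded module of the same name.
        modules = [m for m in installed if m.name != candidate.name] + [candidate]
    problems = []
    for m in modules:
        # Covers both directions: what the candidate needs from the system,
        # and what the already loaded modules need from the candidate.
        problems += unmet(m, after)
    return problems

# Constructed sample configuration; every module carries its own data.
HARDWARE = {"hw:head_unit": (2,)}
INSTALLED = [
    Module("gateway", (1, 2)),
    Module("display_driver", (1, 5), {"hw:head_unit": (2,)}),
    Module("navigation", (2, 0), {"display_driver": (1, 4), "gateway": (1, 0)}),
]
OK_UPDATE = Module("display_driver", (2, 0), {"hw:head_unit": (2,)})
DOWNGRADE = Module("display_driver", (1, 3), {"hw:head_unit": (2,)})
TOO_NEW = Module("navigation", (3, 0), {"display_driver": (2, 0), "hw:head_unit": (3,)})

if __name__ == "__main__":
    for cand in (None, OK_UPDATE, DOWNGRADE, TOO_NEW):
        label = "self-test" if cand is None else f"{cand.name} {cand.version}"
        print(label, "->", check(INSTALLED, HARDWARE, cand) or "compatible")
```

An empty result means the module may be loaded; any returned line names the module whose requirement would be violated, so the loading process can be refused before anything is written to the target appliance.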
Other objects, advantages and novel features of the present invention will become apparent from the following detailed description of the invention when considered in conjunction with the accompanying drawings.