Conventionally, an electronic control unit (ECU) is equipped with a flash memory, an EEPROM or the like, which is a rewritable non-volatile memory, for controlling, for example, a vehicle engine and a vehicle transmission. Contents of such rewritable non-volatile memory are electrically rewritable (i.e., data is erasable therefrom and writable therein). Further, a control program stored in such rewritable non-volatile memory is rewritable and replaceable.
A vehicle having the ECU is usually brought to a dealership by an owner of the vehicle for the rewriting of the control program stored in the ECU. That is, the control program is rewritten by a rewrite program at the dealership, under control of a mechanic by using a rewrite device. Such a rewrite scheme is disclosed in Japanese Patent Laid-Open No. 2004-220519.
However, such a rewrite scheme may have to handle various changes, which are expected to occur. For example, various connection channels between the vehicle and a network may be newly developed and established. Also, more and more vehicles would be shared by many users under management of an organization, instead of being solely owned by respective users. Further, programs stored in the ECU would become more complicated and sophisticated, thereby necessitating frequent program updates for coping with security risks and the like.
In view of such changes, it may be desirable to have the user perform the rewriting of the programs, instead of having the user bring the vehicle to the dealership. That is, for the convenience of the user and for countering the security risk, the rewriting of the programs (which may also be designated as “re-program” hereinafter) may be remotely performed.
In consideration of improved user convenience and prevention of mis-operation in the re-program process, the re-program may need to be remotely performed regardless of the operation state of the vehicle, or regardless of the transition from one operation state to the other state. That is, such re-program may need to be performed regardless of the operation state of the vehicle, such as a traveling state or a parking state, or regardless of the state transition from an ignition OFF to an ignition ON.
However, in a traveling vehicle, for example, a program in the ECU is continuously executed, and the re-program during such a continuous execution of the program may lead to a hang-up of the program, such that the program may become uncontrollable due to a “crash” of a computer executing the program.
For instance, a series of processes A, B, and C are controlled by a certain program, among which the processes A and C are designed to use the same data D1. The processes A, B, C may have an incorrect processing result, if (i) the program is designed on an assumption that the same data is used by both the process A and the process C, (ii) the re-program is performed during the execution time of the process B, and (iii) the data D1 is rewritten to have a different value by such re-program. As a result, the program controlling the processes A, B, C may crash.
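The A, B, C scenario above as a small C model, added here as an illustration and not taken from the cited publication or any ECU code. The `generation` counter used to detect a rewrite of D1 between A and C is an assumed mechanism, and all names and values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: d1 stands for data D1 in rewritable non-volatile memory;
 * generation is a hypothetical counter incremented by every rewrite. */
struct nvm { uint32_t generation; int32_t d1; };

/* Stand-in for a remote re-program that changes D1. */
static void reprogram(struct nvm *m, int32_t new_d1) {
    m->d1 = new_d1;
    m->generation++;
}

/* A applies D1 as an offset, B does not touch D1, C removes the offset.
 * With an unchanged D1 the chain always yields 2 * in. */
static int32_t process_a(const struct nvm *m, int32_t in) { return in + m->d1; }
static int32_t process_b(int32_t x) { return x * 2; }
static int32_t process_c(const struct nvm *m, int32_t x) { return x - 2 * m->d1; }

/* Runs A, B, C once; if rewrite_during_b is set, D1 is rewritten while B is
 * "executing". Returns true only when A and C observed the same generation,
 * so the caller can discard *out instead of acting on it. */
bool run_cycle(struct nvm *m, int32_t in, bool rewrite_during_b,
               int32_t new_d1, int32_t *out) {
    uint32_t gen_before = m->generation;
    int32_t x = process_a(m, in);
    x = process_b(x);
    if (rewrite_during_b)
        reprogram(m, new_d1);
    *out = process_c(m, x);
    return m->generation == gen_before;
}

int main(void) {
    struct nvm m = { 0, 4 };
    int32_t out;
    bool ok = run_cycle(&m, 10, false, 0, &out);
    printf("no rewrite:   out=%d consistent=%d\n", (int)out, ok);
    ok = run_cycle(&m, 10, true, 9, &out);
    printf("rewrite in B: out=%d consistent=%d\n", (int)out, ok);
    return 0;
}
```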
Further, the state transition between vehicle operation states may be unpredictable, and the re-program at the time of such a state transition may also result in damaged data. For example, in an ECU that stops the power supply for a microcomputer at a time of transition from the ignition ON state to the ignition OFF state, a transition from the ignition ON state to the ignition OFF state during the re-program process interrupts the power supply for the microcomputer. This may interrupt the re-program process and the data rewriting within it, thereby damaging data and leading to an incorrect operation of the ECU at the next ignition ON time.