Automobiles have ECUs mounted thereon for performing control of engine ignition timings and steering motors. Conventionally, an ECU (hereinafter referred to as a control system ECU) that performs safety critical control relating to acceleration, steering, and braking is connected only with an on-vehicle network but separated from external networks. In addition, update of applications mounted on such control system ECUs is not performed routinely, but update of applications is performed by dealers in service campaigns or in the event of recall.
From now on, however, an on-vehicle network with which a control system ECU is connected will be connected with external networks and applications for the control system ECU will be rewritten via radio communication from a cloud network for the purpose of reduction in dealers' cost or the like. Furthermore, applications for implementing drive assisting functions at various levels provided by a safety drive assisting system and an automatic cruise system and applications for implementing functions associated with the driver's taste have been demanded for the control system ECUs. Thus, similarly to adding applications to smart phones, it is expected that overwriting, addition, and deletion (hereinafter, overwriting, addition, and deletion will be collectively referred to as update) of applications for the control system ECU due to improvement or upgrade of the applications will be performed through a cloud network after purchase of a car.
In update of an application at the control system ECU, it is necessary to not only make sure that existing applications operate normally and that new applications can be executed at predetermined timings, but also consider whether or not timings of data input from sensors used by respective applications and timings of control of actuators can be achieved with the applications. When such data input timings and control timings are satisfied, control intended by the developers of applications can be achieved even after the applications are updated.
In conventional control system ECUs, application installation patterns are only present depending on destinations and options, and the number of the application installation patterns is limited. Thus, in performing update of an application, all the installation patterns in the control system ECUs to be updated can be covered for verification including the aforementioned timings and the like and determination on whether or not the update is allowed for every development of a new application.
When, however, the control system ECUs tend to be customized in response to various demands after shipment as described above, the number of installation patterns that need to be verified will be enormous. In addition, car manufacturers and developers of new applications do not always cover all the applications already installed in the control system ECUs to be updated. If a control system ECU including such an unknown application, that is, a control system ECU having an installation pattern that cannot be verified at the application development stage is updated with a new application, the control system ECU may become in an abnormal state, which may disable control of the vehicle, cause the car to become immobile or cause an accident. It is therefore necessary to individually determine whether or not update of an application in the control system ECU to be updated is allowed before updating the application.
Patent Literature 1, for example, discloses a method for determining whether or not update of an application is allowed in view of a deadline of the application, a processing time of the application, and a communication time between the control system ECUs.