The invention relates to a control system for a motor vehicle, having a central control device and at least two further control devices, wherein the further control devices are designed for executing a function application that is loaded in the corresponding control device repectively. The invention further relates to a method for operating such a control system.

Presently, the architecture or topology of electronic devices in automotive manufacturing is based on a close connection between hardware components, for example control devices, and particular software. Such a control device typically has a nonvolatile or permanent memory, for example a flash memory, in which software which is coordinated with or matched to the functionality of the control device is stored, for example as a so- called function application. This software may also be referred to as firmware. For running the software, the control device also has a computing unit. For cost reasons, the size of the nonvolatile permanent memory is typically matched very closely to the software that is provided for the particular control device. In addition, the control device may also have a volatile (working) memory, for example a random access memory (RAM), for running the particular software or function application.

The software is permanently stored or saved in the nonvolatile memory, and generally cannot be readily updated or modified. Updating and modifying the function application is possible here only in a maintenance or service center via a special bootstrap loader or boot loader update mechanism, or via a wireless update mechanism (over-the-air update) which is implemented in the bootstrap loader of each control device and which must be synchronized with same. Accordingly, in a modern motor vehicle, which typically has approximately one hundred control devices, updating the function application, and thus a particular control device, involves considerable effort.

In this regard, DE 103 48 362 B4 describes an integrated vehicle control system having a plurality of electronic control devices which are connected via at least one communication line in order to communicate with one another for controlling particular functions of a vehicle, whereby one of the electronic control devices acts as a master control device in order to transmit operating instructions to other electronic control devices.

A method is known from EP 2 477 421 A1 in which data may be transmitted via a wireless network to a motor vehicle that is moving, for example during driving operation.

The object of the invention is to provide a simplified control system for a motor vehicle, having multiple control devices and which may be operated and updated more efficiently.

This object is achieved by the subject matter of the independent patent claims. Advantageous embodiments are apparent from the dependent patent claims, the description, and the figures.

The invention relates to a control system for a motor vehicle, having a central control device and at least two further control devices, preferably a plurality of further control devices, wherein the further control devices are designed for executing one or more function applications that are each loaded into or onto the respective control device. The function application may also be referred to as a function application program. The particular function applications for the further control devices are stored in the central control device, and during a start operation, i.e., a start-up or booting of the control device, the further control devices are designed to load the corresponding or appropriate function application, which is associated with the particular control device, from the central control device and subsequently activate or execute it. The appropriate function application may be loaded from the central control device into a particular local volatile memory, for example a random access memory, of the respective further control device. The central control device may thus be regarded as a shared data center for the further control devices. The function applications, which are generally stored as firmware in a local nonvolatile memory of the particular further control devices in the state of the art, are centrally stored in the data center. The invention therefore relates to a central control device which is connected to the further control devices of the control system, preferably to all further control devices of the motor vehicle. The central control device may include all firmware of the further control devices. During start-up, each further control device is able to contact the central control device and retrieve the necessary firmware data.

This has the advantage that the software, i.e., the function applications, of the further control devices and storage thereof are decoupled from the hardware of the particular further control devices. The size of a nonvolatile permanent memory in each further control device may thus be reduced, or a local nonvolatile memory may be dispensed with altogether. This nonvolatile memory is responsible for approximately 70 percent of the memory costs for each control device. Since the function applications are centrally stored, they may also be centrally managed, for example updated and distributed. When the function application is updated, it is also not necessary, as heretofore, to take file size into consideration, since the memory in the central control device may be flexibly associated with the particular function application. The file size or the size of the updated function application may thus exceed that of the function application to be updated. Thus, for example, a function application which grows in size from, for example, 500 kilobytes to 1 megabyte during an update, may still be used in the control system. In this way, memory redundancy may also be incorporated for critical function applications particularly easily, with little additional effort. Problems that may be caused by a faulty memory, for example, may thus be avoided or reduced. Since the further control devices reload the appropriate function application from the central control device for each start operation, it may thus be ensured at a central location that each further control device of the control system always executes the most current and correct function application. This also allows updating to take place during operation of the control system, since during the update operation, only the central control device, not the further control devices in which the function applications to be updated are active during operation, is accessed.

In one advantageous embodiment, it is provided that the function application for the further control devices is stored in a nonvolatile, i.e., persistent, memory of the central control device, for example a flash memory, which, in contrast to a random access memory, is suitable for permanently storing information, and thus, a function application. The further control devices do not have a nonvolatile memory that is suitable for storing the particular function application. In particular, the memory of the central control device is thus the only nonvolatile memory of the control system that is suitable for storing the function applications.

This has the advantage that the further control devices may be implemented in a particularly robust manner and with little effort, with few components and at low cost.

In another advantageous embodiment, it is provided that the function application in the central control device is stored in a memory having a file system, so that for the further control devices, the function application may in each case be stored in a variable file size.

Using a file system has the advantage that fragmentation of the data, for example, as in an update process, in which a certain function application in its updated version requires more memory space than in the version to be updated, may be managed and therefore is not a problem. By use of a file system, internal as well as external fragmentation problems may be addressed and thus avoided. The memory in the central control device may thus be managed in a particularly efficient manner. Flexible and dynamically adaptable memory management is thus achieved, which is advantageous in particular for an update process.

In another advantageous embodiment, it is provided that in the central control device and in the further control devices an encryption process and/or a signing process are/is implemented for at least one of the particular function applications, in particular all function applications. Use of a file system for the function applications in the central control device is particularly advantageous here.

This has the advantage that the function applications may be protected from unauthorized access or manipulation, in particular by means of a single security certification operation for the entire control system, instead of a security certification operation for each individual control device. It may thus be provided that each further control device is capable of executing only specific function applications, so that in addition, reliability of the particular control device is increased and the susceptibility to error of the control system is reduced. The function application of the particular further control device is thus automatically validated prior to being executed.

In another advantageous embodiment, it is provided that the further control devices have a standardized, i.e., an identical or structurally identical, bootstrap loader or boot loader for loading the particular function application from the central control device. The bootstrap loader may have, for example independently of the control device, i.e., independently of hardware, multiple different connection options for further components that are coupled to the particular control device.

This has the advantage that the development of the control system is simplified, and at the same time reliability is increased with a minimal number of errors.

In another advantageous embodiment, it is provided that the function applications are stored as a respective binary file for the further control device.

This has the advantage that the further control devices require no, or only minimal, software for interpreting the particular function applications, so that memory requirements there are minimized.

In another advantageous embodiment, it is provided that the central control device and the further control devices are coupled to one another via a data connection having a transmission rate of at least 100 megabits, in particular at least 1 gigabit.

This has the advantage that during start-up of the control system, which includes starting or start-up of the further control devices, the further control devices are ready for use particularly quickly, since data are often transmitted between the central control device and the further control devices during start-up. In another advantageous embodiment, it is provided that the central control device has an update interface, in particular a wireless update interface, i.e., an update interface for wireless transmission of data, via which the function applications stored in the control device may be updated, i.e., overwritten. The update interface may be or include a standardized data interface.

This has the advantage that the particular function applications may be easily updated without individually modifying in each case a bootstrap loader of the further control devices in question for the particular update process. Instead, in each case one or more of the further control devices of the control system are updated for the entire control system via a single update interface. Thus, for the update process itself, only the central control device is involved.

It may advantageously be provided that the function applications are updatable via the wireless update interface by means of a mobile wireless connection and/or a wireless local area network (WLAN) connection and/or a Bluetooth connection. For this purpose, the update interface may have a corresponding wireless module, for example a mobile wireless module and/or a WLAN module and/or a Bluetooth module, and/or the like.

This has the advantage that the function applications may be updated in numerous different situations, and thus, also outside a service mode. Thus, for example, a control system of a motor vehicle which is in operation and moving along a route according to its intended use may be updated.

The invention further relates to a motor vehicle having a single control system or multiple control systems according to one or more of the described embodiments. The single control system may include, for example, all control devices of the motor vehicle. This has the advantage that all control devices of the motor vehicle may be updated via a single update interface.

In an alternative variant with multiple control systems, these control systems may in each case be part of so-called domains of control devices, i.e., control devices of one functional group, for example an engine control domain or a driver assistance domain. This has the advantage that the described progressive architecture for the control system may be implemented step by step in a motor vehicle, and does not have to be realized in a single development step.

In one particularly advantageous embodiment, it is provided that the function applications stored in the central control device are updatable when the motor vehicle is being used as intended, i.e., in an operating mode that is different from a service mode, in particular during driving operation.

This has the advantage that the function applications may be updated at any time. Since during use of the motor vehicle as intended, the corresponding function applications are already locally stored and executed in the further control devices, for example in a volatile memory, an update operation may meanwhile take place in the central control device without jeopardizing the functioning of the further control devices. Since the central control device is already in operation during use of the motor vehicle as intended, the update operation may also be started with little effort. In addition, it is not necessary to activate a particular operating mode of the motor vehicle in order to update the function programs, so that the update operation may be started automatically when the motor vehicle is started up, and no disadvantages, for example due to limited availability, result here for a user of the motor vehicle. The updated function applications are thus also always automatically in the most current version.

The invention further relates to a method for operating a control system for a motor vehicle, wherein the control system has a central control device and at least two further control devices that are designed for executing a function application which in each case is loaded in the respective further control device, the further control device in question. The method has multiple method steps. One method step is storing a particular function application for the further control devices in question in the central control device. A further method step is automatically loading the particular function application from the central control device into the particular further control device during a start operation, a so-called booting or boot, of the particular further control device, by this specific further control device. Lastly, the method also comprises activating the particular function application in the further control device in question.

Advantages and advantageous embodiments of the method correspond here to advantages and advantageous embodiments of the control system.

The features and feature combinations mentioned above in the description as well as the features and feature combinations mentioned below in the description of figures and/or shown in the figures alone are usable not only in the respectively specified combination, but also in other combinations without departing from the scope of the invention. Thus, implementations are also to be considered as encompassed and disclosed by the invention, which are not explicitly shown in the figures and explained, but arise from and can be generated by separated feature combinations from the explained implementations. Implementations and feature combinations are also to be considered as disclosed, which thus do not have all of the features of an originally formulated independent claim. Moreover, implementations and feature combinations are to be considered as disclosed, in particular by the implementations set out above, which extend beyond or deviate from the feature combinations set out in the relations of the claims.

Exemplary embodiments of the invention are explained in greater detail below with reference to one schematic drawing. The single fig. shows a motor vehicle having one exemplary embodiment of a control system with multiple control devices.

The motor vehicle 1 shown in the fig. includes a control system 2 having a central control device 3 and at least two, in the present case a plurality of, further control devices 4a, 4b, 4c. The further control devices 4a through 4c are designed for executing a function application 5a, 5b, 5c, respectively, which in each case is loaded into the corresponding control device 4a through 4c. In the present case, the further control devices 4a through 4c are coupled to the central control device 3 via a bus 6 of the motor vehicle 1 , for example via an Ethernet. In the present case, the first further control device 4a is coupled to a camera 10, and is used here with the function application 5a to operate this camera, for example for a driver assistance functionality of the motor vehicle 1 . The second further control device 4b in the present case is coupled to a driving motor 1 1 of the motor vehicle 1 , and with the second function application 4b is used here for engine control. Within a field of application, a so-called domain, for example the driver assistance domain or the engine control domain, multiple further control devices may also be provided, each of which takes over different functionalities within the field of application in question.

The particular function applications 5a through 5c for the further control devices 4a through 4c are now centrally stored in the central control device 3. The further control devices 4a through 4c are appropriately designed for loading the appropriate function application 5a through 5c from the central control device 3 and subsequently activating it during a start-up or boot operation. Thus, during start-up the first further control device 4a loads the first function application 5a, the second further control device 4b loads the function application 5b, the third further control device 4c loads the corresponding function application 5c, and so forth.

The central control device 3 is equipped with a file system here, so that the corresponding function applications 5a through 5c, which in the present case are stored as binary files, may be efficiently stored, even when they have different sizes or their sizes change. Dynamic and flexible updating of the function applications 5a through 5c is thus made possible. In addition, in the present case a communication protocol is provided in the control system, and thus in the central control device 3 and the further control devices 4a through 4c, which offers the storing of the function applications 5a through 5c as a service within the control system, i.e., "data storage as service," in which the function applications 5a through 5c may be requested and transmitted, in the present case as binary files.

Furthermore, in the present case an update service, a signing or verification service, and an encryption service are also implemented in the central control device 3. For the update service, the central control device 3 has a wireless update interface 7 in the present case, via which update data and thus updated function applications may be retrieved from a computing device 9, for example a server, external to the vehicle by means of a wireless data connection 8, in the present case for example a mobile wireless connection. Simple updating of the further control devices 4a through 4c or of the corresponding function applications 5a through 5c is thus possible via the central control device 3. Due to the file system that is used in the central control device 3, varying sizes of the particular function applications 5a through 5c may also be processed without problems.

In addition, in the present case a verification service is also implemented in the central control device 3, so that, for example via the known encryption or signing algorithms with public and private keys, the further control devices 4a through 4c may identify the particular loaded function application 5a through 5c as originating from the central control device 3 and not being manipulated, and may thus execute them without a security risk. To further increase the security, appropriate encryption is also provided here, so that the particular further control device 4a through 4c is able to decrypt and thus execute in each case only its own function application 5a through 5c which is intended for it.