JP2017149234A - Vehicle monitoring system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a vehicle monitoring system capable of detecting that a control unit has been replaced without separately adding a dedicated component for detection.SOLUTION: A vehicle monitoring system 1 monitors a plurality of control units 10 connected to a network 20. Each control unit 10, when an ignition switch 30 is off, stores its own collation key in a non-volatile memory 12 and transmits it to the other control units 10. The received collation key of each of the other control units 10 is stored in the non-volatile memory 12. Each control unit 10, when the ignition switch 30 is on, reads its own collation key as well as the collation key of each of the other control units 10 from the non-volatile memory 12 and transmits the read own collation key to the other control units 10. When the received collation key of the other control unit 10 does not match the read collation key of the other control unit 10, it is determined that the other control unit 10 has been replaced.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a vehicle monitoring system that monitors a plurality of control units connected to a network.

  The vehicle is equipped with a plurality of control units that control the engine, transmission, and the like. If the control unit is illegally replaced (including software rewriting) after the vehicle is shipped to the market, the safety, durability, fuel consumption, etc. of the vehicle may be reduced. Therefore, it is desired to detect that the control unit has been replaced.

  Patent Document 1 discloses a method in which an identification chip that wirelessly transmits identification information is attached to a vehicle part, the identification information is received by a detection device, and whether or not the identification information is a legitimate vehicle part is disclosed. Has been.

JP 2007-22467 A

  However, in the detection method disclosed in Patent Document 1, it is necessary to attach an identification chip for each vehicle component. Therefore, as the number of vehicle components to be detected increases, the cost and weight increase.

  The present invention has been made to solve the above-described problems, and provides a vehicle monitoring system capable of detecting that a control unit has been replaced without adding a separate dedicated detection component. The purpose is to provide.

  The vehicle monitoring system according to the present invention is a vehicle monitoring system that monitors a plurality of control units mounted on a vehicle and connected to a network, and each of the plurality of control units transmits and receives information via the network. Communication means, a non-volatile memory, and mutual monitoring means, and each mutual monitoring means of the plurality of control units sets its own collation information when the vehicle start switch is off, The collation information is stored in the non-volatile memory and transmitted to other control units by the communication means, and the collation information for each other control unit received by the communication means is stored in the non-volatile memory, and when the vehicle start switch is turned on, the vehicle The self-verification information stored when the start switch is turned off and the verification information for each other control unit are read from the nonvolatile memory, The self-verification information is transmitted to the other control unit by the communication means, and the collation information of the other control unit received by the communication means matches the read-out collation information of the other control unit for each other control unit. It is determined whether or not the control unit does not match when it is determined that they do not match.

  In the vehicle monitoring system according to the present invention, a plurality of control units are connected to a network, and each control unit transmits / receives information to / from other control units via the network. In addition, each control unit of the vehicle monitoring system according to the present invention includes a nonvolatile memory, and can retain information in the nonvolatile memory even when the power supply voltage is not supplied. In the vehicle monitoring system according to the present invention, each control unit includes a mutual monitoring means, and performs mutual monitoring between a plurality of control units. In the mutual monitoring means of each control unit, the collation information for each other control unit received via the network when the vehicle start switch is turned off is stored in a non-volatile memory, and when the vehicle start switch is turned on, the other control unit Whether the collation information of the other control unit received via the network every time matches the collation information of the other control unit held in the nonvolatile memory (the collation information received when the vehicle start switch is turned off). If the verification information is different, it is determined that the control unit has been replaced. As described above, according to the vehicle monitoring system of the present invention, the network communication means and the non-volatile memory generally mounted on the control unit are used, and the plurality of control units connected to the network are mutually connected. By monitoring, it is possible to detect that the control unit has been replaced without separately adding a dedicated detection component.

  In the vehicle monitoring system according to the present invention, it is preferable that the mutual monitoring means sets own collation information different from the self collation information set when the vehicle start switch was turned off last time when the vehicle start switch was turned off. By doing so, even when the control unit software is rewritten, it can be detected as replacement of the control unit.

  In the vehicle monitoring system according to the present invention, the mutual monitoring means preferably outputs a signal indicating that the control unit has been replaced when it is determined that the control unit has been replaced. By using this signal, it is possible to easily take a countermeasure when the control unit is replaced.

  In the vehicle monitoring system according to the present invention, it is preferable to provide information indicating that the control unit has been replaced when a signal is output from any one of the plurality of control units. By providing this information, the user of the vehicle can easily recognize that the control unit has been replaced.

  In the vehicle monitoring system according to the present invention, the mutual monitoring means preferably stores information indicating the replaced control unit in a nonvolatile memory when it is determined that the control unit has been replaced. Based on the information stored in the nonvolatile memory, the control unit exchanged by a dealer of the vehicle can be easily specified.

  In the vehicle monitoring system according to the present invention, the information stored in the nonvolatile memories of the plurality of control units is used to determine whether there is a replaced control unit, and there is a replaced control unit. It is good also as a structure provided with the diagnostic means which identifies the replaced control unit. By this diagnostic means, the replaced control unit can be easily identified.

  In the vehicle monitoring system according to the present invention, when the vehicle includes an engine as a drive source, the vehicle start switch is an ignition switch.

  The replacement of the control unit that can be detected by the vehicle monitoring system according to the present invention includes rewriting of the software of the control unit in addition to the replacement of the control unit main body.

  According to the present invention, it is possible to detect that the control unit has been replaced without separately adding a dedicated component for detection.

It is a block diagram which shows the structure of the monitoring system for vehicles which concerns on embodiment. It is an example of a countermeasure when an exchange of a control unit is detected in the vehicle monitoring system according to the embodiment, (a) is a case where a warning light is lit, and (b) is a case where starting of the engine is prohibited It is. It is a flowchart which shows the flow of a process at the time of OFF of the ignition switch in each control unit of the monitoring system for vehicles which concerns on embodiment. It is a flowchart which shows the flow of a process at the time of ON of the ignition switch in each control unit of the monitoring system for vehicles which concerns on embodiment.

  DESCRIPTION OF EMBODIMENTS Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the drawings. In the drawings, the same reference numerals are used for the same or corresponding parts. Moreover, in each figure, the same code | symbol is attached | subjected to the same element and the overlapping description is abbreviate | omitted.

  A vehicle monitoring system 1 according to an embodiment will be described with reference to FIG. FIG. 1 is a block diagram illustrating a configuration of a vehicle monitoring system 1 according to the embodiment. In the present embodiment, the vehicle monitoring system 1 is mounted on a vehicle including an engine as a drive source.

  The vehicle monitoring system 1 includes a plurality of control units 10,... And a network 20 to which the plurality of control units 10,. FIG. 1 shows five control units 10A, 10B, 10C, 10D, and 10E as an example. In the vehicle monitoring system 1, mutual monitoring is performed between the plurality of control units 10,. By this mutual monitoring, in the vehicle monitoring system 1, any one of the control units 10,... Is turned off while the ignition switch 30 (corresponding to the vehicle start switch described in the claims) is turned off. Detect whether 10 has been replaced. The replacement of the control unit 10 includes rewriting of software (control program, control data, control map, etc.) of the control unit 10 in addition to replacement of the control unit 10 main body.

  The network 20 is an in-vehicle LAN [Local Area Network] that connects a plurality of control units (nodes) 10. The network 20 is, for example, CAN [Controller Area Network]. Hereinafter, the network 20 will be described as CAN.

  The network (CAN) 20 includes a pair of communication lines (CAN-H) 20a and a communication line (CAN-L) 20b, and transmits a signal with a potential difference between the communication line 20a and the communication line 20b. . In communication using the network 20, communication is performed according to the CAN protocol. In the CAN protocol, a data frame is used when data (information) is transmitted. The data frame includes an SOF [Start Of Frame], an ID [Identifier] (arbitration field), an RTR [Remote Transmission Request], a control field, a data field, a CRC [Cyclic Redundancy Check] field, and an ACK [Acknowledged Field]. Of Frame]. The ID is used for identification of data contents and a transmission node (control unit 10), and is 11 bits in the standard format. The priority of communication arbitration is determined by this ID. The smaller the ID value, the higher the priority. The data field stores transmission data and has a transmission data length of 0 to 8 bytes (0 to 64 bits).

  The ignition switch 30 is a switch for starting the engine of the vehicle. The ignition switch 30 can be switched off (OFF), accessory (ACC), on (ON), and start (START) by the operation of the driver of the vehicle. The ignition switch 30 transmits an ignition signal indicating the state of the switch to a specific control unit 10 (control unit 10A in the example shown in FIG. 1). An ignition signal is transmitted to the control units 10 other than the specific control unit 10 via the network 20. In the following, in particular, when the ignition signal indicates the off state of the ignition switch 30, it is referred to as an ignition off signal, and when the ignition signal indicates the on state of the ignition switch 30, it is referred to as an ignition on signal.

  The control unit 10 is an ECU (Electronic Control Unit) that is mounted on a vehicle and performs various controls of the vehicle. The control unit 10 mounted on the vehicle includes, for example, a large number of controls for engines, transmissions, brakes, steering, airbags, air conditioners, meters, power windows, lights, car navigation, etc. There is a unit.

  Before specifically describing the control unit 10, the self-shut function of the control unit 10 will be described. In the self-shut function, when the ignition-off signal is received, the shutdown process is started and the self-shut relay is kept on to maintain the voltage (power) supply from the power source to the control unit 10, and when the shutdown process is completed, the self-shut relay To turn off the voltage supply from the power source to the control unit 10. In this way, the power supply voltage is supplied to the control unit 10 for a predetermined time even after the ignition switch 30 is turned off. When the ignition on signal is received, a voltage is supplied from the power source to the control unit 10 by turning on the self shut relay.

  The control unit 10 will be specifically described. The control unit 10 includes a microprocessor that performs calculations, a ROM that stores programs for causing the microprocessor to execute each process, and a RAM that stores various data such as calculation results. The control unit 10 includes a communication unit 11 (corresponding to communication means described in claims) and a nonvolatile memory 12.

  In particular, the control unit 10 has a function of monitoring all the other control units 10 connected to the network 20, and a mutual monitoring processing unit 13 (mutual monitoring described in the claims). Equivalent to the means). In the control unit 10, the mutual monitoring processing unit 13 is configured by executing a program stored in the ROM by the microprocessor.

  The communication unit 11 transmits data (information) to the network 20 and receives data (information) from the network 20 according to the CAN protocol of the network 20. The communication unit 11 includes, for example, a CAN controller that performs communication control using a CAN protocol, and a CAN transceiver that performs transmission and reception between the communication lines 20a and 20b.

  The non-volatile memory 12 is a memory capable of holding stored information even when the power supply voltage is not supplied to the control unit 10. The non-volatile memory 12 is, for example, a flash memory or an EEPROM.

  In particular, the non-volatile memory 12 has an area for storing a collation key described below. The collation key area includes a self-collation key area set by the control unit 10 and a collation key area for every other control unit 10 connected to the network 20.

  The non-volatile memory 12 has an area for storing a replacement history of the control unit 10 described below. This exchange history includes, for example, identification information for each of the other control units 10 connected to the network 20 (for example, the above-described data frame ID (transmission node identification information)) and information indicating unexchanged / exchanged (for example, , 0 (not exchanged) / 1 (exchange) information). The replacement history held in the nonvolatile memory 12 can be reset only by a dealer (all control units 10 are set to be not replaced), for example.

  The mutual monitoring processing unit 13 uses collation keys (corresponding to collation information described in claims) set for each control unit 10 for all other control units 10 connected to the network 20. It is a processing unit that detects whether or not the ignition switch 30 has been replaced while the ignition switch 30 is off. The processing of the mutual monitoring processing unit 13 includes processing when an ignition off signal is received (when the ignition switch 30 is turned off) and processing when an ignition on signal is received (when the ignition switch 30 is turned on). There is. The process when the ignition off signal is received is a part of the above-described shutdown process.

  The verification key will be described. The configuration of the collation key may be composed of only numbers, may be composed of only alphabets, or may be composed of a combination of numbers and alphabets, for example. The verification key is composed of a predetermined number of bits (number of bytes), and the greater the number of bits (number of bytes), the higher the security. The collation key may be set randomly using a random number table or the like, or may be set according to a specific rule. The verification key is set every time an ignition-off signal is received. As the collation key, a collation key different from at least the collation key set at the time of receiving the previous ignition off signal is set, and a different collation key may be set every time the ignition off signal is received. The collation key set in an arbitrary control unit 10 may be the same collation key as the collation key set in another control unit 10.

  Processing when an ignition-off signal is received will be described. When the ignition-off signal is received, the mutual monitoring processing unit 13 sets a self-matching key that is different from at least the self-matching key set when the ignition-off signal was previously received. The mutual monitoring processing unit 13 causes the communication unit 11 to transmit the set own collation key via the network 20. The transmitted self-verification key is received by all other control units 10. Further, the mutual monitoring processing unit 13 stores the set own collation key in a predetermined area of the nonvolatile memory 12. At this time, the self-matching key stored in the predetermined area of the nonvolatile memory 12 when the ignition-off signal is received last time is rewritten, and the self-matching key stored in the nonvolatile memory 12 is updated. The self-matching key stored in the nonvolatile memory 12 is retained even when the ignition switch 30 is turned off (when the power supply voltage is not supplied).

  When the communication unit 11 receives the verification key transmitted from each of the other control units 10, the mutual monitoring processing unit 13 stores the verification key for each of the other control units 10 in a predetermined area of the nonvolatile memory 12. At this time, each other control unit 10 stored in the non-volatile memory 12 is rewritten with the collation key for each other control unit 10 stored in the predetermined area of the non-volatile memory 12 when the ignition-off signal is received last time. Will be updated. The collation key for each other control unit 10 stored in the nonvolatile memory 12 is retained even when the ignition switch 30 is turned off.

  Processing when an ignition-on signal is received will be described. When the ignition on signal is received, the mutual monitoring processing unit 13 receives its own collation key and other control unit 10 stored when the ignition off signal of the previous trip (from the previous ignition switch 30 on (start) to off) is received. Each verification key is read from the nonvolatile memory 12. The mutual monitoring processing unit 13 causes the communication unit 11 to transmit the read self-matching key via the network 20. The transmitted self-verification key is received by all other control units 10.

  When the communication unit 11 receives the verification key transmitted from each of the other control units 10, the mutual monitoring processing unit 13 reads the verification key of the other control unit 10 read from the nonvolatile memory 12 for each of the other control units 10. In other words, it is determined whether or not the collation key received at the time of receiving the previous trip ignition off signal matches the collation key of the other control unit 10 received this time. If the collation keys match, the mutual monitoring processing unit 13 determines that the other control unit 10 with the matching key is not exchanged. If the verification keys do not match, the mutual monitoring processing unit 13 determines that another control unit 10 whose verification key does not match has been replaced. In this case, the mutual monitoring processing unit 13 causes the communication unit 11 to transmit a warning signal indicating that the other control unit 10 has been exchanged via the network 20, and confirms the exchange history of the non-volatile memory 12 with one verification key. The information is rewritten to indicate that another control unit 10 that has not been replaced has been replaced. This transmitted warning signal is received by another control unit 10.

  For example, in the example shown in FIG. 1, when the control unit 10E is replaced while the ignition switch 30 is off (when the engine of the vehicle is stopped), when the ignition switch 30 is turned on, the nonvolatile memory of the control unit 10E after the replacement is replaced. 12 does not store the normal self-matching key updated when the ignition-off signal of the previous trip is received and the matching key for each other control unit 10. In this case, in the control unit E after replacement, all the verification keys of the other control units 10A to 10D do not match, and in the control units 10A to 10D, the verification key of only the control unit E does not match. Further, when the software of the control unit 10E is rewritten while the ignition switch 30 is turned off, the voltage is supplied to the control unit 10E during the rewriting of the software, so that the processing in the mutual monitoring processing unit 13 is performed. Is executed. As a result, the own collation key stored in the non-volatile memory 12 of the control unit 10E and the collation key for each other control unit 10 are updated. Therefore, when the ignition switch 30 is turned on, the non-volatile memory 12 The normal self verification key updated when the ignition off signal of the previous trip is received and the verification key for each other control unit 10 are not stored. Also in this case, in the control unit E after software rewriting, the collation keys of all the other control units 10A to 10D do not match, and in the control units 10A to 10D, the collation keys of only the control unit E do not match.

  Therefore, after the replacement, the control unit 10E (including the case where the software is rewritten) determines that all the other control units 10A to 10D have been replaced, outputs a warning signal, and replaces the non-volatile memory 12. Is rewritten to information indicating that all other control units 10A to 10D have been replaced. On the other hand, in the control units 10A to 10D that have not been replaced, it is determined that only the control unit 10E has been replaced, a warning signal is output, and the replacement history of the nonvolatile memory 12 indicates that only the control unit 10E has been replaced. Rewrite to Therefore, warning signals are output from all the control units 10A to 10E, and information indicating that all other control units 10A to 10D have been replaced is left in the replacement history of the nonvolatile memory 12 of the control unit 10E. Information indicating that only the control unit 10E has been replaced is left in the replacement history of each nonvolatile memory 12 of the control units 10A to 10D.

  For example, when the control unit 10E is removed while the ignition switch 30 is off, the verification key from the control unit 10E is not transmitted to the control units 10A to 10D when the ignition on signal is received. Therefore, the control units 10A to 10D cannot perform normal verification using the verification key for the control unit E, and the verification key does not match. Also in this case, the control units 10A to 10D determine that the control unit 10E has been replaced, output a warning signal, and rewrite the replacement history of the nonvolatile memory 12 with information indicating that only the control unit 10E has been replaced. Thus, even when any control unit 10 is removed, it can be detected, and information indicating the removed control unit 10 can be left in the replacement history of the nonvolatile memory 12.

  With reference to FIG. 2, an example of countermeasures when a warning signal is output from the control unit 10 will be described. FIGS. 2A and 2B are examples of countermeasures when the replacement of the control unit 10 is detected in the vehicle monitoring system 1 according to the embodiment. FIG. 2A shows a case where a warning light is lit, and FIG. This is a case where the starting of the is prohibited. FIG. 2 shows five control units 10A, 10B, 10C, 10D, and 10E as an example.

  For example, in the meter control unit 10, when a warning signal is output from at least one of the plurality of control units 10 connected to the network 20 (the warning signal is received via the network 20). When the meter control unit 10 itself outputs a warning signal, a warning light (for example, a warning light indicating an abnormality of the control unit 10) is turned on as shown in FIG. For example, the user of the vehicle brings the vehicle into a dealer or a repair shop by turning on the warning light. Other information indicating that the control unit 10 has been replaced may be provided in addition to the lighting of the warning light. For example, in the control unit 10 for car navigation, information indicating that the control unit has been replaced. May be displayed on the display, or a sound indicating that the control unit has been replaced may be output from the speaker.

  For example, in the engine control unit 10, when a warning signal is output from at least one of the plurality of control units 10 connected to the network 20, as shown in FIG. Prohibit starting. Thereby, traveling of the vehicle is prohibited. In addition to the prohibition of starting the engine, the control of each device may be prohibited. For example, control of each device is prohibited in the control unit 10 that is important for traveling of the vehicle such as transmission, brake, and steering. You may do it. Such prohibition is preferably performed only when the exchange of the control unit 10 that is important with respect to the traveling of the vehicle is detected.

  An example of a method for using the replacement history remaining in the nonvolatile memory 12 of each control unit 10 will be described. Here, a case where it is used by a dealer of a vehicle will be described. In the dealer, for example, a diagnostic tool is used. In this embodiment, this diagnostic tool corresponds to the diagnostic means described in the claims.

  In the diagnostic tool, data (particularly, replacement history) stored in the nonvolatile memory 12 of each control unit 10 is read, and whether or not there is a control unit 10 replaced using the replacement history of each control unit 10. Judgment is made, and if there is an exchanged control unit 10, the exchanged control unit 10 is specified. For example, when the control unit 10E is replaced in the example shown in FIG. 1, information indicating that only the control unit 10E has been replaced is left in the replacement history of each nonvolatile memory 12 of the control units 10A to 10D. Information indicating that all other control units 10A to 10D have been replaced remains in the replacement history of the nonvolatile memory 12 of the unit 10E. In this case, the diagnostic tool determines that there is a replaced control unit 10. Furthermore, since the diagnostic tool indicates that the four control units 10A to 10D among the five control units 10A to 10E have been replaced, it is specified that the control unit 10E has been replaced by majority vote. Alternatively, in the diagnostic tool, since only the control unit 10E indicates that all the other control units 10A to 10D have been replaced, it is specified that the control unit 10E has been replaced. The dealer operator sees the replacement history read from the non-volatile memory 12 of each control unit 10 to determine whether there is a replaced control unit 10 or to specify the replaced control unit 10. May be performed.

  Incidentally, when a plurality of control units 10 are replaced, information indicating that all other control units 10 have been replaced is left in the replacement history of the nonvolatile memory 12 of the replaced plurality of control units 10, Information indicating that a plurality of exchanged control units 10 have been exchanged remains in the exchange history of the nonvolatile memory 12 of the control unit 10 that has not been exchanged. Also in this case, a plurality of exchange units 10 that have been exchanged can be identified by comparing the exchange histories of the respective control units 10.

  Even when an arbitrary control unit 10 is properly replaced by a dealer, if the ignition switch 30 is turned on after the replacement, the replacement history of the non-volatile memory 12 of the control unit 10 that has been replaced regularly Information indicating that the control unit 10 has been replaced remains, and information indicating that the control unit 10 that has been normally replaced has been replaced remains in the replacement history of the nonvolatile memory 12 of the control unit 10 that has not been replaced. End up. Therefore, after the replacement history of the nonvolatile memory 12 of all the control units 10 is reset in the dealer, the vehicle is returned from the dealer to the user.

  With reference to FIG. 1, the flow of processing in each control unit 10 of the vehicle monitoring system 1 will be described. In particular, the flow of processing in each control unit 10 when the ignition switch 30 is turned off will be described with reference to FIG. 3, and the flow of processing in each control unit 10 when the ignition switch 30 is turned on is shown in FIG. It explains along. FIG. 3 is a flowchart showing a flow of processing when the ignition switch 30 is turned off in each control unit 10 of the vehicle monitoring system 1 according to the embodiment. FIG. 4 is a flowchart showing a flow of processing when the ignition switch 30 is turned on in each control unit 10 of the vehicle monitoring system 1 according to the embodiment.

  Each control unit 10 determines whether or not an ignition-off signal has been received (step S10). If it is determined in step S10 that the ignition off signal has not been received, each control unit 10 performs the determination in step S10 again after a predetermined time.

  If it is determined in step S10 that an ignition off signal has been received (ignition switch 30 is turned off), each control unit 10 sets its own collation key (step S12). Each control unit 10 transmits its own verification key to the other control unit 10 via the network (CAN) 20 (step S14). Each control unit 10 stores its own verification key in the nonvolatile memory 12 (step S16).

  Each control unit 10 receives the verification key transmitted from each other control unit 10 via the network 20 (step S18). And in each control unit 10, the collation key for every other control unit 10 is memorize | stored in the non-volatile memory 12 (step S20). With the processing so far, the processing when the ignition-off signal is received is completed. Even when the ignition switch 30 is off (even when the power supply voltage is not supplied to the control unit 10), the non-volatile memory 12 of each control unit 10 has its own verification key of each control unit 10 and verification for each other control unit 10. The key is held.

  When the ignition on signal is received (when the ignition switch 30 is turned on), each control unit 10 stores the own collation key stored at the time of receiving the previous trip ignition off signal and the collation key for each other control unit 10 in a nonvolatile manner. Read from the memory 12 (step S30). Each control unit 10 transmits its own collation key read to the other control unit 10 via the network 20 (step S32).

  Each control unit 10 receives the collation key transmitted from each other control unit 10 via the network 20 (step S34). Then, each control unit 10 determines whether or not the other verification unit 10 matches the verification key stored at the time of receiving the ignition off signal of the previous trip and the verification key received this time (step S36). If it is determined in step S36 that they do not match, each control unit 10 outputs a warning signal (step S38), and the control unit 10 whose matching key does not match the replacement history of the nonvolatile memory 12 is replaced. It is rewritten to information indicating that (step S40).

  When it is determined in step S36 that they match or when the process of step S40 is completed, each control unit 10 determines whether or not collation has been completed for all other control units 10 (step S42). If it is determined in step S <b> 42 that the process has not been completed, each control unit 10 performs collation in step S <b> 36 for the next other control unit 10. On the other hand, if it is determined in step S42 that the process has ended, each control unit 10 ends the process when the ignition-on signal is received.

  According to the vehicle monitoring system 1 according to the embodiment, between all the control units 10 that use the CAN communication unit 11 and the nonvolatile memory 12 that are generally mounted on the control unit 10 and are connected to the network 20. By mutual monitoring, it is possible to reliably detect that the control unit 10 has been replaced without adding a separate dedicated detection component. In this way, no special parts (hardware) are required, so the cost and weight do not increase. Further, since the verification key received when the ignition switch 30 is turned off and on is checked, the processing load is low and the processing time can be shortened. Further, since it is possible to detect that various control units 10 have been exchanged in the same manner, the expandability is high. Moreover, since the mutual monitoring is performed between the plurality of control units 10, the monitoring performance is high. In the vehicle monitoring system 1 according to this embodiment, it is possible to detect even when the control unit 10 is removed.

  According to the vehicle monitoring system 1 according to the embodiment, since the collation key different from the self collation key set when the ignition switch 30 was turned off last time is set as the self collation key, the software of the control unit 10 can be rewritten. Even if it is performed, it can be detected as replacement of the control unit 10.

  According to the vehicle monitoring system 1 according to the embodiment, when it is determined that the control unit 10 has been replaced, a warning signal indicating that the control unit 10 has been replaced is output. Therefore, by using this warning signal, the control unit 10 is replaced. Can be handled easily. In particular, according to the vehicle monitoring system 1 according to the embodiment, when any one of the control units 10 outputs a warning signal, information indicating that the control unit 10 has been replaced is provided (for example, a warning light is turned on). Thus, the user of the vehicle can easily recognize that the control unit 10 has been replaced. In addition, according to the vehicle monitoring system 1 according to the embodiment, when any one of the control units 10 outputs a warning signal, the start of the vehicle can be prohibited. In particular, since detection can be performed immediately after the ignition switch 30 is turned on, traveling of the vehicle in which the control unit 10 has been illegally replaced can be prohibited, and safety can be improved.

  According to the vehicle monitoring system 1 according to the embodiment, when it is determined that the control unit 10 has been replaced, the replacement history of the non-volatile memory 12 is rewritten with information indicating the replaced control unit 10, so that the vehicle dealer diagnosis is performed. Control units exchanged with tools can be easily identified. In particular, the control unit 10 that has not been replaced leaves a replacement history indicating that only the replaced control unit 10 has been replaced, and the replaced control unit 10 indicates that all other control units 10 have been replaced. Since the exchange history is left, the exchanged control unit can be specified by majority vote or the like. By replacing the identified control unit that has been identified with the regular control unit 10, it is possible to prevent the safety, durability, fuel consumption, and the like from being deteriorated due to the illegally replaced control unit.

  Even when an accident or malfunction caused by unauthorized replacement of the control unit 10 occurs and returned to the regular control unit 10, the replacement history remains in the nonvolatile memory 12 of another control unit 10 that has not been replaced. Therefore, it can be proved that the control unit 10 has been illegally exchanged.

  As mentioned above, although embodiment of this invention was described, this invention is not limited to the said embodiment, A various deformation | transformation is possible. For example, in the above embodiment, CAN is applied as the network 20, but other than CAN can be applied as the network 20, and can be applied to, for example, LIN [Local Interconnect Network], FlexRay, etc., and different communication protocols. The present invention is also applicable to a network in which a plurality of networks are connected via a gateway or the like.

  In the above-described embodiment, a warning signal is output when it is detected that the control unit 10 has been replaced. However, information indicating the replaced control unit 10 is not stored in the nonvolatile memory 12 without outputting the warning signal. You may just memorize it.

  In the above embodiment, the mutual monitoring processing unit 13 is provided in all the control units 10 connected to the network 20 and the mutual monitoring is performed between all the control units 10. Only the control unit 10 (for example, an important control unit for an engine or the like) may include the mutual monitoring processing unit 13 and perform mutual monitoring between some control units 10.

  In the above embodiment, the ignition switch 30 is applied as a vehicle start switch in a vehicle including an engine as a drive source. However, other switches can be applied as the vehicle start switch, for example, an electric vehicle including an electric motor as a drive source. In some cases, a power switch is applied. In the case of an electric vehicle including an electric motor as a drive source, a control unit 10 for the electric motor is provided instead of the engine control unit, and in the case of a hybrid car including the electric motor and the engine as a drive source. Engine, electric motor, and hybrid control units 10 are provided.

1 vehicle monitoring system 10 (10A, 10B, 10C, 10D, 10E) control unit 11 communication unit (communication means)
12 Non-volatile memory 13 Mutual monitoring processing unit (mutual monitoring means)
20 Network 30 Ignition switch (vehicle start switch)

Claims (7)

A vehicle monitoring system for monitoring a plurality of control units mounted on a vehicle and connected to a network,
Each of the plurality of control units is
Communication means for transmitting and receiving information via the network;
Non-volatile memory;
Mutual monitoring means;
With
The mutual monitoring means of each of the plurality of control units includes:
When the vehicle start switch is turned off, the self collation information is set, and the set self collation information is stored in the non-volatile memory, transmitted to the other control unit by the communication means, and received by the communication means. Storing other verification information for each control unit in the nonvolatile memory;
When the vehicle start switch is turned on, the collation information stored when the vehicle start switch is off and the collation information for each other control unit are read from the nonvolatile memory, and the read collation information is read The communication means transmits to the other control unit, and for each other control unit, the verification information of the other control unit received by the communication means and the read verification information of the other control unit are A vehicle monitoring system, wherein it is determined whether or not they match, and when it is determined that they do not match, it is determined that a control unit whose matching information does not match has been replaced.   The said mutual monitoring means sets the said collation information different from the self collation information set when the said vehicle start switch was turned off last time at the time of the said vehicle start switch being turned off. Vehicle monitoring system.   The vehicle monitoring system according to claim 1, wherein the mutual monitoring unit outputs a signal indicating that the control unit has been replaced when it is determined that the control unit has been replaced.   4. The vehicle monitoring system according to claim 3, wherein when the signal is output from any one of the plurality of control units, information indicating that the control unit has been replaced is provided. .   The said mutual monitoring means memorize | stores the information which shows the said replaced control unit in the said non-volatile memory, when it determines with the said control unit having been replaced | exchanged. The vehicle monitoring system according to item.   Using information stored in each of the non-volatile memories of the plurality of control units, it is determined whether there is an exchanged control unit. If there is an exchanged control unit, the exchanged control unit is The vehicle monitoring system according to claim 5, further comprising a diagnosis unit that identifies the vehicle. The vehicle includes an engine as a drive source,
The vehicle monitoring system according to any one of claims 1 to 6, wherein the vehicle start switch is an ignition switch.

Images