JP5751103B2 - Battery maintenance system and battery maintenance method - Google Patents

Description

  The present invention relates to a battery maintenance system and a battery maintenance method for maintaining a battery.

  In recent years, smart grids have attracted attention. Smart grid is a power supply system that is built to adjust the balance between supply and demand in real time by combining distributed power supply and centralized power supply from electric power company, thereby providing efficient power supply. is there. The distributed power source includes a power storage device in addition to a power generation device that uses renewable energy such as solar power generation and wind power generation.

  The power storage device as described above includes a computer system in order to function as a distributed power source, and can control charging / discharging of a battery as a secondary battery according to, for example, the supply and demand of power. As one of such power storage devices, a smart battery configuration that reports battery parameters such as a battery identification parameter, a charging parameter, a battery voltage, and a battery current to an external device including a power management system is known. (For example, refer to Patent Document 1).

Japanese National Patent Publication No. 10-509857

  Batteries as distributed power sources are expected to become widespread. When such a battery becomes widespread and is installed in many houses and corporate facilities, it is required to perform maintenance (maintenance) of these many batteries efficiently.

  However, the smart battery described in Patent Document 1 is a configuration for realizing control related to charging / discharging of the battery. For example, how to perform battery maintenance in a long-term use process. Is not considered. For this reason, it is impossible for the technology described in Patent Document 1 to perform maintenance while effectively avoiding unauthorized use of non-genuine batteries.

  SUMMARY OF THE INVENTION An object of the present invention is to provide a battery maintenance system capable of performing appropriate maintenance while avoiding unauthorized use of a battery as a secondary battery.

  The present invention has been made to solve the above-described problems, and a battery maintenance system according to an aspect of the present invention includes a server, a terminal device, and a plurality of battery units including one or more cell packages including battery cells. The server needs to be replaced with a cell replacement necessity determination unit that determines whether or not replacement is required for each cell package based on cell package management information including information indicating a predetermined state of the cell package. A battery replacement information generating unit that generates battery replacement information having predetermined information content related to the determined cell package; transmitting the battery replacement information and password to the terminal device; and the battery replacement encrypted with the password. A transmission control unit that executes at least transmission of information to the battery unit. The terminal device includes a password transmission control unit that causes the received password to be transmitted to a battery unit that is a cell package replacement work target indicated in the received battery replacement information, and the battery unit received from the server A decryption unit that decrypts the encrypted battery exchange information with the password received from the terminal device; and when the decryption of the battery exchange information is normally executed, the battery package included in the battery unit is exchanged. A replacement permission / prohibition setting section to permit.

  A battery maintenance method according to an aspect of the present invention is a battery maintenance method in a battery maintenance system including a server, a terminal device, and a plurality of battery units each including one or more cell packages including battery cells. A cell replacement necessity determination step for determining whether or not replacement is required for each cell package based on cell package management information including information indicating a predetermined state of the cell package, and a cell determined to be replaced A battery replacement information generating step for generating battery replacement information having a predetermined information content related to the package; transmission of the battery replacement information and password to the terminal device; and the battery of the battery replacement information encrypted by the password At least send to the unit Communication terminal, and the terminal device includes a password transmission control step for transmitting the received password to a battery unit that is a cell package replacement work target indicated in the received battery replacement information. The decryption step of decrypting the encrypted battery exchange information received from the server with the password received from the terminal device, and when the battery exchange information is successfully decrypted, the battery unit A replacement enable / disable setting step for permitting replacement of the cell package.

  According to the present invention, it is possible to avoid the use of an unauthorized battery in the battery maintenance system, and it is possible to appropriately maintain the battery.

It is a figure which shows the example of whole structure of the battery unit maintenance system of embodiment of this invention. It is a figure which shows typically the example of a management mode of the cell package by the battery management apparatus in the battery unit of this embodiment. It is a figure which shows the operation example of each apparatus at the time of replacement | exchange of the cell package in the battery unit maintenance system of this embodiment. It is a figure which shows the structural example of the battery management apparatus in this embodiment. It is a figure which shows the structural example of the cell package in this embodiment. It is a figure which shows the structural example of the management server in this embodiment. It is a figure which shows the structural example of the portable terminal device in this embodiment. It is a figure which shows the function structural example of the battery management apparatus in this embodiment. It is a figure which shows the structural example of the cell package management table in this embodiment. It is a figure which shows the function structural example of the cell management apparatus in this embodiment. It is a figure which shows the function structural example of the management server in this embodiment. It is a figure which shows the structural example of the battery unit management table in this embodiment. It is a figure which shows the structural example of the portable terminal device management table in this embodiment, and battery exchange information. It is a figure which shows the function structural example of the portable terminal device in this embodiment. It is a sequence diagram which shows the example of a process sequence which each apparatus of the battery maintenance system of this embodiment performs corresponding to replacement | exchange of a cell package. It is a figure which shows the example of an authentication procedure of the exchange operator and owner as other embodiment (1st example) of this invention. In other embodiment (1st example) of this invention, it is a sequence diagram which shows the example of a process sequence which each apparatus of a battery maintenance system performs corresponding to cell package replacement | exchange. It is a figure which shows the example of an authentication procedure of the exchange operator and owner as other embodiment (2nd example) of this invention. In other embodiment (2nd example and 3rd example) of this invention, it is a sequence diagram which shows the example of the process sequence which each apparatus of a battery maintenance system performs corresponding to cell package replacement | exchange. It is a figure which shows the example of an authentication procedure of the exchange operator and owner as other embodiment (3rd example) of this invention. It is a figure which shows the example of an authentication procedure of the exchange operator and owner as other embodiment (4th example) of this invention. In other embodiment (4th example) of this invention, it is a sequence diagram which shows the process sequence example which each apparatus of a battery maintenance system performs corresponding to cell package replacement | exchange.

[Example of overall configuration of battery unit maintenance system]
FIG. 1 shows an operation example of the battery unit maintenance system in the present embodiment. The battery unit maintenance system of this embodiment includes a plurality of battery units 100 and a management server 600. In the present embodiment, it is assumed that each of the battery units 100 and the management server 600 can communicate with each other via a predetermined communication network such as a network.

  The battery unit 100 has a function of supplying power to a predetermined load by storing power by charging and discharging the stored power as necessary. The battery unit 100 of the present embodiment is assumed to be used as a power storage device that is a type of distributed power source in a smart grid.

  FIG. 2 schematically shows a device configuration inside the battery unit 100. As shown in the figure, the battery unit 100 includes a battery management device 200 and a plurality of cell packages 300. The battery management device 200 controls various operations such as charging / discharging of the cell package 300.

  Although not shown here, the cell package 300 includes a battery as a secondary battery called a cell. In addition, a cell management apparatus 400 that manages the cell is provided. The number of cell packages 300 varies depending on, for example, the use of the battery unit 100. When these cell packages 300 are connected in series, for example, a capacity necessary for the battery unit 100 is ensured. In such a configuration of the battery unit 100, the battery management device 200 is a higher-level information processing device, and the cell package 300 is a lower-level information processing device.

  Returning to FIG. The battery unit 100 is provided in vehicles and various facilities without being limited to a specific industrial field. For example, as illustrated, the battery unit 100 provided in the electric vehicle 1 functions as a battery that drives the electric vehicle 1. Moreover, the battery unit 100 provided in the housing facility 2 or the corporate facility 3 functions as an uninterruptible power supply, for example. In addition, these battery units 100 store electricity during a time period when the amount of power used is small in a smart grid environment, and perform discharge for supplying power to an electric power company as necessary.

  The management server 600 collectively manages the battery units 100 installed in various places as described above. As one of the management functions, the management server 600 can execute processing for updating a key used by each battery unit 100 for mutual authentication.

  In the configuration shown in FIG. 1, for example, a configuration in which a plurality of battery units 100 are provided in parallel in one residential facility 2 or corporate facility 3 can be considered.

[Operation example of information processing system]
The performance of the cell package 300 included in the battery unit 100 deteriorates as charging and discharging are repeated. However, the degree of deterioration between the cell packages 300 also varies due to variations in the cell packages 300, for example. The product as the battery unit 100 is expensive. For this reason, for example, although the small number of cell packages 300 in the battery unit 100 are deteriorated, the operation of replacing the battery unit 100 itself is not preferable from the viewpoint of cost.

  Therefore, in the battery unit maintenance system of the present embodiment, the operation for monitoring the deterioration of each cell package 300 in the battery unit 100 and exchanging only the cell package 300 for which the degree of deterioration is determined to be a certain level or more is performed.

  When replacing the cell package 300, the replacement operator 5 shown in FIG. 1 goes to the installation position of the battery unit 100. Then, as shown in the figure, the replacement operator 5 takes out and collects the cell package 300 to be replaced from the battery unit 100, and newly loads the cell package 300 prepared for replacement.

  In the operation in the present embodiment, it is assumed that when the cell package 300 is replaced, it may be replaced with a new one, but the cell package 300 used in another battery unit 100 may be reused. ing. Even in the same cell package 300, the required performance may be different depending on the application. In other words, the cell package 300 is required to have very high performance in some applications, but in other applications, the cell package 300 can be used sufficiently if the performance does not decrease to a certain level or less. Can be assumed.

  Therefore, in the present embodiment, the cell packages 300 removed as being unusable in a certain battery unit 100 are not discarded uniformly, but are reused for reusable ones. In other words, if the cell package 300 removed from a certain battery unit 100 still satisfies the performance required for the other battery unit 100, the cell package 300 is reused when the cell package 300 is replaced in the other battery unit 100. To do. Thus, the cost can be further reduced by reusing the cell package 300. Such reuse is also desirable from an environmental point of view.

  In the present embodiment, it is assumed that the battery unit 100 is provided by various business operators (manufacturers). Specifically, in the case of the battery unit 100 of the electric vehicle 1, it is assumed that the operator B such as an electric component of the vehicle provides and performs a replacement service for the cell package 300. In addition, in the case of the battery unit 100 of the housing facility 2 or the enterprise facility 3, it is assumed that operators C and D such as a housing sales company and a construction company also enter and sell or replace the cell package 300. . In addition, the management server 600 is operated by another business operator A that collectively manages the business operators B, C, and D that provide the battery unit 100. Note that there may be a case where the business operator A that operates the management server 600 and one of the business operators that provide the battery unit 100 overlap.

[Overview of prevention of unauthorized use of cell package in battery unit maintenance system]
In order to operate the battery unit maintenance system as described above, the battery unit 100 is configured so that the cell package 300 can be replaced by human work. In this case, there is a possibility that an inexpensive cell package that is not a regular product will be on the market, and the user may purchase this cell package and replace it without permission.

  As described above, the cell package which is not a regular product cannot guarantee the reliability and safety of the product. For this reason, it is necessary to prevent the battery unit from operating when the cell package is replaced with a non-genuine cell package. In other words, it is necessary to prevent unauthorized use of cell packages that are not genuine.

  Therefore, in this embodiment, unauthorized use of a non-genuine battery is prevented from two aspects. First, one aspect is that mutual authentication is performed between the battery management device 200 and each cell package 300 in the battery unit 100.

  The mutual authentication will be described again with reference to FIG. In performing mutual authentication between the battery management apparatus 200 and the cell package 300, it is necessary to first check whether or not the battery unit 100 that controls the cell package 300 is genuine. . For this purpose, mutual authentication is performed between the general management server 600 and the battery management device 200 of the battery unit 100 (step S1). This mutual authentication is performed, for example, when the battery unit 100 is installed. Further, even after installation, for example, it may be performed when the battery unit is restarted or at a certain timing.

  If the mutual authentication is established, the integrated management server 600 recognizes that the battery unit 100 is authentic. On the other hand, if the mutual authentication is not established, the integrated management server 600 recognizes that the battery unit is not legitimate, and rejects even if access is made from this battery unit, for example.

  In the present embodiment, the parent key Kp is stored in the battery management device 200, and the child key Kc paired with the parent key is stored in the cell management device 400 in each of the cell packages 300. Then, each of the battery management device 200 and the cell management device 400 of the cell package 300 executes a mutual authentication process using, for example, a key exchange method using the parent key Kp and the child key Kc (step S2). This mutual authentication process is always executed when the cell package 300 is exchanged in the battery unit 100. Further, for example, it is executed when the battery unit 100 is installed. In addition, it is also executed when the battery unit 100 is restarted after the battery unit 100 is installed.

  When mutual authentication between the battery management device 200 and the cell package 300 is established, the battery management device 200 recognizes the cell package 300 as a genuine product, and manages the cell package 300. On the other hand, when the mutual authentication between the battery management device 200 and the cell package 300 is not established, the battery management device 200 recognizes that the cell package 300 is not a genuine product. In this case, the battery management apparatus 200 is controlled so that the cell package 300 is not operated so that it cannot be used. In the present embodiment, the battery management device 200 and the cell package 300 perform mutual authentication in this manner, thereby preventing the use of the cell package 300 that is not a regular product.

  Further, after mutual authentication between the battery management apparatus 200 and the cell package 300 is established as described above, the battery management apparatus 200 acquires cell package information from each of the cell packages 300 at a predetermined timing (step S3). . Specifically, the cell package information includes a cell identifier that uniquely identifies the corresponding cell package 300 and information indicating a predetermined state of a battery (secondary battery) included in the cell package 300. The battery management apparatus 200 constructs a cell package management table for managing the cell package 300 using the battery information acquired from each of the subordinate cell packages 300.

  As described above, the pair key of the parent key Kp and the child key Kc is used for mutual authentication between the battery management device 200 and the cell package 300. However, since the child key Kc is stored in the cell package 300 installed on the user side, it can be said that the child key Kc is easily leaked to a malicious user or the like. For this reason, if the child key Kc remains fixed, there is a possibility that a malicious operator decrypts the child key Kc to manufacture a non-genuine cell package storing the same child key Kc. Will arise.

  Therefore, in the present embodiment, the parent key Kp and the child key Kc are updated at a predetermined opportunity. For this purpose, first, the master key data for update is generated in the general management server 600, and the master key data for update is transmitted to the battery management device 200. The battery management apparatus 200 updates the parent key Kp using the received update parent key data (step S4). If the update of the parent key Kp is not established, the general management server 600 can detect the abnormality.

  Then, the battery management apparatus 200 executes a process for updating the child key Kc of the lower cell package 300 using the update of the parent key Kp as a trigger (step S5). That is, the battery management apparatus 200 generates update slave key data and transfers it to the cell package 300. The cell package 300 updates the child key Kc using the received update child key data. If the update of the child key Kc is not established, the battery management device 200 can detect the abnormality.

  In this way, by updating the child key Kc of the cell package 300 at a predetermined timing, it is possible to improve security compared to the case where the child key Kc is fixed. The timing for updating the child key Kc may be performed, for example, at regular intervals. In addition to this, if it is determined that there is a possibility that the data of the parent key Kp and the child key Kc has been leaked for some reason, the security can be further improved.

  Further, as described above, in the battery unit 100 of the present embodiment, the cell package 300 is replaced (step S6). Even when the cell package 300 is exchanged in this way, the battery management device 200 updates the child key Kc (step S7).

  In the present embodiment, the child key Kc of the cell package 300 prepared for exchange is reset to a predetermined initial value. The initial value of the child key Kc is set to a value that allows authentication to be established by mutual authentication processing regardless of what value the parent key Kp is updated to. As a result, after the cell package 300 is replaced, the battery management apparatus 200 can be recognized as a genuine product and normal operation can be guaranteed.

  However, if the child key Kc is left as the initial value, there is a high possibility that the initial value is specified by a malicious user. Therefore, immediately after the replacement of the cell package 300, the battery management apparatus 200 executes the update of the child key Kc for the cell package 300 newly loaded by the replacement according to the following procedure. That is, the battery management apparatus 200 and the newly loaded cell package 300 execute the mutual authentication process as step S2 using the parent key Kp and the initial value child key Kc, respectively. If the mutual authentication is established, the battery management apparatus 200 updates the initial value child key Kc by the processing in step S7. In this way, by updating the child key Kc according to the exchange of the cell package 300, the vulnerability that the child key Kc remains at the initial value is avoided, and security is enhanced.

  Another aspect for preventing unauthorized use of the cell package 300 is to prevent the cell package 300 from being replaced by anyone other than a regular trader replacement worker 5. For example, when the battery can be replaced even by the owner of the battery unit 100, even if the user does not intend to cheat, there is a possibility that a cell package that is not a genuine product is loaded due to some mistake. In addition, in the case of the scale of the battery unit 100 of the present embodiment, it is dangerous for a user who is poor in technology and knowledge to perform the replacement work. Therefore, if only the authorized supplier can replace the cell package 300, unauthorized use of the cell package can be prevented more securely, and further safety measures can be taken.

  With reference to FIG. 3, an outline of a mechanism for enabling replacement of the cell package 300 only by an authorized trader will be described. This figure shows a management server 600 and one battery unit 100 to be replaced. Furthermore, a mobile terminal device 700 is shown. The exchange operator 5 belongs to a regular business operator who undertakes the exchange work of the cell package 300. The portable terminal device 700 is a device that this authorized replacement worker 5 possesses for replacement work. The portable terminal device 700 can communicate with the management server 600 from the gateway of the wireless communication network via the network.

  Cell package management information is transmitted from the battery unit 100 to the management server 600 (step S11). The management server 600 determines whether or not replacement is required for each cell package 300 based on the received cell package management information (step S12).

  When determining that at least one cell package 300 should be replaced, the management server 600 generates a one-time password (OTP) and battery replacement information (step S13). The one-time password can be generated using a random number, for example. Further, the battery replacement information includes predetermined information related to the cell package to be replaced. Further, the battery replacement information includes information necessary for the replacement work by the replacement worker 5. As an example, the model number of the battery unit 100 to be replaced, the installation position of the battery unit 100, the loading position (for example, the loading position number) of the cell package 300 to be replaced in the battery unit 100, owner information (for example, the owner's information) Name, address, telephone number, etc.).

  Then, the management server 600 transmits the one-time password and battery replacement information generated in step S13 to the mobile terminal device 700 (step S14). The mobile terminal device 700 stores the received one-time password and battery replacement information.

  In addition, the management server 600 encrypts the battery replacement information generated in step S13 with the one-time password, and transmits the encrypted information to the battery unit 100 to be replaced (step S15).

  The replacement worker 5 causes the display unit 706 to display the content of the received battery replacement information by a predetermined operation on the mobile terminal device 700. The replacement operator 5 can determine the model of the battery unit 100 to be replaced and the type of the cell package 300 to be prepared for replacement from the model number displayed as the battery replacement information. Further, it is possible to know the place where the replacement battery unit 100 is installed from the displayed installation position. In addition, information such as the name and contact information of the owner of the battery unit 100 to be replaced can be obtained from the displayed owner information.

  Therefore, for example, the replacement worker 5 makes an appointment with the owner, and then carries the portable terminal device 700 to the place where the battery unit 100 to be replaced is installed. Then, the exchange operator 5 transmits the one-time password stored in the portable terminal device 700 to the battery unit 100 to be exchanged and executes the authentication process by a predetermined operation on the portable terminal device 700 (step S16).

  The battery unit 100 sets a prohibition on whether or not the internal cell package 300 can be replaced in a normal state. Suppose that the cell package 300 is replaced in a state where prohibition of replacement is set. Then, the battery unit 100 that has detected this is configured to stop its operation if an error occurs unconditionally regardless of whether or not the replaced cell package is a genuine product.

  However, if the prohibition of replacement is set as described above, the cell package 300 cannot be replaced even by a regular replacement operator 5. Therefore, when the authentication in step S16 is established, the battery unit 100 cancels the replacement prohibition and sets replacement permission (step S17). Thereby, even if the battery unit 100 detects the replacement of the cell package 300, the battery unit 100 operates normally without treating this as an error.

  Then, the replacement operator 5 performs the replacement work of the cell package 300 in a state where the replacement permission is set as described above. As described above, in the present embodiment, the cell package 300 can be replaced only by the replacement worker 5 of a regular contractor.

  Note that the parent key Kp and the child key Kc described above with reference to FIG. 2 may be a secret key (a secret number) used for a password scheme such as password authentication, or a key used for a common key scheme or a key exchange scheme. The common key method and the key exchange method are preferable to the password method because mutual authentication is possible. When the secret key is used, the child key Kc can be generated by calculation using the secret key of the parent key Kp and a value unique to the cell such as a cell identifier.

  Further, when using the common key method or the key exchange method, a pair of parameter key and logic (algorithm) is used. Specifically, DES (Data Encryption Standard), AES (Advanced Encryption Standard), RSA, elliptical encryption, or the like can be used as a logic (algorithm) of the common key encryption method or the public key encryption method. In these methods, mutual authentication can be performed by having two parameter authentication keys and logic pairs corresponding to each other, and collating the results calculated using them. In this case, only the parameter key may be updated, or only the logic (algorithm) may be updated. Further, both the parameter key and the logic (algorithm) may be updated.

  Also, when generating the child key Kc from the parent key Kp, the child key Kc obtained from the operation using the cell-specific value such as the cell identifier is generated based on at least one of the parameter key and logic of the parent key. You can also The arithmetic logic for generating the child key Kc can be stored not only in the management server 600 but also in the battery management device 200.

[Configuration of Battery Management Device in Battery Unit]
Hereinafter, the configuration for key update in the battery unit maintenance system of the present embodiment will be described. First, the configuration of the battery unit 100 will be described. As shown in FIG. 2, the battery unit 100 includes a battery management device 200 and a cell package 300.

  The battery management device 200 of the battery unit 100 will be described first. FIG. 4 shows a configuration example of the battery management device 200. The battery management apparatus 200 shown in this figure includes a CPU (Central Processing Unit) 201, a RAM (Random Access Memory) 202, a storage unit 203, an input interface 204, an output interface 205, a communication unit 206, and a cell package compatible communication unit 207. . These parts are connected via a data bus 208.

  The CPU 201 implements a predetermined function as the battery management device 200 by executing a program stored in the storage unit 203.

  The RAM 202 functions as a main storage device, and a program to be executed by the CPU 201 is read from the storage unit 203 and expanded. The RAM 202 is used as a work area when the CPU 201 executes arithmetic processing.

  The storage unit 203 functions as an auxiliary storage device, and stores programs executed by the CPU 201 and various data. As the storage unit 203, for example, a semiconductor storage device such as a hard disk or a flash memory can be employed.

  The input interface 204 collectively indicates input devices such as operation devices such as a keyboard and a mouse. The output interface 205 collectively shows output devices such as a display device and a speaker.

  The communication unit 206 is a part that communicates with the management server 600 and the mobile terminal device 700 via a predetermined communication network such as a network. As the network supported by the communication unit 206, the Internet, a WAN (Wide Area Network), or the like can be assumed. Note that the communication unit 206 may be configured to be able to communicate with the mobile terminal device 700 and the management server 600 through one interface. Alternatively, a plurality of interfaces such as an interface for communication with the mobile terminal device 700 and an interface for communication with the management server 600 may be provided.

  The cell package compatible communication unit 207 is a part that communicates with each of the plurality of cell packages 300 in the same battery unit 100 according to a predetermined communication standard. As this communication standard, for example, a data interface such as IEEE1394 is considered variously. In addition to a wired data interface, a communication method applied to RFID (Radio Frequency IDentification) and a short-range wireless communication standard such as Bluetooth (registered trademark) may be adopted.

[Configuration of cell package in battery unit]
FIG. 5 shows a configuration example of the cell package 300 in the battery unit 100. As shown in this figure, the cell package 300 includes a cell management device 400 and a cell 500.

  The cell management device 400 is a part that performs predetermined control related to the cell 500 provided in the cell package 300. Specifically, control related to charging / discharging of the cell 500 is performed. In addition, information related to the cell 500 for determining the degree of deterioration of the cell 500 is collected. Examples of the information related to the cell 500 include information on charging / discharging history of the cell 500, a voltage value of the cell 500, and the like.

  The cell management device 400 shown in the figure includes a CPU 401, a RAM 402, a storage unit 403, a management device correspondence communication unit 404, and a cell correspondence communication unit 405. These parts are connected via a data bus 406.

  The CPU 401 implements a predetermined function as the cell management device 400 by executing a program stored in the storage unit 403. Note that the individual functions of the RAM 402 and the storage unit 403 are the same as those of the RAM 202 and the storage unit 203 in FIG.

  The management device corresponding communication unit 404 is a part that communicates with the battery management device 200 in the same battery unit 100. The management device compatible communication unit 404 is configured to enable communication corresponding to the same communication standard as the cell package compatible communication unit 207 in the battery management device 200.

  The cell corresponding communication unit 405 is a part that communicates with the cell 500 in the same cell package 300. The cell management device 400 can execute control such as charging / discharging of the cell 500 by communication via the cell correspondence communication unit 405. In addition, predetermined information used for determining the deterioration of the cell 500 can be acquired from the cell 500. The communication standard supported by the cell-compatible communication unit 405 may be a predetermined short-range wireless communication standard such as a communication method applied to RFID or Bluetooth (registered trademark) in addition to a predetermined wired data interface. Conceivable.

  The cell 500 is a secondary battery (battery) having a predetermined capacity such as a lithium ion battery. Further, the cell 500 in this figure includes peripheral circuits such as a charge / discharge circuit for the secondary battery.

  In the operation of the battery unit maintenance system in the present embodiment, as described above, replacement is performed for each cell package 300 as maintenance for the performance deterioration of the battery unit 100. Accordingly, the cell package 300 has a packaged structure so that the internal cell 500 cannot be removed.

[Management server configuration]
FIG. 6 shows a configuration example of the management server 600. The management server 600 shown in this figure includes a CPU 601, a RAM 602, a storage unit 603, an input interface 604, an output interface 605, and a communication unit 606. These parts are connected via a data bus 607.

  The CPU 601 realizes a predetermined function as the management server 600 by executing a program stored in the storage unit 603.

  The individual functions of the RAM 602, the storage unit 603, the input interface 604, and the output interface 605 are the same as the RAM 202, the storage unit 203, the input interface 204, and the output interface 205 of FIG. Description is omitted.

  The communication unit 606 is a part that communicates with the battery unit 100 and the mobile terminal device 700 via a predetermined communication network such as a network.

[Configuration of mobile terminal device]
FIG. 7 shows a configuration example of the mobile terminal device 700. A portable terminal device 700 shown in this figure includes a CPU 701, a RAM 702, a storage unit 703, a communication unit 704, an operation unit 705, and a display unit 706. These parts are connected via a data bus 707.

  The CPU 701 implements a predetermined function as the mobile terminal device 700 by executing a program stored in the storage unit 703.

  Note that the individual functions of the RAM 702 and the storage unit 703 are the same as those of the RAM 202 and the storage unit 203 in FIG.

  The communication unit 704 is a part that performs communication via a wireless communication network. The mobile terminal device 700 can communicate with the management server 600, the battery unit 100, and the like via the network through the wireless communication network gateway supported by the communication unit 704. In addition, a mobile phone or the like can be assumed as the mobile terminal device 700, but the communication unit 704 in this case can also perform transmission and reception for a call via a mobile phone communication network.

  The operation unit 705 collectively shows various operators provided in the mobile terminal device 700. The display unit 706 displays a predetermined image according to the control of the CPU 701. When the mobile terminal device 700 includes the touch panel as the display unit 706, the touch sensor of the touch panel is also included in the operation unit 705.

[Functional configuration of battery management device in battery unit]
FIG. 7 shows a functional configuration example realized by the CPU 201 of the battery management apparatus 200 executing a program. Further, in this figure, the storage unit 203, the communication unit 206, and the cell package compatible communication unit 207 shown in FIG. 4 are shown together.

  Further, in this figure, the master key Kp, the battery unit identifier 230, and the cell package management table 240 are shown as data used by the CPU 201 among the data stored in the storage unit 203. The master key Kp is a key used when mutual authentication with the cell package 300 of the same battery unit 100 is executed.

  The battery unit identifier 230 is an identifier that uniquely identifies the battery unit 100 including the battery management device 200. Note that uniquely specifying the battery unit 100 is synonymous with uniquely specifying the battery management device 200 provided for each battery unit 100.

  The cell package management table 240 is a table that stores management information for each cell package 300 in the same battery unit 100.

  In the figure, as a function unit of the CPU 201, a cell package management unit 211, a decryption unit 212, an authentication processing unit 213, a cell package specifying unit 214, an exchange availability setting unit 215, and a child key generation unit 216 are shown.

  The cell package management unit 211 integrates and manages the subordinate cell packages 300 in the same battery unit 100. Specifically, the cell package management unit 211 performs charge / discharge control for each cell package 300. Further, history information indicating the number of times of charging / discharging and cell package information such as a voltage value and a current value are acquired from each of the cell packages 300.

  Further, the cell package management unit 211 registers and manages the cell package information acquired as described above in the cell package management table 240 of the storage unit 203.

  FIG. 9 shows a structural example of the cell package management table 240. The cell package management table 240 shown in this figure corresponds to each cell package 300 loaded in the battery unit 100, the cell package loading position 241, the cell identifier 242, the cell package status information 243, and the exchangeability flag 244. Is stored.

  The cell package loading position 241 indicates the loading position of the corresponding cell package 300. Here, it is assumed that (N-1) cell packages 300 can be loaded in the battery unit 100, and numbers # 0 to #N are assigned to the respective loading positions. And The cell package loading position 241 stores the loading position numbers of # 0 to #N.

  The cell identifier 242 is an identifier that uniquely identifies the corresponding cell package 300. The cell package state information 243 indicates the state of the corresponding cell package 300, and specifically includes information on predetermined items such as the above-described charge / discharge history information, voltage value, and current value.

  The exchange enable / disable flag 244 is a flag indicating whether the exchange prohibition or the exchange permission is set for the corresponding cell package 300. As an example, here, a value of “0” indicates prohibition, and a value of “1” indicates permission.

  In the present embodiment, as described above, the replaceability flag 244 is associated with each cell package 300, so that the replaceability of the cell package 300 can be set for each loading position. On the other hand, it is also conceivable to uniformly set whether or not the cell package 300 can be exchanged for the cell packages 300 at all loading positions. However, by making it possible to set whether or not the cell package 300 can be replaced for each loading position as described above, the cell package 300 that is not a replacement target cannot be replaced, and thus security is further enhanced.

  Returning to FIG. In response to a predetermined trigger or a request from the management server 600, the cell package management unit 211 also executes control for transmitting data of the cell package management table 240 from the communication unit 206 to the management server 600. The cell package management table 240 transmitted in this manner is used in the management server 600 to construct a table for managing the battery unit 100 and to determine whether or not each cell package 300 needs to be replaced. .

  As described above with reference to FIG. 3, the battery replacement information encrypted with the one-time password is transmitted from the management server 600. Also, a one-time password for authentication is transmitted from the mobile terminal device 700.

  The decryption unit 212 decrypts the encrypted battery replacement information with the one-time password transmitted from the mobile terminal device 700. If the decryption is executed normally, it is verified that the one-time password transmitted by the mobile terminal device 700 is correct. This means that the portable terminal device 700 is legitimate, and therefore the exchange worker 5 possessing the portable terminal apparatus 700 has been authenticated as a legitimate merchant.

  The authentication processing unit 213 performs authentication processing with the management server 600 and authentication processing with the mobile terminal device 700 via the communication unit 206. Further, mutual authentication using each of the cell packages 300 in the same battery unit 100 and the master key Kp is executed via the cell package compatible communication unit 207.

  The cell package specifying unit 214 specifies the cell package 300 to be exchanged based on the content of the battery exchange information decoded by the decoding unit 212. The specified cell package 300 to be exchanged is indicated by, for example, its loading position.

  The exchangeability setting unit 215 sets whether or not the cell package 300 can be exchanged. When the cell package 300 to be replaced is specified by the cell package specifying unit 214 as described above, whether or not the cell package 300 can be replaced is changed from “prohibited” to “permitted”. The change of the exchangeability setting is performed by rewriting the exchangeability flag 244 of the cell package management table 240 from “0” to “1”.

  The child key generation unit 216 generates update child key data when the child key Kc in the cell package 300 is updated. Here, it is assumed that the updating child key is data of the child key Kc itself to be updated. However, for example, seed data for generating a child key may be considered. Then, the updating slave key is transferred to each cell package 300 via the cell package compatible communication unit 207. The cell package 300 updates the child key Kc stored in the cell package 300 with the transferred child key for update.

[Functional configuration of cell management device in cell package]
FIG. 10 shows a functional configuration example realized by the CPU 401 of the cell management apparatus 400 in the cell package 300 executing a program. Further, in this figure, the storage unit 403, the management device compatible communication unit 404, and the cell compatible communication unit 405 shown in FIG. 5 are shown together.

  Also, in this figure, among the data stored in the storage unit 403, a child key Kc, a cell identifier 430, and a cell management table 440 are shown as data used by the CPU 401.

  The child key Kc is a key used when performing mutual authentication with the battery management apparatus 200 in the same battery unit 100. The cell identifier 430 is an identifier that uniquely identifies the cell package 300 including the cell management device 400.

  In the figure, a cell management unit 411, an authentication processing unit 412 and a child key update unit 413 are shown as functional units of the CPU 401. The cell management unit 411 manages the cells 500 in the same cell package 300. As a specific example, the cell management unit 411 controls charging / discharging operations for the cell 500 via the cell correspondence communication unit 405. Further, predetermined information indicating an operation state such as a voltage value or a current value is acquired from the cell 500 and stored in the storage unit 403 as the cell management table 440. The cell management table 440 also stores history information indicating the number of times of charging / discharging so far.

  Further, the cell management unit 411 responds to a request from the battery management device 200 or a predetermined trigger, and stores the cell identifier 430 and the data (battery information) of the cell management table 440 stored in the storage unit 403. Forward against. The battery management apparatus 200 creates the cell package management table 240 using the transferred cell identifier 430 and the data of the cell management table 440.

  The authentication processing unit 412 executes mutual authentication processing with the upper battery management device 200 in the same battery unit 100. In this mutual authentication process, the authentication processing unit 412 uses the child key Kc stored in the storage unit 403.

  The child key update unit 413 updates the child key Kc stored in the storage unit 403 using the updating child key received from the battery management device 200.

[Functional configuration of Management Server]
FIG. 11 shows a functional configuration example realized by the CPU 601 of the management server 600 executing a program. In this figure, both the storage unit 603 and the communication unit 606 shown in FIG. 6 are shown.

  Moreover, in this figure, the battery unit management table 630 and the portable terminal device management table 650 are shown among the data which the memory | storage part 603 memorize | stores. The battery unit management table 630 is a table that stores information on predetermined items for the battery unit 100 under its own management. The mobile terminal device management table 650 is a table that stores information on predetermined items for the mobile terminal device 700 registered in the management server 600.

  In the figure, as a function unit of the CPU 601, a battery unit management unit 611, an authentication processing unit 612, a cell replacement necessity determination unit 613, a battery replacement information generation unit 614, a one-time password generation unit 615, and a transmission control unit 616 are illustrated. It is.

  The battery unit management unit 611 manages the battery unit 100 under its own management. As a specific example, the battery unit management unit 611 creates the battery unit management table 630 using data (cell package management information) of the cell package management table 240 received from the battery unit 100 via the communication unit 606.

  FIG. 12A shows a structural example of the battery unit management table 630. As shown in this figure, the battery unit management table 630 has a structure in which a battery unit model number 632, an IP address 633, and battery unit state information 640 are associated with the battery unit identifier 631.

  The battery unit identifier 631 stores the value of the battery unit identifier 230 for each battery unit 100 under the management of the management server 600. The battery unit model number 632 stores the model number of the corresponding battery unit 100.

  The IP address 633 stores an IP address assigned to the battery unit 100 specified by the corresponding battery unit identifier 631. The communication unit 606 can perform communication by designating the battery unit 100 by setting this IP address as a transmission destination.

  The battery unit state information 640 stores information indicating the state of the corresponding battery unit 100. Specifically, information indicating the state of each cell package 300 in the corresponding battery unit 100 is stored.

  FIG. 12B shows a structural example of the battery unit state information 640. The battery unit state information 640 shown in this figure has a structure in which a cell package loading position 641, a cell identifier 642, and cell package state information 643 are associated with each other. The information of the cell package loading position 641, the cell identifier 642, and the cell package state information 643 is based on information received as cell package management information from the battery unit 100. That is, based on the information stored as the cell package loading position 241, the cell identifier 242, and the cell package state information 243 in the cell package management table 240 of the battery unit 100.

  Returning to FIG. The authentication processing unit 612 is a part that performs mutual authentication with each of the battery units 100 under the management server 600. At this time, the authentication processing unit 612 executes mutual authentication processing with the authentication processing unit 213 included in the battery management device 200 of the battery unit 100. When this mutual authentication process is established, the management server 600 recognizes that the partner battery unit 100 is genuine.

  The cell replacement necessity determination unit 613 determines the necessity of replacement for each cell package 300 in the battery unit 100 based on information in the cell package management table 240 (that is, cell package management information). As described above, the battery unit management table 630 stores information such as the number of times of charging / discharging for each cell package, the voltage value, and the current value as the cell package state information 643. It can be determined that the deterioration of the cell 500 of the cell package 300 progresses as the number of times of charging / discharging increases. Further, the degree of progress of deterioration can also be estimated based on the difference between the measured voltage value or current value and a predetermined value. Therefore, the cell replacement necessity determination unit 613 determines that replacement is necessary for the cell package 300 whose degree of deterioration is determined to be a certain level or more based on the contents of the cell package state information 643.

  The battery replacement information generation unit 614 uses the battery replacement information used for the replacement of the cell package 300 that is the replacement target when the cell replacement necessity determination unit 613 determines the cell package 300 that needs to be replaced. Is generated. For generating the battery replacement information, predetermined information in the battery unit management table 630 and the portable terminal device management table 650 stored in the storage unit 603 is used.

  The one-time password generation unit 615 generates a one-time password in response to the determination of the cell package 300 that needs to be replaced by the cell replacement necessity determination unit 613. For example, a random number is used to generate the one-time password.

  Here, a structural example of the mobile terminal device management table 650 will be described with reference to FIG. The portable terminal device management table 650 shown in this figure has a structure in which a maintenance target battery unit list 652 and an IP address 653 are associated with each terminal identifier 651.

  The terminal identifier 651 is an identifier that uniquely identifies the mobile terminal device 700 registered in the management server 600.

  The maintenance target battery unit list 652 indicates a list of battery units 100 that are to be maintained by the corresponding portable terminal device 700. As shown in the figure, the maintenance target battery unit list 652 stores a battery unit identifier 652a, a battery unit installation position 652b, and owner information 652c.

  The battery unit identifier 652a stores the identifier of the battery unit 100 to be maintained. The battery unit installation position 652b indicates a position (place) where the battery unit 100 to be maintained is installed. This position is indicated by, for example, a street address, latitude and longitude. The owner information 652c stores predetermined information regarding the owner of the corresponding battery unit 100. Specifically, the owner information 652c stores information such as the owner's name, address, and telephone number.

  The IP address 653 stores an IP address assigned to the corresponding portable terminal device 700.

  A structural example of the battery replacement information will be described with reference to FIG. The battery replacement information 660 shown in this figure includes a battery unit identifier 661, a battery unit model number 662, a battery unit installation position 663, a cell package loading position 664, and owner information 665.

  The battery unit identifier 661 stores an identifier of the battery unit 100 to be replaced. The battery unit model number 662 indicates the model number of the battery unit 100 to be replaced. The battery unit installation position 663 stores a position (place) where the battery unit 100 to be replaced is installed. The cell package loading position 664 indicates the loading position where the cell package 300 to be exchanged is loaded, for example, by a number assigned to the loading position. The owner information 665 indicates information related to the owner of the battery unit 100 to be replaced.

  In the battery replacement information 660, each information of the battery unit identifier 661, the battery unit model number 662, and the cell package loading position 664 is acquired from the battery unit management table 630. That is, among the information stored in the battery unit management table 630, the battery unit identifier 631, the battery unit model number 632, and the cell package loading position 641 corresponding to the replacement battery unit 100 are acquired.

  Further, the battery unit installation position 663 and the owner information 665 are acquired from the mobile terminal device management table 650. That is, it is acquired from the battery unit installation position 652b and the owner information 652c in the maintenance target battery unit list 652 including the battery unit identifier 652a of the battery unit 100 to be replaced.

  Returning to FIG. The transmission control unit 616 transmits the battery replacement information 660 and the one-time password generated as described above from the communication unit 606 to the mobile terminal device 700. At this time, the transmission control unit 616 sets the IP address associated with the maintenance target battery unit list 652 storing the battery unit identifier 652a of the battery unit 100 to be replaced as a transmission destination. Thereby, the battery replacement information 660 and the one-time password can be transmitted to the portable terminal device 700 whose maintenance target is the battery unit 100 to be replaced.

  Also, the transmission control unit 616 encrypts the generated battery replacement information 660 with the one-time password, and transmits the encrypted battery replacement information 660 to the battery unit 100 to be replaced. At this time, the transmission control unit 616 reads the IP address 633 of the battery unit 100 to be replaced from the battery unit management table 630, and designates the read IP address as a transmission destination.

[Functional configuration example of portable terminal device]
FIG. 14 shows a functional configuration example realized by the CPU 701 of the mobile terminal device 700 executing a program. Further, in this figure, the storage unit 703, the communication unit 704, and the operation unit 705 shown in FIG.

  In the figure, a reception data storage control unit 711 and a one-time password transmission control unit 712 are shown as functional units of the CPU 701. The reception data storage control unit 711 executes control for storing the battery replacement information 660 and the one-time password received from the management server 600 in the storage unit 703. The one-time password transmission control unit 712 executes control for transmitting the one-time password stored in the storage unit 703 from the communication unit 704 according to a predetermined operation performed on the operation unit 705.

[Example of processing procedure for cell package replacement]
The sequence diagram of FIG. 15 shows an example of a processing procedure executed in response to the replacement of the cell package 300 in the battery unit maintenance system of the present embodiment. Note that the processing shown in this figure includes the predetermined function unit of the battery management device 200 shown in FIG. 8, the predetermined function unit in the CPU 601 of the management server 600 shown in FIG. 11, and the portable terminal device shown in FIG. One of the predetermined functional units in the CPU 701 is appropriately executed in 700.

  As described in step S11 in FIG. 3, the cell package management unit 211 of the battery unit 100 (battery management apparatus 200) transmits the data in the cell package management table 240 as cell package management information (step S101).

  The battery unit management unit 611 of the management server 600 creates the battery unit management table 630 using the cell package management information received as described above. Then, the cell replacement necessity determination unit 613 determines the necessity of replacement for each cell package 300 in the subordinate battery unit 100 based on the contents of the battery unit management table 630 (step S102). In this determination, the number of times of charging / discharging stored in the cell package state information 643, the voltage value, the current value, etc. are used as described above. For example, it is determined that the replacement is necessary when the number of charge / discharge times exceeds a predetermined threshold, and the condition that the error with respect to the specified values of the voltage value and the current value is equal to or higher than a predetermined rate is satisfied.

  Then, it is assumed that the cell replacement necessity determination unit 613 determines that a certain cell package 300 needs to be replaced by the replacement necessity determination process (step S103). In response to this, the battery replacement information generation unit 614 generates battery replacement information 660 for the battery unit 100 to be replaced (step S104). The one-time password generation unit 615 generates a one-time password (step S105).

  Next, the transmission control unit 616 encrypts the battery replacement information 660 with a one-time password. In addition, the encrypted battery replacement information 660 is transmitted from the communication unit 606 to the battery unit 100 to be replaced (step S106). The cell package management unit 211 in the battery unit 100 receives the encrypted battery replacement information 660 and stores it in the storage unit 203.

  Also, the transmission control unit 616 causes the communication unit 606 to transmit the generated battery replacement information 660 and the one-time password to the portable terminal device 700 whose maintenance target is the battery unit 100 to be replaced (step S107). . In response to this, the received data storage control unit 711 of the mobile terminal device 700 causes the storage unit 703 to store the received battery replacement information 660 and the one-time password.

  After the portable terminal device 700 receives the battery replacement information 660 and the one-time password in accordance with the previous step S106, the replacement operator 5 visits the battery unit 100 indicated by the battery replacement information 660 as the replacement work target and performs the replacement work. Will do. Prior to this work, the replacement worker 5 inputs a worker authentication code (password) by a predetermined operation on the operation unit 705. The one-time password transmission control unit 712 of the portable terminal device 700 performs verification as to whether or not the input worker authentication code is correct (step S108). For this purpose, for example, an operator authentication code stored in advance in the storage unit 703 and an input worker authentication code may be collated to determine whether or not they match.

  After obtaining the verification result that the worker authentication code is correct, the replacement worker 5 instructs the portable terminal device 700 to transmit a one-time password by a predetermined operation. In response to this, the one-time password transmission control unit 712 causes the communication unit 606 to transmit the one-time password stored in the storage unit 703 by designating the battery unit 100 to be exchanged as a transmission destination (steps S109 and S110). ).

  Here, in FIG. 15, the one-time password is transmitted to the mobile terminal device 700 after passing through the management server 600. That is, the one-time password transmission control unit 712 first transmits a one-time password transfer request together with the one-time password data to the management server 600 (step S109). At this time, the IP address of the battery unit 100 to be replaced is designated as the transfer destination. Receiving this transfer request, the communication unit 606 of the management server 600 transmits a one-time password using the IP address designated as the transfer destination as the transmission destination (step S110).

  For example, a one-time password may be transmitted and received between the mobile terminal device 700 and the battery unit 100 without relaying the management server 600. However, if the management server 600 is interposed as described above, a transfer request other than the portable terminal device 700 registered in the management server 600 is rejected as being illegal. It is done.

  In the battery unit 100 to be exchanged, the decryption unit 212 decrypts the encrypted battery replacement information 660 by using the received one-time password corresponding to step S109 as a decryption key (step S111). The encrypted battery replacement information 660 is received in correspondence with the previous step S106 and stored in the storage unit 203.

  Further, the decryption unit 212 verifies whether or not the one-time password received corresponding to step S110 is correct based on the result of the decryption process of step S111 (step S112). If the battery replacement information 660 can be decrypted normally, the one-time password is verified as correct, and if the decryption results in an error, the one-time password is verified as invalid.

  When it is verified in step S112 that the one-time password is correct, the portable terminal device 700 that has transmitted the one-time password is genuine, and therefore, an exchange operator who owns the portable terminal device 700. 5 also belongs to a regular business. In this manner, whether or not the exchange worker 5 is authorized is verified by the verification of the one-time password in step S112.

  When it is verified that the one-time password is correct, the cell package specifying unit 214 specifies the cell package 300 to be exchanged from among the subordinate cell packages 300 (step S113). For this purpose, the cell package specifying unit 214 recognizes the cell package loading position 664 in the decrypted battery replacement information 660. That is, the cell package specifying unit 214 specifies the cell package 300 to be exchanged based on the loading position.

  Next, the exchange enable / disable setting unit 215 sets exchange permission for the cell package 300 specified as the exchange target (step S114). For this purpose, as described above, in the cell package management table 240, the value “1” indicating permission is given to the exchange enable / disable flag 244 associated with the cell package loading position 241 of the cell package 300 specified as the exchange target. Set.

  Under the condition where the replacement permission is set as described above, the replacement operator 5 performs the operation of replacing the cell package 300 according to a predetermined procedure. At this time, the cell package management unit 211 sets a mode state corresponding to the replacement of the cell package 300 according to the operation of the replacement worker 5 (step S115). For example, a state in which the electrical connection of the cell 500 is cut off is set so that the work can be performed safely.

  Then, after the replacement work of the cell package 300 is completed, the replacement worker 5 performs a predetermined operation on the battery unit 100 to notify the completion of the battery replacement work. When the authentication processing unit 213 detects the operation for completing the battery replacement work (step S116), the authentication processing unit 213 executes the mutual authentication process described as step S1 in FIG. 2 with the newly loaded cell package 300 (step S116). S117).

  In response to the establishment of the mutual authentication process in step S117, the child key generation unit 216 uses the initial value child key Kc stored in the newly loaded cell package 300 as described in step S3 in FIG. Control for updating is executed (step S118).

  When the processing so far is completed, the cell package management unit 211 notifies the management server 600 that the replacement operation of the cell package 300 has been completed (step S119). Although not shown in this figure, the exchange enable / disable setting unit 215 has set “permitted” so far, for example, at a predetermined timing after the operation for completing the battery exchange operation is detected in step S116. Execute the process of changing from to "prohibited".

[Other Embodiments (First Example)]
Subsequently, another embodiment of the present invention will be described. In another embodiment, when the cell package 300 is replaced, authentication is performed in advance as to whether or not the replacement worker 5 and the owner of the battery unit 100 are the owners. Hereinafter, this authentication is also referred to as human authentication. Here, four examples of the first example to the fourth example will be described as configurations for human authentication as another embodiment.

  FIG. 16 shows an outline of human authentication as a first example of another embodiment. In this figure, a battery unit 100 to be replaced, a management server 600, and a portable terminal device 700 possessed by the replacement worker 5 are shown. In addition, an IC card 800 is further shown. The IC card 800 corresponds to another terminal device described in the claims.

  The IC card 800 is distributed to the owner of the battery unit 100, and a unique card identifier is set for each IC card 800. The IC card 800 stores this card identifier. Further, although the description of the configuration shown in the drawing is omitted, the IC card 800 can perform communication by a predetermined short-range wireless system. In this other embodiment, the communication unit 206 of the battery unit 100 and the communication unit 704 of the portable terminal device 700 are configured to be communicable in accordance with the short-range wireless communication method of the IC card 800. And Note that the device (other terminal device) possessed by the owner for authentication is not limited to the form of the IC card 800.

  In the first example of this other embodiment, the exchange worker 5 receives the IC card 800 from the owner 6 prior to the exchange work, and the IC card 800 is sent to the portable terminal device 700 by the short-range wireless communication. The stored card authentication code is transmitted (step S21). Here, the card authentication code is a code with a predetermined number of bits that is unique to each IC card 800. As an example, a card identifier that uniquely identifies the IC card 800 or a password registered in advance by the owner 6 is used. be able to.

  Next, the mobile terminal device 700 transfers the received card authentication code to the management server 600 (step S22). In addition, the mobile terminal device 700 transmits the terminal authentication code stored in the storage unit 203 to the management server 600 (step S23). As an example of this terminal authentication code, a terminal identifier for uniquely identifying the mobile terminal device 700 or a password registered in advance corresponding to the mobile terminal device 700 can be used.

  The authentication processing unit 612 of the management server 600 executes a card authentication process as to whether or not the IC card 800 is genuine using the card authentication code received corresponding to step S22 (step S24). The card authentication process when the card authentication code is a card identifier is as follows. That is, the authentication processing unit 612 searches the card identifier 634 in the battery unit management table 630 for a match with the received card identifier as the card authentication code. Here, if a match is found, authentication that the IC card 800 is properly registered is established. In the present embodiment, establishment of this authentication means that the owner 6 has been authenticated as the principal.

  In addition, the authentication processing unit 612 executes terminal authentication processing using the terminal authentication code received according to step S23 (step S25). The terminal authentication process when the terminal authentication code is a terminal identifier is as follows. The authentication processing unit 612 searches the portable terminal device management table 650 for a match with the terminal identifier as the received terminal authentication code. Here, if a match is found, authentication is established. The establishment of this authentication means that the portable terminal device 700 is authentic, and therefore, the replacement worker 5 has been authenticated.

  In addition, when the card authentication code and the terminal authentication code are transmitted online as described above, the following route may be considered. That is, the card authentication code is transmitted from the IC card 800 to the battery unit 100 by short-range wireless communication (step S21a). The battery unit 100 transfers the received card authentication code to the management server 600 (S22a).

  The mobile terminal device 700 also transmits terminal identification data to the battery unit 100 by short-range wireless communication (step S23a). The battery unit 100 transfers the received terminal identification data to the management server 600 (S23b).

  The sequence diagram of FIG. 17 shows an example of a processing procedure at the time of cell package replacement using the result of the person authentication processing shown in FIG. In this figure, the same steps as those in FIG.

  The procedure for human authentication (card authentication and terminal authentication) in steps S21 to S25 described with reference to FIG. 16 is performed at a stage before execution of transmission of the one-time password from the mobile terminal device 700 as step S109. . Then, the exchange operator 5 performs the card authentication and the terminal authentication of FIG. 16 and then operates the portable terminal device 700 to execute the one-time password transmission as step S109.

  At the stage where the one-time password is transmitted in step S109, the management server 600 holds the result of the card authentication process in step S24 in FIG. 16 and the result of the terminal authentication process in step S25. Therefore, the authentication processing unit 213 of the management server 600 confirms whether both card authentication and terminal authentication are established based on the above result (step S121).

  If it is confirmed in step S121 that both the card authentication result and the terminal authentication result are established, the transmission control unit 616 of the management server 600 stores the one-time password received from the mobile terminal device 700 in step S110 in the battery unit 100. Execute the control to transfer. That is, control is performed so that the battery unit 100 executes the procedure from step S111 onward, and permission for replacement is set in step S114. Thus, the replacement | exchange work of the cell package 300 can be performed by the permission of replacement | exchange being set.

  On the other hand, if it is confirmed in step S121 that neither the card authentication result nor the terminal authentication result is established, the transmission control unit 616 does not execute the one-time password transfer control in step S110. That is, the battery unit 100 is controlled so that the processing after step S111 is stopped and the prohibition of replacement is set in step S114. As a result, the cell package 300 cannot be replaced.

  As described above, in the first example of the other embodiment, the person authentication described with reference to FIG. 16 is performed when the processing corresponding to the cell package replacement is executed as in the previous embodiment. The cell package 300 cannot be exchanged unless this personal authentication is established. Thereby, in other embodiments, security is further strengthened based on the previous embodiments.

[Other Embodiments (Second Example)]
FIG. 18 shows a procedure for human authentication in a second example of another embodiment. Both the card authentication and the terminal authentication in the first example can be regarded as being performed online via a network. On the other hand, the second example performs terminal authentication offline while performing card authentication online.

  The card authentication procedure in FIG. 18 is executed in steps S21, S22, and S24 as in FIG. That is, the card authentication code of the IC card 800 is transferred from the portable terminal device 700 to the management server 600, and the management server 600 executes card authentication processing.

  On the other hand, as for terminal authentication, first, data of a terminal authentication code for each portable terminal device 700 registered in advance is transmitted from the management server 600 to the battery unit 100 (step S31). The battery unit 100 stores the data of the terminal authentication code in the storage unit 203.

  In addition, the replacement worker 5 inputs a terminal authentication code by a predetermined operation on the battery unit 100 (step S32). When the authentication code is input by operation in the offline environment as described above, smooth operation can be performed by using a predetermined number of PINs as the authentication code.

  In response to the input of the terminal authentication code, the authentication processing unit 213 of the battery unit 100 executes terminal authentication processing (step S33). At this time, the authentication processing unit 213 searches the terminal authentication codes stored in the storage unit 203 for a match with the input terminal authentication code. If the same terminal authentication code is searched, authentication is established assuming that the mobile terminal device 700 is authentic. Thus, in the second example, the card authentication process is executed on the management server 600 online, and the terminal authentication process is executed on the battery unit 100 offline.

  The sequence diagram of FIG. 19 shows an example of a processing procedure at the time of cell package replacement using the result of the person authentication processing shown in FIG. In this figure, the same steps as those in FIG.

  In this case, the authentication processing unit 612 of the management server 600 confirms the success or failure of the card authentication process executed in step S24 of FIG. 18 as confirmation of the success or failure of the human authentication process in step S121. Here, if it is confirmed that the card authentication has been established, the one-time password is transferred in step S110. On the other hand, if it is confirmed that the card authentication is not established, the transfer of the one-time password is not executed, and as a result, the replacement of the cell package 300 in the battery unit 100 is prohibited.

  Further, the authentication processing unit 213 in the battery unit 100 determines whether or not the terminal authentication in step S33 in FIG. 18 has been established as a process for confirming the success or failure of the person authentication in response to receiving the one-time password transmitted in step S110. Confirm (step S122). Here, if it is confirmed that the terminal authentication process has been established, the battery exchange information 650 is decrypted in step S111, and the exchange of the cell package 300 is permitted as the decryption is normally executed ( Step S114).

  On the other hand, if it is confirmed that terminal authentication has not been established, the cell package 300 is prohibited from being replaced because the decryption process in step S111 is not executed. As described above, also in the second example, the cell package 300 cannot be exchanged unless personal authentication (card authentication and terminal authentication) is established.

[Other Embodiments (Third Example)]
FIG. 20 shows a human authentication procedure in the third example of the other embodiment. In contrast to the second example, in the third example, the card authentication of the IC card 800 is performed offline, while the terminal authentication of the mobile terminal device 700 is performed online.

  In FIG. 20, for card authentication, first, data of a card authentication code for each IC card registered in advance is transmitted from the management server 600 to the battery unit 100 (step S41). The battery unit 100 stores the data of the card authentication code in the storage unit 203.

  In addition, the owner 6 inputs a card authentication code by a predetermined operation on the battery unit 100 (step S42). In response to this, the authentication processing unit 213 of the battery unit 100 executes card authentication processing (step S43). At this time, the authentication processing unit 213 searches the card authentication codes stored in the storage unit 203 for a match with the input card authentication code. If the same card authentication code is retrieved, authentication is established assuming that the IC card 800 is genuine.

  As for terminal authentication, as in the first example (FIG. 16), the mobile terminal device 700 transmits the terminal authentication code stored in the storage unit 203 to the management server 600 (step S23). . And according to reception of this terminal authentication code, the authentication process part 612 of the management server 600 performs a terminal authentication process (step S25).

  The processing procedure at the time of cell package replacement using the result of the human authentication processing of the third example is the same as that shown in FIG. 19 previously shown as the second example. However, step S121 of the third example is a process of confirming the success or failure of the terminal authentication process executed by the authentication processing unit 612 of the management server 600 in step S25 of FIG. Further, step S122 is a process of confirming the success or failure of the card authentication process executed by the authentication processing unit 213 in the battery unit 100 in step S43 of FIG.

[Other Embodiments (Fourth Example)]
FIG. 21 shows a human authentication procedure in the fourth example of the other embodiment. In the fourth example, both the card authentication of the IC card 800 and the terminal authentication of the mobile terminal device 700 are performed offline.

  In FIG. 21, first, the card authentication code for each IC card registered in advance and the data of the terminal authentication code of the mobile terminal device 700 are transmitted from the management server 600 to the battery unit 100 (steps). S51). The battery unit 100 stores each data of the card authentication code and the terminal authentication code in the storage unit 203.

  In addition, corresponding to the card authentication, the owner 6 inputs a card authentication code by a predetermined operation on the battery unit 100 as in FIG. 20 (third example) (step S42). In response to this, the authentication processing unit 213 of the battery unit 100 executes card authentication processing (step S43).

  Corresponding to the terminal authentication, the replacement worker 5 inputs a terminal authentication code by a predetermined operation on the battery unit 100 (step S32). In response to this, the authentication processing unit 213 of the battery unit 100 executes terminal authentication processing (step S33).

  The sequence diagram of FIG. 22 shows a processing procedure at the time of cell package replacement using the result of the human authentication processing of the fourth example. In the process of confirming the success / failure of human authentication in FIG. 22, step S121 executed by the management server 600 is omitted, and only step S122 executed by the battery unit 100 is performed.

  In step S122, the authentication processing unit 213 in the fourth example confirms both success / failure of the terminal authentication process in step S33 and success / failure of the card authentication process in step S43. If it is confirmed that both the terminal authentication process and the card authentication process are established, the exchange of the cell package 300 is permitted by executing the decryption process in step S111. On the other hand, when it is confirmed that at least one of the terminal authentication process and the card authentication process is not established, the decryption process in step S111 is stopped and the replacement of the cell package 300 is prohibited. Become.

  The battery unit 100, the management server 600, the portable terminal device 700, and the IC card 800 described above have a computer system therein. The process corresponding to the battery replacement described above is stored in a computer-readable recording medium in the form of a program, and the above process is performed by the computer reading and executing the program. Here, the computer-readable recording medium means a magnetic disk, a magneto-optical disk, a CD-ROM, a DVD-ROM, a semiconductor memory, or the like. Alternatively, the computer program may be distributed to the computer via a communication line, and the computer that has received the distribution may execute the program.

  Further, the program for realizing the functions of the processing units in FIGS. 8, 10, 11 and 14 is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system. Each process as this embodiment may be performed by executing. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer system” includes a WWW system having a homepage providing environment (or display environment). The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

DESCRIPTION OF SYMBOLS 1 ... Electric vehicle, 2 ... Housing facility, 3 ... Corporate facility, 5 ... Replacement worker, 6 ... Owner, 100 ... Battery unit, 200 ... Battery management apparatus, 211 ... Cell package management part, 212 ... Decoding part, 213 ... Authentication processing unit, 214 ... Cell package specifying unit, 215 ... Exchangeability setting unit, 216 ... Child key generation unit, 300 ... Cell package, 400 ... Cell management device, 500 ... Cell, 600 ... Management server, 611 ... Battery unit Management unit, 612 ... Authentication processing unit, 613 ... Cell exchange necessity determination unit, 614 ... Battery exchange information generation unit, 615 ... One-time password generation unit, 616 ... Transmission control unit, 700 ... Mobile terminal device, 711 ... Received data Storage control unit, 712 ... One-time password transmission control unit, 800 ... IC card

Claims (10)

A server, a terminal device, and a plurality of battery units including one or more cell packages including battery cells,
The server
A cell replacement necessity determination unit that determines whether or not replacement is required for each cell package, based on cell package management information including information indicating a predetermined state of the cell package;
A battery replacement information generating unit for generating battery replacement information having predetermined information content related to a cell package determined to be replaced;
A transmission control unit that executes at least transmission of the battery replacement information and password to the terminal device and transmission of the battery replacement information encrypted by the password to the battery unit;
The terminal device
A password transmission control unit that causes the received password to be transmitted to a battery unit that is a cell package replacement work target indicated in the received battery replacement information;
The battery unit is
A decryption unit for decrypting the encrypted battery exchange information received from the server with the password received from the terminal device;
A battery maintenance system, comprising: a replacement availability setting unit that permits replacement of the cell package included in the battery unit when the battery replacement information is normally decoded. The battery maintenance system according to claim 1, further comprising a one-time password generation unit that generates a one-time password as the password each time a cell package that needs to be replaced is determined. The battery unit is
A cell package specifying unit for specifying a cell package to be exchanged from the content of the battery exchange information decrypted;
The battery maintenance system according to claim 1, wherein the exchange availability setting unit permits the exchange of the cell package specified as the exchange target. In addition to other terminal devices,
The server
In-server authentication processing unit that executes authentication processing using the terminal authentication code transmitted from the terminal device, and executes authentication processing using the other terminal authentication code transmitted from the other terminal device;
A server that controls the exchange of the cell package to be prohibited by the exchange availability setting unit when at least one of the authentication of the terminal device by the authentication processing unit and the authentication of the other terminal device is not established The battery maintenance system according to any one of claims 1 to 3, further comprising an internal prohibition control unit. In addition to other terminal devices,
The server
An in-server authentication processing unit that executes an authentication process using the other terminal authentication code transmitted from the other terminal device;
If the authentication by the in-server authentication processing unit is not established, the server further includes an in-server prohibition control unit that controls the replacement of the cell package by the exchange enable / disable setting unit.
The battery unit is
An in-battery unit authentication processing unit that executes an authentication process using a terminal authentication code input from the terminal device;
A battery unit prohibition control unit for controlling the replacement of the cell package by the replacement enable / disable setting unit when authentication by the authentication unit in the battery unit is not established. The battery maintenance system according to any one of claims 1 to 3. In addition to other terminal devices,
The server
An in-server authentication processing unit that executes an authentication process using a terminal authentication code transmitted from the terminal device;
When authentication by the in-server authentication processing unit is not established, the server further includes an in-server prohibition control unit that controls the replacement of the cell package by the replaceability setting unit.
The battery unit is
An in-battery unit authentication processing unit that executes an authentication process using the other terminal authentication code input from the other terminal device;
A battery unit prohibition control unit for controlling the replacement of the cell package by the replacement enable / disable setting unit when authentication by the authentication unit in the battery unit is not established. The battery maintenance system according to any one of claims 1 to 3. In addition to other terminal devices,
The battery unit is
An authentication processing unit in the battery unit that executes an authentication process using a terminal authentication code input from the terminal device and executes an authentication process using an other terminal authentication code input from the other terminal device; ,
When at least one of the authentication of the terminal device by the authentication processing unit in the battery unit and the authentication of the other terminal device is not established, the replacement of the cell package is prohibited by the replacement enable / disable setting unit. The battery maintenance system according to any one of claims 1 to 3, further comprising an in-battery unit prohibition control unit that controls the battery unit. The in-server prohibition control unit is the transmission control unit, and does not transmit the password to be received from the terminal device and transferred to the battery unit to be exchanged, so that the cell package is set by the exchange availability setting unit. The battery maintenance system according to claim 4, wherein the battery maintenance system is controlled so as to be prohibited from being replaced. The in-battery unit prohibition control unit is the decryption unit, and performs control so that the replacement of the cell package is prohibited by the replacement enable / disable setting unit by not decrypting the encrypted battery replacement information. The battery maintenance system according to claim 5, wherein the battery maintenance system is a battery maintenance system. A battery maintenance method in a battery maintenance system comprising a server, a terminal device, and a plurality of battery units including one or more cell packages including battery cells,
The server
A cell replacement necessity determination step for determining whether or not replacement is required for each cell package, based on cell package management information including information indicating a predetermined state of the cell package;
A battery replacement information generating step for generating battery replacement information having a predetermined information content related to a cell package determined to be replaced;
A transmission control step for executing at least transmission of the battery replacement information and password to the terminal device and transmission of the battery replacement information encrypted by the password to the battery unit;
The terminal device
A password transmission control step for transmitting the received password to a battery unit that is a cell package replacement work target indicated in the received battery replacement information;
The battery unit is
Decrypting the encrypted battery exchange information received from the server with the password received from the terminal device;
A battery maintenance method comprising: a replacement permission / permission setting step for permitting replacement of the cell package included in the battery unit when the battery replacement information is normally decoded.

Images