WO2020157797A1 - Vehicle control device, vehicle control system, and program - Google Patents


Info

Publication number
WO2020157797A1
Authority
WO
WIPO (PCT)
Prior art keywords
control
instruction
unit
update
vehicle
Application number
PCT/JP2019/002734
Other languages
French (fr)
Japanese (ja)
Inventor
亮 西垣
遼平 津越
Original Assignee
三菱電機株式会社
Application filed by 三菱電機株式会社
Priority to JP2020568888A (granted as JP7321192B2)
Priority to PCT/JP2019/002734 (published as WO2020157797A1)
Publication of WO2020157797A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02T CLIMATE CHANGE MITIGATION TECHNOLOGIES RELATED TO TRANSPORTATION
    • Y02T 90/00 Enabling technologies or technologies with a potential or indirect contribution to GHG emissions mitigation
    • Y02T 90/10 Technologies relating to charging of electric vehicles
    • Y02T 90/16 Information or communication technologies improving the operation of electric vehicles

Definitions

  • the present invention relates to a vehicle control device, a vehicle control system, and a program.
  • Railway vehicles are equipped with an in-vehicle system including a plurality of devices such as mechanical brakes and electric power converters, and a plurality of control devices for controlling the devices corresponding to each, for example, a brake controller and a switching control unit.
  • the plurality of devices and the plurality of control devices are connected to each other via an in-vehicle network.
  • An example of this type of vehicle-mounted system is disclosed in Patent Document 1.
  • a maintenance terminal can be connected to the in-vehicle network that constitutes the in-vehicle system disclosed in Patent Document 1.
  • the maintenance staff connects the maintenance terminal to the in-vehicle network, and uses the maintenance terminal to perform maintenance work such as updating the software of the control device and acquiring logs from the control device.
  • the maintenance terminal sends maintenance information for updating the software of the control device to the control device.
  • the control device updates the software based on the maintenance information.
  • if there is unauthorized access to the control device, for example an unauthorized external terminal connected to the in-vehicle network sending unauthorized maintenance information to the control device, the control device may update its software based on that unauthorized maintenance information. As a result, the control performed by the control device may differ from the desired control.
  • the present invention has been made in view of the above circumstances, and an object thereof is to prevent the vehicle control device from updating the control information in accordance with an unauthorized access.
  • the vehicle control device of the present invention includes a storage unit, a communication unit, an authentication unit, and an updating unit.
  • the storage unit stores the control information.
  • the communication unit receives the authentication information and the update instruction for updating the control information stored in the storage unit from at least one instruction device connected via the vehicle network.
  • the authentication unit determines, based on the authentication information, whether the instruction device that has transmitted the authentication information is a previously permitted instruction device.
  • the update unit updates the control information stored in the storage unit in accordance with the update instruction transmitted by the instruction device that has been determined by the authentication unit to be a previously permitted instruction device.
  • the vehicle control device determines, based on the authentication information, whether or not the instruction device that has transmitted the authentication information is a previously permitted instruction device.
  • the vehicle control device updates the control information stored in the storage unit according to the update instruction transmitted by the instruction device that is determined to be a previously permitted instruction device. Since the vehicle control device updates the control information in accordance with the update instruction transmitted by an instruction device determined to be a previously permitted instruction device, it is possible to prevent the vehicle control device from updating the control information according to an unauthorized access.
  • FIG. 1 is a block diagram of a vehicle control system according to Embodiment 1 of the present invention; FIG. 2 shows an example of the correspondence table of user IDs and passwords held by the vehicle control device according to Embodiment 1.
  • a railway vehicle includes a vehicle control system that controls in-vehicle devices such as brake devices and power conversion devices.
  • a vehicle control system (hereinafter simply referred to as a control system) 1 according to a first embodiment shown in FIG. 1 includes a vehicle control device (hereinafter simply referred to as a control device) 10 for controlling an in-vehicle device, and at least one instruction device that transmits to the control device 10 authentication information and at least one of a control instruction, which instructs execution of control based on the control information stored in the control device 10, and an update instruction, which instructs update of that control information.
  • the control information includes a control program for controlling the in-vehicle device, a control script, and the like.
  • the update instruction includes the updated control information.
  • the control system 1 including the control device 10 including a brake control device that controls a mechanical brake will be described as an example of the control system 1 according to the first embodiment.
  • the control system 1 includes, as instruction devices, the maintenance terminal 3, which performs maintenance work for updating the control information stored in the control device 10, and the train information management system 4, which transmits and receives operation commands and transmits control instructions to the control device 10.
  • the control system 1 further includes a brake control valve 5 that compresses air supplied from an air reservoir (not shown) and supplies it to a relay valve, and a speed sensor 6 that is attached to an axle of a railway vehicle and that detects a rotation speed of the axle.
  • the maintenance terminal 3, the train information management system 4, and the control device 10 are connected to each other via the vehicle network 2.
  • the vehicle network 2 is composed of a communication network defined by standards such as Ethernet (registered trademark) and CAN (Controller Area Network).
  • the maintenance terminal 3, the train information management system 4, and the control device 10 mutually transmit and receive communication frames defined by the above-mentioned standard.
  • the control device 10 uses a challenge-and-response method to determine whether the maintenance terminal 3 or the train information management system 4 that has transmitted the authentication information is a previously permitted instruction device. Each part of the control system 1 will now be described.
  • the maintenance terminal 3 is connected to the vehicle network 2 by maintenance staff as needed, and is a portable terminal such as a PC (Personal Computer) or a tablet terminal that includes a display unit, an input unit, a transmission/reception unit, and a control circuit having a CPU (Central Processing Unit), a memory, and the like. The maintenance staff connect the maintenance terminal 3 to the vehicle network 2 and operate it to perform the maintenance operation of updating the control information stored in the control device 10 while the railway vehicle is stopped. Specifically, the maintenance terminal 3 executes a program stored in its memory in response to an instruction input via an input unit such as a mouse, a keyboard, or a touch panel, and transmits an update instruction for instructing the update of the control information stored in the control device 10.
  • the control device 10 authenticates the instruction device. Specifically, when starting the maintenance operation, the maintenance terminal 3 transmits the authentication information from the transmission/reception unit to the control device 10 and requests the authentication. Specifically, the maintenance terminal 3 transmits a communication frame including the user ID to the control device 10.
  • the user ID is an ID that uniquely identifies the instruction device. A unique user ID and password are assigned to each instruction device in advance, and each instruction device holds its assigned user ID and password.
  • the maintenance terminal 3 holds the user ID and password assigned to its own terminal.
  • when the control device 10 receives the communication frame including the user ID, the control device 10 generates a challenge code.
  • upon receiving the communication frame including the challenge code from the control device 10, the maintenance terminal 3 generates a response code from the challenge code and the password held in advance according to a specific algorithm, and transmits a communication frame including the response code as the authentication information to the control device 10.
  • the maintenance terminal 3 holds this specific algorithm in advance, and the specific algorithm is the same as the algorithm held in advance by the authentication unit 12 included in the control device 10 described later.
  • the control device 10 determines whether or not the response code generated from the challenge code and the response code transmitted by the maintenance terminal 3 match. When determining that the response code generated from the challenge code and the response code transmitted by the maintenance terminal 3 match, the control device 10 transmits the determination result to the maintenance terminal 3. After receiving the determination result, the maintenance terminal 3 transmits the communication frame including the update instruction to the control device 10 from the transmission/reception unit.
  • the train information management system 4 includes a display unit, an input unit, a transmission/reception unit, a control circuit having a CPU, a memory, and the like.
  • the train information management system 4 acquires a driving command input from a master controller provided in a driver's cab, and executes a program stored in a memory according to the driving command. Specifically, the train information management system 4 instructs the control device 10 to execute control based on the control information stored in the storage unit 14 included in the control device 10, in response to the operation command.
  • the driving command can include, for example, a powering command for instructing acceleration of the railway vehicle, a braking command for instructing deceleration of the railway vehicle, and the like.
  • the power running command includes the target acceleration of the railway vehicle
  • the brake command includes the target deceleration of the railway vehicle.
  • the train information management system 4 instructs the control device 10 to control the brake.
  • the brake control valve 5 controlled by the control device 10 instructed to control the brake by the train information management system 4 will be described.
  • the brake control valve 5 compresses the air supplied from an air reservoir (not shown) and sends it to the relay valve.
  • the relay valve compresses the air supplied from the air reservoir using the pressure of the air output from the brake control valve 5 as a command pressure, and sends the compressed air to the brake cylinder of the mechanical brake device.
  • the pressure inside the brake cylinder rises, and the brake shoe of the mechanical brake device is pressed against the wheels to generate a braking force.
  • the speed sensor 6 has a PG (Pulse Generator) attached to the axle.
  • the speed sensor 6 calculates the rotation speed of the axle from the pulse signal output from the PG and outputs it to the control device 10.
  • the control device 10 includes a communication unit 11 that receives authentication information and at least one of a control instruction and an update instruction from the maintenance terminal 3 or the train information management system 4; an authentication unit 12 that determines whether the maintenance terminal 3 or the train information management system 4 that has transmitted the authentication information is a previously permitted instruction device; a control unit 13 that controls the brake control valve 5 in accordance with a control instruction transmitted by the maintenance terminal 3 or the train information management system 4 that has been determined to be a previously permitted instruction device; a storage unit 14 that stores control information; and an updating unit 15 that updates the control information stored in the storage unit 14 in accordance with an update instruction transmitted by the maintenance terminal 3 or the train information management system 4 that has been determined to be a previously permitted instruction device.
  • when the communication unit 11 receives the communication frame including the authentication information from the maintenance terminal 3 or the train information management system 4, the communication unit 11 sends the authentication information included in the communication frame to the authentication unit 12.
  • the authentication information includes a user ID and a response code.
  • when the communication unit 11 receives a communication frame including a control instruction from an instruction device that has been determined to be a previously permitted instruction device by the authentication unit 12 described later, the communication unit 11 sends the control instruction included in the communication frame to the control unit 13.
  • when the communication unit 11 receives a communication frame including an update instruction from an instruction device that has been determined to be a previously permitted instruction device, the communication unit 11 sends the update instruction included in the communication frame to the update unit 15.
  • the communication unit 11 discards the communication frame when it receives a communication frame from a maintenance terminal 3 or train information management system 4 that the authentication unit 12 has determined not to be a previously permitted instruction device.
  • the communication unit 11 also generates communication frames from the data acquired from the authentication unit 12, the control unit 13, and the update unit 15, and transmits them to the maintenance terminal 3 or the train information management system 4. Specifically, when the communication unit 11 acquires the challenge code from the authentication unit 12, it generates a communication frame including the challenge code and transmits it to the maintenance terminal 3 or the train information management system 4. Further, when the communication unit 11 acquires from the control unit 13 described later a notification that the execution of the control based on the control information is completed, it generates a communication frame including that completion notification and transmits it to the maintenance terminal 3 or the train information management system 4.
  • when the communication unit 11 acquires from the update unit 15 described below a notification that the update process is completed, it generates a communication frame including that completion notification and transmits it to the maintenance terminal 3 or the train information management system 4.
  • the authentication unit 12 determines, based on the authentication information acquired from the communication unit 11, whether the maintenance terminal 3 or the train information management system 4 that has transmitted the authentication information is a previously permitted instruction device.
  • the authentication unit 12 holds in advance a unique user ID and password assigned to the maintenance terminal 3 and the train information management system 4.
  • FIG. 2 shows an example of a correspondence table of user IDs and passwords that the authentication unit 12 holds in advance. Specifically, the authentication unit 12 holds a user ID and a password associated with the user ID for each maintenance terminal 3 or train information management system 4 that is a previously permitted instruction device.
  • when the authentication unit 12 acquires the user ID as the authentication information from the communication unit 11, the authentication unit 12 generates a challenge code composed of random numbers and sends the challenge code to the communication unit 11. The authentication unit 12 also acquires the password corresponding to the acquired user ID based on the correspondence table shown in FIG. 2. Then, the authentication unit 12 generates a response code from the password and the challenge code according to a specific algorithm.
  • the authenticating unit 12 holds this specific algorithm in advance, and the specific algorithm is the same as the algorithm held in advance by the maintenance terminal 3 and the train information management system 4 described above.
  • the authentication unit 12 determines whether the generated response code matches the acquired response code, and sends the determination result to the communication unit 11. A match between the generated response code and the acquired response code means that the maintenance terminal 3 or the train information management system 4 that has transmitted the authentication information holds the same algorithm as the specific algorithm held by the authentication unit 12. Therefore, when the generated response code and the acquired response code match, the maintenance terminal 3 or the train information management system 4 that has transmitted the authentication information can be regarded as a previously permitted instruction device.
  • the control unit 13 reads the control information from the storage unit 14 according to the control instruction acquired from the communication unit 11, and executes the control based on the control information. Brake control will be described as an example of control based on control information executed by the control unit 13.
  • the control instruction acquired by the communication unit 11 from the train information management system 4 includes the target deceleration of the railway vehicle.
  • the control unit 13 calculates the braking force required to obtain the target deceleration from the weight of the railway vehicle acquired from the variable load valve (not shown) and the target deceleration.
  • the control unit 13 calculates the target value of the air pressure output by the brake control valve 5 from the necessary braking force and the friction coefficient of the contact surface between the brake shoe and the wheel of the mechanical braking device. Next, the control unit 13 controls the brake control valve 5 based on this target value to bring the pressure of the air output from the brake control valve 5 close to the target value.
  • the control unit 13 acquires the pressure value of air output by the brake control valve 5 from a pressure sensor that detects the pressure value of air output by the brake control valve 5, and performs feedback control based on this pressure value.
  • the storage unit 14 stores control information.
  • the control based on the control information includes the control of the brake control valve 5, the reading of the control history of the brake control valve 5 recorded during the control of the brake control valve 5, and the like.
  • the control history of the brake control valve 5 includes, for example, data transmitted to the brake control valve 5, a target value of air pressure output by the brake control valve 5, an air pressure value output by the brake control valve 5, and the like.
  • the update unit 15 updates the control information stored in the storage unit 14 according to the update instruction acquired from the communication unit 11.
  • the update instruction includes update information of the control information.
  • the control process performed by the control system 1 having the above configuration will be described.
  • the control process performed by the control device 10 included in the control system 1 will be described using brake control as an example.
  • the maintenance terminal 3 starts the authentication process shown in FIG. 3 according to the operation of the maintenance personnel.
  • the control system 1 determines whether the maintenance terminal 3 is a previously permitted instruction device before updating the control information.
  • the maintenance terminal 3 transmits a communication frame including the user ID to the control device 10 (step Sq1).
  • upon receiving the communication frame including the user ID, the communication unit 11 sends the user ID to the authentication unit 12.
  • the authentication unit 12 generates a challenge code composed of random numbers (step Sq2).
  • the communication unit 11 transmits a communication frame including the challenge code to the maintenance terminal 3 (step Sq3).
  • the authentication unit 12 acquires the password corresponding to the user ID based on the correspondence table shown in FIG. 2, and generates a response code from the password and the challenge code generated in step Sq2 (step Sq4).
  • when the maintenance terminal 3 receives the communication frame including the challenge code from the control device 10, the maintenance terminal 3 generates a response code from the challenge code and the password held in advance according to the specific algorithm (step Sq5). Then, the maintenance terminal 3 transmits a communication frame including the response code to the control device 10 (step Sq6).
  • when the communication unit 11 receives the communication frame including the response code, the communication unit 11 sends the response code to the authentication unit 12. Then, the authentication unit 12 determines whether or not the response code generated in step Sq4 and the response code acquired from the communication unit 11 match, and sends the determination result to the communication unit 11 (step Sq7). When the authentication unit 12 determines that the two response codes match, the communication unit 11 transmits a communication frame including the determination result to the maintenance terminal 3 (step Sq8). When the process of step Sq8 ends, the control system 1 ends the authentication process. When the authentication unit 12 determines that the two response codes do not match, the communication unit 11 does not perform the process of step Sq8 and discards the communication frame received from the maintenance terminal 3.
  • the control process and the update process will be described with reference to FIG. At this point, the maintenance terminal 3 or the train information management system 4 can be regarded as a previously permitted instruction device.
  • when the maintenance terminal 3 instructs the control device 10 to update the control information stored in the control device 10, the maintenance terminal 3 first receives from the control device 10 the determination result shown in step Sq8 of FIG. 3, and then transmits a communication frame including an update instruction to the control device 10.
  • when the control device 10 receives the communication frame including the update instruction from the maintenance terminal 3, which is the transmission destination of the determination result transmitted in step Sq8 of FIG. 3, the control device 10 starts the control process and the update process shown in FIG.
  • when the communication frame received from the maintenance terminal 3, which is a previously permitted instruction device, includes an update instruction (step S11; Yes), the communication unit 11 sends the update instruction to the update unit 15. Then, the update unit 15 updates the control information stored in the storage unit 14 according to the update instruction (step S12). When the update process is completed, the update unit 15 sends a notification of completion to the communication unit 11, and the communication unit 11 generates a communication frame including a completion notification of the update process of the control information and transmits this communication frame to the maintenance terminal 3. When the process of step S12 ends, the control device 10 ends the control process and the update process.
  • the train information management system 4 instructs the control device 10 to execute control based on the control information stored in the storage unit 14 of the control device 10. Since the control based on the brake command needs to be performed promptly, the control device 10 does not perform the authentication process for the instruction device that has transmitted the control command for instructing the brake.
  • the train information management system 4 transmits a communication frame including a control instruction to the control device 10 when the driving instruction includes the brake instruction.
  • the control device 10 starts the control process and the update process shown in FIG.
  • when the communication frame received from the train information management system 4 includes a control instruction, that is, when the communication frame does not include an update instruction (step S11; No), the communication unit 11 sends the control instruction to the control unit 13.
  • the control unit 13 reads the control information stored in the storage unit 14 according to the control instruction, and executes control based on the control information (step S13). Then, when the execution of the control based on the control information is completed, the control unit 13 sends a notification of completion to the communication unit 11, and the communication unit 11 generates a communication frame including a completion notification of the execution of the control based on the control information and transmits this communication frame to the train information management system 4. When the process of step S13 ends, the control device 10 ends the control process and the update process.
  • the control device 10 determines, based on the authentication information transmitted from the maintenance terminal 3 or the train information management system 4, whether the maintenance terminal 3 or the train information management system 4 that has transmitted the authentication information is a previously permitted instruction device. Then, since the control device 10 operates in accordance with the update instruction transmitted by the maintenance terminal 3 or the train information management system 4 that has been determined to be a previously permitted instruction device, it is possible to suppress updating of the control information according to unauthorized access.
  • the maintenance operation by the maintenance terminal 3 is performed while the railway vehicle is stopped. Therefore, in the second embodiment, in order to prevent unauthorized access to the control device more reliably, a control device that updates the control information stored in the storage unit 14 only while the railway vehicle is stopped will be described.
  • the control of the control device by the train information management system 4 includes, for example, control performed during traveling of the railway vehicle, such as brake control. Therefore, the control device operates according to the control instruction when the communication frame including the control instruction is received from the train information management system 4, which is a previously permitted instruction device, regardless of whether or not the railway vehicle is stopped.
  • the basic configuration of the control device 20 according to the second embodiment shown in FIG. 5 is the same as the basic configuration of the control device 10 according to the first embodiment.
  • the updating unit 15 included in the control device 20 determines whether the railway vehicle is stopped, and when it is determined that the railway vehicle is stopped, the updating unit 15 is an instruction device that is permitted in advance by the authentication unit 12. This is different from the update unit 15 included in the control device 10 in that the control information stored in the storage unit 14 is updated according to the determined update instruction transmitted from the maintenance terminal 3.
  • the update unit 15 acquires the update instruction from the communication unit 11, the update unit 15 acquires the rotation speed of the axle from the speed sensor 6. Then, the updating unit 15 determines whether or not the rotation speed of the axle is equal to or lower than the reference speed. Note that the reference speed is a value that is sufficiently small that it can be considered that the railway vehicle is stopped. When the updating unit 15 determines that the rotation speed of the axle is less than or equal to the reference speed, that is, when the railway vehicle is stopped, the updating unit 15 responds to the updating instruction acquired from the communication unit 11 and stores the storage unit 14 therein. The control information stored in is updated.
  • When the rotation speed of the axle is not equal to or lower than the reference speed, the update unit 15 discards the update instruction even if it was transmitted from the maintenance terminal 3 that the authentication unit 12 determined to be a previously permitted instruction device.
  • The operation of the control system 1 according to the second embodiment will be described with reference to FIG.
  • The authentication process performed by the control system 1 according to the second embodiment is the same as that performed by the control system 1 according to the first embodiment shown in FIG.
  • When the control device 20 receives the communication frame including the update instruction from the maintenance terminal 3, which is the transmission destination of the determination result, the control device 20 starts the control process and the update process shown in FIG. 6.
  • The processing of steps S11 to S13 is the same as that performed by the control device 10 shown in FIG.
  • When the communication unit 11 receives a communication frame including an update instruction from the maintenance terminal 3, which is a previously permitted instruction device (step S11; Yes), the communication unit 11 sends the update instruction to the update unit 15. When the update unit 15 acquires the update instruction from the communication unit 11, it acquires the rotation speed of the axle from the speed sensor 6 (step S14). The update unit 15 then determines whether the acquired rotation speed of the axle is equal to or lower than the reference speed (step S15). When the rotation speed is not equal to or lower than the reference speed (step S15; No), the update unit 15 does not perform the process of step S12, and the control device 20 ends the control process and the update process. On the other hand, when the rotation speed is equal to or lower than the reference speed (step S15; Yes), the update unit 15 performs the process of step S12.
  • In other words, when the rotation speed of the axle is equal to or lower than the reference speed, the control device 20 updates the control information stored in the storage unit 14 according to the update instruction transmitted from the maintenance terminal 3 that is determined to be a previously permitted instruction device.
  • The control information is not updated when the rotation speed of the axle is not equal to or lower than the reference speed, even if the update instruction was transmitted from the maintenance terminal 3 that the authentication unit 12 determined to be a previously permitted instruction device.
  • The control device 20 may use any method to determine whether the railway vehicle is stopped, and may update the control information stored in the storage unit 14 when it determines that the railway vehicle is stopped. As an example, the control device 20 may determine whether the railway vehicle is stopped based on both the rotation speed of the axle and the driving command, and update the control information stored in the storage unit 14 when it determines that the railway vehicle is stopped.
  • Specifically, the control device 20 may acquire the driving command from the master controller provided in the driver's cab or from the train information management system 4, and store the driving command in a memory (not shown). When the update unit 15 determines that the rotation speed of the axle is equal to or lower than the reference speed and that the most recently stored driving command includes the brake command, that is, that the railway vehicle is stopped, it may update the control information stored in the storage unit 14 according to the update instruction acquired from the communication unit 11.
  • In this case, the authentication process performed by the control device 20 is the same as in the first and second embodiments. As in the first embodiment, when the control device 20 receives the communication frame including the update instruction from the maintenance terminal 3, which is the transmission destination of the determination result, the control device 20 starts the control process and the update process shown in FIG. 7. The processing of steps S11 to S15 is the same as that performed by the control device 20 shown in FIG.
  • When the communication unit 11 receives the communication frame including the update instruction from the maintenance terminal 3, which is a previously permitted instruction device (step S11; Yes), the communication unit 11 sends the update instruction to the update unit 15. The communication unit 11 also reads out the driving command from the master controller provided in the driver's cab or from the train information management system 4 (step S16) and sends it to the update unit 15.
  • The update unit 15 determines whether the driving command includes the brake command (step S17). When the driving command does not include the brake command (step S17; No), the update unit 15 does not perform the process of step S12, and the control device 20 ends the control process and the update process. When the driving command includes the brake command (step S17; Yes), the update unit 15 performs the process of step S12.
  • The configuration of the control system 1 is not limited to the above example. As long as the instruction devices and the control devices 10 and 20 can communicate with each other, the method of connecting them is arbitrary.
  • For example, the control device 10 may be connected to the maintenance terminal 3 via the vehicle network 2 and to a maintenance terminal 7 via the train information management system 4.
  • The train information management system 4 and the maintenance terminal 7 may be connected by a maintenance LAN (Local Area Network).
  • The train information management system 4 relays the communication frames transmitted from the maintenance terminal 7 to the control device 10 and the communication frames transmitted from the control device 10 to the maintenance terminal 7, so that the maintenance terminal 7 can perform the maintenance operation of updating the control information stored in the control device 10.
  • The control devices 10 and 20 may be connected to three or more instruction devices via the vehicle network 2.
  • The method by which the control devices 10 and 20 determine whether the instruction device that transmitted the authentication information is a previously permitted instruction device is not limited to the above example; any method that performs authentication based on the authentication information included in the communication frame may be used.
  • For example, the control devices 10 and 20 may determine whether the instruction device that transmitted the authentication information is a previously permitted instruction device based on user authentication using an SSL (Secure Sockets Layer) client certificate or EAP (Extensible Authentication Protocol).
  • The control devices 10 and 20 are not limited to brake control devices, and may be any control device that controls equipment mounted on the railway vehicle.
  • For example, the control devices 10 and 20 may be a VVVF inverter control device that controls a VVVF (Variable Voltage Variable Frequency) inverter, a static inverter control device that controls a static inverter, or the like.
  • The control instruction sent from the instruction device to the control devices 10 and 20 is not limited to brake control; it may be any instruction that directs the operation of the control devices 10 and 20.
  • For example, the control instruction can include an output instruction that instructs the output of the history stored in the storage unit 14.
  • Specifically, the train information management system 4 may send a communication frame including a control instruction indicating an output instruction to the control devices 10 and 20. The control devices 10 and 20 then read out the history stored in the storage unit 14 based on the control instruction indicating the output instruction, which is included in the communication frame transmitted by the train information management system 4 determined to be a previously permitted instruction device, and transmit a communication frame including the history as data to the train information management system 4.
  • The operation of the control system 1 will be described taking as an example the case where the train information management system 4 instructs the control device 10 to output the history.
  • In order to prevent the history from being output in response to unauthorized access, the control system 1 performs the authentication process shown in FIG. 3 to determine whether the train information management system 4 is a previously permitted instruction device.
  • Specifically, the train information management system 4 transmits a communication frame including a user ID from its transmission/reception unit to the control device 10.
  • Upon receiving the communication frame including the user ID, the communication unit 11 sends the user ID to the authentication unit 12.
  • The authentication unit 12 generates a challenge code composed of random numbers.
  • The communication unit 11 transmits a communication frame including the challenge code to the train information management system 4.
  • The authentication unit 12 also acquires the password corresponding to the user ID from the correspondence table shown in FIG. 2, and generates a response code from the password and the generated challenge code.
  • When the train information management system 4 receives the communication frame including the challenge code from the control device 10, it generates a response code from the challenge code and the password it holds in advance, according to a specific algorithm. The train information management system 4 then transmits a communication frame including the response code to the control device 10.
  • When the communication unit 11 receives the communication frame including the response code, it sends the response code to the authentication unit 12. The authentication unit 12 then determines whether the response code it generated matches the response code acquired from the communication unit 11, and sends the determination result to the communication unit 11. When the authentication unit 12 determines that the two response codes match, the communication unit 11 transmits a communication frame including the determination result to the train information management system 4. When the authentication unit 12 determines that they do not match, the communication unit 11 discards the communication frame received from the train information management system 4.
  • After receiving the determination result, the train information management system 4 transmits a communication frame including a control instruction indicating an output instruction from its transmission/reception unit to the control device 10.
  • The control device 10 then starts the control process and the update process shown in FIG. Specifically, the communication unit 11 sends the control instruction included in the communication frame received from the train information management system 4 to the control unit 13.
  • The control unit 13 of the control device 10 stores in the storage unit 14, as a history, the signal sent to the brake control valve 5 and the pressure value acquired from the pressure sensor while it controls the brake control valve 5.
  • When the control unit 13 acquires the control instruction indicating the output instruction from the communication unit 11, it reads the history stored in the storage unit 14 and sends the history to the communication unit 11. The communication unit 11 generates a communication frame including the history as data and transmits the communication frame to the train information management system 4.
  • In the above description the maintenance terminal 3 sends the authentication information and the update instruction to the control devices 10 and 20, but the maintenance terminal 3 may also send a control instruction to the control devices 10 and 20.
  • For example, the maintenance terminal 3 may transmit a communication frame including the control instruction indicating the above-described output instruction to the control devices 10 and 20.
  • The control devices 10 and 20 then read out the history from the storage unit 14 based on the control instruction indicating the output instruction, which is included in the communication frame transmitted by the maintenance terminal 3 determined to be a previously permitted instruction device, and transmit a communication frame including the read history as data to the maintenance terminal 3.
  • FIG. 9 is a diagram illustrating a hardware configuration example of the control devices 10 and 20 according to the embodiment.
  • The control devices 10 and 20 include, as the hardware configuration that controls each unit, a processor 31, a memory 32, and an interface 33. Each function of these devices is realized by the processor 31 executing a program stored in the memory 32.
  • The interface 33 connects the devices to each other and establishes communication, and may be composed of a plurality of types of interfaces as necessary.
  • The control devices 10 and 20 are connected to the vehicle network 2 via the interface 33 and communicate with the maintenance terminal 3 and the train information management system 4 connected to the vehicle network 2. The control devices 10 and 20 are also connected to the brake control valve 5 and the speed sensor 6 via the interface 33.
  • Although FIG. 9 shows an example with a single processor 31 and a single memory 32, a plurality of processors 31 and a plurality of memories 32 may cooperate to execute each function.
  • The central part that performs the control processing, composed of the processor 31, the memory 32, and the interface 33, can be realized using an ordinary computer system instead of a dedicated system.
  • For example, the control devices 10 and 20 that execute the above-described processing may be configured by storing the computer program on a computer-readable recording medium such as a flexible disk, a CD-ROM (Compact Disc Read-Only Memory), or a DVD-ROM (Digital Versatile Disc Read-Only Memory), distributing the medium, and installing the computer program on a computer.
  • The control devices 10 and 20 may also be configured by storing the computer program in a storage device of a server device on a communication network and downloading the computer program to an ordinary computer system.
  • When the functions of the control devices 10 and 20 are realized by sharing between an OS (Operating System) and application programs, or by cooperation between the OS and application programs, only the application program portion may be recorded on the recording medium or stored in the storage device.
  • The computer program may also be posted on a bulletin board (BBS: Bulletin Board System) on the communication network and distributed via the communication network. The above-described processing may then be executed by starting this computer program and running it under the control of the OS in the same way as other application programs.
  • Reference numerals: 1 control system, 2 vehicle network, 3, 7 maintenance terminal, 4 train information management system, 5 brake control valve, 6 speed sensor, 10, 20 control device, 11 communication unit, 12 authentication unit, 13 control unit, 14 storage unit, 15 update unit, 31 processor, 32 memory, 33 interface.
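The update-gating flow of the second embodiment (steps S11, S14, S15, S12 of FIG. 6) and its modification that also checks the driving command (steps S16, S17 of FIG. 7), as an added example that is not code from the patent; REFERENCE_SPEED_RPM, the frame layout, the outcome strings and the device IDs are assumptions made for this example.

```python
"""Added example (not from the patent): the update gate of control device 20.

The update unit 15 accepts an update instruction only if (a) the sender was
determined by authentication unit 12 to be a permitted instruction device,
(b) the axle speed from speed sensor 6 is at or below the reference speed and,
in the FIG. 7 modification, (c) the latest driving command includes the brake
command. Everything else ends the process without touching storage unit 14.
"""
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Set

# Assumed threshold: the patent only says it is small enough that the
# vehicle can be considered stopped.
REFERENCE_SPEED_RPM = 1.0


class DrivingCommand(Flag):
    """Driving command from the master controller / TIMS (assumed encoding).
    A Flag lets a command 'include' the brake command, as the text puts it."""
    NONE = 0
    POWERING = auto()  # acceleration command
    BRAKE = auto()     # deceleration command


@dataclass
class UpdateFrame:
    """Communication frame carrying an update instruction (assumed layout)."""
    sender_id: str            # user ID of the instruction device
    new_control_info: bytes   # updated control information (program/script)


@dataclass
class ControlDevice20:
    """Storage unit 14 plus the state the update unit 15 needs."""
    permitted_ids: Set[str] = field(default_factory=set)  # result of unit 12
    control_info: bytes = b"brake-control-v1"             # storage unit 14
    require_brake_command: bool = False   # False: FIG. 6 flow, True: FIG. 7 flow
    last_driving_command: DrivingCommand = DrivingCommand.NONE  # memory of S16

    def handle_update(self, frame: UpdateFrame, axle_rpm: float) -> str:
        """Run the flowchart once; return which branch ended the process."""
        # S11: a frame from a device not determined to be permitted is discarded.
        if frame.sender_id not in self.permitted_ids:
            return "discarded:not_permitted"
        # S14/S15: axle speed must be equal to or lower than the reference speed.
        if not axle_rpm <= REFERENCE_SPEED_RPM:
            return "discarded:vehicle_moving"
        # S16/S17 (modification): latest driving command must include the brake.
        if self.require_brake_command and DrivingCommand.BRAKE not in self.last_driving_command:
            return "discarded:no_brake_command"
        # S12: update the control information held in storage unit 14.
        self.control_info = frame.new_control_info
        return "updated"


def demo() -> list:
    """Scripted scenario; returns the outcome of each frame in order."""
    dev = ControlDevice20(permitted_ids={"maint-03"}, require_brake_command=True)
    frame = UpdateFrame("maint-03", b"brake-control-v2")
    outcomes = []
    outcomes.append(dev.handle_update(UpdateFrame("unknown-99", b"x"), 0.0))
    outcomes.append(dev.handle_update(frame, 120.0))          # still rolling
    outcomes.append(dev.handle_update(frame, 0.0))            # stopped, no brake cmd
    dev.last_driving_command = DrivingCommand.BRAKE           # S16 reads brake command
    outcomes.append(dev.handle_update(frame, 0.0))            # S17 Yes -> S12
    return outcomes
```

`demo()` returns the four branch outcomes in order, ending with the single accepted update.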

Abstract

A control device (10) that comprises: a communication part (11) that receives authentication information, control instructions, and update instructions from at least one instruction device; an authentication part (12) that determines whether an instruction device that has transmitted authentication information is a pre-authorized instruction device; a storage part (14) that stores control information; a control part (13) that, in accordance with a control command that has been transmitted by an instruction device that has been determined to be a pre-authorized instruction device, retrieves the control information that is stored at the storage part (14) and executes control that is based on the retrieved control information; and an updating part (15) that, in accordance with an update command that has been transmitted by the instruction device that has been determined to be a pre-authorized instruction device, updates the control information that is stored at the storage part (14).

Description

Vehicle control device, vehicle control system, and program
The present invention relates to a vehicle control device, a vehicle control system, and a program.
A railway vehicle is equipped with an on-board system composed of a plurality of devices, such as mechanical brakes and power converters, and a plurality of control devices each of which controls the corresponding device, for example a brake controller and a switching control unit. These devices and control devices are connected to each other via an in-vehicle network. An example of this type of on-board system is disclosed in Patent Document 1.
Patent Document 1: JP 2016-143945 A
A maintenance terminal can be connected to the in-vehicle network of the on-board system disclosed in Patent Document 1. During maintenance work, maintenance staff connect the maintenance terminal to the in-vehicle network and use it to perform maintenance work such as updating the software of the control device and acquiring logs from the control device. Specifically, the maintenance terminal transmits maintenance information for updating the software of the control device to the control device, and the control device updates its software based on the maintenance information.
If unauthorized access to this control device occurs, for example if an unauthorized external terminal connected to the in-vehicle network transmits unauthorized maintenance information to the control device, the control device may update its software based on the unauthorized maintenance information. As a result, the control performed by the control device may differ from the desired control.
The present invention has been made in view of the above circumstances, and its object is to prevent a vehicle control device from updating its control information in accordance with unauthorized access.
In order to achieve the above object, the vehicle control device of the present invention includes a storage unit, a communication unit, an authentication unit, and an update unit. The storage unit stores control information. The communication unit receives, from at least one instruction device connected via a vehicle network, authentication information and an update instruction that instructs update of the control information stored in the storage unit. The authentication unit determines, based on the authentication information, whether the instruction device that transmitted the authentication information is a previously permitted instruction device. The update unit updates the control information stored in the storage unit in accordance with the update instruction transmitted by an instruction device that the authentication unit has determined to be a previously permitted instruction device.
The vehicle control device according to the present invention determines, based on the authentication information, whether the instruction device that transmitted the authentication information is a previously permitted instruction device, and updates the control information stored in the storage unit according to the update instruction transmitted by an instruction device determined to be previously permitted. Because the vehicle control device updates the control information only in accordance with update instructions from instruction devices determined to be previously permitted, it can be prevented from updating the control information in accordance with unauthorized access.
FIG. 1 Block diagram of a vehicle control system according to Embodiment 1 of the present invention
FIG. 2 Diagram showing an example of the correspondence table of user IDs and passwords held by the vehicle control device according to Embodiment 1
FIG. 3 Sequence diagram of the authentication process performed by the vehicle control system according to Embodiment 1
FIG. 4 Flowchart of the control process and update process performed by the vehicle control device according to Embodiment 1
FIG. 5 Block diagram of a vehicle control system according to Embodiment 2 of the present invention
FIG. 6 Flowchart of the control process and update process performed by the vehicle control device according to Embodiment 2
FIG. 7 Flowchart of a modification of the control process and update process performed by the vehicle control device according to the embodiments
FIG. 8 Block diagram of a modification of the vehicle control system according to the embodiments
FIG. 9 Diagram showing the hardware configuration of the vehicle control device according to the embodiments
Hereinafter, a railway vehicle control device and a railway vehicle control system according to embodiments of the present invention will be described in detail with reference to the drawings. In the drawings, the same or equivalent parts are denoted by the same reference numerals.
(Embodiment 1)
A railway vehicle includes a vehicle control system that controls on-board equipment such as brake equipment and power conversion equipment. The vehicle control system (hereinafter simply referred to as the control system) 1 according to Embodiment 1 shown in FIG. 1 includes a vehicle control device (hereinafter simply referred to as the control device) 10 that controls on-board equipment, and at least one instruction device that transmits to the control device 10 authentication information together with at least one of a control instruction, which instructs execution of control based on the control information stored in the control device, and an update instruction, which instructs update of the control information. The control information includes a control program, a control script, and the like for controlling the on-board equipment. The update instruction includes the updated control information. The control system 1 according to Embodiment 1 will be described taking as an example a control system 1 whose control device 10 is a brake control device that controls a mechanical brake.
In Embodiment 1, the control system 1 includes, as instruction devices, a maintenance terminal 3 that performs the maintenance work of updating the control information stored in the control device 10, and a train information management system (TIMS) 4 that transmits and receives driving commands, transmits control instructions to the control device 10, acquires logs from the control device, and so on. The control system 1 further includes a brake control valve 5 that compresses air supplied from an air reservoir (not shown) and supplies it to a relay valve, and a speed sensor 6 that is attached to an axle of the railway vehicle and detects the rotation speed of the axle.
The maintenance terminal 3, the train information management system 4, and the control device 10 are connected to each other via the vehicle network 2. The vehicle network 2 is a communication network defined by a standard such as Ethernet (registered trademark) or CAN (Controller Area Network). The maintenance terminal 3, the train information management system 4, and the control device 10 transmit and receive communication frames defined by that standard to and from each other.
Each part of the control system 1 will be described taking as an example the case where the control device 10 uses a challenge-and-response method to determine whether the maintenance terminal 3 or the train information management system 4 that transmitted the authentication information is a previously permitted instruction device.
The maintenance terminal 3 is connected to the vehicle network 2 by maintenance staff as needed. It is a device composed of a display unit, an input unit, a transmission/reception unit, and a control circuit having a CPU (Central Processing Unit), a memory, and the like, and is, for example, a portable terminal such as a PC (Personal Computer) or a tablet terminal. When the railway vehicle is stopped, the maintenance staff connect the maintenance terminal 3 to the vehicle network 2 as needed and operate it to perform the maintenance operation of updating the control information stored in the control device 10. Specifically, the maintenance terminal 3 executes a program stored in its memory in response to instructions entered via an input unit such as a mouse, a keyboard, or a touch panel, and thereby transmits to the control device 10, described later, an update instruction that instructs update of the control information stored in the control device 10.
Because the maintenance terminal 3 is connected to the vehicle network 2 by maintenance staff as needed, an unauthorized terminal may be connected to the vehicle network 2, and unauthorized access to the control device 10 from that terminal may occur. To prevent the control device 10 from operating in accordance with unauthorized access, the control device 10 therefore authenticates the instruction device. Specifically, when starting the maintenance operation, the maintenance terminal 3 transmits authentication information from its transmission/reception unit to the control device 10 and requests authentication. In detail, the maintenance terminal 3 transmits a communication frame including a user ID to the control device 10. The user ID is an ID that uniquely identifies the instruction device. Each instruction device is assigned in advance a user ID and password unique to it, and holds the assigned user ID and password; in other words, the maintenance terminal 3 holds the user ID and password assigned to itself. As described later, when the control device 10 receives the communication frame including the user ID, it generates a challenge code. Upon receiving the communication frame including the challenge code from the control device 10, the maintenance terminal 3 generates a response code from the challenge code and the password it holds in advance, according to a specific algorithm, and transmits a communication frame including the response code as the authentication information to the control device 10. The maintenance terminal 3 holds this specific algorithm in advance, and it is the same algorithm as the one held in advance by the authentication unit 12 of the control device 10 described later.
After that, as described later, the control device 10 determines whether the response code it generated from the challenge code matches the response code transmitted by the maintenance terminal 3. When the control device 10 determines that the two response codes match, it transmits the determination result to the maintenance terminal 3. After receiving the determination result, the maintenance terminal 3 transmits a communication frame including the update instruction from its transmission/reception unit to the control device 10.
The train information management system 4 includes a display unit, an input unit, a transmission/reception unit, and a control circuit having a CPU, memory and the like. The train information management system 4 acquires an operation command input from a master controller provided in the driver's cab and executes a program stored in the memory in accordance with the operation command. In detail, in accordance with the operation command, the train information management system 4 performs an instruction operation that instructs the control device 10 to execute control based on the control information stored in the storage unit 14 of the control device 10. The operation command may include, for example, a powering command instructing acceleration of the railway vehicle and a brake command instructing deceleration of the railway vehicle. In this case, the powering command includes a target acceleration of the railway vehicle, and the brake command includes a target deceleration of the railway vehicle. As an example, when the operation command includes a brake command, the train information management system 4 instructs the control device 10 to control the brakes.
The brake control valve 5, which is controlled by the control device 10 when the train information management system 4 instructs it to control the brakes, is described next. The brake control valve 5 compresses air supplied from an air reservoir (not shown) and sends it to a relay valve. Using the pressure of the air output by the brake control valve 5 as a command pressure, the relay valve compresses the air supplied from the air reservoir and sends it to a brake cylinder of the mechanical brake device. The pressure inside the brake cylinder rises and a brake shoe of the mechanical brake device is pressed against the wheel, generating braking force.
The speed sensor 6 has a PG (Pulse Generator) attached to the axle. The speed sensor 6 calculates the rotational speed of the axle from the pulse signal output by the PG and outputs it to the control device 10.
The control device 10 includes: a communication unit 11 that receives, from the maintenance terminal 3 or the train information management system 4, authentication information together with at least one of a control instruction and an update instruction; an authentication unit 12 that determines whether the maintenance terminal 3 or train information management system 4 that transmitted the authentication information is a pre-authorized instruction device; a control unit 13 that controls the brake control valve 5 in accordance with a control instruction transmitted by a maintenance terminal 3 or train information management system 4 determined to be a pre-authorized instruction device; a storage unit 14 that stores control information; and an update unit 15 that updates the control information stored in the storage unit 14 in accordance with an update instruction transmitted by a maintenance terminal 3 or train information management system 4 determined to be a pre-authorized instruction device.
When the communication unit 11 receives a communication frame including authentication information from the maintenance terminal 3 or the train information management system 4, it passes the authentication information contained in the frame to the authentication unit 12. The authentication information includes a user ID, a response code and the like. When the communication unit 11 receives a communication frame including a control instruction from an instruction device that the authentication unit 12 (described later) has determined to be a pre-authorized instruction device, it passes the control instruction contained in the frame to the control unit 13. Likewise, when the communication unit 11 receives a communication frame including an update instruction from an instruction device that the authentication unit 12 has determined to be a pre-authorized instruction device, it passes the update instruction contained in the frame to the update unit 15.
When the communication unit 11 receives a communication frame from a maintenance terminal 3 or train information management system 4 that the authentication unit 12 has determined not to be a pre-authorized instruction device, it discards the frame.
The communication unit 11 also generates communication frames from data acquired from the authentication unit 12, the control unit 13 and the update unit 15, and transmits them to the maintenance terminal 3 or the train information management system 4. In detail, when the communication unit 11 acquires a challenge code from the authentication unit 12, it generates a communication frame including the challenge code and transmits it to the maintenance terminal 3 or the train information management system 4. When the communication unit 11 acquires from the control unit 13 (described later) a notification that execution of control based on the control information has been completed, it generates a communication frame including a completion notification for that control and transmits it to the maintenance terminal 3 or the train information management system 4. When the communication unit 11 acquires from the update unit 15 (described later) a notification that the update process has been completed, it generates a communication frame including a completion notification for the update process and transmits it to the maintenance terminal 3 or the train information management system 4.
Based on the authentication information acquired from the communication unit 11, the authentication unit 12 determines whether the maintenance terminal 3 or train information management system 4 that transmitted the authentication information is a pre-authorized instruction device. The authentication unit 12 holds in advance the unique user IDs and passwords assigned to the maintenance terminal 3 and the train information management system 4. FIG. 2 shows an example of the correspondence table of user IDs and passwords held in advance by the authentication unit 12. Specifically, for each maintenance terminal 3 or train information management system 4 that is a pre-authorized instruction device, the authentication unit 12 holds a user ID and the password associated with that user ID.
In detail, when the authentication unit 12 acquires a user ID as authentication information from the communication unit 11, it generates a challenge code consisting of random numbers and sends it to the communication unit 11. The authentication unit 12 also looks up the password corresponding to the acquired user ID in the correspondence table shown in FIG. 2. The authentication unit 12 then generates a response code from the password and the challenge code according to a specific algorithm. The authentication unit 12 holds this specific algorithm in advance, and the algorithm is the same as the one held in advance by the maintenance terminal 3 and the train information management system 4 described above.
Thereafter, when the authentication unit 12 acquires a response code as authentication information from the communication unit 11, it determines whether the response code it generated matches the acquired response code, and sends the determination result to the communication unit 11. A match between the generated response code and the acquired response code means that the maintenance terminal 3 or train information management system 4 that transmitted the authentication information holds the same algorithm as the specific algorithm held by the authentication unit 12. Therefore, when the generated response code and the acquired response code match, the maintenance terminal 3 or train information management system 4 that transmitted the authentication information can be regarded as a pre-authorized instruction device.
The control unit 13 reads control information from the storage unit 14 in accordance with a control instruction acquired from the communication unit 11, and executes control based on the control information. Brake control is described as an example of control based on control information executed by the control unit 13. When the control unit 13 acquires a control instruction from the communication unit 11, it starts brake control. Here, the control instruction acquired by the communication unit 11 from the train information management system 4 is assumed to include the target deceleration of the railway vehicle.
The control unit 13 calculates the braking force required to achieve the target deceleration from the weight of the railway vehicle, acquired from a variable load valve (not shown), and the target deceleration. The control unit 13 then calculates a target value for the pressure of the air output by the brake control valve 5 from the required braking force and the friction coefficient of the contact surface between the brake shoe of the mechanical brake device and the wheel. Next, the control unit 13 controls the brake control valve 5 based on this target value so that the pressure of the air output by the brake control valve 5 approaches the target value. The control unit 13 acquires the pressure of the air output by the brake control valve 5 from a pressure sensor that detects it, and performs feedback control based on this pressure value.
The storage unit 14 stores control information. Control based on the control information includes control of the brake control valve 5 and reading out the control history of the brake control valve 5 recorded while it was being controlled. The control history of the brake control valve 5 includes, for example, data transmitted to the brake control valve 5, the target value of the pressure of the air output by the brake control valve 5, and the measured pressure of the air output by the brake control valve 5.
The update unit 15 updates the control information stored in the storage unit 14 in accordance with an update instruction acquired from the communication unit 11. The update instruction includes update information for the control information.
The control process performed by the control system 1 having the above configuration is described next. Brake control is used as the example of the control process performed by the control device 10 of the control system 1. The maintenance terminal 3 starts the authentication process shown in FIG. 3 in response to an operation by maintenance personnel.
To prevent control information from being updated in response to unauthorized access, the control system 1 performs an authentication process that determines whether the maintenance terminal 3 is a pre-authorized instruction device before updating the control information. The maintenance terminal 3 transmits a communication frame including its user ID to the control device 10 (step Sq1). On receiving the communication frame including the user ID, the communication unit 11 passes the user ID to the authentication unit 12. The authentication unit 12 then generates a challenge code consisting of random numbers (step Sq2). The communication unit 11 then transmits a communication frame including the challenge code to the maintenance terminal 3 (step Sq3). The authentication unit 12 also looks up the password corresponding to the user ID in the correspondence table shown in FIG. 2 and generates a response code from the password and the challenge code generated in step Sq2 (step Sq4).
When the maintenance terminal 3 receives the communication frame including the challenge code from the control device 10, it generates a response code from the challenge code and the password it holds in advance according to the specific algorithm (step Sq5). The maintenance terminal 3 then transmits a communication frame including the response code to the control device 10 (step Sq6).
When the communication unit 11 receives the communication frame including the response code, it passes the response code to the authentication unit 12. The authentication unit 12 determines whether the response code generated in step Sq4 matches the response code acquired from the communication unit 11, and sends the determination result to the communication unit 11 (step Sq7). When the authentication unit 12 determines that the response code generated in step Sq4 matches the response code acquired from the communication unit 11, the communication unit 11 transmits a communication frame including the determination result to the maintenance terminal 3 (step Sq8). When the process of step Sq8 ends, the control system 1 ends the authentication process. When the authentication unit 12 determines that the response code generated in step Sq4 does not match the response code acquired from the communication unit 11, the communication unit 11 does not perform step Sq8 and discards the communication frame received from the maintenance terminal 3.
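The exchange of steps Sq1 to Sq8 between the maintenance terminal 3 and the authentication unit 12, as an added example that is not the patent's own code. The patent leaves the "specific algorithm", the form of the challenge code and the FIG. 2 table contents unspecified; HMAC-SHA256 keyed with the password, a 16-byte random challenge, and the sample user IDs and passwords below are assumptions of this example.

```python
"""Challenge-response authentication of steps Sq1 to Sq8 (added illustration).

Assumed here, since the patent does not fix them: the shared "specific
algorithm" is HMAC-SHA256 keyed with the password, the challenge is 16 random
bytes, and the FIG. 2 correspondence table is a dict user_id -> password.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

Frame = Dict[str, object]   # a communication frame: {"type": ..., "user_id": ..., ...}


def response_code(password: bytes, challenge: bytes) -> bytes:
    """The 'specific algorithm' held by both sides (assumption: HMAC-SHA256)."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class AuthenticationUnit:
    """Authentication unit 12: holds the FIG. 2 table, issues and checks challenges."""

    def __init__(self, table: Dict[str, bytes]) -> None:
        self._table = dict(table)
        # user_id -> expected response for the challenge currently outstanding
        self._pending: Dict[str, bytes] = {}

    def on_user_id(self, user_id: str) -> Optional[bytes]:
        """Sq2 and Sq4: issue a random challenge and precompute the expected response."""
        password = self._table.get(user_id)
        if password is None:
            return None                      # unknown ID: no challenge, frame discarded
        challenge = secrets.token_bytes(16)  # random challenge code
        self._pending[user_id] = response_code(password, challenge)
        return challenge

    def on_response(self, user_id: str, received: bytes) -> bool:
        """Sq7: constant-time comparison; each challenge can be answered once."""
        expected = self._pending.pop(user_id, None)
        if expected is None:
            return False                     # no outstanding challenge (or a replay)
        return hmac.compare_digest(expected, received)


class MaintenanceTerminal:
    """Maintenance terminal 3: holds its own assigned user ID and password."""

    def __init__(self, user_id: str, password: bytes) -> None:
        self.user_id = user_id
        self._password = password

    def auth_request(self) -> Frame:
        """Sq1: the first frame carries only the user ID."""
        return {"type": "AUTH_ID", "user_id": self.user_id}

    def on_challenge(self, challenge: bytes) -> Frame:
        """Sq5 and Sq6: answer with the response code for this challenge."""
        return {"type": "AUTH_RESPONSE", "user_id": self.user_id,
                "response": response_code(self._password, challenge)}


def run_authentication(terminal: MaintenanceTerminal,
                       auth: AuthenticationUnit) -> Tuple[bool, List[str]]:
    """Drive the whole exchange; returns (authenticated, transcript of frames)."""
    log: List[str] = []
    req = terminal.auth_request()
    log.append(f"Sq1 terminal->device AUTH_ID {req['user_id']}")
    challenge = auth.on_user_id(str(req["user_id"]))
    if challenge is None:
        log.append("Sq2 device: unknown user ID, frame discarded")
        return False, log
    log.append(f"Sq3 device->terminal CHALLENGE {challenge.hex()}")
    resp = terminal.on_challenge(challenge)
    log.append("Sq6 terminal->device AUTH_RESPONSE")
    ok = auth.on_response(str(resp["user_id"]), bytes(resp["response"]))  # type: ignore[arg-type]
    # Sq8: the result frame is sent only on a match; otherwise the frame is discarded
    log.append("Sq8 device->terminal AUTH_OK" if ok else "Sq7 mismatch, frame discarded")
    return ok, log


# Constructed sample table in the shape of FIG. 2; IDs and passwords are made up.
TABLE = {"MT-001": b"maintenance-secret", "TIMS-01": b"tims-secret"}


def demo() -> Dict[str, bool]:
    """Genuine terminal, wrong password, and unknown user ID against one device."""
    auth = AuthenticationUnit(TABLE)
    results: Dict[str, bool] = {}
    results["genuine"], _ = run_authentication(
        MaintenanceTerminal("MT-001", b"maintenance-secret"), auth)
    results["wrong_password"], _ = run_authentication(
        MaintenanceTerminal("MT-001", b"not-the-password"), auth)
    results["unknown_id"], _ = run_authentication(
        MaintenanceTerminal("MT-999", b"anything"), auth)
    return results


def replay_rejected() -> bool:
    """A captured response frame presented a second time must not authenticate."""
    auth = AuthenticationUnit(TABLE)
    term = MaintenanceTerminal("MT-001", b"maintenance-secret")
    challenge = auth.on_user_id("MT-001")
    resp = term.on_challenge(challenge)                        # type: ignore[arg-type]
    first = auth.on_response("MT-001", bytes(resp["response"]))   # type: ignore[arg-type]
    second = auth.on_response("MT-001", bytes(resp["response"]))  # type: ignore[arg-type]
    return first and not second


if __name__ == "__main__":
    ok, transcript = run_authentication(
        MaintenanceTerminal("MT-001", b"maintenance-secret"), AuthenticationUnit(TABLE))
    print("\n".join(transcript), "\nauthenticated:", ok)
```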
The control process and update process performed by the control system 1 when, as a result of the processing in FIG. 3, the response code generated by the authentication unit 12 is determined to match the response code transmitted by the maintenance terminal 3 or the train information management system 4 are described with reference to FIG. 4. In this case, the maintenance terminal 3 or the train information management system 4 can be regarded as a pre-authorized instruction device.
First, the case where the maintenance terminal 3 instructs the control device 10 to update the control information stored in the control device 10 is described. When the maintenance terminal 3 receives from the control device 10 the determination result of step Sq8 in FIG. 3, it transmits a communication frame including an update instruction to the control device 10. When the control device 10 receives the communication frame including the update instruction from the maintenance terminal 3 to which it sent the determination result in step Sq8 of FIG. 3, it starts the control process and update process shown in FIG. 4.
When the communication frame received from the maintenance terminal 3, a pre-authorized instruction device, includes an update instruction (step S11; Yes), the communication unit 11 passes the update instruction to the update unit 15.
The update unit 15 then updates the control information stored in the storage unit 14 in accordance with the update instruction (step S12). When the update process is complete, the update unit 15 notifies the communication unit 11, and the communication unit 11 generates a communication frame including a completion notification for the update of the control information and transmits it to the maintenance terminal 3. When the process of step S12 ends, the control device 10 ends the control process and update process.
Next, the case where the train information management system 4 instructs the control device 10 to execute control based on the control information stored in the storage unit 14 of the control device 10 is described. Because control based on a brake command must be performed promptly, the control device 10 does not perform the authentication process for the instruction device that transmitted a control instruction for braking. When the operation command includes a brake command, the train information management system 4 transmits a communication frame including a control instruction to the control device 10. When the control device 10 receives the communication frame including the control instruction from the train information management system 4, it starts the control process and update process shown in FIG. 4. When the communication frame received from the train information management system 4 includes a control instruction, that is, when it does not include an update instruction (step S11; No), the communication unit 11 passes the control instruction to the control unit 13.
The control unit 13 then reads the control information stored in the storage unit 14 in accordance with the control instruction and executes control based on the control information (step S13). When execution of the control based on the control information is complete, the control unit 13 notifies the communication unit 11, and the communication unit 11 generates a communication frame including a completion notification for the control and transmits it to the train information management system 4. When the process of step S13 ends, the control device 10 ends the control process and update process.
As described above, the control device 10 according to Embodiment 1 determines, based on the authentication information transmitted from the maintenance terminal 3 or the train information management system 4, whether the maintenance terminal 3 or train information management system 4 that transmitted the authentication information is a pre-authorized instruction device. The control device 10 then operates in accordance with update instructions transmitted by a maintenance terminal 3 or train information management system 4 determined to be a pre-authorized instruction device, so that updating of the control information in response to unauthorized access can be suppressed.
(Embodiment 2)
Maintenance operations by the maintenance terminal 3 are performed while the railway vehicle is stopped. Embodiment 2 therefore describes a control device that, in order to prevent unauthorized access to the control device more reliably, updates the control information stored in the storage unit 14 only when the railway vehicle is stopped. Control of the control device by the train information management system 4 includes control performed while the railway vehicle is running, such as brake control. For this reason, the control device operates in accordance with a control instruction whenever it receives a communication frame including the control instruction from the train information management system 4, a pre-authorized instruction device, regardless of whether the railway vehicle is stopped.
The basic configuration of the control device 20 according to Embodiment 2, shown in FIG. 5, is the same as that of the control device 10 according to Embodiment 1. However, the update unit 15 of the control device 20 differs from the update unit 15 of the control device 10 in that it determines whether the railway vehicle is stopped and, only when it determines that the railway vehicle is stopped, updates the control information stored in the storage unit 14 in accordance with an update instruction transmitted from a maintenance terminal 3 that the authentication unit 12 has determined to be a pre-authorized instruction device.
In detail, when the update unit 15 acquires an update instruction from the communication unit 11, it acquires the rotational speed of the axle from the speed sensor 6. The update unit 15 then determines whether the rotational speed of the axle is equal to or lower than a reference speed. The reference speed is a value small enough that the railway vehicle can be regarded as stopped. When the update unit 15 determines that the rotational speed of the axle is equal to or lower than the reference speed, that is, that the railway vehicle is stopped, it updates the control information stored in the storage unit 14 in accordance with the update instruction acquired from the communication unit 11. In other words, when the rotational speed of the axle exceeds the reference speed, the update unit 15 discards the update instruction even if it was transmitted from a maintenance terminal 3 that the authentication unit 12 has determined to be a pre-authorized instruction device.
The operation of the control system 1 according to Embodiment 2 is described with reference to FIG. 6. The authentication process performed by the control system 1 according to Embodiment 2 is the same as that performed by the control system 1 according to Embodiment 1, shown in FIG. 3. As in Embodiment 1, when the control device 20 receives a communication frame including an update instruction from the maintenance terminal 3 to which it sent the determination result, it starts the control process and update process shown in FIG. 6. The processing of steps S11 to S13 is the same as that performed by the control device 10 in FIG. 4.
When the communication unit 11 receives a communication frame including an update instruction from the maintenance terminal 3, a pre-authorized instruction device (step S11; Yes), it passes the update instruction to the update unit 15. When the update unit 15 acquires the update instruction from the communication unit 11, it acquires the rotational speed of the axle from the speed sensor 6 (step S14). The update unit 15 then determines whether the acquired rotational speed of the axle is equal to or lower than the reference speed (step S15). If the rotational speed is not equal to or lower than the reference speed (step S15; No), the update unit 15 does not perform step S12, and the control device 20 ends the control process and update process. If the rotational speed is equal to or lower than the reference speed (step S15; Yes), the update unit 15 performs step S12.
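The frame dispatch of FIG. 6 (steps S11, S14, S15, S12 and S13) run over a few constructed frames, as an added example that is not the patent's own code. The set of authenticated user IDs standing in for the Sq8 result, the speed sensor modelled as a callable, the reference speed value, the contents of the control information and the brake pressure formula are assumptions of this example.

```python
"""Speed-gated update and unauthenticated brake control of FIG. 6 (added illustration).

Assumptions: the Sq8 result is kept as the set of user IDs currently
authenticated; the speed sensor 6 is a callable returning axle rpm; the
reference speed is a made-up 1.0 rpm; control information is a plain dict.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

Frame = Dict[str, object]


@dataclass
class StorageUnit:
    """Storage unit 14: control information plus the recorded brake control history."""
    control_info: Dict[str, float] = field(
        default_factory=lambda: {"vehicle_mass_kg": 40000.0, "friction_coeff": 0.35})
    history: List[float] = field(default_factory=list)


@dataclass
class UpdateUnit:
    """Update unit 15 of Embodiment 2: updates only while the vehicle is stopped."""
    storage: StorageUnit
    axle_rpm: Callable[[], float]   # speed sensor 6, modelled as a callable (assumption)
    reference_rpm: float = 1.0      # assumed reference speed, "small enough to count as stopped"

    def on_update(self, update_info: Dict[str, float]) -> str:
        rpm = self.axle_rpm()                             # S14: read the axle speed
        if not rpm <= self.reference_rpm:                 # S15; No: the vehicle is moving
            return "UPDATE_DISCARDED"                     # instruction discarded, S12 skipped
        self.storage.control_info.update(update_info)     # S15; Yes -> S12
        return "UPDATE_COMPLETE"                          # completion notice for unit 11


@dataclass
class ControlUnit:
    """Control unit 13: brake control from a target deceleration (S13)."""
    storage: StorageUnit

    def on_control(self, target_decel: float) -> str:
        info = self.storage.control_info
        force = info["vehicle_mass_kg"] * target_decel    # required braking force
        # target valve pressure; the patent gives no formula, so simple scaling is assumed
        target_pressure = force / info["friction_coeff"]
        self.storage.history.append(target_pressure)      # control history kept in unit 14
        return "CONTROL_COMPLETE"


@dataclass
class CommunicationUnit:
    """Communication unit 11: decides at S11 which unit a received frame goes to."""
    authenticated: Set[str]
    update_unit: UpdateUnit
    control_unit: ControlUnit

    def on_frame(self, frame: Frame) -> Optional[str]:
        if "update" in frame:                                      # S11; Yes
            if frame.get("user_id") not in self.authenticated:
                return None                                        # not pre-authorized: discard
            return self.update_unit.on_update(frame["update"])     # type: ignore[arg-type]
        if "control" in frame:                                     # S11; No
            # the text does not authenticate brake control instructions (promptness)
            target = frame["control"]["target_decel"]              # type: ignore[index]
            return self.control_unit.on_control(float(target))     # type: ignore[arg-type]
        return None                                                # neither: discard


def scenario() -> Dict[str, object]:
    """Constructed frames against one device whose axle speed is varied mid-run."""
    speed = {"rpm": 350.0}                                 # constructed sensor reading
    storage = StorageUnit()
    comm = CommunicationUnit(
        authenticated={"MT-001"},                          # Sq8 succeeded for MT-001 only
        update_unit=UpdateUnit(storage, lambda: speed["rpm"]),
        control_unit=ControlUnit(storage))
    out: Dict[str, object] = {}
    # brake instruction from the train information management system while running
    out["control_while_moving"] = comm.on_frame(
        {"user_id": "TIMS-01", "control": {"target_decel": 0.8}})
    # authenticated update while running: S15 No, discarded
    out["update_while_moving"] = comm.on_frame(
        {"user_id": "MT-001", "update": {"friction_coeff": 0.30}})
    speed["rpm"] = 0.0                                     # the train has stopped
    # update from a terminal that never passed Sq8: dropped at the communication unit
    out["update_unauthenticated"] = comm.on_frame(
        {"user_id": "MT-999", "update": {"friction_coeff": 0.10}})
    # authenticated update while stopped: S15 Yes, S12 performed
    out["update_while_stopped"] = comm.on_frame(
        {"user_id": "MT-001", "update": {"friction_coeff": 0.30}})
    out["friction_after"] = storage.control_info["friction_coeff"]
    out["history_len"] = len(storage.history)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```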
As described above, the control device 20 according to Embodiment 2 updates the control information stored in the storage unit 14 in accordance with an update instruction transmitted from a maintenance terminal 3 determined to be a pre-authorized instruction device only when the rotational speed of the axle is equal to or lower than the reference speed. In other words, even for an update instruction transmitted from a maintenance terminal 3 that the authentication unit 12 has determined to be a pre-authorized instruction device, the control information is not updated if the rotational speed of the axle is not equal to or lower than the reference speed. As a result, the control device 20 is prevented from updating the control information stored in the storage unit 14 in response to an illegitimate update instruction sent to it while the railway vehicle is running.
The present invention is not limited to the embodiments described above, and various modifications are possible.
As one example, the control device 20 may determine whether the railway vehicle is stopped by any method, and update the control information stored in the storage unit 14 when it determines that the railway vehicle is stopped. For instance, the control device 20 may determine whether the railway vehicle is stopped based on both the rotational speed of the axle and the operation command, and update the control information stored in the storage unit 14 when it determines that the railway vehicle is stopped.
The method of determining whether the railway vehicle is stopped based on the rotation speed of the axle and the driving command is described in detail. The control device 20 acquires the driving command from the master controller provided in the driver's cab or from the train information management system 4 and stores it in a memory (not shown). The update unit 15 may then update the control information stored in the storage unit 14 in accordance with the update instruction acquired from the communication unit 11 when it determines that the rotation speed of the axle is equal to or lower than the reference speed and that the most recently stored driving command includes a brake command, that is, when it determines that the railway vehicle is stopped.
The operation of the control device 20 that determines whether the railway vehicle is stopped based on the rotation speed of the axle and the driving command, and updates the control information when it determines that the railway vehicle is stopped, is described with reference to FIG. 7. The authentication process performed by the control device 20 is the same as in the first and second embodiments. As in the first embodiment, when the control device 20 receives a communication frame including an update instruction from the maintenance terminal 3 to which the determination result was sent, it starts the control process and update process shown in FIG. 7. The processing of steps S11 to S15 is the same as the processing performed by the control device 20 shown in FIG. 6. When the communication unit 11 receives a communication frame including an update instruction from the maintenance terminal 3, which is a previously permitted instruction device (step S11; Yes), it sends the update instruction to the update unit 15. The communication unit 11 further reads the driving command from the master controller provided in the driver's cab or from the train information management system 4 (step S16) and sends it to the update unit 15.
When the rotation speed of the axle is equal to or lower than the reference speed (step S15; Yes), the update unit 15 determines whether the driving command includes a brake command (step S17). When the update unit 15 determines that the driving command does not include a brake command (step S17; No), the processing of step S12 is not performed, and the control device 20 ends the control process and update process. On the other hand, when the update unit 15 determines that the driving command includes a brake command (step S17; Yes), it performs the processing of step S12.
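The gating described in FIG. 6 and FIG. 7 (authenticated sender, axle speed at or below the reference speed, and, in the FIG. 7 variant, a latched brake command) is shown below as a small model written for this page; it is an added example, not code from the patent or from Mitsubishi Electric. The class and function names (ControlDevice, Frame, DrivingCommand, handle_frame), the use of a set of authenticated user IDs as the output of the FIG. 3 authentication, the outcome strings and the sample values are all assumptions made for the illustration. The `require_brake` switch lets the same code behave as either the speed-only embodiment or the speed-plus-brake variant.

```python
"""Added example (not from the patent): update-gating logic of FIG. 6/FIG. 7.
Names such as ControlDevice, Frame and DrivingCommand are assumptions."""
from dataclasses import dataclass, field
from enum import Flag, auto
from typing import Dict, List, Optional, Set


class DrivingCommand(Flag):
    """Driving command read from the master controller or train information
    management system 4. POWERING directs acceleration, BRAKE directs
    deceleration; a command may carry both bits."""
    NONE = 0
    POWERING = auto()
    BRAKE = auto()


@dataclass
class Frame:
    """Communication frame on the vehicle network 2 (constructed for the example)."""
    sender_id: str                              # user ID of the instruction device
    update: Optional[Dict[str, float]] = None   # update instruction, if any


@dataclass
class ControlDevice:
    """Model of control device 20: storage unit 14 plus update unit 15."""
    reference_speed: float                      # speeds at or below count as 'stopped'
    require_brake: bool = False                 # False: FIG. 6 variant, True: FIG. 7 variant
    control_info: Dict[str, float] = field(default_factory=dict)  # storage unit 14
    authenticated: Set[str] = field(default_factory=set)          # result of FIG. 3 auth
    audit_log: List[str] = field(default_factory=list)

    def is_stopped(self, axle_speed: float, command: DrivingCommand) -> bool:
        """Step S15 (and S17 when require_brake): the vehicle counts as stopped
        only when the axle speed is at or below the reference speed and, in the
        FIG. 7 variant, the latest driving command includes a brake command."""
        if axle_speed > self.reference_speed:
            return False
        if self.require_brake and not (command & DrivingCommand.BRAKE):
            return False
        return True

    def handle_frame(self, frame: Frame, axle_speed: float,
                     command: DrivingCommand) -> str:
        """Control/update process of FIG. 7. Returns a short outcome string so
        the decision can be audited; the frame is discarded on every path that
        does not reach step S12 (the actual update)."""
        # Step S11: only a previously permitted (authenticated) instruction
        # device may deliver an update instruction.
        if frame.sender_id not in self.authenticated:
            self.audit_log.append(f"discard: unauthenticated sender {frame.sender_id}")
            return "discarded_unauthenticated"
        if frame.update is None:
            return "no_update_instruction"
        # Steps S15/S17: refuse updates while the vehicle may be moving.
        if not self.is_stopped(axle_speed, command):
            self.audit_log.append(
                f"discard: update from {frame.sender_id} while moving "
                f"(speed={axle_speed}, command={command.name})")
            return "discarded_not_stopped"
        # Step S12: update the control information in storage unit 14.
        self.control_info.update(frame.update)
        self.audit_log.append(f"update: {sorted(frame.update)} from {frame.sender_id}")
        return "updated"


def demo() -> Dict[str, str]:
    """Run the four cases a reviewer would want to see and return the outcomes."""
    dev = ControlDevice(reference_speed=5.0, require_brake=True,
                        control_info={"brake_pressure_kpa": 400.0})   # constructed values
    dev.authenticated.add("maintenance-3")
    new_info = {"brake_pressure_kpa": 420.0}
    results = {
        # Frame from a device that never completed the FIG. 3 authentication
        "unauthenticated": dev.handle_frame(Frame("rogue", new_info), 0.0, DrivingCommand.BRAKE),
        # Authenticated, but the train is still rolling
        "moving": dev.handle_frame(Frame("maintenance-3", new_info), 50.0, DrivingCommand.BRAKE),
        # Authenticated, speed OK, but no brake command latched (FIG. 7 refuses)
        "no_brake": dev.handle_frame(Frame("maintenance-3", new_info), 0.0, DrivingCommand.POWERING),
        # Authenticated, stopped and braked: the only path to step S12
        "stopped": dev.handle_frame(Frame("maintenance-3", new_info), 0.0, DrivingCommand.BRAKE),
    }
    results["final_pressure"] = str(dev.control_info["brake_pressure_kpa"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The audit log is the part a defender would keep: every discarded update is recorded with the sender, speed and command, so an update attempted while the vehicle was moving is visible later even though it had no effect on storage unit 14.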
The configuration of the control system 1 is not limited to the above example. As long as the instruction device and the control devices 10 and 20 can communicate with each other, any method of connecting the instruction device to the control devices 10 and 20 may be used.
As one example, as shown in FIG. 8, the control device 10 may be connected to the maintenance terminal 3 via the vehicle network 2 and to the maintenance terminal 7 via the train information management system 4. In this case, the train information management system 4 and the maintenance terminal 7 may be connected by a maintenance LAN (Local Area Network). The train information management system 4 forwards communication frames transmitted from the maintenance terminal 7 to the control device 10, and forwards communication frames addressed to the maintenance terminal 7 from the control device 10 to the maintenance terminal 7, so that the maintenance terminal 7 can perform the maintenance operation of updating the control information stored in the control device 10.
Furthermore, the control devices 10 and 20 may be connected to three or more instruction devices via the vehicle network 2.
The method by which the control devices 10 and 20 determine whether the instruction device that transmitted the authentication information is a previously permitted instruction device is not limited to the above example; any method that performs authentication based on the authentication information included in the communication frame may be used. As one example, the control devices 10 and 20 may determine whether the instruction device that transmitted the authentication information is a previously permitted instruction device based on an SSL (Secure Sockets Layer) client certificate, user authentication using EAP (Extensible Authentication Protocol), or the like.
The control devices 10 and 20 are not limited to brake control devices, and may be any control device that controls equipment mounted on the railway vehicle. As one example, the control devices 10 and 20 may be a VVVF inverter control device that controls a VVVF (Variable Voltage Variable Frequency) inverter, a static inverter control device that controls a static inverter, or the like.
The control instruction from the instruction device to the control devices 10 and 20 is not limited to brake control, and may be any instruction that directs the operation of the control devices 10 and 20. As one example, the control instruction may include an output instruction that directs output of the history stored in the storage unit 14. In this case, the train information management system 4 may send the control devices 10 and 20 a communication frame including a control instruction indicating the output instruction. The control devices 10 and 20 then read the history from the storage unit 14 based on the control instruction indicating the output instruction, which is included in the communication frame transmitted by the train information management system 4 determined to be a previously permitted instruction device, and transmit a communication frame including the history as data to the train information management system 4.
The operation of the control system 1 is described by taking as an example the case where the train information management system 4 instructs the control device 10 to output the history. In order to prevent the history from being output in response to unauthorized access, the control system 1 performs the authentication process shown in FIG. 3 to determine whether the train information management system 4 is a previously permitted instruction device. Specifically, the train information management system 4 transmits a communication frame including a user ID from its transmission/reception unit to the control device 10. Upon receiving the communication frame including the user ID, the communication unit 11 sends the user ID to the authentication unit 12. The authentication unit 12 then generates a challenge code composed of random numbers. After that, the communication unit 11 transmits a communication frame including the challenge code to the train information management system 4. The authentication unit 12 also acquires the password corresponding to the user ID based on the correspondence table shown in FIG. 2, and generates a response code from the password and the generated challenge code.
Then, upon receiving the communication frame including the challenge code from the control device 10, the train information management system 4 generates a response code from the challenge code and the password it holds in advance, according to a specific algorithm. The train information management system 4 then transmits a communication frame including the response code to the control device 10.
Upon receiving the communication frame including the response code, the communication unit 11 sends the response code to the authentication unit 12. The authentication unit 12 then determines whether the response code it generated matches the response code acquired from the communication unit 11, and sends the determination result to the communication unit 11. When the authentication unit 12 determines that the generated response code matches the response code acquired from the communication unit 11, the communication unit 11 transmits a communication frame including the determination result to the train information management system 4. When the authentication unit 12 determines that the generated response code does not match the response code acquired from the communication unit 11, the communication unit 11 discards the communication frame received from the train information management system 4.
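The three-frame exchange of FIG. 3 (user ID, random challenge code, response code) is written out below with both sides' messages visible, as an added example for this page rather than code from the patent or its applicant. The patent says only that the response code is derived from the password and the challenge by "a specific algorithm"; HMAC-SHA256 is an assumption made here, as are the names AuthenticationUnit, InstructionDevice, response_code and run_exchange and the constructed user ID/password table standing in for FIG. 2. The example also covers the cases the text leaves implicit on the discard path: a wrong password, an unknown user ID, a replayed response code, and a response that arrives with no outstanding challenge.

```python
"""Added example (not from the patent): challenge-response exchange of FIG. 3.
HMAC-SHA256 as the response algorithm and all names are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Set, Tuple


def response_code(password: str, challenge: bytes) -> bytes:
    """Response = HMAC-SHA256(password, challenge). Assumed algorithm: the
    password never leaves either side, only the keyed digest of the
    challenge does."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class AuthenticationUnit:
    """Authentication unit 12 of control device 10. `table` models the
    user-ID/password correspondence table of FIG. 2 (constructed values)."""

    def __init__(self, table: Dict[str, str]) -> None:
        self._table = table
        self._pending: Dict[str, bytes] = {}   # user ID -> outstanding challenge
        self.permitted: Set[str] = set()       # IDs that passed the exchange

    def on_user_id(self, user_id: str) -> bytes:
        """Frame 1 arrives (user ID). A fresh random challenge is issued even
        for unknown IDs, so the reply does not reveal which IDs exist."""
        challenge = secrets.token_bytes(16)
        self._pending[user_id] = challenge
        return challenge                        # sent back as frame 2

    def on_response(self, user_id: str, response: bytes) -> bool:
        """Frame 3 arrives (response code). The expected code is computed from
        the table entry and compared in constant time; the challenge is
        consumed either way, so a captured response cannot be replayed."""
        challenge: Optional[bytes] = self._pending.pop(user_id, None)
        password = self._table.get(user_id)
        if challenge is None or password is None:
            return False                        # frame discarded
        expected = response_code(password, challenge)
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.permitted.add(user_id)
        return ok


class InstructionDevice:
    """Instruction device (maintenance terminal 3 or train information
    management system 4) holding its own copy of the password."""

    def __init__(self, user_id: str, password: str) -> None:
        self.user_id = user_id
        self._password = password

    def answer(self, challenge: bytes) -> bytes:
        return response_code(self._password, challenge)


def run_exchange(unit: AuthenticationUnit,
                 device: InstructionDevice) -> Tuple[bool, bytes, bytes]:
    """Carry out frames 1-3 and return (result, challenge, response)."""
    challenge = unit.on_user_id(device.user_id)   # frame 1 in, frame 2 out
    response = device.answer(challenge)           # frame 3
    return unit.on_response(device.user_id, response), challenge, response


def demo() -> Dict[str, bool]:
    """Exercise the success path and the four discard paths."""
    # Constructed correspondence table (FIG. 2) with one permitted device.
    unit = AuthenticationUnit({"tims-4": "example-secret"})
    genuine = InstructionDevice("tims-4", "example-secret")
    wrong_pw = InstructionDevice("tims-4", "guess")
    unknown = InstructionDevice("nobody", "anything")

    ok, _challenge, response = run_exchange(unit, genuine)
    results = {"genuine": ok}
    # Replaying the captured response against a new challenge must fail.
    unit.on_user_id("tims-4")
    results["replay"] = unit.on_response("tims-4", response)
    results["wrong_password"] = run_exchange(unit, wrong_pw)[0]
    results["unknown_id"] = run_exchange(unit, unknown)[0]
    # A response with no outstanding challenge is discarded as well.
    results["no_challenge"] = unit.on_response("tims-4", response)
    return results


if __name__ == "__main__":
    print(demo())
```

Two design choices matter for the discard path the text describes: the outstanding challenge is removed on every response, success or failure, so one challenge can never be answered twice, and the comparison uses `hmac.compare_digest` so that a mismatching response is rejected in time independent of where the first differing byte lies.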
As a result of the above authentication process, after receiving the determination result, the train information management system 4 transmits a communication frame including a control instruction indicating the output instruction from its transmission/reception unit to the control device 10. Upon receiving the communication frame including the control instruction from the train information management system 4, the control device 10 starts the control process and update process shown in FIG. 4. Specifically, the communication unit 11 sends the control instruction included in the communication frame received from the train information management system 4 to the control unit 13.
To make output of the history possible, the control unit 13 of the control device 10 stores in the storage unit 14, as the history, the signals it sent to the brake control valve 5 and the pressure values it acquired from the pressure sensor while controlling the brake control valve 5. Then, upon acquiring the control instruction indicating the output instruction from the communication unit 11, the control unit 13 reads the history stored in the storage unit 14 and sends it to the communication unit 11. The communication unit 11 generates a communication frame including the history as data and transmits it to the train information management system 4.
In the above embodiments, the maintenance terminal 3 transmits the authentication information and the update information to the control devices 10 and 20, but the maintenance terminal 3 may also transmit a control instruction to the control devices 10 and 20. As one example, the maintenance terminal 3 may transmit a communication frame including the control instruction indicating the output instruction described above to the control devices 10 and 20. In this case, the control devices 10 and 20 read the history from the storage unit 14 based on the control instruction indicating the output instruction, which is included in the communication frame transmitted by the maintenance terminal 3 determined to be a previously permitted instruction device, and transmit a communication frame including the history as data to the maintenance terminal 3.
FIG. 9 is a diagram showing an example of the hardware configuration of the control devices 10 and 20 according to the embodiments. The control devices 10 and 20 include a processor 31, a memory 32, and an interface 33 as the hardware configuration that controls each unit. Each function of these devices is realized by the processor 31 executing a program stored in the memory 32. The interface 33 connects the devices and establishes communication, and may be composed of a plurality of types of interfaces as necessary. The control devices 10 and 20 connect to the vehicle network 2 via the interface 33 and communicate with the maintenance terminal 3 and the train information management system 4 connected to the vehicle network 2. The control devices 10 and 20 are also connected to the brake control valve 5 and the speed sensor 6 via the interface 33. Although FIG. 9 shows an example with a single processor 31 and a single memory 32, a plurality of processors 31 and a plurality of memories 32 may cooperate to execute each function.
The above hardware configuration and flowcharts are merely examples, and may be changed and modified as desired.
The central part that performs the control processing, composed of the processor 31, the memory 32, and the interface 33, can be realized using an ordinary computer system rather than a dedicated system. The control devices 10 and 20 that execute the above processing may be configured by storing a computer program for executing the above operations on a computer-readable recording medium, such as a flexible disk, a CD-ROM (Compact Disc Read-Only Memory), or a DVD-ROM (Digital Versatile Disc Read-Only Memory), distributing it, and installing the computer program on a computer. Alternatively, the control devices 10 and 20 may be configured by storing the computer program in a storage device of a server device on a communication network and having an ordinary computer system download it.
Further, when the functions of the control devices 10 and 20 are realized by division of work between an OS (Operating System) and an application program, or by cooperation between the OS and the application program, only the application program portion may be stored on the recording medium or storage device.
It is also possible to superimpose the computer program on a carrier wave and distribute it via a communication network. The computer program may be posted on a bulletin board (BBS: Bulletin Board System) on the communication network and distributed via the communication network. The above processing may then be executed by starting this computer program and running it under the control of the OS in the same manner as other application programs.
The present invention is capable of various embodiments and modifications without departing from the broad spirit and scope of the invention. The above embodiments are for explaining the present invention and do not limit its scope. That is, the scope of the present invention is indicated not by the embodiments but by the claims. Various modifications made within the scope of the claims and within the meaning of the invention equivalent thereto are considered to be within the scope of the present invention.
1 control system, 2 vehicle network, 3, 7 maintenance terminal, 4 train information management system, 5 brake control valve, 6 speed sensor, 10, 20 control device, 11 communication unit, 12 authentication unit, 13 control unit, 14 storage unit, 15 update unit, 31 processor, 32 memory, 33 interface.

Claims (8)

  1.  A vehicle control device comprising:
     a storage unit that stores control information;
     a communication unit that receives, from at least one instruction device connected via a vehicle network, authentication information and an update instruction directing an update of the control information stored in the storage unit;
     an authentication unit that determines, based on the authentication information, whether the instruction device that transmitted the authentication information is a previously permitted instruction device; and
     an update unit that updates the control information stored in the storage unit in accordance with the update instruction transmitted by the instruction device determined by the authentication unit to be the previously permitted instruction device.
  2.  The vehicle control device according to claim 1, which is mounted on a railway vehicle,
     wherein the update unit determines whether the railway vehicle is stopped and, when it determines that the railway vehicle is stopped, updates the control information stored in the storage unit in accordance with the update instruction transmitted by the instruction device determined by the authentication unit to be the previously permitted instruction device.
  3.  The vehicle control device according to claim 2,
     wherein the update unit acquires a speed of the railway vehicle and determines that the railway vehicle is stopped when the speed of the railway vehicle is equal to or lower than a reference speed.
  4.  The vehicle control device according to claim 2,
     wherein the update unit acquires a speed of the railway vehicle and a driving command including a powering command directing acceleration of the railway vehicle or a brake command directing deceleration of the railway vehicle, and determines that the railway vehicle is stopped when the speed of the railway vehicle is equal to or lower than a reference speed and the driving command includes the brake command.
  5.  The vehicle control device according to any one of claims 1 to 4,
     wherein the communication unit receives the authentication information, the update instruction, and a control instruction directing execution of control based on the control information, and
     the vehicle control device further comprises a control unit that reads from the storage unit the control information used for the control whose execution the control instruction directs, and performs the control based on the read control information.
  6.  The vehicle control device according to claim 5,
     wherein the storage unit stores a history of the control performed by the control unit,
     the control instruction includes an output instruction directing output of the history, and
     when the control instruction indicates the output instruction and the instruction device that transmitted the control instruction indicating the output instruction has been determined by the authentication unit to be the previously permitted instruction device, the control unit reads the history from the storage unit and outputs the read history.
  7.  A vehicle control system comprising:
     the vehicle control device according to any one of claims 1 to 6; and
     at least one instruction device connected to the vehicle control device via a vehicle network, the instruction device transmitting the authentication information and the update instruction to the vehicle control device.
  8.  A program for causing a computer that controls a vehicle control device to function as:
     a storage unit that stores control information;
     a communication unit that receives, from at least one instruction device connected via a vehicle network, authentication information and an update instruction directing an update of the control information stored in the storage unit;
     an authentication unit that determines, based on the authentication information, whether the instruction device that transmitted the authentication information is a previously permitted instruction device; and
     an update unit that updates the control information stored in the storage unit in accordance with the update instruction transmitted by the instruction device determined by the authentication unit to be the previously permitted instruction device.
PCT/JP2019/002734 2019-01-28 2019-01-28 Vehicle control device, vehicle control system, and program WO2020157797A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2020568888A JP7321192B2 (en) 2019-01-28 2019-01-28 VEHICLE CONTROL DEVICE, VEHICLE CONTROL SYSTEM, AND PROGRAM
PCT/JP2019/002734 WO2020157797A1 (en) 2019-01-28 2019-01-28 Vehicle control device, vehicle control system, and program

Publications (1)

Publication Number Publication Date
WO2020157797A1 true WO2020157797A1 (en) 2020-08-06

Family

ID=71840957

Country Status (2)

Country Link
JP (1) JP7321192B2 (en)
WO (1) WO2020157797A1 (en)

Also Published As

Publication number Publication date
JPWO2020157797A1 (en) 2021-11-25
JP7321192B2 (en) 2023-08-04

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19913443; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2020568888; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19913443; Country of ref document: EP; Kind code of ref document: A1)