JP7567898B2 - Battery Monitoring System - Google Patents

Description

This disclosure relates to a battery monitoring system.

In a battery monitoring system, data obtained by a monitoring unit that is electrically connected to the battery and monitors the battery is transmitted to a higher-level device such as a battery control device or a battery charging device. In one such technology, the higher-level device encrypts raw data provided by the monitoring unit and processed data obtained by processing the raw data, and manages the data in an autonomous distributed ledger (so-called blockchain) (see, for example, Patent Document 1).

European Patent Application Publication No. 3570058

The technology described in Patent Document 1 above is very useful for increasing the reliability of the higher-level equipment, but the reliability of the data itself provided by the monitoring unit is not guaranteed, and in this respect it is unreliable.

One objective of the present disclosure is to provide a battery monitoring system that can ensure the reliability of data provided from a monitoring unit to a higher-level device. Another objective of the present disclosure is to provide a battery monitoring system that can restore the flow of battery circulation even if unauthorized access occurs, or to provide a battery monitoring system that can prevent battery theft.

The invention described in claim 1 is
1. A battery monitoring system, comprising:
A monitoring unit (20) for monitoring a chargeable/dischargeable battery;
a host device (50) that receives monitoring data obtained by the monitoring unit monitoring the battery and stores at least a portion of the specific information included in the monitoring data using a blockchain;
The higher-level equipment is
A block generator (53) that generates a new block including at least a portion of the specific information and a hash value based on the last block linked to the end of the blockchain;
and an external communication device (55) for distributing and storing new blocks generated by the block generation unit in a plurality of external devices,
At least one of the monitoring unit and the higher-level device is provided with a data protection unit (24, 56) for ensuring the reliability of the monitoring data ,
The monitoring unit has a diagnosis unit (243) as a data protection unit for diagnosing the suitability of a command signal transmitted from a higher-level device .

As a result, the reliability of the monitoring data is guaranteed by the data protection unit provided in at least one of the monitoring unit and the host device, so the reliability of the data provided from the monitoring unit to the host device can be ensured.

The invention described in claim 7 is
The monitoring unit includes, as a data protection unit, an access restriction unit (247) that restricts external access to the monitoring data stored in the memory unit (22) of the monitoring unit, and an access release unit (248) that releases the access restriction when a preset release key is notified from a higher-level device when access is restricted.
In this way, if an access restriction unit is provided for the monitoring unit, it is possible to prevent unauthorized access to the monitoring data and to prevent the data from being read or altered. In addition, since an access release unit is provided for the monitoring unit, the flow of battery circulation can be restored even if unauthorized access is made.

The reference symbols in parentheses attached to each component indicate an example of the correspondence between the component and the specific components described in the embodiments described below.

1 is a schematic diagram of a battery monitoring system according to a first embodiment; FIG. 1 is an explanatory diagram for explaining a lithium ion battery. 2 is a schematic diagram of a monitoring unit and a battery ECU of the battery monitoring system; FIG. 13 is an explanatory diagram for explaining a hash value of a new block. FIG. 1 is an explanatory diagram for explaining a blockchain. FIG. 11 is an explanatory diagram for explaining measures against spoofing of a monitoring unit. FIG. 11 is an explanatory diagram for explaining measures against data forgery due to signal jamming. FIG. 11 is an explanatory diagram for explaining measures against takeover of a higher-level device. FIG. 11 is an explanatory diagram for explaining measures against battery theft. FIG. 11 is a schematic diagram of a battery monitoring system according to a second embodiment. FIG. 1 is an explanatory diagram for explaining a first embodiment of a measure against unauthorized access. 13 is a flowchart showing the flow of countermeasure processing against unauthorized access by a monitoring unit. FIG. 11 is an explanatory diagram for explaining a second embodiment of a measure against unauthorized access. 13 is a flowchart showing the flow of countermeasure processing against unauthorized access by a monitoring unit. FIG. 13 is an explanatory diagram for explaining a third embodiment of measures against unauthorized access. 13 is a flowchart showing the flow of countermeasure processing against unauthorized access by a monitoring unit. FIG. 13 is an explanatory diagram for explaining a fourth embodiment of measures against unauthorized access. 13 is a flowchart showing the flow of countermeasure processing against unauthorized access by a monitoring unit.

Hereinafter, the embodiments of the present disclosure will be described with reference to the drawings. In the following embodiments, the same reference numerals are used for parts that are the same as or equivalent to those described in the preceding embodiments, and the description thereof may be omitted. In addition, in the embodiments, when only a part of the components is described, the components described in the preceding embodiments can be applied to the other parts of the components. In the following embodiments, each embodiment can be partially combined with each other, even if not specifically stated, as long as it does not cause any trouble in combination.
First Embodiment
A first embodiment of the present disclosure will be described with reference to Figures 1 to 9. A battery monitoring system 1 is a system for monitoring a chargeable and dischargeable battery BT, such as a high-voltage battery mounted on an automobile, a stationary battery, or a portable battery.

As shown in FIG. 1, the battery monitoring system 1 includes a monitoring unit 20 that monitors the battery BT, and a battery ECU 50 that is provided with monitoring data obtained by the monitoring unit 20 monitoring the battery BT. The battery ECU 50 is a higher-level device that is higher than the monitoring unit 20. Note that the battery monitoring system 1 may include a charger CH that can control the charging of the battery BT instead of the battery ECU 50. In this case, the charger CH corresponds to the higher-level device. Note that hereinafter, the battery ECU 50 and the charger CH may be referred to as higher-level devices.

The battery BT to be monitored is a secondary battery that can be charged and discharged. The battery BT may be composed of a single battery cell, or may be composed of a battery pack in which multiple battery cells are connected in series. Note that some of the battery cells of the battery pack may be connected in parallel.

Specifically, the battery BT is a lithium-ion battery. For example, as shown in FIG. 2, a lithium-ion battery is configured with lithium iron phosphate LFP or nickel-manganese-cobalt NMC as a positive electrode material and graphite as a negative electrode material. Also, for example, a lithium-ion battery has a positive electrode collector made of aluminum and a negative electrode collector made of copper. A lithium-ion battery configured in this way has excellent charge/discharge cycle characteristics, but has the characteristic that the electrode potential is very close to the lithium precipitation potential, making it easy for lithium to precipitate in a charged state.

As shown in FIG. 3, the monitoring unit 20 is electrically connected to the battery BT via a connection member WH. The monitoring unit 20 may be attached integrally to the battery BT, or may be attached detachably to the battery BT. The connection member WH includes a flexible circuit board FPC on which a wiring pattern is printed.

The monitoring unit 20 has a sensor unit 21, a memory unit 22, a first data protection unit 24, and a wireless communication device 25. In FIG. 3, each component of the monitoring unit 20 is surrounded by a rectangular frame, but this is to show the components together and does not indicate that each component is mounted on a single board.

The sensor unit 21 detects the state of the battery BT. The sensor unit 21 includes a temperature sensor 211, a current sensor 212, a voltage sensor 213, a deterioration detection unit 214, an SOH estimation unit 215, etc.

The temperature sensor 211 is a sensor that detects the battery temperature of the lithium ion battery. The temperature sensor 211 is mounted, for example, on a flexible printed circuit board FPC. The battery temperature may be estimated from the measurement results of the internal impedance of the battery BT. In this case, the means for estimating the battery temperature functions as the temperature sensor 211.

The current sensor 212 is a sensor that detects the output current of the battery BT. The current sensor 212 may be mounted, for example, on the flexible substrate FPC, or on a substrate other than the flexible substrate FPC.

The voltage sensor 213 is a sensor that detects the output voltage of the battery BT. The voltage sensor 213 may be mounted, for example, on the flexible substrate FPC, or on a substrate other than the flexible substrate FPC.

The deterioration detection unit 214 detects the degree of deterioration of the battery BT, which is an important indicator for setting the residual value of the battery BT. The deterioration detection unit 214 has a deposition amount detection unit 214a and a coating detection unit 214b.

The deposition amount detection unit 214a is a device that detects lithium deposition in a lithium ion battery. The deposition amount detection unit 214a estimates the amount of lithium deposition from the behavior by utilizing the correlation between the amount of lithium deposition in the lithium ion battery and the behavior of the current and voltage when both ends of the lithium ion battery are shorted. Although not shown, the deposition amount detection unit 214a has a short circuit that temporarily shorts both ends of the lithium ion battery to discharge it, and a calculator that estimates the amount of lithium deposition based on the behavior of the current and voltage when the lithium ion battery is shorted by the short circuit. The short circuit has a short circuit switch, a coil, and a capacitor for shorting both ends of the lithium ion battery. A self-resonant circuit is formed by the internal resistance of the lithium ion battery, the coil of the short circuit, and the capacitor. The calculator extracts a resistance change component that is correlated with the amount of lithium deposition contained in at least one of the signal waveforms of the current and voltage flowing through the short circuit when both ends of the lithium ion battery are shorted, and calculates an estimated value of the amount of lithium deposition from the extracted component.

This method of estimating the amount of lithium deposition is extremely simple and extremely useful in that it can detect a specific battery degradation mode by adjusting the discharge frequency from the lithium ion battery. The deposition amount detection unit 214a calculates the amount of lithium deposition as a corrected value obtained by correcting the estimated value of the amount of lithium deposition with at least one of the battery temperature detected by the temperature sensor 211 and the parasitic resistance value previously stored in the memory unit 22 described below. The deposition amount detection unit 214a may also estimate the amount of lithium deposition using a method other than the above.

The coating detection unit 214b detects the thickness of the coating formed at the interface between the negative electrode and the electrolyte when the lithium ion battery is charged. This coating is also called the SEI layer. SEI is an abbreviation for Solid Electrolyte Interphase. The thickness of the SEI layer is correlated with the behavior of the current and voltage when both ends of the lithium ion battery are shorted by the above-mentioned short circuit. The coating detection unit 214b estimates the thickness of the SEI layer from the behavior of the current and voltage when both ends of the lithium ion battery are shorted by the short circuit. Specifically, when both ends of the battery BT are shorted by the short circuit, the coating detection unit 214b extracts a component that is correlated with the thickness of the SEI layer contained in at least one of the signal waveforms of the current and voltage flowing through the short circuit, and estimates the thickness of the SEI layer from the extracted component. Note that when detecting the thickness of the SEI layer, it is desirable to correct it by the battery temperature, etc., as in the case of detecting the amount of lithium precipitation. The coating detection unit 214b may also estimate the thickness of the SEI layer using a method other than the above.

Here, the internal resistance of the battery BT and the degree of cracking of the positive electrode active material inside the battery BT are physical quantities that directly affect the deterioration of the battery BT. For this reason, the deterioration detection unit 214 may include a detection unit for the internal resistance of the battery BT and a detection unit for the degree of cracking of the positive electrode active material inside the battery BT.

The SOH estimation unit 215 estimates the volumetric capacity SOH of the battery BT based on physical quantities that are highly correlated with the capacity deterioration of the battery BT. One factor in the deterioration of the battery BT is an increase in the internal resistance of the battery BT. The internal resistance of the battery BT is highly correlated with physical quantities such as the amount of lithium deposition and the internal resistance of the battery BT. In addition, the internal resistance of the battery BT is temperature dependent and affects the current and voltage of the battery BT. Note that SOH is an abbreviation for State of Health.

Taking these factors into consideration, the SOH estimation unit 215 of this embodiment estimates the volumetric rate SOH using an estimation model of the volumetric rate SOH based on the amount of lithium precipitation, the thickness of the SEI layer, the temperature, current, and voltage of the battery BT. The estimation model of the volumetric rate SOH is, for example, a control map or function that specifies the relationship between the volumetric rate SOH, the amount of lithium precipitation, the thickness of the SEI layer, the temperature, current, and voltage of the battery BT. Note that the SOH estimation unit 215 may be configured to estimate the volumetric rate SOH of the battery BT using a method other than the above. In addition, although not shown, the monitoring unit 20 also has an estimation unit that estimates the remaining capacity SOC of the battery BT.

The memory unit 22 is composed of a readable and writable storage medium. The memory unit 22 stores the detection results of the state of the battery BT by the sensor unit 21, etc. Specifically, the memory unit 22 stores a unique ID set for each monitoring unit 20, the manufacturing history of the battery BT including the initial capacity of the battery BT and the repair history of the battery BT, etc. In addition, the memory unit 22 stores, for example, the amount of lithium precipitation, the thickness of the SEI layer, the internal resistance of the battery BT, the volumetric capacity ratio SOH, etc. as the usage history of the battery BT. In the following, the unique ID, the manufacturing history of the battery BT, and the usage history of the battery BT are collectively referred to as "specific information". The memory unit 22 is composed of a non-transitive tangible storage medium.

The monitoring control unit 23 monitors the detection results of the state of the battery BT by the sensor unit 21, and judges whether the state of the battery BT is appropriate based on the monitoring results. In addition, when an abnormality of the battery BT is detected, the monitoring control unit 23 notifies a higher-level device such as the battery ECU 50 of the abnormality of the battery BT via the wireless communication device 25.

The first data protection unit 24 is intended to ensure the reliability of the monitoring data provided from the monitoring unit 20 to higher-level devices such as the battery ECU 50 via the wireless communication device 25. The first data protection unit 24 will be described later.

The wireless communication device 25 is a device for enabling two-way communication with a higher-level device such as the battery ECU 50. The monitoring unit 20 receives various signals from the higher-level device such as the battery ECU 50, and transmits monitoring data obtained by the monitoring unit 20 monitoring the battery BT to the higher-level device such as the battery ECU 50. The monitoring data includes specific information such as a unique ID, the manufacturing history of the battery BT, the usage history of the battery BT, and the location information of the battery BT.

Next, the battery ECU 50 will be described. The battery ECU 50 is a higher-level device in the battery monitoring system 1. The battery ECU 50 controls the charging and discharging of the battery BT based on monitoring data provided by the monitoring unit 20, and controls the temperature of the battery BT using a temperature adjustment device. The battery ECU 50 also includes a charge control function that controls the charging of the battery BT.

Specifically, the battery ECU 50 includes a microcomputer equipped with a processor, memory 51, I/O, etc., and an internal communication device 52 for bidirectional communication with the monitoring unit 20. The memory 51 is configured as a non-transient tangible storage medium.

However, with the rapid electrification of automobiles, it is expected that a large amount of used batteries BT will be generated in the near future. Manufacturing batteries BT involves the emission of large amounts of CO2 and the use of rare metals. For this reason, it is expected that a battery ecosystem adapted to a circular society will be built by selecting reuse, rebuild, or recycling for used batteries BT according to the remaining capacity SOC and volumetric capacity SOH of the battery BT. In order to build such a battery ecosystem, a traceability system that links and manages the battery BT itself with information such as the value of the battery BT, such as the remaining capacity SOC and volumetric capacity SOH, and the manufacturing history and usage history of the battery BT. It is expected that users who want to use a battery BT will access the traceability system, understand the necessary battery information, and use the battery BT at a price that corresponds to the value of the battery BT. In such a traceability system, the reliability of the stored battery information is very important.

In light of this background, the battery monitoring system 1 disclosed herein utilizes blockchain technology in the above-mentioned traceability system to improve the reliability of the traceability system. Note that blockchain technology is a type of database that directly connects terminals on an information and communication network to process and record the usage history of the battery 10 in a distributed manner using encryption technology.

The battery monitoring system 1 of the present disclosure is configured to be able to provide parameters representing the state of a battery BT used over a long period of time as reliable, updated data. That is, the battery monitoring system 1 uses higher-level devices such as the battery ECU 50 and the charger CH to encrypt (i.e., hash) the monitoring data provided by the monitoring unit 20 and parameters obtained by calculating the monitoring data. The higher-level devices then manage the data in an autonomous distributed ledger (i.e., a blockchain), thereby improving the reliability of the battery monitoring system 1.

Specifically, the battery monitoring system 1 uses a blockchain to store at least a portion of the specific information included in the monitoring data provided to the battery ECU 50 by the monitoring unit 20. The battery ECU 50 includes a block generation unit 53, a storage 54, an external communication device 55, and a second data protection unit 56.

The block generation unit 53 generates a new block Bn that includes specific information including a unique ID, the manufacturing history of the battery BT, and the usage history of the battery BT, as well as a hash value based on the last block Be linked to the end of the blockchain, as shown in FIG. 4, for example.

The battery ECU 50 stores the new block Bn generated by the block generation unit 53 in its own storage 54, and also uses the external communication device 55 to distribute and store the block Bn in multiple external devices connected via the Internet INT. For example, the battery monitoring system 1A shown in FIG. 5 distributes and stores the block Bn in the storage 54 of each of the battery monitoring systems 1B, 1C, 1D, 1E, and 1F after mutual authentication with the other battery monitoring systems 1B, 1C, 1D, 1E, and 1F connected via the Internet INT.

In such a traceability system, the data stored in the storage 54 is protected from tampering by blockchain technology, greatly improving the reliability of the battery monitoring system 1.

However, blockchain technology is a technology that protects data stored in storage 54 from tampering, and does not guarantee the reliability of the data itself provided from monitoring unit 20 to a higher-level device. For this reason, there is a risk that monitoring data that differs from the actual data will be stored in storage 54 due to a counterfeit product IM impersonating monitoring unit 20 or data forgery caused by interference with the transmission signal of monitoring unit 20 by an electromagnetic shield ES. This is a factor that undermines the reliability of the traceability system.

In addition, if a higher-level device such as the battery ECU 50 is taken over by hacking or the like, there is a possibility that various information may be intentionally manipulated. Specifically, a case is envisaged in which communication from the monitoring unit 20 is blocked and control is exercised so that the volume ratio SOH of the battery BT and the like are not updated, leading to a determination that the battery BT has not deteriorated. In this way, even if a higher-level device is taken over, there is the problem that the reliability of the data is compromised.

Furthermore, in the case of portable batteries such as replaceable batteries, even if data is managed using blockchain technology, if a thief steals the battery, the user loses the value of the battery and a third party enjoys its value. For this reason, measures to prevent theft become an issue.

Taking these factors into consideration, the battery monitoring system 1 is provided with a data protection unit to ensure the reliability of the monitoring data. Specifically, the battery monitoring system 1 is provided with a first data protection unit 24 in the monitoring unit 20 and a second data protection unit 56 in the battery ECU 50.

More specifically, the monitoring unit 20 has, as the first data protection unit 24, a first information authentication unit 241, a first data authentication unit 242, a diagnosis unit 243, a self-termination unit 244, and an encryption communication unit 245.

The first information authentication unit 241 is an authentication unit that mutually authenticates specific information provided from the monitoring unit 20 to the battery ECU 50 with the battery ECU 50. The first information authentication unit 241 determines whether the specific information held by the monitoring unit 20 matches the specific information held by the battery ECU 50.

The first data authentication unit 242 is an authentication unit that mutually authenticates the unique ID assigned to the monitoring unit 20 with the battery ECU 50. The first data authentication unit 242 determines whether the unique ID held by the monitoring unit 20 matches the unique ID held by the battery ECU 50.

The diagnosis unit 243 diagnoses the appropriateness of a command signal transmitted from a higher-level device. The diagnosis unit 243 generates a trained model by learning the command signal from the higher-level device, and diagnoses the appropriateness of the command signal using the trained model. The diagnosis unit 243, for example, learns the tendency of the command signal from the higher-level device to generate a trained model.

The self-stop unit 244 stops the function of the monitoring unit 20. For example, the self-stop unit 244 stops its own function when the diagnosis unit 243 diagnoses that the command signal from the higher-level device is inappropriate. The self-stop unit 244 stops the function of the monitoring unit 20 by, for example, cutting off the power supply to the IC that constitutes the monitoring unit 20.

The encryption communication unit 245 encrypts the monitoring data and transmits it to the higher-level device. The encryption communication unit 245 includes an encryption processing unit 246 that encrypts the monitoring data, and a wireless communication device 25.

On the other hand, the battery ECU 50 has a second information authentication unit 561, a second data authentication unit 562, a decryption processing unit 563, and a charging limiting unit 564 as the second data protection unit 56.

The second information authentication unit 561 is an authentication unit that mutually authenticates specific information provided from the monitoring unit 20 to the battery ECU 50 with the monitoring unit 20. The second information authentication unit 561 determines whether the information held by the monitoring unit 20 matches the information held by the battery ECU 50.

The second data authentication unit 562 is an authentication unit that mutually authenticates the unique ID assigned to the monitoring unit 20 with the monitoring unit 20. The second data authentication unit 562 determines whether the unique ID held by the monitoring unit 20 matches the unique ID held by the battery ECU 50.

The decryption processing unit 563 is provided in correspondence with the encryption communication unit 245 of the monitoring unit 20. The decryption processing unit 563 decrypts the monitoring data encrypted by the encryption processing unit 246 through a predetermined decryption process.

The charging limiting unit 564 limits the charging of the battery BT. For example, the charging limiting unit 564 prohibits charging of the battery BT when the authentication results of the first data authentication unit 242 and the second data authentication unit 562 indicate a mismatch between the unique IDs stored in the higher-level device and the monitoring unit 20, respectively.

Here, the charger CH installed at the charging station CS or the like is a higher-level device of the monitoring unit 20 of the battery BT together with the battery ECU 50. The charger CH controls the charging of the battery BT. The charger CH is provided with a data authentication unit AS corresponding to the second data authentication unit 562, and a controller CR corresponding to the charging limiting unit 564.

The battery monitoring system 1 configured in this manner has a data protection unit provided in the monitoring unit 20 and the higher-level device, making it possible to take effective measures against spoofing the monitoring unit 20, data forgery through signal interference, hijacking of the higher-level device, and battery theft. The following describes measures against spoofing the monitoring unit 20, data forgery through signal interference, hijacking of the higher-level device, and battery theft.

[Impersonation of the monitoring unit 20]
Countermeasures against spoofing of the monitoring unit 20 will be described with reference to Fig. 6. As an example of spoofing of the monitoring unit 20, as shown in Fig. 6, a possible fraudulent act would be to replace the genuine monitoring unit 20 with a counterfeit IM and falsify the monitoring data provided to the higher-level device.

In response to this, the battery monitoring system 1 has both the monitoring unit 20 and the battery ECU 50 retain at least a portion of the specific information, including the unique ID, the manufacturing history of the battery BT, and the usage history of the battery BT, and has each information authentication unit 241, 561 mutually authenticate these to determine whether there are any inconsistencies. For example, if the specific information matches in both information authentication units 241, 561, it is determined to be normal, and if the specific information does not match in one of the information authentication units 241, 561, it is determined that the monitoring unit 20 has been spoofed.

[Data forgery due to signal jamming]
Countermeasures against data forgery due to signal jamming will be described with reference to Fig. 7. One example of data forgery due to signal jamming is a fraudulent scheme in which, as shown in Fig. 7, a signal emitted by a genuine monitoring unit 20 is jammed by an electromagnetic shield ES, and false monitoring data is provided from a counterfeit product IM to a higher-level device.

In response to this, the battery monitoring system 1 provides the monitoring data encrypted by the monitoring unit 20 to the higher-level device. In the higher-level device, the second information authentication unit 561 determines whether the monitoring data provided from the monitoring unit 20 is encrypted. If the monitoring data is encrypted, the second information authentication unit 561 determines that the data is normal, and if the monitoring data is not encrypted, it determines that the data is forged.

[Taking over host devices]
Measures against the takeover of a host device will be described with reference to Fig. 8. As an example of the takeover of a host device, as shown in Fig. 8, a possible illicit action would be to take over the host device by hacking or the like and request only data that is convenient for the user from the monitoring unit 20.

In response to this, the battery monitoring system 1 has a diagnosis unit 243 that causes the monitoring unit 20 to diagnose the appropriateness of a command signal transmitted from a higher-level device. This diagnosis unit 243 generates a trained model by learning the command signal from the higher-level device, and diagnoses the appropriateness of the command signal using the trained model. If the command signal is in line with past trends, the diagnosis unit 243 determines that the command signal is normal, and if the command signal is not in line with past trends, it diagnoses that the higher-level device has been hijacked.

[Battery Theft]
Measures against battery theft will be described with reference to Fig. 9. If a replaceable battery is stolen, for example, as shown in Fig. 9, there is a possibility that the battery BT will be charged in a charger CH installed at a charging station CS or the like.

In response to this, the battery monitoring system 1 has both the monitoring unit 20 and the charger CH retain the unique ID of the monitoring unit 20, and each data authentication unit 242 and AS mutually authenticate them to determine whether there is any inconsistency. For example, if the unique IDs match in both the data authentication units 242 and AS, the monitoring unit 20 and the charger CH determine that the battery is normal and allow charging. On the other hand, if the unique IDs do not match in either the data authentication unit 242 or AS, the monitoring unit 20 and the charger CH determine that the battery has been stolen. In this case, the charger CH prohibits charging of the battery BT. Alternatively, if it is determined that the battery has been stolen, the monitoring unit 20, the battery ECU 50, or the like may prohibit discharging of the battery BT. Note that the user may determine that the battery has been stolen based on the location information of the battery BT, and the information may be transferred to the monitoring unit 20, the battery ECU 50, or the charger CH to prohibit charging or discharging.

The above-mentioned measures against battery theft can be implemented not only between the monitoring unit 20 and the charger CH, but also between the monitoring unit 20 and the battery ECU 50. In other words, the battery monitoring system 1 may be configured so that the unique ID of the monitoring unit 20 is stored in both the monitoring unit 20 and the battery ECU 50, and the data authentication units 242, 562 mutually authenticate these IDs to determine whether there are any inconsistencies.

In the battery monitoring system 1 described above, the host device is provided with monitoring data obtained by monitoring the battery BT by the monitoring unit 20, and the host device stores at least a portion of the specific information contained in the monitoring data using a blockchain. This ensures the reliability of the battery monitoring system 1.

Furthermore, at least one of the monitoring unit 20 and the higher-level device is provided with a data protection unit for ensuring the reliability of the monitoring data. As a result, the reliability of the monitoring data is guaranteed by the data protection unit provided in at least one of the monitoring unit 20 and the higher-level device, so that the reliability of the data provided from the monitoring unit 20 to the higher-level device can be ensured.

In addition, the upper device of the battery monitoring system 1 prohibits charging of the battery BT if the authentication result by the data authentication unit indicates a mismatch between the unique IDs stored in the upper device and the monitoring unit 20. In this way, if the system is configured to prohibit charging of the battery BT and destroy the value of the battery BT when the unique IDs in the monitoring unit 20 and the upper device do not match, it is possible to discourage thieves from stealing the battery BT. This is extremely useful in preventing theft of batteries BT.

In addition, the battery monitoring system 1 provides the following effects:

(1) The monitoring unit 20 and the higher-level device each have an information authentication unit as a data protection unit for mutually authenticating specific information. This makes it possible to detect fraud, such as replacing a genuine monitoring unit 20 with a counterfeit IM to falsify the monitoring data provided to the higher-level device. As a result, it is possible to prevent falsification of the monitoring data by spoofing the monitoring unit 20.

(2) The monitoring unit 20 has an encryption communication unit 245 as a data protection unit that encrypts the monitoring data and transmits it to the higher-level device. In this way, if the monitoring data provided from the monitoring unit 20 to the higher-level device is encrypted, the higher-level device can detect fraudulent attempts to provide false monitoring data to the higher-level device by interfering with the signal from the legitimate monitoring unit 20. As a result, counterfeiting of monitoring data can be prevented.

(3) The monitoring unit 20 has a diagnostic unit 243 as a data protection unit that diagnoses the suitability of a command signal transmitted from a higher-level device. This allows the monitoring unit 20 to detect fraudulent behavior, such as, for example, a person impersonating a higher-level device and requesting only data that is convenient for the monitoring unit 20. As a result, it is possible to prevent tampering with monitoring data by impersonating a higher-level device.

(4) The diagnosis unit 243 generates a trained model by learning command signals from a higher-level device, and uses the trained model to diagnose the appropriateness of the command signal. This allows the trained model to reflect the tendency of command signals to request only data that is convenient for the higher-level device, thereby improving the accuracy of detecting hijacking of the higher-level device.

(5) The monitoring unit 20 has a self-stopping unit 244 as a data protection unit that stops its own function when the diagnostic unit 243 diagnoses that the command signal is inappropriate. This makes it possible to prevent the spread of damage caused by fraud, such as someone masquerading as a higher-level device and requesting only data that is convenient for them from the monitoring unit 20.

Second Embodiment
Next, a second embodiment will be described with reference to Figures 10 to 18. In this embodiment, differences from the first embodiment will be mainly described.

In recent years, there has been a growing movement to safely utilize and fully use battery resources in order to realize a circular economy, and it is predicted that in the near future we will see a society in which the cycle of "battery BT manufacturing" → "temporary use" → "secondary use" → "recycling" can be properly controlled. In the battery circulation society of the future, it is believed that a system will be needed in which data on the number of batteries owned and their health status at each stage of battery use can be tracked on the cloud, and when and what type of batteries BT will be supplied can be predicted for each stage, optimizing production plans.

To realize such a circular society, the reliability of monitoring data including sensing information such as the health status of the battery BT is important, and measures against unauthorized access to systems including the battery BT are necessary. One possible measure against unauthorized access is, for example, deleting the monitoring data stored in the memory unit 22 of the monitoring unit 20 when unauthorized access occurs. Note that unauthorized access is access by someone without legitimate access authority. For example, if there is unauthorized access due to hijacking of a higher-level device, there is a risk that the monitoring data of the monitoring unit 20 will be leaked or leaked, or that the monitoring data will be misused or tampered with.

However, when the monitoring data stored in the memory unit 22 of the monitoring unit 20 is deleted as a measure against unauthorized access, the health status of the battery BT becomes unclear. In this case, it is not possible to determine whether the battery BT can be used for "secondary use," and there is a problem that the battery BT cannot be effectively used because of a cycle of "temporary use" → "recycle."

Taking these factors into consideration, this embodiment proposes a battery monitoring system 1 that takes measures to prevent unauthorized access from reading or tampering with monitoring data, while allowing the battery circulation flow to be restored even if unauthorized access occurs.

As shown in FIG. 10, in the battery monitoring system 1 of this embodiment, an access restriction unit 247 and an access release unit 248 are added to the first data protection unit 24 of the monitoring unit 20. Note that, for convenience, the first information authentication unit 241, the first data authentication unit 242, the diagnosis unit 243, the self-stop unit 244, and the encryption communication unit 245 of the first data protection unit 24 are not shown in FIG. 10.

The access restriction unit 247 restricts external access to the monitoring data stored in the memory unit 22 of the monitoring unit 20. For example, when unauthorized access is detected or predicted, the access restriction unit 247 restricts external access to the monitoring data.

The access release unit 248 releases the restriction on access to the monitoring data stored in the memory unit 22 when access to the monitoring data is restricted by the access restriction unit 247. The access release unit 248 releases the restriction on access to the monitoring data, for example, when a release key is notified from a higher-level device that has legitimate access authority.

Otherwise, it is the same as the first embodiment. The battery monitoring system 1 of this embodiment can obtain the same effects as the first embodiment, which are achieved from a common configuration or an equivalent configuration to the first embodiment.

Specific examples of unauthorized access countermeasures in the monitoring unit 20 are described below. Note that the first to fourth examples shown below can be partially combined with each other, even if not specifically stated, as long as the combination does not cause any problems.

[First embodiment]
First, the first embodiment will be described with reference to Fig. 11 and Fig. 12. The monitoring unit 20 executes the process shown in Fig. 12 as a measure against unauthorized access caused by hijacking of a higher-level device as shown in Fig. 11. The process shown in Fig. 12 is executed by the monitoring unit 20 periodically or irregularly.

As shown in FIG. 12, in step S100, the monitoring unit 20 determines whether unauthorized access to the monitoring data stored in the memory unit 22 is detected or predicted.

The monitoring unit 20 detects unauthorized access, for example, based on the diagnosis result of the command signal by the diagnosis unit 243. Note that the monitoring unit 20 may be configured to determine that unauthorized access has occurred not based on the diagnosis result of the diagnosis unit 243, but based on a mismatch of authentication keys used to access the monitoring unit 20 or on consecutive incorrect passwords.

In addition, even if the monitoring unit 20 cannot determine that unauthorized access has occurred, the monitoring unit 20 predicts unauthorized access based on whether or not a similar act has been performed. For example, the monitoring unit 20 determines that unauthorized access is predicted when the order or number of times various parameters that indicate the state of the battery BT are requested is different from normal, or when the password is entered incorrectly even once.

The monitoring unit 20 waits until unauthorized access is detected or predicted, and when unauthorized access is detected or predicted, the process proceeds to step S110. In step S110, the monitoring unit 20 stores the monitoring data stored in the memory unit 22 as backup data in an external storage device 60 such as a cloud server. It is desirable that the backup data is encrypted so that it cannot be determined from the outside.

The external storage device 60 is provided outside the monitoring unit 20. Data communication between the external storage device 60 and the monitoring unit 20 is performed by wireless communication such as OTA or wired communication such as a communication cable. Note that OTA is an abbreviation for Over The Air.

Then, in step S120, the monitoring unit 20 deletes the monitoring data stored in the memory unit 22. This restricts access to the monitoring data stored in the memory unit 22. The processes of steps S110 and S120 described above are realized by the access restriction unit 247.

Next, in step S130, the monitoring unit 20 determines whether a release key for lifting the access restriction has been notified from a higher-level device with valid access authority, such as a genuine battery ECU 50.

The monitoring unit 20 waits until the release key is notified, and when the release key is notified from the higher-level device, the process proceeds to step S140. In step S140, the monitoring unit 20 obtains backup data from the external storage device 60, and restores the monitoring data from the backup data to the storage unit 22. This removes the restriction on access to the monitoring data. The process of step S140 described above is realized by the access release unit 248.

The unauthorized access countermeasures of the first embodiment described above can prevent the reading and alteration of monitoring data through unauthorized access. In particular, in this example, the monitoring data is restored to the memory unit 22 from the backup data stored in the external storage device 60, so that the flow of battery circulation can be restored even if unauthorized access occurs.

[Modification of the first embodiment]
In the first embodiment, access to the monitoring data is restricted when unauthorized access to the monitoring data is detected or predicted, but this is not limited to this. The monitoring unit 20 may, for example, be configured to periodically restrict access to the monitoring data, or to restrict access to the monitoring data based on a command signal from a higher-level device. This also applies to the following embodiments.
Furthermore, the backup of the monitoring data to the external storage device 60 is not limited to when unauthorized access to the monitoring data is detected or predicted, but may be performed periodically, for example. Note that, when the backup of the monitoring data to the external storage device 60 is performed periodically, when unauthorized access to the monitoring data is detected or predicted, the monitoring data may be deleted from the storage unit 22 without backing up the monitoring data.

[Second embodiment]
Next, a second embodiment will be described with reference to Fig. 13 and Fig. 14. The monitoring unit 20 executes the process shown in Fig. 14 as a measure against unauthorized access caused by hijacking of a higher-level device as shown in Fig. 13. The process shown in Fig. 14 is executed by the monitoring unit 20 periodically or irregularly.

As shown in FIG. 14, in step S200, the monitoring unit 20 determines whether unauthorized access to the monitoring data stored in the memory unit 22 is detected or predicted. This determination process is similar to that in the first embodiment, and therefore will not be described.

When unauthorized access is detected or predicted, the monitoring unit 20 prohibits access to information in the storage unit 22 in step S210. The monitoring unit 20 prohibits access to information in the storage unit 22, for example, by stopping communication between the outside and the storage unit 22 by stopping the functions of the wireless communication device 25, or by setting the monitoring data to be unreadable. This restricts access to the monitoring data stored in the storage unit 22. The processing of step S210 described above is realized by the access restriction unit 247.

Next, in step S220, the monitoring unit 20 determines whether a release key for lifting the access restriction has been notified from a higher-level device with valid access authority, such as a genuine battery ECU 50.

When the release key is notified from the higher-level device, the monitoring unit 20 performs a process in step S230 to allow information access to the storage unit 22. This removes the restriction on access to the monitoring data. The process of step S230 described above is realized by the access release unit 248.

The unauthorized access countermeasures of the second embodiment described above can prevent the reading and alteration of monitoring data through unauthorized access. In particular, the unauthorized access countermeasures of this example have the advantage that they can be realized by a simple process of switching between prohibiting and allowing access to information in the memory unit 22.

[Third Example]
Next, a third embodiment will be described with reference to Fig. 15 and Fig. 16. The monitoring unit 20 executes the process shown in Fig. 16 as a measure against unauthorized access caused by hijacking of a higher-level device as shown in Fig. 15. The process shown in Fig. 16 is executed by the monitoring unit 20 periodically or irregularly.

As shown in FIG. 16, in step S300, the monitoring unit 20 determines whether unauthorized access to the monitoring data stored in the memory unit 22 is detected or predicted. This determination process is similar to that in the first embodiment, and therefore will not be described.

When unauthorized access is detected or predicted, the monitoring unit 20 encrypts the monitoring data stored in the memory unit 22 in step S310. An example of an encryption method is public key cryptography. This restricts access to the monitoring data stored in the memory unit 22. The process of step S310 described above is realized by the access restriction unit 247.

Next, in step S320, the monitoring unit 20 determines whether a release key for lifting the access restriction has been notified from a higher-level device with valid access authority, such as a genuine battery ECU 50.

When the release key is notified from the higher-level device, the monitoring unit 20 decrypts the encrypted monitoring data in step S330. This removes the restriction on access to the monitoring data. The process of step S330 described above is realized by the access release unit 248.

The unauthorized access countermeasures of the third embodiment described above can prevent the reading and alteration of monitoring data through unauthorized access. In particular, this embodiment has the advantage that a countermeasure against unauthorized access can be implemented through a simple process of encrypting and decrypting the monitoring data.

[Fourth embodiment]
The fourth embodiment will be described with reference to Fig. 17 and Fig. 18. The monitoring unit 20 executes the process shown in Fig. 18 as a measure against unauthorized access caused by hijacking of a higher-level device as shown in Fig. 17. The process shown in Fig. 18 is executed by the monitoring unit 20 periodically or irregularly.

As shown in FIG. 18, in step S400, the monitoring unit 20 determines whether unauthorized access to the monitoring data stored in the memory unit 22 is detected or predicted. This determination process is similar to that in the first embodiment, and therefore will not be described.

When unauthorized access is detected or predicted, the monitoring unit 20 prohibits at least one of reading and rewriting of the monitoring data in step S410. The monitoring unit 20 prohibits at least one of reading and rewriting of the monitoring data, for example, by setting the access rights of the folder in which the monitoring data is stored to unreadable or unwriteable. This restricts access to the monitoring data stored in the memory unit 22. The processing of step S410 described above is realized by the access restriction unit 247.

Next, in step S420, the monitoring unit 20 determines whether a release key for lifting the access restriction has been notified from a higher-level device with valid access authority, such as a genuine battery ECU 50.

When the release key is notified from the higher-level device, the monitoring unit 20 permits reading and rewriting of the monitoring data in the memory unit 22 in step S430. This removes the restriction on access to the monitoring data. The process of step S430 described above is realized by the access release unit 248.

The unauthorized access countermeasures of the fourth embodiment described above can prevent the reading or alteration of monitoring data through unauthorized access. In particular, this embodiment has the advantage that countermeasures against unauthorized access can be implemented through a simple process of changing the access rights settings of the folder in which the monitoring data is stored.

Other Embodiments
Representative embodiments of the present disclosure have been described above, but the present disclosure is not limited to the above-described embodiments and can be modified in various ways, for example, as described below.

As in the above-described embodiment, it is desirable for the battery monitoring system 1 to be configured to be able to respond to each of "spoofing of the monitoring unit 20," "data forgery by signal interference," "hijacking of higher-level equipment," "battery theft," and "unauthorized access," but this is not limited thereto. The battery monitoring system 1 may be configured to be able to respond to some of the above frauds, or to be able to respond to frauds other than those described above.

As in the above embodiment, it is desirable for the higher-level device to store at least a portion of the specific information contained in the monitoring data using a blockchain, but this is not required.

As in the above embodiment, the sensor unit 21 of the monitoring unit 20 desirably includes a temperature sensor 211, a current sensor 212, a voltage sensor 213, a deterioration detection unit 214, and a SOH estimation unit 215, but is not limited to this. For example, the sensor unit 21 of the monitoring unit 20 does not need to be provided with the deterioration detection unit 214 and the SOH estimation unit 215.

As in the above embodiment, the first data protection unit 24 desirably includes a first information authentication unit 241, a first data authentication unit 242, a diagnosis unit 243, a self-termination unit 244, an encryption communication unit 245, an access restriction unit 247, and an access release unit 248, but is not limited to this. For example, the first data protection unit 24 may not include some of the first information authentication unit 241, the first data authentication unit 242, the diagnosis unit 243, the self-termination unit 244, the encryption communication unit 245, the access restriction unit 247, and the access release unit 248.

As in the above embodiment, the second data protection unit 56 of the battery ECU 50 desirably includes a second information authentication unit 561, a second data authentication unit 562, a decryption processing unit 563, and a charge limiting unit 564, but is not limited to this. For example, the second data authentication unit 562 may not include some of the second information authentication unit 561, the second data authentication unit 562, the decryption processing unit 563, and the charge limiting unit 564.

In the above embodiment, the connection member WH includes a flexible circuit board FPC, but this is not limited thereto, and the connection member WH does not have to include a flexible circuit board FPC.

In the above embodiment, the battery ECU 50 and the charger CH are exemplified as higher-level devices of the monitoring unit 20, but the higher-level devices may be configured as devices other than the battery ECU 50 and the charger CH.

Although the battery monitoring system 1 monitors lithium ion batteries, this is not limited to this. The battery monitoring system 1 may monitor batteries other than lithium ion batteries. The battery monitoring system 1 may be configured such that the monitoring unit 20 is connected to the higher-level device by wire rather than wirelessly. Furthermore, the battery monitoring system 1 is not limited to being completely identical to the one described above, and may differ in some respects from the one described above.

It goes without saying that in the above-described embodiments, the elements constituting the embodiments are not necessarily essential, except in cases where they are specifically stated as essential or where they are clearly considered essential in principle.

In the above-described embodiments, when numerical values such as the number, values, amounts, ranges, etc. of components of the embodiments are mentioned, they are not limited to the specific numbers, except when it is expressly stated that they are essential or when they are clearly limited to a specific number in principle.

In the above-described embodiments, when referring to the shapes, positional relationships, etc. of components, etc., there is no limitation to those shapes, positional relationships, etc., unless specifically stated otherwise or in principle limited to a specific shape, positional relationship, etc.

The control unit and the method of the present disclosure may be realized in a special-purpose computer provided by configuring a processor and memory programmed to execute one or more functions embodied in a computer program. The control unit and the method of the present disclosure may be realized in a special-purpose computer provided by configuring a processor with one or more dedicated hardware logic circuits. The control unit and the method of the present disclosure may be realized in one or more special-purpose computers configured by a combination of a processor and memory programmed to execute one or more functions and a processor configured with one or more hardware logic circuits. The computer program may also be stored in a computer-readable non-transient tangible recording medium as instructions executed by the computer.

[Aspects of the present disclosure]
[First viewpoint]
1. A battery monitoring system, comprising:
A monitoring unit (20) for monitoring a chargeable/dischargeable battery;
a host device (50) that receives monitoring data obtained by the monitoring unit monitoring the battery and stores at least a portion of the specific information included in the monitoring data using a block chain;
The higher-level device is
A block generator (53) that generates a new block including at least a portion of the specific information and a hash value based on the last block linked to the end of the blockchain;
an external communication device (55) for distributing and storing the new block generated by the block generation unit in a plurality of external devices;
At least one of the monitoring unit and the higher-level device is provided with a data protection unit (24, 56) for ensuring the reliability of the monitoring data.

[Second viewpoint]
The battery monitoring system according to a first aspect, wherein the monitoring unit and the higher-level device each have, as the data protection unit, an information authentication unit (241, 561) for mutually authenticating the specific information.

[Third viewpoint]
The battery monitoring system according to the first or second aspect, wherein the monitoring unit has, as the data protection unit, an encryption communication unit (245) that encrypts the monitoring data and transmits it to the higher-level device.

[Fourth viewpoint]
A battery monitoring system according to any one of the first to third aspects, wherein the monitoring unit has, as the data protection unit, a diagnosis unit (243) that diagnoses the appropriateness of a command signal transmitted from the higher-level device.

[Fifth Viewpoint]
A battery monitoring system as described in a fourth aspect, wherein the diagnosis unit generates a trained model by learning the command signal from the higher-level device, and diagnoses the appropriateness of the command signal using the trained model.

[Sixth Viewpoint]
A battery monitoring system as described in the fourth or fifth aspect, wherein the monitoring unit has, as the data protection unit, a self-stop unit (244) that stops its own function when the diagnostic unit diagnoses the command signal as inappropriate.

[Seventh Viewpoint]
the host device includes a charge control function for controlling charging of the battery,
A unique ID assigned to the monitoring unit is stored in each of the monitoring unit and the host device,
The monitoring unit and the higher-level device each have a data authentication unit (242, 562) for mutually authenticating the unique ID,
A battery monitoring system described in any one of the first to sixth aspects, wherein the higher-level device prohibits charging of the battery when the authentication result by the data authentication unit indicates a mismatch of the unique ID stored in the higher-level device and the monitoring unit, respectively.

[Eighth Viewpoint]
A battery monitoring system as described in any one of the first to fifth aspects, wherein the monitoring unit includes, as the data protection unit, an access restriction unit (247) that restricts external access to the monitoring data stored in the memory unit (22) of the monitoring unit, and an access release unit (248) that releases the access restriction when a preset release key is notified from the higher-level device when the access is in a restricted state.

[Ninth Viewpoint]
1. A battery monitoring system, comprising:
A monitoring unit (20) for monitoring a chargeable/dischargeable battery;
a host device (50) to which monitoring data obtained by the monitoring unit monitoring the battery is provided,
The monitoring unit is provided with a data protection unit (24) for ensuring the reliability of the monitoring data,
A battery monitoring system, wherein the data protection unit includes an access restriction unit (247) that restricts external access to the monitoring data stored in the memory unit (22) of the monitoring unit, and an access release unit (248) that releases the access restriction when a preset release key is notified from the higher-level device when the access is in a restricted state.

[Tenth Viewpoint]
the access restriction unit restricts the access by storing the monitoring data as backup data in an external storage device (60) outside the monitoring unit, and then deleting the monitoring data from the storage unit;
A battery monitoring system described in the 8th or 9th aspect, wherein when the access release unit is notified of the release key, it releases the access restriction by restoring the monitoring data to the memory unit using the backup data stored in the external storage device.

[Eleventh Viewpoint]
the access restriction unit restricts the access by prohibiting access to information in the storage unit;
The battery monitoring system according to the eighth or ninth aspect, wherein the access release unit, upon being notified of the release key, releases the access restriction by permitting access to the information.

[Twelfth Viewpoint]
the access restriction unit restricts the access by encrypting the monitoring data in the storage unit;
A battery monitoring system as described in the eighth or ninth aspect, wherein the access release unit, upon being notified of the release key, releases the access restriction by decrypting the encrypted monitoring data.

[Thirteenth Viewpoint]
the access restriction unit restricts the access by prohibiting at least one of reading and rewriting of the monitoring data in the storage unit;
A battery monitoring system described in the 8th or 9th aspect, wherein when the access release unit is notified of the release key, it releases the access restriction by allowing the reading and rewriting of the monitoring data in the memory unit.

[Fourteenth Viewpoint]
1. A battery monitoring system, comprising:
A monitoring unit (20) for monitoring a chargeable/dischargeable battery;
A charger (CH) that controls charging of the battery,
The monitoring unit and the charger each store a unique ID assigned to the monitoring unit,
Each of the monitoring unit and the charger has a data authentication unit (242, AS) for mutually authenticating the unique ID,
The charger prohibits charging of the battery when a result of the authentication by the data authentication unit indicates a mismatch between the unique ID stored in the charger and the unique ID stored in the monitoring unit.

[Fifteenth Viewpoint]
The battery monitoring system according to any one of the eighth to thirteenth aspects, wherein the access restriction unit restricts external access to the monitoring data when the unauthorized access is detected or predicted.

1 Battery monitoring system 20 Monitoring unit 24 First data protection unit (data protection unit)
50 Battery ECU (upper device)
53 Block generation unit 55 External communication device 56 Second data protection unit (data protection unit)
CH charger (superior device)

Claims (11)

1. A battery monitoring system, comprising:
A monitoring unit (20) for monitoring a chargeable/dischargeable battery;
a host device (50) that receives monitoring data obtained by the monitoring unit monitoring the battery and stores at least a portion of the specific information included in the monitoring data using a blockchain;
The higher-level device is
A block generator (53) that generates a new block including at least a portion of the specific information and a hash value based on the last block linked to the end of the blockchain;
an external communication device (55) for distributing and storing the new block generated by the block generation unit in a plurality of external devices;
At least one of the monitoring unit and the higher-level device is provided with a data protection unit (24, 56) for ensuring the reliability of the monitoring data ,
The monitoring unit has, as the data protection unit, a diagnosis unit (243) that diagnoses the suitability of a command signal transmitted from the higher-level device . The battery monitoring system according to claim 1, wherein the monitoring unit and the higher-level device each have an information authentication unit (241, 561) as the data protection unit for mutually authenticating the specific information. The battery monitoring system according to claim 1 or 2, wherein the monitoring unit has an encryption communication unit (245) as the data protection unit that encrypts the monitoring data and transmits it to the higher-level device. The battery monitoring system according to claim 1 or 2 , wherein the diagnosing unit generates a trained model by learning the command signal from the higher-level device, and diagnoses the appropriateness of the command signal using the trained model. 3. The battery monitoring system according to claim 1 , wherein the monitoring unit has, as the data protection unit, a self-stop unit (244) that stops its own function when the diagnostic unit diagnoses that the command signal is inappropriate. the host device includes a charge control function for controlling charging of the battery,
A unique ID assigned to the monitoring unit is stored in each of the monitoring unit and the host device,
The monitoring unit and the higher-level device each have a data authentication unit (242, 562) for mutually authenticating the unique ID,
3. The battery monitoring system according to claim 1, wherein the host device prohibits charging of the battery when an authentication result by the data authentication unit indicates a mismatch between the unique ID stored in the host device and the unique ID stored in the monitoring unit. The battery monitoring system according to claim 1, wherein the monitoring unit includes, as the data protection unit, an access restriction unit (247) that restricts external access to the monitoring data stored in the storage unit (22) of the monitoring unit, and an access release unit (248) that releases the access restriction when a preset release key is notified from the higher-level device while the access is restricted. the access restriction unit restricts the access by storing the monitoring data as backup data in an external storage device (60) outside the monitoring unit, and then deleting the monitoring data from the storage unit;
The battery monitoring system of claim 7, wherein when the access release unit is notified of the release key, the access release unit releases the access restriction by restoring the monitoring data to the memory unit using the backup data stored in the external storage device. the access restriction unit restricts the access by prohibiting access to information in the storage unit;
The battery monitoring system according to claim 7 , wherein the access release unit, upon receipt of the release key, releases the restriction on access by permitting the information access. the access restriction unit restricts the access by encrypting the monitoring data in the storage unit;
The battery monitoring system according to claim 7 , wherein the access release unit, upon receiving the release key, releases the access restriction by decrypting the encrypted monitoring data. the access restriction unit restricts the access by prohibiting at least one of reading and rewriting of the monitoring data in the storage unit;
9. The battery monitoring system according to claim 7 , wherein the access release unit, upon receiving the release key, releases the access restriction by permitting the reading and rewriting of the monitoring data in the storage unit.

Images