Data management system for plumbing equipment

The data management system for plumbing equipment addresses privacy and security issues by securely aggregating and transmitting user data, reducing the risk of leakage and enhancing user privacy through secure communication and identification.

JP2026115200APending Publication Date: 2026-07-09TOTO LTD

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
TOTO LTD
Filing Date
2024-12-27
Publication Date
2026-07-09

AI Technical Summary

Technical Problem

Existing systems for water-related devices lack secure data management that considers user privacy and are vulnerable to external attacks, leading to potential data leakage.

Method used

A data management system for plumbing equipment that includes a storage means for acquired data, a transmission means for secure data transfer, and a control means for determining legitimate transmission paths, along with user identification and health information estimation, utilizing communication devices for secure linking of data to users.

Benefits of technology

The system reduces the likelihood of data leakage by secure data aggregation and transmission, enhances user privacy, and improves data management efficiency through secure communication and user identification.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026115200000001_ABST
    Figure 2026115200000001_ABST
Patent Text Reader

Abstract

To prevent the leakage of information obtained from plumbing fixtures. [Solution] The data management system for plumbing equipment according to the embodiment comprises: a water supply means that supplies water to a water receiving means; an acquisition means that acquires at least one piece of information selected from a group including information required to identify a user of the water supply means or the water receiving means, information about the user's actions, information about the user's biological information, and information about the user's excretion; a storage means that stores the acquired data from the acquisition means; a transmission means that transmits the acquired data stored in the storage means to an external device; and a control means that controls the transmission by the transmission means. The storage means stores a control program that controls the control means, and the control means determines the transmission path or destination of the acquired data based on the execution of the control program.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] The present invention relates to a data management system for water-related devices.

Background Art

[0002] Conventionally, there has been a technology related to software specifications including a flush (amount of toilet water) control for water conservation from data of a smell sensor installed in a toilet and a camera that acquires visual images of excrement (for example, see Patent Document 1).

Prior Art Documents

Patent Documents

[0003]

Patent Document 1

Summary of the Invention

Problems to be Solved by the Invention

[0004] By the way, there has been no system that transmits privacy data of users acquired by water-related devices to the cloud and feeds back information to each individual who has collected the data. For example, in the above-described conventional technology, although defecation information that can be vital information is collected, since it is a function unrelated to individuals such as controlling flushing, there is no need for a highly secure system that takes privacy into consideration.

[0005] In a system including water-related devices having a function of feeding back to each individual based on data obtained from users, security against various attacks from the outside is required to prevent information leakage. If security measures are insufficient, for example, if it allows easy intrusion into the system, data can be easily extracted. Even if intrusion countermeasures are taken as much as possible, if the system itself is easily tampered with, it can be malfunctioned and data can be leaked.

[0006] This application was made in view of the above, and aims to suppress the leakage of information obtained from plumbing equipment. [Means for solving the problem]

[0007] A data management system for plumbing equipment according to one embodiment comprises: a water supply means for supplying water to a water receiving means; an acquisition means for acquiring at least one piece of information selected from a group including information required to identify a user of the water supply means or the water receiving means, information about the user's actions, information about the user's biological information, and information about the user's excretion; a storage means for storing the acquired data from the acquisition means; a transmission means for transmitting the acquired data stored in the storage means to an external device; and a control means for controlling the transmission by the transmission means, wherein the storage means stores a control program for controlling the control means, and the control means determines the transmission path or destination of the acquired data based on the execution of the control program.

[0008] This allows for a reduction in the possibility of data leakage to external parties by determining the legitimacy of external devices to which private data is transmitted, or even if the communication path to those devices is falsified, even if the control program is correct. As a result, the leakage of information obtained from plumbing equipment can be suppressed.

[0009] According to a data management system for plumbing equipment according to one embodiment, the acquired data is stored in the storage means along with information on the date and time of use of the water supply means or the water receiving means, and the system further includes a data extraction means that extracts the acquired data corresponding to a predetermined period or predetermined number of times from the storage means as transmission data in a single transmission unit, and the transmission means can transmit the transmission data extracted by the data extraction means to the external device.

[0010] This reduces the frequency of external communication and lowers the likelihood of intrusion by external attackers. Instead of the edge sending data externally every time it is acquired, the acquired data is aggregated based on time period and number of acquisitions. Furthermore, by sending data from multiple users in a batch, each user can access their data sooner, and the reliability of external transmission is improved.

[0011] According to a data management system for plumbing equipment according to one embodiment, the acquisition means acquires data detected by one or more sensors provided in plumbing equipment having the water supply means and the water receiving means as acquisition data, and the transmission means can transmit transmission data of a data array, which is formed by associating the acquisition data acquired by the acquisition means based on date and time information, to the external device.

[0012] This allows the edge to send a predetermined amount of data in a batch, along with date and time information, rather than sending each piece of data externally as it is acquired. This minimizes the data structure and reduces the likelihood of external attackers infiltrating the system. Furthermore, sending the acquired data as a predetermined data array makes it easier for the recipient to use the data.

[0013] According to a data management system for plumbing equipment according to one embodiment, the external device comprises a data structure determination means for determining a data structure based on the data array, and a health information estimation means for estimating the user's health information, wherein the health information estimation means selects a model from a plurality of health information estimation models that corresponds to the data structure and estimates the user's health status.

[0014] This makes it possible to select the optimal estimation model from the acquired data without requiring users to provide additional information.

[0015] According to a data management system for plumbing equipment according to one embodiment, the system further comprises an identification means for identifying the user of the water supply means or the water receiving means, the storage means stores the user identification result by the identification means together with the acquired data of the acquisition means, the control means has a data generation means for generating transmission data that links the user identification information corresponding to the acquired data to the acquired data, and the transmission means transmits the transmission data generated by the data generation means to the external device.

[0016] For example, plumbing fixtures (toilets, bathrooms, etc.) are used by multiple people. Therefore, according to a data management system for plumbing fixtures according to one embodiment of the system, by including user identification information in the dataset and transmitting it, the management of information that requires personal identification, such as health information, becomes easier. In addition, since users and acquired data are automatically linked, there is no need to perform the task of linking acquired data and users afterward.

[0017] According to a data management system for plumbing equipment according to one embodiment, the transmission means is a communication device owned by the user, and the communication device constitutes at least a part of the identification means and the control means.

[0018] This allows for secure linking of data to users by utilizing their communication devices such as smartphones, smartwatches, smart rings, and tablets. Furthermore, the communication method and timing with plumbing equipment can be arbitrarily selected, limiting opportunities for external intrusion and reducing the possibility of tampering. Additionally, communication devices used by specific individuals possess advanced computing and communication capabilities, enabling more secure transmission to external sources. [Effects of the Invention]

[0019] According to one embodiment, it is possible to suppress the leakage of information obtained from plumbing equipment. [Brief explanation of the drawing]

[0020] [Figure 1] Figure 1 is an explanatory diagram showing an overview of a data management system for water-related equipment according to an embodiment. [Figure 2] Figure 2 is a diagram showing a configuration example of an edge according to an embodiment. [Figure 3] Figure 3 is an explanatory diagram showing an overview of data acquisition and transmission processing according to an embodiment. [Figure 4] Figure 4 is a diagram showing an example of an attack or forgery by an intruder. [Figure 5] Figure 5 is an explanatory diagram showing an overview of authenticity determination of communication software according to an embodiment. [Figure 6] Figure 6 is a diagram showing an overview of the creation of an original certificate. [Figure 7] Figure 7 is a flowchart showing an example of the creation and storage process of an original certificate in initial settings. [Figure 8] Figure 8 is a diagram showing an overview of the acquisition of program values. [Figure 9] Figure 9 is a diagram showing an overview of the acquisition of correct program signature values. [Figure 10] Figure 10 is a flowchart showing an example of an authenticity determination process by comparing the current program value with the correct program verification value. [Figure 11] Figure 11 is a diagram showing an overview of the acquisition of correct program verification values. [Figure 12] Figure 12 is a flowchart showing an example of the initialization process of a control program after forgery notification. [Figure 13] Figure 13 is a diagram showing an example of the reflection of an update program according to an embodiment. [Figure 14] Figure 14 is a flowchart showing an example of the comparison process of an update program. [Figure 15] Figure 15 is a flowchart showing an example of the version comparison process of an update program. [Figure 16] Figure 16 is a flowchart showing an example of the update process of a program. [Figure 17] Figure 17 is an explanatory diagram illustrating the overview of the authenticity determination of data destinations / routes according to the embodiment. [Figure 18] Figure 18 shows an overview of how to create root certificates and server certificates. [Figure 19] Figure 19 is a flowchart showing an example of the process of creating and saving root certificates during initial cloud setup. [Figure 20] Figure 20 is a flowchart showing an example of the process of creating and saving server certificates during initial cloud setup. [Figure 21] Figure 21 shows an example of server certificate value generation. [Figure 22] Figure 22 shows an example of generating a server certificate signature value. [Figure 23] Figure 23 is a flowchart showing an example of the recipient verification process according to the embodiment. [Figure 24] Figure 24 shows an example of generating server certificate validation values. [Figure 25] Figure 25 is a flowchart showing an example of the transmission path verification process according to the embodiment. [Figure 26] Figure 26 shows an example of the data structure of a transmission unit. [Figure 27] Figure 27 shows an example of data segmentation for transmission. [Figure 28] Figure 28 is a block diagram showing an example configuration of a health information estimation device according to an embodiment. [Figure 29] Figure 29 shows an example of a model information storage unit according to the embodiment. [Figure 30] Figure 30 is an explanatory diagram showing a specific overview of a user according to the embodiment. [Figure 31] Figure 31 is a flowchart showing an example of the initial setup process for an operating device. [Figure 32] Figure 32 is a flowchart showing an example of an ID issuance process based on the user's identification status. [Figure 33]Figure 33 shows an example of data associated with a temporary ID that will not be sent. [Figure 34] Figure 34 shows an example of transmission tailored to the user's identification status. [Figure 35] Figure 35 shows an example of user identification using an external device. [Figure 36] Figure 36 is an explanatory diagram illustrating the overview of communication via the user's communication device. [Modes for carrying out the invention]

[0021] The embodiments of the data management system for plumbing fixtures disclosed in this application will be described in detail below with reference to the attached drawings. However, the present invention is not limited to the embodiments described below.

[0022] <1. Overview of the data management system for plumbing equipment> First, an overview of the data management system 1 for plumbing equipment according to this embodiment will be described. Figure 1 is an explanatory diagram showing an overview of the data management system 1 for plumbing equipment according to this embodiment. As shown in Figure 1, the data management system 1 for plumbing equipment according to this embodiment includes plumbing equipment 10, an edge 20, a cloud 30, and a terminal device 25.

[0023] The plumbing equipment 10 is a water supply and drainage system located in a plumbing space PS and connected to the water and sewage systems. For example, plumbing equipment 10 located in a toilet space PS1 is a toilet device that functions as a toilet. Plumbing equipment 10 collects data in plumbing spaces such as the toilet space PS1 through sensor detection, etc. Such data includes information on excretion and bathing. In other words, the data acquired by plumbing equipment 10 is private data related to the privacy of users.

[0024] In this embodiment, the toilet space PS1 is described as an example of a water-related space PS, but the water-related space is not limited to the toilet space PS1, and can be applied to any water-related space as long as the water-related equipment data management system 1 is applicable. For example, the water-related equipment data management system 1 may be applied not only to the toilet space PS1, but also to any water-related space such as the bathroom space PS2, which is a so-called bathroom, the washroom space PS3, which is equipped with a washbasin, or the kitchen space PS4, which is a so-called kitchen. However, these are merely examples. In practice, it is not limited to these examples. For example, the water-related equipment data management system 1 may be applied to a laundry space equipped with a washing machine, or to an outdoor water-related space such as a garden or swimming pool. In the following, when water-related spaces such as the toilet space PS1, bathroom space PS2, washroom space PS3, and kitchen space PS4 are described without distinction, they may be referred to as "water-related space PS".

[0025] Edge 20 is an electronic device located in the same bathroom space PS as the plumbing fixture 10, possessing communication capabilities and interacting with the plumbing fixture 10. Edge 20 may communicate with the plumbing fixture 10 via a predetermined wireless communication function such as Bluetooth® or Wi-Fi (Wireless Fidelity)®, or via a wired communication function such as a cable. Furthermore, Edge 20 may be integrated into the plumbing fixture 10. That is, Edge 20 may be built into or mounted on the plumbing fixture 10 and communicate with the plumbing fixture 10 via a data bus or the like. For example, Edge 20 may be an IoT (Internet of Things) device or a smart home appliance. Edge 20 can also transmit data externally using multiple communication methods and timings.

[0026] Edge 20 and Cloud 30 are connected to each other via a network, either wired or wirelessly, enabling communication between them. The network could be, for example, a LAN (Local Area Network), a WAN (Wide Area Network), or the Internet.

[0027] Cloud 30 is composed of computers such as PCs (Personal Computers) and server devices, or mainframes or workstations, or a combination of multiple computers using cloud computing. Cloud 30 receives data from Edge 20 and performs data management and data analysis. Cloud 30 also provides data, such as the results of data analysis, to Edge 20 and terminal devices 25.

[0028] Terminal device 25 is an information terminal owned by the user and is capable of sending and receiving various types of information via a predetermined network such as the internet to the cloud 30, etc. For example, terminal device 25 can access the cloud 30 to acquire and view information. Terminal device 25 can also be connected to the plumbing equipment 10 via Bluetooth® or Wi-Fi®, etc., and can send and receive various types of information. Terminal device 25 can also receive and store acquired data from the plumbing equipment 10 from the cloud 30. Terminal device 25 can also display information about the user transmitted from the edge 20 and data received from the cloud 30. There may be multiple terminal devices 25. For example, each user of the plumbing equipment 10 may have a different terminal device 25. Furthermore, terminal device 25 is not limited to the user, but may also be an information terminal owned by a parent, doctor, trainer, or other person who manages or advises the user on their health. For example, terminal device 25 may be a smartphone, smartwatch, smart ring, tablet, or other terminal device, or it may be a computer such as a PC or server device.

[0029] <2. Example of edge configuration> Referring to Figure 2, an example configuration of the edge 20 according to the embodiment will be described. Figure 2 is a diagram showing an example configuration of the edge 20 according to the embodiment. As shown in Figure 2, the edge 20 comprises a communication unit 21, a control unit 22, and a storage unit 23. Although not shown in the figure, the edge 20 may also further include an input unit (e.g., a keyboard or mouse) for receiving various operations from the user of the edge 20, and a display unit (e.g., a liquid crystal display) for displaying various information. The input unit and display unit may be touch panels.

[0030] The communication unit 21 is implemented, for example, by a communication circuit corresponding to the communication method. The communication unit 21 may also have an antenna or a NIC (Network Interface Card). The communication unit 21 is connected to a predetermined network such as the Internet by wire or wireless connection and transmits and receives information with an external information processing device. For example, the communication unit 21 transmits and receives information with the plumbing equipment 10 and the cloud 30 via a predetermined network such as the Internet.

[0031] The control unit 22 is implemented, for example, by a CPU (Central Processing Unit) or GPU (Graphics Processing Unit) executing a program stored inside the edge 20 (for example, the health information estimation program according to this disclosure) using RAM or the like as a working area. Alternatively, the control unit 22 may be implemented by an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array).

[0032] The control unit 22 includes an acquisition unit 22a, a data extraction unit 22b, a control program writing unit 22c, an original certificate update unit 22d, a function execution unit 22e, a program verification unit 22f, a program version confirmation unit 22g, an update application unit 22h, an update application permission unit 22i, a root certificate update unit 22j, a recipient verification unit 22k, and a transmission unit 22l.

[0033] The acquisition unit 22a acquires data detected by one or more sensors installed in the plumbing fixture 10 as acquired data. At this time, the acquisition unit 22a acquires at least one piece of information selected from a group that includes information necessary for identifying the user of the plumbing fixture 10, user movement information, user biometric information, and user excretion information. The acquisition unit 22a also stores the acquired data in the storage unit 23 along with information on the date and time of use of the plumbing fixture 10.

[0034] The data extraction unit 22b extracts acquired data that meets predetermined conditions from the storage unit 23 as transmission data in a single transmission unit. For example, the data extraction unit 22b extracts acquired data corresponding to a predetermined period or predetermined number of times from the storage unit 23 as transmission data in a single transmission unit.

[0035] The control program writing unit 22c writes a control program to control the control unit 22 to the storage unit 23. The original certificate update unit 22d stores and updates the original certificate in the storage unit 23. The function execution unit 22e executes a predetermined function according to the authenticity determination program. The program verification unit 22f verifies the control program according to the authenticity determination program.

[0036] The program version verification unit 22g verifies the program itself or its version for the control program and the update program, and stores the correct update program in the storage unit 23. The update program application unit 22h executes the program update process and applies the update program to the control program. The update program application permission unit 22i grants permission to the update program application unit 22h to apply the update program.

[0037] The root certificate update unit 22j stores and updates the root certificate in the storage unit 23. The recipient verification unit 22k verifies the recipient and / or transmission path of the transmitted data.

[0038] The transmitting unit 22l transmits transmission data based on the acquired data stored in the storage unit 23 to an external device.

[0039] The memory unit 23 is implemented by, for example, semiconductor memory elements such as RAM (Random Access Memory) and flash memory, or by storage devices such as HDD (Hard Disk Drive), SSD (Solid State Drive), and optical discs. For example, the memory unit 23 is a computer-readable recording medium that non-temporarily stores data used by programs.

[0040] The storage unit 23 includes an acquired data storage unit 23a, a transmitted data storage unit 23b, a control program storage unit 23c, an update program storage unit 23d, a certificate storage unit 23X, a genuineness determination program storage unit 23Y, and an original control program storage unit 23Z. Of these, the acquired data storage unit 23a, the transmitted data storage unit 23b, the control program storage unit 23c, and the update program storage unit 23d are provided in areas that can be arbitrarily rewritten. The certificate storage unit 23X, the genuineness determination program storage unit 23Y, and the original control program storage unit 23Z are provided in a secure area, such as a secure element. A secure area is a storage area that can only be rewritten under specific conditions through authentication using information that only a specific user or system administrator knows (e.g., ID, password, biometric information, etc.).

[0041] The acquired data storage unit 23a stores acquired data. The transmitted data storage unit 23b stores transmitted data. The control program storage unit 23c stores the control program. The update program storage unit 23d stores the update program. The certificate storage unit 23X stores various certificates, such as the original certificate and root certificate. The authenticity determination program storage unit 23Y stores the authenticity determination program. The original control program storage unit 23Z stores the original control program (the original control program).

[0042] <3. Examples of Information Processing> The following describes the overview of information processing performed in the data management system 1 for plumbing equipment according to the embodiment, with reference to the drawings. First, the overview of data acquisition and transmission processing performed in the data management system 1 for plumbing equipment according to the embodiment will be described with reference to Figure 3. Figure 3 is an explanatory diagram showing an overview of the data acquisition and transmission processing according to the embodiment.

[0043] The plumbing fixture 10, located in the plumbing space PS, includes a water receiving unit 11, a water supply unit 12, and a sensor device 5. The water receiving unit 11 holds or releases water for use by users, is connected to the sewer system, and discharges (drains) the water after use. The water supply unit 12 is connected to the water supply system and supplies water to the water receiving unit 11.

[0044] The sensor device 5 is placed in the bathroom space PS and collects data detected by one or more sensors installed on (or placed around) the bathroom equipment 10 when a user uses the bathroom equipment 10. The sensor device 5 may be incorporated into the bathroom equipment 10 and integrated with it, or it may be placed around the bathroom equipment 10.

[0045] The acquisition unit 22a of the edge 20 acquires data detected by the sensor device 5 located in the water-related space PS from the sensor device 5 and stores it as acquired data in the acquired data storage unit 23a. The acquired data includes, for example, information related to user identification (age, gender, IC card, etc.), user activity information (entry and exit, sitting and leaving, etc.), user biometric information (blood flow, heart rate, sweat, etc.), and user excretion information (feces, urine, exhaust gas, etc.). Thus, the data obtained in the water-related space PS includes highly private data. Therefore, security measures during communication are required more than for ordinary data.

[0046] The data extraction unit 22b of the edge 20 extracts acquired data stored in the acquired data storage unit 23a according to predetermined conditions and stores it in the transmitted data storage unit 23b as transmitted data. For example, the data extraction unit 22b extracts acquired data corresponding to a predetermined period or predetermined number of times from the acquired data storage unit 23a as transmitted data for one transmission unit.

[0047] The transmission unit 22l of edge 20 transmits the transmission data stored in the transmission data storage unit 23b to the cloud 30 according to the control program. The control program is a program that controls the control unit 22, and is written to the control program storage unit 23c by the control program writing unit 22c of edge 20 and stored in the control program storage unit 23c. The acquisition unit 22a and the data extraction unit 22b may also operate according to the control program.

[0048] However, as shown in Figure 4, if an intruder gains access to the edge 20 via the communication unit 21, the intruder may tamper with the communication software (hereinafter referred to as "communication software") within the edge 20, potentially rewriting the control program and other components. Even if the control program itself remains unchanged, the destination of the data may be altered to send the data to a spoofed recipient. For example, as shown in Figure 4, an intruder could gain access via communication path 3-2, spoof communication path 2-2, and alter the data so that it is sent to a spoofed recipient instead of the cloud 30. Figure 4 illustrates an example of an attack or tampering by an intruder.

[0049] <3-1. Determining the Authenticity of Communication Software> To address the possibility of tampering with the communication software within Edge 20, the authenticity of the communication software is verified. Referring to Figure 5, an overview of the authenticity verification of the communication software performed in the plumbing equipment data management system 1 according to this embodiment will be explained. Figure 5 is an explanatory diagram showing an overview of the authenticity verification of the communication software according to this embodiment. The operation of each component shown in Figure 5 will be described in detail below.

[0050] <3-1-1. Initial Setup> First, prior to the authenticity verification process of the communication software, as shown in Figure 6, on the cloud 30 side, the system administrator's information terminal 40 creates an original certificate during edge device production as an initial setting, and saves the original certificate to the certificate storage unit 23X via the original certificate update unit 22d of the edge 20, as shown in Figure 5. The original certificate includes the correct program signature value, a verification function, and a program information generation function. The system administrator's information terminal 40 may be a computer such as a PC or server device, or a terminal device such as a smartphone or tablet. Figure 6 is a diagram showing an overview of the creation of the original certificate. Figure 7 is a flowchart showing an example of the original certificate creation and storage process in the initial setting.

[0051] For example, as shown in Figure 7, on the cloud 30 side, the system administrator's information terminal 40 sets the signature function f(x), the verification function g(x), and the program information generation function h(x) according to the system administrator's operation (step S101).

[0052] Next, the system administrator's information terminal 40 inputs the program information of the control program into the program information generation function h(x), as shown in Figure 8, and obtains the program value "6n5prn82c8" (step S102). Figure 8 is a diagram illustrating the overview of obtaining the program value. In this way, the system administrator's information terminal 40 generates the program value using the control program and the program information generation function h(x). In the initial setup stage, the generated program value becomes the correct program value.

[0053] Next, the system administrator's information terminal 40 generates a correct program signature value using the correct program value and the signature function f(x) (step S103). For example, as shown in Figure 9, the information terminal 40 inputs the correct program value "6n5prn82c8" into the signature function f(x) and obtains the correct program signature value "w6myakniie". Figure 9 is a diagram illustrating the overview of obtaining the correct program signature value.

[0054] Next, the system administrator's information terminal 40 generates an original certificate (step S104). For example, as shown in Figure 6, the system administrator's information terminal 40 generates an original certificate by writing the verification function g(x), the program information generation function h(x), and the correct program signature value "w6myakniie" to the original certificate.

[0055] Next, the system administrator's information terminal 40 saves the original certificate to the certificate storage unit 23X of the edge 20 via the original certificate update unit 22d (step S105). For example, as shown in Figure 5, the original certificate update unit 22d of the edge 20 obtains the original certificate from the system administrator's information terminal 40 via the communication unit 21 and saves it to the certificate storage unit 23X. At this time, the original certificate update unit 22d may also save the original certificate to the certificate storage unit 23X in response to a request from the cloud 30 or an operation by the system administrator on the cloud 30 side.

[0056] Regarding the renewal of the original certificate, if the control program changes its contents through a legitimate procedure, such as an update, the user or system administrator may save the newly created original certificate to the certificate storage unit 23X via the original certificate renewal unit 22d. For example, when a user requests or authorizes the renewal of the original certificate to the original certificate renewal unit 22d, the original certificate renewal unit 22d may automatically obtain the newly created original certificate from the cloud 30 and overwrite it in the certificate storage unit 23X. In this case, the system may determine that any renewal of the original certificate that does not go through the original certificate renewal unit 22d is fraudulent.

[0057] Furthermore, prior to the authenticity determination process of the communication software, the system administrator's information terminal 40 on the cloud 30 side may, as an initial setting, save the authenticity determination program to the authenticity determination program storage unit 23Y of the edge 20 during edge device production. Alternatively, the control unit 22 of the edge 20 may save the authenticity determination program to the authenticity determination program storage unit 23Y during the installation of the communication software. As shown in Figure 5, the control unit 22 of the edge 20 functions as a function execution unit 22e and a program verification unit 22f by reading the authenticity determination program stored in the authenticity determination program storage unit 23Y of the storage unit 23. That is, the function execution unit 22e and the program verification unit 22f operate according to the authenticity determination program.

[0058] <3-1-2. Determining the Authenticity of the Control Program> Next, referring to Figure 10, we will explain the authenticity determination process for communication software, which involves comparing the program value of the current control program with the verified value of the correct program. Figure 10 is a flowchart showing an example of the authenticity determination process by comparing the current program value with the verified value of the correct program.

[0059] For example, as shown in Figure 10, the function execution unit 22e of edge 20 reads the verification function g(x), the program information generation function h(x), and the correct program signature value of the original certificate stored in the certificate storage unit 23X of edge 20, according to the authenticity determination program (step S111).

[0060] Next, the function execution unit 22e of edge 20 reads the current control program stored in the control program storage unit 23c according to the authenticity determination program and generates the program value of the current control program using the program information generation function h(x) (step S112). For example, as shown in Figure 8, the function execution unit 22e inputs the program information of the control program into the program information generation function h(x) and obtains the program value "6n5prn82c8".

[0061] Next, the function execution unit 22e of edge 20 generates a correct program verification value using the verification function g(x) and the correct program signature value, according to the authenticity determination program (step S113). For example, as shown in Figure 11, the function execution unit 22e inputs the correct program signature value "w6myakniie" into the verification function g(x) and obtains the correct program verification value "6n5prn82c8". Figure 11 is a diagram illustrating the overview of obtaining the correct program verification value.

[0062] Next, the program verification unit 22f of edge 20 compares the program value of the current control program with the verified value of the correct program according to the authenticity determination program (step S114). Note that the timing of the comparison between the program value of the current control program and the verified value of the correct program may be before or after the completion of the acquisition of privacy data.

[0063] Next, the program verification unit 22f of edge 20 determines whether the current program value is the same as the correct program verification value (step S115).

[0064] If the current program value and the correct program verification value are the same (step S115: Yes), the program verification unit 22f of the edge 20 performs the privacy data transmission process according to the authenticity determination program (step S116). For example, the program verification unit 22f permits the execution of the privacy data transmission process. As a result, the transmission unit 22l of the edge 20 can send the transmission data stored in the transmission data storage unit 23b to the cloud 30 according to the control program, as shown in Figure 3.

[0065] Conversely, if the current program value and the correct program verification value are not the same (step S115: No), the program verification unit 22f of edge 20 will notify the tampering according to the authenticity determination program (step S117). The notification of tampering may also be made by lighting up a lamp on a display terminal or remote control connected to edge 20. In addition, if tampering occurs, the system may be initialized by forced initialization, forced update, etc.

[0066] <3-1-3. Restoring the control program> The initialization of the control program after a tampering alert will be explained with reference to Figure 12. Figure 12 is a flowchart showing an example of the initialization process of the control program after a tampering alert.

[0067] For example, on the cloud 30 side, the system administrator's information terminal 40, as an initial setting, saves the control program (original control program) in advance in the original control program storage unit 23Z, which is located in an area of ​​the memory unit 23 of the edge 20 that can only be rewritten under specific conditions (a secure area), during edge device production. The original control program is a control program that has not been tampered with.

[0068] Then, after the tampering is reported, when a button or the like installed on the edge 20 is pressed, or when instructions are received from the system administrator's information terminal 40, the control program writing unit 22c of the edge 20 immediately retrieves the control program (original control program) stored in the original control program storage unit 23Z, as shown in Figure 12 (step S121).

[0069] Next, the control program writing unit 22c of edge 20 writes to the control program storage unit 23c, which is located in an arbitrarily rewritable area of ​​the memory unit 23 (step S122). In other words, the control program writing unit 22c overwrites the current control program with the original control program. As a result, the control program writing unit 22c replaces the potentially tampered current control program in the control program storage unit 23c with the original control program.

[0070] <3-2. Updating the communication software> Caution is also necessary when updating the security of communication software via external communication. Referring to Figure 13, an overview of the application of the update program executed in the plumbing equipment data management system 1 according to the embodiment will be described. Figure 13 is a diagram showing an example of the application of the update program according to the embodiment. The operation of each component shown in Figure 13 will be described in detail below.

[0071] <3-2-1. Comparison of update programs> First, we will explain the comparison between the control program and the update program itself, referring to Figure 14. Figure 14 is a flowchart showing an example of the comparison process for the update program.

[0072] For example, as shown in Figure 14, the program version verification unit 22g of the edge 20 requests an update program from the cloud 30 via the communication unit 21 (step S201). At this time, the program version verification unit 22g initiates communication with the cloud 30 to request the acquisition of the update program.

[0073] Next, the program version verification unit 22g of the edge 20 obtains the update program from the cloud 30 via the communication unit 21 (step S202). As a result, the program version verification unit 22g terminates the communication requesting the acquisition of the update program to the cloud 30.

[0074] Next, the program version verification unit 22g of edge 20 compares the control program stored in the control program storage unit 23c with the acquired update program (step S203). Note that, from the perspective of improving communication efficiency, the program comparison does not have to be of the program itself; it may be compared using a value that replaces the program with other information (such as a hash value).

[0075] Next, the program version verification unit 22g of edge 20 determines the difference between the control program stored in the control program storage unit 23c and the acquired update program (step S204).

[0076] If there is a difference between the control program stored in the control program storage unit 23c and the acquired update program (step S204: Yes), the program version verification unit 22g of the edge 20 saves the update program to the update program storage unit 23d (step S205).

[0077] Conversely, if there is no difference between the control program stored in the control program storage unit 23c and the acquired update program (step S204: No), the program version verification unit 22g of edge 20 discards the acquired update program and terminates the process.

[0078] <3-2-2. Comparison of Update Program Versions> Alternatively, the comparison may be limited to the program itself, or the program version may be compared. Refer to Figure 15 to illustrate the comparison of the control program and the update program versions. Figure 15 is a flowchart showing an example of the process for comparing the update program versions.

[0079] For example, as shown in Figure 15, the program version verification unit 22g of the edge 20 requests the update program version from the cloud 30 via the communication unit 21 (step S211). At this time, the program version verification unit 22g initiates communication with the cloud 30 to request the acquisition of the update program version.

[0080] Next, the program version verification unit 22g of the edge 20 obtains the update program version from the cloud 30 via the communication unit 21 (step S212). As a result, the program version verification unit 22g terminates the communication requesting the acquisition of the update program version to the cloud 30.

[0081] Next, the program version verification unit 22g of edge 20 compares the version of the control program stored in the control program storage unit 23c with the version of the acquired update program (step S213).

[0082] Next, the program version verification unit 22g of edge 20 determines the difference between the version of the control program stored in the control program storage unit 23c and the version of the acquired update program (step S214).

[0083] If there is no difference between the version of the control program stored in the control program storage unit 23c and the version of the acquired update program (step S214: No), the program version verification unit 22g of edge 20 discards the acquired version of the update program and terminates the process.

[0084] Conversely, if there is a difference between the version of the control program stored in the control program storage unit 23c and the version of the acquired update program (step S214: Yes), the program version verification unit 22g of the edge 20 requests the update program from the cloud 30 via the communication unit 21 (step S215). At this time, the program version verification unit 22g initiates communication with the cloud 30 to request the acquisition of the update program.

[0085] Next, the program version verification unit 22g of the edge 20 obtains the update program from the cloud 30 via the communication unit 21 (step S216). As a result, the program version verification unit 22g terminates the communication requesting the acquisition of the update program to the cloud 30.

[0086] Next, the program version verification unit 22g of edge 20 saves the update program to the update program storage unit 23d (step S217).

[0087] The content of the update program could be security enhancements to protect private data, or it could be anything else, such as fixing bugs in control systems or adding new features.

[0088] <3-2-3. Program Update> The program update can be initiated when Edge 20 periodically requests the update program from Cloud 30, retrieves it, and saves it; or Cloud 30 can directly instruct Edge 20 to initiate the update; or the update can be initiated by user instruction.

[0089] Referring to Figure 16, the program update process for updating the control program using an update program will be explained. Figure 16 is a flowchart showing an example of the program update process.

[0090] For example, as shown in Figure 16, the update application unit 22h of the edge 20 checks whether an update program is stored in the update program storage unit 23d (step S221). If the update program is not stored in the update program storage unit 23d (step S221: No), the update application unit 22h of the edge 20 terminates processing. Alternatively, the update application unit 22h waits until an update program is stored in the update program storage unit 23d.

[0091] Next, if an update program is stored in the update program storage unit 23d (step S221: Yes), the update application unit 22h of the edge 20 checks whether automatic updates are turned ON in the update application permission unit 22i (step S222).

[0092] If automatic updates are not turned ON in the update application permission unit 22i (step S222: No), the update application unit 22h of the edge 20 checks whether the update has been manually permitted by the update application permission unit 22i (step S223). If the update has not been manually permitted by the update application permission unit 22i (step S223: No), the update application unit 22h of the edge 20 waits until the update is manually permitted. In other words, the update application unit 22h waits for permission to update.

[0093] Here, regarding user permission for program updates, when updating the control program, the user may manually grant permission each time via the update program application permission unit 22i, or grant permission for updates through automatic update settings, etc.

[0094] The update application permission unit 22i may grant permission by operating a device (button, etc.) installed in the water area PS, by operating a terminal held by the user, or by detecting the user's actions (nodding, etc.) with a sensor.

[0095] Next, if automatic updates are turned ON in the update application permission unit 22i (step S222: Yes), or if manual updates are permitted in the update application permission unit 22i (step S223: Yes), the update application unit 22h of the edge 20 updates the control program stored in the control program storage unit 23c with the update program stored in the update program storage unit 23d (step S224). In other words, the update application unit 22h obtains the update program from the update program storage unit 23d and updates the control program with the update program.

[0096] <3-3. Authenticity Verification of Destination / Route> To address the possibility of data destination tampering, the authenticity of the data destination / route is verified. Referring to Figure 17, an overview of the authenticity verification of the data destination / route performed in the plumbing equipment data management system 1 according to this embodiment will be described. Figure 17 is an explanatory diagram showing an overview of the authenticity verification of the data destination / route according to this embodiment. The operation of each component shown in Figure 17 will be described in detail below.

[0097] <3-3-1. Initial Setup> First, prior to the authenticity verification process of the communication software, as shown in Figure 18, on the cloud 30 side, the system administrator's information terminal 40 creates a root certificate during edge device production and a server certificate during cloud initial setup. The root certificate includes a verification function and a certificate information generation function. The server certificate includes a server certificate signature value. Figure 18 is a diagram illustrating the overview of the creation of the root certificate and server certificate. Figure 19 is a flowchart illustrating an example of the root certificate creation and saving process during cloud initial setup. Figure 20 is a flowchart illustrating an example of the server certificate creation and saving process during cloud initial setup.

[0098] <3-3-1-1. Generating Root Certificates> For example, as shown in Figure 19, on the cloud 30 side, the system administrator's information terminal 40 sets the signature function f(x), verification function g(x), and certificate information generation function k(x) according to the system administrator's operation (step S301).

[0099] Next, the system administrator's information terminal 40 writes the verification function g(x) and the certificate information generation function k(x) to the root certificate (step S302). Note that the signing function f(x) is not written to the root certificate. In this way, the system administrator's information terminal 40 generates the root certificate using the verification function and the certificate information generation function.

[0100] Next, the system administrator's information terminal 40 saves the root certificate to the certificate storage unit 23X of the edge 20 via the root certificate update unit 22j (step S303). For example, as shown in Figure 17, the root certificate update unit 22j of the edge 20 obtains the root certificate from the system administrator's information terminal 40 via the communication unit 21 and saves it to the certificate storage unit 23X. At this time, the root certificate update unit 22j may also save the root certificate to the certificate storage unit 23X in response to a request from the cloud 30 or an operation by the system administrator on the cloud 30 side.

[0101] In this way, the system administrator's information terminal 40 stores the root certificate on the edge device 20 during edge device production.

[0102] <3-3-1-2. Generating Server Certificates> Furthermore, as shown in Figure 20, on the cloud 30 side, the system administrator's information terminal 40 writes basic information (server owner, expiration date, server URL) to the server certificate (step S311).

[0103] Next, the system administrator's information terminal 40 generates a server certificate value using the server certificate and the certificate information generation function k(x) (step S312). For example, as shown in Figure 21, the system administrator's information terminal 40 inputs the server certificate into the certificate information generation function k(x) and obtains the server certificate value "jnb6smzsm7". Figure 21 is a diagram showing an example of server certificate value generation.

[0104] Next, the system administrator's information terminal 40 generates a server certificate signature value using the server certificate value and the signing function f(x) (step S313). For example, as shown in Figure 22, the system administrator's information terminal 40 inputs the server certificate value "jnb6smzsm7" into the signing function f(x) and obtains the server certificate signature value "n7xgkbx4zg". Figure 22 is a diagram showing an example of the generation of a server certificate signature value.

[0105] Next, the system administrator's information terminal 40 writes the server certificate signature value to the server certificate (step S314).

[0106] Next, the system administrator's information terminal 40 stores the server certificate on the cloud 30 side (step S315). For example, the server certificate may be stored on the system administrator's information terminal 40 in the cloud 30, or it may be stored on a server device accessible from the information terminal 40 (such as a cloud server that makes up the cloud 30).

[0107] In this way, the system administrator's information terminal 40 stores the server certificate in the cloud 30 during the initial cloud setup. Then, in response to a server certificate acquisition request from the edge 20, the cloud 30 provides the server certificate to the edge 20.

[0108] Furthermore, if the contents (basic information) of the server certificate change, the system administrator's information terminal 40 creates a new root certificate and saves it to the certificate storage unit 23X of the edge 20 via the root certificate update unit 22j. Similarly, the system administrator's information terminal 40 saves the new server certificate with the changed contents to the cloud 30.

[0109] <3-3-2. Verification of the recipient> Next, with reference to Figure 23, the recipient verification process according to the embodiment will be described. Figure 23 is a flowchart showing an example of the recipient verification process according to the embodiment.

[0110] For example, as shown in Figure 23, the recipient verification unit 22k of the edge 20 requests a server certificate from the cloud 30 via the communication unit 21 (step S321). At this time, the recipient verification unit 22k initiates communication with the cloud 30 to request acquisition of a server certificate.

[0111] Next, the sender verification unit 22k of edge 20 obtains a server certificate from cloud 30 via the communication unit 21 (step S322). As a result, the sender verification unit 22k terminates the server certificate acquisition request communication to cloud 30.

[0112] Next, the recipient verification unit 22k of edge 20 obtains the server certificate signature value of the acquired server certificate (step S323). For example, the recipient verification unit 22k obtains the server certificate signature value "n7xgkbx4zg" written to the acquired server certificate.

[0113] Next, the recipient verification unit 22k of edge 20 reads the root certificate stored in the certificate storage unit 23X of edge 20 (step S324).

[0114] Next, the recipient verification unit 22k of edge 20 generates a server certificate verification value using the root certificate verification function g(x) and the server certificate signature value (step S325). For example, as shown in Figure 24, the recipient verification unit 22k inputs the server certificate signature value "n7xgkbx4zg" into the verification function g(x) and obtains the server certificate verification value "jnb6smzsm7". Figure 24 shows an example of the generation of a server certificate verification value.

[0115] Next, the recipient verification unit 22k of edge 20 generates a server certificate value using the root certificate's certificate information generation function k(x) and the server certificate (step S326). For example, as shown in Figure 21, the recipient verification unit 22k inputs the server certificate into the certificate information generation function k(x) and obtains the server certificate value "jnb6smzsm7".

[0116] Next, the recipient verification unit 22k of edge 20 compares the server certificate verification value with the server certificate value (step S327).

[0117] Next, the recipient verification unit 22k of edge 20 determines whether or not the server certificate verification value and the server certificate value are identical (step S328).

[0118] If there is no discrepancy between the server certificate verification value and the server certificate value (step S328: Yes), the recipient verification unit 22k of the edge 20 performs the privacy data transmission process (step S329). For example, the recipient verification unit 22k permits the execution of the privacy data transmission process. This enables the transmission unit 22l of the edge 20 to send the transmission data stored in the transmission data storage unit 23b to the cloud 30 according to the control program, as shown in Figure 3.

[0119] Conversely, if there is a discrepancy between the server certificate verification value and the server certificate value (step S328: No), the recipient verification unit 22k of the edge 20 will report the tampering (step S330). The tampering may also be reported by illuminating a lamp on a display terminal or remote control connected to the edge 20. In addition, if tampering occurs, the system may be initialized by forced initialization, forced update, etc.

[0120] <3-3-3. Verification of the transmission path> Next, with reference to Figure 25, the verification process of the transmission path according to the embodiment will be described. Figure 25 is a flowchart showing an example of the verification process of the transmission path according to the embodiment.

[0121] For example, as shown in Figure 25, the recipient verification unit 22k of the edge 20 determines whether the edge 20 and the cloud 30 are connected by a dedicated transmission path (step S341).

[0122] If the edge 20 and the cloud 30 are not connected by a dedicated transmission path (step S341: No), the recipient verification unit 22k of the edge 20 verifies the recipient (step S342). The recipient verification is as described above (see Figure 23). It is preferable to perform the recipient verification and the transmission path verification separately, but in practice, the transmission path verification may be performed first, and the recipient verification may be performed in between (in that flow).

[0123] Next, the recipient verification unit 22k of edge 20 determines whether or not there are any problems after verifying the recipient (step S343).

[0124] If the edge 20 and the cloud 30 are connected by a dedicated transmission path (step S341: Yes), or if there are no problems after verification of the recipient (step S343: Yes), the recipient verification unit 22k of the edge 20 performs the privacy data transmission process (step S344). For example, the recipient verification unit 22k permits the execution of the privacy data transmission process. As a result, the transmission unit 22l of the edge 20 can send the transmission data stored in the transmission data storage unit 23b to the cloud 30 according to the control program, as shown in Figure 3.

[0125] Conversely, if a problem is found after verifying the recipient (step S343: No), the recipient verification unit 22k of edge 20 will notify the tampering (step S345). The notification of tampering may also be made by lighting up a lamp on a display terminal or remote control connected to edge 20. In addition, if tampering occurs, the system may be initialized by forced initialization, forced update, etc.

[0126] <4. Other processing examples> The process described above is merely an example, and the plumbing equipment data management system 1 may perform various other processes besides those described above. Several examples will be given to illustrate this point. Note that explanations of points similar to those described above will be omitted as appropriate.

[0127] <4-1. Data structure of the transmission unit> The data structure of the transmission unit will be explained with reference to Figure 26. Figure 26 is a diagram showing an example of the data structure of the transmission unit. As described above, the data extraction unit 22b of edge 20 extracts the acquired data stored in the acquired data storage unit 23a according to predetermined conditions and stores it in the transmission data storage unit 23b as transmission data.

[0128] (A) Complete in a set time Edge 20 may transmit within a predetermined time frame to reduce the number of transmissions. For example, as shown in Figure 26(A), the data extraction unit 22b of Edge 20 extracts acquired data acquired at a predetermined time (usage date and time) from the acquired data storage unit 23a as transmission data for one transmission unit. In the example in Figure 26(A), the data extraction unit 22b of Edge 20 extracts acquired data for each day (10 / 30) as transmission data for one transmission unit.

[0129] (B) Grouping by the predetermined number of excretion Furthermore, when Edge 20 converts the acquired data into other information (for example, estimation of excretion rhythm) in the cloud or elsewhere, it may transmit the data in batches in units such as the number of excretions used for the conversion. For example, as shown in Figure 26(B), the data extraction unit 22b of Edge 20 extracts acquired data within a predetermined number of times (or matching the predetermined number) from the acquired data storage unit 23a as data to be transmitted in one transmission unit. In the example in Figure 26(B), the data extraction unit 22b of Edge 20 extracts acquired data for the second or first time (or the first or second time acquired data) as data to be transmitted in one transmission unit.

[0130] (C) Bulking up by user group Furthermore, if the Edge 20 is used only by a specific group of users, such as family members, in addition to improving security by reducing the frequency of external communications, it may also transmit data in batches for each user group from the perspective of efficiency and reliability in reliably uploading each user's data to the cloud. For example, as shown in Figure 26(C), the data extraction unit 22b of the Edge 20 extracts acquired data (acquired data of users who are group members) from the acquired data storage unit 23a on a user group basis as transmitted data for one transmission unit. In the example in Figure 26(C), the data extraction unit 22b of the Edge 20 extracts the acquired data of users A, B, C, and D, who belong to the same user group such as family members, as transmitted data for one transmission unit.

[0131] The transmission unit 22l of the edge 20 retrieves the transmission data stored in the transmission data storage unit 23b and transmits the retrieved transmission data to the cloud 30 according to the control program. The transmission unit 22l may be integrated with the data extraction unit 22b. That is, the transmission unit 22l may function as the data extraction unit 22b, extracting the retrieved data stored in the retrieved data storage unit 23a according to predetermined conditions and transmitting it as transmission data with a predetermined transmission unit data structure at a predetermined timing.

[0132] <4-2. Splitting of transmitted data> Furthermore, the division of transmitted data will be explained with reference to Figure 27. Figure 27 is a diagram showing an example of the division of transmitted data. If Edge 20 determines that grouping by user unit would increase the risk of data leakage, it may, as shown in Figure 27, add a key ID (linking ID) for later integration, divide the data in the column direction of the table, and send it to Cloud 30. For example, as shown in Figure 27, the transmission unit 22l of Edge 20 may add a "linking ID" to the transmitted data containing pairs of "user," "usage date and time," and "acquired data," and divide it into three parts: first transmitted data (first transmission) containing the pair of "linking ID" and "user," second transmitted data (second transmission) containing the pair of "linking ID" and "usage date and time," and third transmitted data (third transmission) containing the pair of "linking ID" and "usage date and time," and send them to Cloud 30.

[0133] In practice, the data extraction unit 22b of the edge 20 may extract the acquired data stored in the acquired data storage unit 23a as a single transmission data, and then divide it as described above and store it in the transmission data storage unit 23b.

[0134] Cloud30 receives each of the divided transmission data (1st transmission data to 3rd transmission data) as described above, and then uses the "linking ID" as a key to integrate each transmission data back into a single transmission data.

[0135] <4-3. Functional Configuration of Health Information Estimation Device> Cloud 30 may also include a health information estimation device 100 as an external device, which estimates the user's health information from the user's privacy data acquired by the plumbing equipment 10. The functional configuration of the health information estimation device 100 will be described below with reference to Figure 28. Figure 28 is a block diagram showing an example configuration of a health information estimation device according to an embodiment.

[0136] As shown in Figure 28, the health information estimation device 100 includes a communication unit 110, a storage unit 120, and a control unit 130. The health information estimation device 100 may also have an input unit (e.g., a keyboard or mouse) for receiving various operations from the administrator of the health information estimation device 100, and a display unit (e.g., a liquid crystal display) for displaying various information.

[0137] The communication unit 110 is implemented, for example, by a communication circuit. The communication unit 110 is connected to a predetermined network, such as the Internet, by wire or wireless connection, and transmits and receives information with an external information processing device. For example, the communication unit 110 transmits and receives information with other devices having communication functions, such as the edge 20, the user's terminal device 25, and the system administrator's information terminal 40, via a predetermined network such as the Internet.

[0138] The memory unit 120 is implemented by, for example, a semiconductor memory element such as RAM (Random Access Memory) or flash memory, or a storage device such as a hard disk or optical disc. For example, the memory unit 120 is a computer-readable recording medium that non-temporarily records data used by a health information estimation program.

[0139] As shown in Figure 28, the storage unit 120 according to this embodiment includes a data storage unit 121, a model information storage unit 122, and a user information storage unit 123.

[0140] The data storage unit 121 according to this embodiment stores various data used by the health information estimation device 100 for processing. The data storage unit 121 stores various data used to estimate the health information of users who use the water-related space PS. The data storage unit 121 stores various data acquired about users who use the water-related space PS.

[0141] The data storage unit 121 stores water-related sensor data (privacy data), such as toilet sensor data. The data storage unit 121 stores each piece of data based on the detection of the sensor device 5 as water-related sensor data, associating it with the date and time information of when the data was acquired. For example, the data storage unit 121 stores toilet sensor data acquired for the toilet space PS1. For example, the data storage unit 121 stores toilet sensor data including gas data, stool data, urine data, biological data, etc., detected in the toilet space PS1. For example, the data storage unit 121 stores gas data including data for one of various gases such as odorless gas and malodorous gas, and stool data including data for at least one of the amounts, shapes, and colors of stool.

[0142] The data storage unit 121 stores various water-related sensor data in addition to toilet sensor data. For example, the data storage unit 121 stores bathroom sensor data acquired for the bathroom space PS2. For example, the data storage unit 121 stores bathroom sensor data including biometric data detected in the bathroom space PS2. For example, the data storage unit 121 stores washroom sensor data acquired for the washroom space. For example, the data storage unit 121 stores washroom sensor data including biometric data detected in the washroom space. For example, the data storage unit 121 stores kitchen sensor data acquired for the kitchen space. For example, the data storage unit 121 stores kitchen sensor data including biometric data detected in the kitchen space.

[0143] The data storage unit 121 is not limited to the above and may store various types of information depending on the purpose. For example, if there are multiple users, the data storage unit 121 stores information that identifies a user (e.g., user ID) in association with the information of that user.

[0144] The model information storage unit 122 stores information about the model. For example, the model information storage unit 122 stores information about multiple models (health information estimation models) used to estimate the user's health information. Figure 29 is a diagram showing an example of the model information storage unit according to the embodiment. The model information storage unit 122 shown in Figure 29 includes items such as "model ID," "health information estimation model," "data structure," and "model data."

[0145] The "Model ID" indicates identification information for identifying the model. The "Health Information Estimation Model" indicates the content of the model identified by the Model ID. The information in the "Health Information Estimation Model" field may include various information about the model, such as its name, purpose, and type.

[0146] "Data structure" indicates the data structure associated with the health information estimation model. "Data structure" indicates the data structure in which the corresponding health information estimation model is used. The information in the "Data structure" item may include various information about the content of that data structure, such as the data array (or pattern of array) that corresponds to that data structure.

[0147] "Model data" refers to the data of the model. Figure 29 shows an example where conceptual information such as "MDT1" is stored in "model data," but in reality, it includes various information that constitutes the model, such as information about the network included in the model and functions.

[0148] Furthermore, the model information storage unit 122 is not limited to the above and may store various types of information depending on the purpose. For example, models A to D in Figure 29 are merely examples, and other models may be stored in the model information storage unit 122, and five or more models may be stored.

[0149] The user information storage unit 123 stores user information. For example, the user information storage unit 123 stores various user information about users who are users of the water-related space PS. For example, the user information storage unit 123 stores information about a user in association with information that identifies the user (user ID).

[0150] The user information storage unit 123 stores various information about the user's attributes, identified by the user ID. For example, the user information storage unit 123 stores various attribute information of the user, such as demographic attribute information like age and gender, and psychographic attribute information like lifestyle and interests. For example, attribute information may include weight, height, mental state, medical history, etc.

[0151] The user information storage unit 123 is not limited to the above and may store various types of information depending on the purpose. For example, the user information storage unit 123 stores user information collected through user input. In this case, the user information storage unit 123 may also store information indicating data supplemented by the user (supplementary data).

[0152] The above is merely one example, and the memory unit 120 stores various types of information used in processing. In addition to the above, the memory unit 120 stores various types of information used in the estimation process of health information. For example, the memory unit 120 stores a list of data structures (data structure list) that associates data structures with data array patterns.

[0153] The control unit 130 is implemented, for example, by a CPU or GPU, which executes a program stored inside the health information estimation device 100 (for example, the health information estimation program according to this disclosure) using RAM or the like as a working area. Alternatively, the control unit 130 can be implemented, for example, by an integrated circuit such as an ASIC or FPGA.

[0154] The control unit 130 includes an acquisition unit 131, a determination unit 132, an estimation unit 133, and a transmission unit 134, and realizes or executes the information processing functions and operations described below. Note that the internal configuration of the control unit 130 is not limited to the configuration shown in Figure 28, and other configurations are also acceptable as long as they perform the information processing described later.

[0155] The acquisition unit 131 acquires various types of information. The acquisition unit 131 acquires various types of information from the storage unit 120. The acquisition unit 131 receives various types of information from various computers such as the edge 20, the user's terminal device 25, and the system administrator's information terminal 40. The acquisition unit 131 acquires various types of data (information) used for estimation processing, such as water sensor data. For example, the acquisition unit 131 acquires water sensor data from the data storage unit 121. For example, the acquisition unit 131 acquires model information from the model information storage unit 122. For example, the acquisition unit 131 acquires user information from the user information storage unit 123.

[0156] The decision unit 132 performs decision processing to determine various pieces of information. For example, the decision unit 132 performs decision processing using various pieces of information stored in the storage unit 120. For example, the decision unit 132 performs decision processing using various pieces of information acquired by the acquisition unit 131.

[0157] Furthermore, the determination unit 132 functions as a data structure determination means that determines the data structure based on a data array formed by associating data (water sensor data) acquired by the acquisition unit 131 based on date and time information. The determination unit 132 determines the data structure based on a data array formed by associating data acquired by the acquisition unit 131 based on personal information or date information. The determination unit 132 determines the data structure based on at least one combination of data in the data array.

[0158] The estimation unit 133 performs estimation processing to estimate various types of information. For example, the estimation unit 133 performs estimation processing using various types of information stored in the storage unit 120. For example, the estimation unit 133 performs estimation processing using various types of information acquired by the acquisition unit 131. For example, the estimation unit 133 performs estimation processing using various types of information acquired by the determination unit 132.

[0159] Furthermore, the estimation unit 133 functions as a health information estimation means that estimates the user's health information based on the data array of data (water sensor data) acquired by the determination unit 132. The estimation unit 133 selects a model from among multiple health information estimation models according to the data structure and estimates the user's health status. For example, if the health information estimation model is a function such as an AI model, the estimation unit 133 inputs data into the selected model and uses the information output by the model to estimate the user's health status. For example, if the selected model is an AI model that outputs a score (value) indicating the health status in response to data input, the estimation unit 133 inputs data into the selected model and estimates whether the user of that data is in that health status based on the score output by the model.

[0160] The transmitting unit 134 transmits information to an external information processing device. For example, the transmitting unit 134 transmits various information to computers such as the edge 20, the user's terminal device 25, and the system administrator's information terminal 40. The transmitting unit 134 notifies the user of information related to the user's health information. The transmitting unit 134 notifies the user by transmitting the information estimated by the estimation unit 133 to the user's terminal device 25. The transmitting unit 134 transmits the information generated by the estimation unit 133 to the user's terminal device 25.

[0161] <5. Others> The plumbing equipment data management system 1 is applicable not only when a plumbing space PS is used by a single user (e.g., user U1), but also when the same plumbing space PS is used by multiple users. In other words, the plumbing equipment data management system 1 is applicable not only to plumbing spaces PS located in a residence where one person lives, but also to users of plumbing spaces PS located in a facility (such as a building) shared by an unspecified number of people. An example of this case will be briefly explained.

[0162] <5-1. Identifying Users> As described above, if it is anticipated that multiple users will use the water-related space PS, the water-related equipment data management system 1 may identify the users of the water-related space PS in any manner. In this case, as shown in Figure 30, the users may be identified using the operating device 15 installed in the water-related space PS.

[0163] Referring to Figure 30, the identification of users according to the embodiment will be explained. Figure 30 is an explanatory diagram showing an overview of user identification according to the embodiment. For example, in the bathroom space PS, an operating device 15 is installed, each having a button corresponding to a user. The data management system 1 for the bathroom equipment identifies users when they operate the buttons on the operating device 15 in the bathroom space PS and specify the user. In the toilet space PS1, user U1, who is one of the users, operates the button that represents user U1 among the multiple buttons on the operating device 15 of the toilet equipment, thereby specifying user U1, and the data management system 1 for the bathroom equipment identifies the user as user U1. In the example in Figure 30, when user A's button is operated, user A is identified.

[0164] For example, the plumbing equipment data management system 1 identifies a user when the user presses a button corresponding to that user on the operating device 15 of the plumbing space PS and specifies the user. Alternatively, the plumbing equipment data management system 1 identifies a user when the user specifies the user corresponding to themselves from the user group displayed on the operating device 15 of the plumbing space PS. In addition, the system may identify user U1 as a user of the plumbing space PS by pairing the user's terminal device 25, such as a smartphone or tablet, with the operating device 15 of the plumbing space PS, for example, via Bluetooth. Furthermore, the user may be identified based on the detection results of various sensors installed in the plumbing space PS. Note that the above is just an example, and the user may be identified by any process that makes it possible to identify the user of the plumbing space PS.

[0165] <5-1-1. Initial Setup of the Control Device> Referring to Figure 31, the initial setup of the operating device 15 (registration of user identification information) will be explained. Figure 31 is a flowchart showing an example of the initial setup process for the operating device 15.

[0166] For example, as shown in Figure 31, the operating device 15 for the water area PS starts registering information for the user button in response to user operation (step S501). For example, user A starts registering information for the user A button.

[0167] Next, in the operating device 15 for the water-related space PS, each user sets their own identification information to the user button corresponding to them (step S502). For example, user A sets their own identification information to the user A button.

[0168] Next, the operating device 15 for the water area PS terminates the registration of user button information in response to user operation (step S503). For example, user A terminates the registration of user A button information.

[0169] In practice, the edge 20 may also be configured to cooperate with the operating device 15 to register user button information. That is, the edge 20 may be configured to accept user button information registration from the operating device 15.

[0170] Furthermore, the registration of user identification information is not limited to linking it to the physical buttons mentioned above. It may also be possible to directly register biometric information such as the user's face or fingerprints, or to have a keyboard or other device that allows registration of user knowledge information such as IDs and passwords, or to register information using the user's smartphone or IC card.

[0171] Furthermore, the user identification method does not have to be a direct identification method as described above; it may also be an identification method that infers the user from the obtained data. For example, Edge 20 may infer the user from the characteristics of the acquired data. Cloud 30 may also infer the user from the characteristics of the transmitted data.

[0172] <5-1-2. Issuance of IDs according to the user's identification status> Referring to Figure 32, the issuance of IDs according to the user's identification status will be explained. Figure 32 is a flowchart showing an example of the ID issuance process according to the user's identification status. In this case, as shown in Figure 30, the control unit 22 of the edge 20 further includes a user identification unit 22m and a data generation unit 22n.

[0173] The user identification unit 22m identifies the user of the plumbing equipment 10. The data generation unit 22n generates transmission data that links the user identification information corresponding to the acquired data to the acquired data.

[0174] For example, as shown in Figure 32, the edge acquisition unit 22a acquires data detected by the sensor device 5 located in the water area PS from the sensor device 5 and stores it as acquired data (privacy data) in the acquired data storage unit 23a (step S511).

[0175] Next, the user identification unit 22m of the edge 20 determines whether or not user identification has been completed (step S512).

[0176] If user identification is not complete (step S512: No), the data generation unit 22n of the edge 20 issues a temporary ID (step S513).

[0177] Next, the data generation unit 22n of the edge 20 associates the temporary ID with the acquired data (privacy data) and stores it in the acquired data storage unit 23a of the storage unit 23 (step S514).

[0178] Next, the data generation unit 22n of the edge 20 announces a temporary ID (step S515). The temporary ID may be displayed on a display unit installed in the water area PS, or it may be displayed on an information terminal owned by the user (e.g., a smartphone). In addition, to prevent the data linked to the temporary ID from being passed on to others, the user may set information known only to the user (e.g., a password).

[0179] Conversely, if user identification is complete (step S512: Yes), the user identification unit 22m of the edge 20 reads the user ID, which is the user's identification information (step S516). Preferably, this user ID is a unique user ID used in the plumbing equipment data management system 1.

[0180] Next, the data generation unit 22n of the edge 20 associates the user ID with the acquired data (privacy data) and stores it in the acquired data storage unit 23a of the storage unit 23 (step S517).

[0181] Next, the data generation unit 22n of the edge 20 determines whether or not there is acquired data (privacy data) associated with a temporary ID in the acquired data storage unit 23a (step S518). If there is no acquired data (privacy data) associated with a temporary ID (step S518: No), the series of processes ends there.

[0182] If there is acquired data (privacy data) linked to a temporary ID (Step S518: Yes), the user selects a temporary ID displayed on the display unit installed in the bathroom space (Step S519). For example, the user selects a temporary ID from among those displayed on the display unit that they believe to represent their confidence. At this time, the display unit may also display the date and time of use along with the temporary ID. The display unit may also request information known only to the user (e.g., a password) when the user selects a temporary ID.

[0183] Next, the data generation unit 22n of the edge 20 converts the temporary ID into the user ID of the user in question (step S520). As a result, the data generation unit 22n converts the acquired data (privacy data) associated with the temporary ID into acquired data (privacy data) associated with the user ID and overwrites (updates) the acquired data storage unit 23a of the storage unit 23.

[0184] Furthermore, if the temporary ID displayed on the display unit installed in the water area PS is not selected by anyone, Edge 20 will not transmit the acquired data (privacy data) associated with the temporary ID to the external device, as shown in Figure 33. Figure 33 shows an example of data associated with a temporary ID that is not to be transmitted. In other words, only the acquired data (privacy data) associated with the user ID is to be transmitted. In this case, the data extraction unit 22b of Edge 20 will not extract the acquired data (privacy data) associated with the temporary ID. Also, the transmission unit 22l of Edge 20 will not transmit data based on the acquired data (privacy data) associated with the temporary ID.

[0185] <5-1-3. Sending messages according to the user's identification status> Refer to Figures 34 and 35 to explain transmission tailored to the user's identification status. Figure 34 is a diagram showing an example of transmission tailored to the user's identification status. Figure 35 is a diagram showing an example of user identification by an external device.

[0186] As shown in Figure 34, the information terminal 40 of the system administrator on the cloud 30 side sets the transmission method, transmission timing, and transmission route for each user ID in the control program. Alternatively, the edge 20 may set the transmission method, transmission timing, and transmission route for each user ID in the control program when registering the user's identification information. For example, as shown in Figure 34, user ID "ID_A" is set to transmission method "BLE", transmission timing "after excretion", and transmission route "to smartphone". User ID "ID_B" is set to transmission method "WiFi", transmission timing "after excretion", and transmission route "to family shared PC". User ID "ID_C" is set to transmission method "mobile network", transmission timing "around 8 AM", and transmission route "to the cloud". Note that even with the same transmission method, the transmission timing and transmission route may differ. This reduces the risk of all users' private data being leaked from a single transmission method.

[0187] Furthermore, as shown in Figure 35, the transmission unit 22l of the edge 20 transmits a set of user ID, usage date and time, and acquired data as transmission data to an external device such as a smartphone or cloud. The external device converts the user ID into information that can identify the user (for example, the user ID used by that external device). In other words, only legitimate external devices designated as transmission routes can identify the user from the user ID. In addition, the data sent from the edge is data that cannot be used to identify the user until it reaches the external device. In this way, security is ensured by minimizing the data sent from the edge, taking into consideration the risk of information leakage.

[0188] As described above, if it is possible to identify the users of the water-related spaces PS, each water-related space PS, such as the toilet space PS1, may be located in any location. For example, the toilet space PS1 may be a so-called public toilet. For example, the toilet space PS1 is not limited to a residence where a family lives, but may also be a toilet space in a facility where multiple people live (nursing home, elderly care home, etc.), an office building, a store such as a department store, an amusement park, a stadium, a park, a parking lot, etc. Thus, as long as the processing by the water-related equipment data management system 1 is applicable, the water-related spaces PS may be located in any location.

[0189] <5-2. Communication via the user's communication device> As shown in Figure 4, to address the problem of edge 20 being compromised by an intruder and the data recipient and transmission path being altered, edge 20 may be configured to transmit data via the user's communication device 50.

[0190] Refer to Figure 36 to explain communication via the user's communication device 50. Figure 36 is an explanatory diagram showing an overview of communication via the user's communication device 50.

[0191] As shown in Figure 36, the communication unit 21 of the edge 20 communicates with the cloud 30 via the user's communication device 50. The user's communication device 50 may be a terminal device such as a smartphone, smartwatch, smart ring, or tablet, or a computer such as a PC or server, or a network device such as a router or gateway. The user's communication device 50 comprises a communication unit 51 and a control unit 52. The communication unit 51 and control unit 52 are the same as those of the communication unit 21 and control unit 22. The storage unit of the user's communication device 50 is not described.

[0192] In the example shown in Figure 36, data is transmitted from communication path 1-2 on the edge 20 side to communication path 2-1 on the user's communication device 50 side, and then from communication path 1-1 on the user's communication device 50 side to the cloud 30 side. However, these are just examples. In reality, the system is not limited to these examples.

[0193] In other words, the transmitter 22l of the edge 20 transmits data to the cloud 30 via the user's communication device 50. At this time, the transmitter 22l of the edge 20 utilizes the computing and communication technologies (control unit 52 and communication unit 51) of the communication device 50. For example, instead of directly uploading data to the cloud 30, the transmitter 22l of the edge may securely upload data to the cloud 30 using the latest computing and communication technologies of the user's communication device 50 (e.g., a smartphone).

[0194] Furthermore, it is possible to migrate data from an edge 20 used by multiple people to a communication device 50 used by an individual. For example, by migrating data from an edge 20 where data for multiple people is stored to a communication device 50 used by a specific individual, the risk of data leakage from the edge 20 (data leakage from the edge 20) can be reduced. In this case, the communication device 50 used by the specific individual may assign the user ID of that specific individual to the data. Also, by transmitting (transferring) the data via the communication device 50 used by the specific individual, it becomes possible to identify that the data belongs to that specific individual.

[0195] The form and timing of data transfer from edge 20 to communication device 50 will be explained. The communication method between edge 20 and communication device 50 can be any form that allows communication within a specific space (a space of limited size) such as the bathroom space PS (for example, Bluetooth). Furthermore, by limiting communication to people and locations, such as only communicating when a user is in the bathroom space PS, the data can be reliably sent to the user's communication device 50, which will produce the two effects mentioned above.

[0196] Further effects and modifications can be readily derived by those skilled in the art. Therefore, broader aspects of the present invention are not limited to the specific details and representative embodiments expressed and described above. Accordingly, various modifications are possible without departing from the spirit or scope of the overall concept of the invention as defined by the appended claims and their equivalents.

[0197] Furthermore, the terms "section, module, unit" mentioned above can be replaced with "means" or "circuit," etc. For example, the acquisition unit can be replaced with acquisition means or acquisition circuit.

[0198] The embodiments and modifications described above may also have the following configurations, but are not limited to them. (1) A water supply means that supplies water to a water receiving means, An acquisition means for acquiring at least one piece of information selected from the group including information required to identify the user of the water supply means or the water receiving means, information on the user's movements, information on the user's biological information, and information on the user's excretion; A storage means for storing the acquired data of the aforementioned acquisition means, A transmission means for transmitting acquired data stored in the storage means to an external device, The system includes control means for controlling transmission by the aforementioned transmission means, The storage means stores a control program for controlling the control means. The control means determines the transmission path or destination of the acquired data based on the execution of the control program. A data management system for plumbing fixtures, characterized by the following features. (2) The acquired data is stored in the storage means along with information on the date and time of use of the water supply means or the water receiving means. The storage means further comprises a data extraction means for extracting the acquired data corresponding to a predetermined period or predetermined number of times from the storage means as transmission data for a single transmission unit, The transmission means transmits the transmission data extracted by the data extraction means to the external device. A data management system for plumbing equipment as described in (1), characterized by the above. (3) The acquisition means acquires data detected by one or more sensors provided in the plumbing equipment having the water supply means and the water receiving means as the acquisition data. The transmission means transmits data of a data array, which is formed by associating the acquired data obtained by the acquisition means based on date and time information, to the external device. A data management system for plumbing equipment as described in (1) or (2), characterized by the above. (4) The external device comprises a data structure determination means for determining a data structure based on the data array, and a health information estimation means for estimating the user's health information. The health information estimation means selects a model from among a plurality of health information estimation models that corresponds to the data structure and estimates the user's health status. A data management system for plumbing fixtures as described in (3), characterized by the above. (5) The system further comprises identification means for identifying the user of the water supply means or the water receiving means, The storage means stores the user identification result by the identification means together with the acquired data by the acquisition means, The control means includes data generation means that generates transmission data that links the user identification information corresponding to the acquired data to the acquired data, The transmission means transmits the transmission data generated by the data generation means to the external device. A data management system for plumbing fixtures as described in any one of (1) to (4), characterized by the above. (6) The aforementioned transmission means is a communication device owned by the user, The communication device constitutes at least a part of the identification means and the control means. A data management system for plumbing equipment as described in (5), characterized by the above. [Explanation of Symbols]

[0199] 1. Data management system for plumbing equipment 10. Plumbing fixtures 20 Edge 21 Communications Department 22 Control Unit 23 Memory section 25 Terminal devices 30 Cloud 40 System Administrator's Information Terminal 50. User's communication device 100 Health information estimation device

Claims

1. A water supply means that supplies water to a water receiving means, An acquisition means for acquiring at least one piece of information selected from the group including information required to identify the user of the water supply means or the water receiving means, information on the user's movements, information on the user's biological information, and information on the user's excretion; A storage means for storing the acquired data of the aforementioned acquisition means, A transmission means for transmitting acquired data stored in the storage means to an external device, The system includes control means for controlling transmission by the aforementioned transmission means, The storage means stores a control program for controlling the control means. The control means determines the transmission path or destination of the acquired data based on the execution of the control program. A data management system for plumbing fixtures, characterized by the following features.

2. The acquired data is stored in the storage means along with information on the date and time of use of the water supply means or the water receiving means. The storage means further comprises a data extraction means for extracting the acquired data corresponding to a predetermined period or predetermined number of times from the storage means as transmission data for a single transmission unit, The transmission means transmits the transmission data extracted by the data extraction means to the external device. A data management system for plumbing equipment as described in claim 1.

3. The acquisition means acquires data detected by one or more sensors provided in the plumbing equipment having the water supply means and the water receiving means as the acquisition data. The transmission means transmits data of a data array, which is formed by associating the acquired data obtained by the acquisition means based on date and time information, to the external device. A data management system for plumbing equipment as described in claim 1.

4. The external device comprises a data structure determination means for determining a data structure based on the data array, and a health information estimation means for estimating the user's health information. The health information estimation means selects a model from among a plurality of health information estimation models that corresponds to the data structure and estimates the user's health status. A data management system for plumbing equipment as described in feature 3.

5. The system further comprises identification means for identifying the user of the water supply means or the water receiving means, The storage means stores the user identification result by the identification means together with the acquired data by the acquisition means, The control means includes data generation means that generates transmission data that links the user identification information corresponding to the acquired data to the acquired data, The transmission means transmits the transmission data generated by the data generation means to the external device. A data management system for plumbing equipment as described in claim 1.

6. The aforementioned transmission means is a communication device owned by the user, The communication device constitutes at least a part of the identification means and the control means. A data management system for plumbing equipment as described in claim 5.