US2016378457A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2016378457-A1 |
| Application number | US-201415038944-A |
| Country | US |
| Kind code | A1 |
| Filing date | Nov 26, 2014 |
| Priority date | Nov 27, 2013 |
| Publication date | Dec 29, 2016 |
| Grant date | — |
Official abstract text for this publication.
A program update system and method that are able to verify the legitimacy of an update of a program executed on a vehicle side. An exterior device stores update data including an update control program for a control device targeted for updating and a computer program that implements means for calculating a digest value relating to the update control program, means for determining whether operation of the control device after the update is normal, and means for transmitting a result of the determination as a response. The control device receives the update data that is transmitted from the exterior device via a relay device and updates the control program using the update control program included in the update data, and determines whether operation after the update is normal and transmits a result of the determination to the relay device by executing the computer program.
Opening claim text (preview).
1. A program update system comprising: a plurality of control devices including: storage means for storing a control program for controlling a vehicle-mounted device; and execution means for reading out and executing the control program; a relay device connected to the plurality of control devices via an in-vehicle communication line; and an exterior device connected to the relay device via an exterior communication network and for storing update data required in order to update the control program, and in which the update data is transmitted from the exterior device to the relay device, and the control program stored in the storage means of the control device is updated, based on the update data received by the relay device, wherein the update data includes: an update control program for a control device targeted for updating; and a computer program that implements: means for calculating a digest value relating to the update control program; means for determining whether operation of the control device after the update is normal; and means for transmitting a result of the determination by the determining means to the relay device as a response, the relay device includes: means for transmitting the update data received from the exterior device to the control device targeted for updating, the control device includes: means for receiving the update data transmitted from the relay device; and means for updating the control program stored in the storage means using the update control program included in the received update data, and the control device, by executing the computer program included in the update data, determines whether operation after the update is normal, and transmits a result of the determination to the relay device as a response.
2. The program update system according to claim 1, wherein the relay device includes: means for storing device identification information identifying the control devices connected via the in-vehicle communication line, and program identification information identifying the control programs stored in the storage means of the control devices; and means for transmitting the device identification information of the control device storing a control program targeted for updating and the program identification information of the control program to the exterior device, and the exterior device includes: means for receiving the device identification information and program identification information transmitted from the relay device; means for specifying update data to be transmitted to the relay device, based on the received device identification information and program identification information; and means for adding the device identification information and the program identification information when transmitting the specified update data to the relay device.
3. The program update system according to claim 1, wherein the relay device includes: means for acquiring a digest value relating to the update control program; means for encrypting the acquired digest value; and means for transmitting the encrypted digest value to the exterior device, and the exterior device includes: means for receiving the encrypted digest value transmitted from the relay device; means for decrypting the received digest value; means for comparing the decrypted digest value with an expected value stored in advance; and means for determining a legitimacy of a post-update control program in the control device, based on a result of the comparison.
4. The program update system according to claim 3, wherein the exterior device includes: means for retransmitting stored update data and the computer program to the control device via the relay device, if it is judged that the post-update control program is not legitimate.
5. The program update system according to claim 3, wherein the exterior device includes: means for notifying the control device via the relay device to terminate execution of the control program, if it is judged that the post-update control program is not legitimate, and the control device includes: means for terminating execution of the control program, if a notification indicating to terminate execution of the control program is received from the exterior device.
6. The program update system according to claim 3, wherein at least one of the exterior device, the relay device, and the control device includes means for holding the pre-update control program, the exterior device includes: means for notifying the control device via the relay device to restore the pre-update control program if it is judged that the post-update control program is not legitimate, and the control device includes: means for acquiring the pre-update control program, if a notification to restore the pre-update control program is received via the relay device; and means for restoring the post-update control program stored in the storage means to the acquired pre-update control program.
7. A program update method in which an exterior device transmits, to a relay device connected to a control device including storage means for storing a control program for controlling a vehicle-mounted device and execution means for reading out and executing the control program, update data required in order to update the control program, and the control program stored in the storage means of the control device is updated, based on the update data received by the relay device, wherein the update data includes: an update control program for a control device targeted for updating; and a computer program that implements: means for calculating a digest value relating to the update control program; means for determining whether operation of the control device after the update is normal; and means for transmitting a result of the determination by the determining means to the relay device as a response, the relay device: transmits the update data received from the exterior device to the control device targeted for updating, and the control device: receives the update data transmitted from the relay device, updates the control program stored in the storage means using the update control program included in the received update data, and by executing the computer program included in the update data, determines whether operation after the update is normal, and transmits a result of the determination to the relay device as a response.
8. The program update system according to claim 2, wherein the relay device includes: means for acquiring a digest value relating to the update control program; means for encrypting the acquired digest value; and means for transmitting the encrypted digest value to the exterior device, and the exterior device includes: means for receiving the encrypted digest value transmitted from the relay device; means for decrypting the received digest value; means for comparing the decrypted digest value with an expected value stored in advance; and means for determining a legitimacy of a post-update control program in the control device, based on a result of the comparison.
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title
Updates (security arrangements therefor G06F21/57) · CPC title
Program loading or initiating (bootstrapping G06F9/4401; security arrangements for program loading or initiating G06F21/57) · CPC title
involving the movement of software or configuration parameters (network booting or remote initial program loading [RIPL] G06F9/4416) · CPC title
received data contents, e.g. message integrity · CPC title