The present invention relates to electronic postage meters, and more particularly to a memory protection circuit for the non-volatile memory (NVM) of an electronic postage meter.
Various electronic postage meter systems have been developed, as for example the systems disclosed in U.S. Pat. No. 3,978,457 for Microcomputerized Electronic Postage Meter Systems, in U.S. Pat. No. 3,938,095 for Computer Responsive Postage Meter and in European Patent Application, Application No. 80400603.9, filed May 5, 1980 for Electronic Postage Meter Having Improved Security and Fault Tolerance Features. Electronic postage meters have also been developed employing plural computing systems; such a system is shown in U.S. Pat. No. 4,301,507, for Electronic Postage Meter Having Plural Computing Systems and assigned to Pitney Bowes, Inc. of Stamford, Conn.
Electronic postage meters include non-volatile memory capability to store critical postage accounting information. This information includes, for example, the amount of postage remaining in the meter for subsequent printing or the total amount of postage already printed by the meter. Other types of accounting or operating data may also be stored in the non-volatile memory, as desired.
The non-volatile memory in electronic postage meters provides a storage function accomplished in prior mechanical type postage meters by mechanical accounting registers. However, postage meters with mechanical accounting registers are not subject to the many problems encountered by electronic postage meters. Conditions do not normally occur in mechanical type postage meters that prevent accounting for a printing cycle or which result in the loss of data stored in the mechanical accounting registers. Moreover, in mechanical postage meters it is not necessary to electronically monitor the position of the mechanical components associated with the printing of postage. This, however, is not the case with electronic postage meters.
Conditions can occur in electronic postage meters where information stored in non-volatile memory may be permanently lost. Conditions such as a total line power failure or fluctuation in voltage conditions can cause the microprocessor associated with the meter to operate erratically and either cause erasure of data or the writing of spurious data in the nonvolatile memory. The erasure of data or the writing of spurious data in the non-volatile memory may result in a loss of information representing the postage funds stored in the meter. Since data of this type changes with the printing of postage and is not permanently stored elsewhere, there is no way to recapture or reconstruct the lost information. Under such circumstances, it is possible that a user may suffer a loss of postage funds.
To minimize the likelihood of a loss of information stored in the non-volatile memory, efforts have been expended to insure the high reliability of electronic postage meters. Some systems for protecting the critical information stored in the meter are disclosed in the above-noted patents and applications. An additional arrangement to protect the postage meter accounting information is disclosed in U.S. Pat. No. 4,285,050 for Electronic Postage Meter Operating Voltage Variation Sensing System, assigned to the same assignee as the present invention.
In view of the foregoing, it is desirable to provide a power supply for electronic postage meters which is physically associated with and part of the meter. In the event of an external power failure, the power supply within the secure housing of the postage meter continues to generate a sufficient, regulated power, for a long enough time to orderly and accurately transfer critical information from the volatile memory (RAM) to the non-volatile memory. The problem of insuring proper power during a power down cycle is compounded because certain non-volatile memories need several different voltages for proper operation. As an example, one type of solid state memory requires the presence of three different voltages to accomplish a write or erase operation.
While the microprocessors used in electronic postage meters can be reset and become inoperative below a predetermined voltage level, such microprocessors may become active again at even lower voltage levels. The microprocessors may be turned off below a predetermined voltage level and threafter within a lower range turn on again and be capable of outputting data. The microprocessors will again turn off below the lower predetermined range. Because of this unreliable operation with respect to reset or turn off, the accounting information within the postage meter can be destroyed by the inadvertent erasing of data or writing of spurious data during a power down cycle when the microprocessor is believed to be inoperative. Moreover, the cost of carefully testing and selecting microprocessor component for postage meters to avoid this problem can greatly increase the cost of such parts, both because of the cost of testing and because of the rejection of the microprocessor devices that exhibit this characteristic.
Systems have been designed to preserved information stored in electronic memory units when power fails. Examples of systems of this type are shown in U.S. Pat. No. 3,859,638 for a Non-Volatile Memory Unit with Automatic Standby Power, Supply; U.S. Pat. No. 4,049,951 for Data Detection Apparatus; and U.S. Pat. No. 3,676,717 for Non-Volatile Flip-Flop Memory Cell. These systems, in part, involve sensing power failure and taking measures to insure data is not lost such as by employing an auxiliary standby power supply or by loading the data into a non-volatile memory. Other U.S. patents which show systems to protect stored information are U.S. Pat. No. 3,801,963 for Method and Apparatus for Transferring Data from a Volatile Data Store Upon the Occurrence of a Power Failure in a Computer; U.S. Pat. No. 3,959,778 for Apparatus for Transferring Data from a Volatile Main Memory to a Store Unit Upon the Occurrence of an Electrical Supply Failure in a Data Processing System; U.S. Pat. No. 3,810,116 for Volatile Memory Protection; and U.S. Pat. No. 3,980,935 for Volatile Memory Support System.
Another postage meter power failure protection system is shown and described in U.S. Pat. No. 3,978,457 for Microcomputerized Electronic Postage Meter System. In this system, when a voltage drops below a threshold level, a signal is generated which initiates a shut down routine. As part of the shut down routine, the contents of a working random access memory are transferred to a non-volatile memory. The maximum time to detect the shut down signal and the time to transfer the register contents from the work memory to the non-volatile memory is a function of the circuit components including the power supply filter capacitors. It is known that during "power-up" and "power-down" the microprocessor may not function predictably and, therefore, that the memory must be protected. The protection is accomplished by gates.
U.S. Pat. No. 4,445,198, issued on April 24, 1984, in the name of Alton B. Eckert, entitled, MEMORY PROTECTION CIRCUIT FOR AN ELECTRONIC POSTAGE METER, provides a memory protection circuit which protects against unreliable microprocessor operation when power failure occurs for any reason. The memory protection circuit maintains the integrity of the accounting data stored in the meter by insuring that information is not inadvertently written into or erased from the non-volatile memory during a power down cycle. Further, such patent application in the name of Alton B. Eckert describes the various voltage levels necessary for writing into different types of non-volatile memories and the requirement to maintain such voltages for a long enough time during the power down cycle to provide an orderly and accurate transfer of critical information from the volatile memory (RAM) to the NVM. However, in accordance with such patent application although the NVM is protected during the power down cycle from the writing of spurious data therein, there is no such protection afforded to the NVM during normal meter operation when a fluctuation in voltage conditions may cause the microprocessor to operate erratically, causing the erasure of data or the writing of spurious data in the non-volatile memory.
In accordance with such patent application of Alton B. Eckert bias voltages are maintained on the non-volatile memory for sufficient time during the power down cycle to provide an orderly and accurate transfer of critical information from the RAM to the NVM if the power supplied has reached its expected output voltage. However, should a power failure occur during power up shortly after the write terminal of the NVM is energized, it is possible that critical information may be lost since the write terminal voltage is removed at the same point on the power supply output voltage curve during the power down cycle as it is applied to the write terminal during power up.
In U.S. Pat. No. 4,285,050 an operating voltage variation sensing system is disclosed for an electronic postage meter using hysteresis for the power down and power up cycles. Although such circuit provides control of the application of an enable voltage to the non-volatile memory during power up and power down of the meter, it is relatively complex and expensive to implement. Further, such circuit utilizes the architecture of the microprocessor to provide the power down cycle threshold voltage.
A problem arises in that great care must be taken to ensure that there is no alteration of the stored information, particularly no erasure of the entire block of the information, as might occur in the event of the malfunction of a circuit coupled to the memory. While all such circuits, including the microprocessor and the address-generation circuit as well as the memory itself are carefully constructed so as to minimize any chance of failure which might affect the storage of information, nevertheless, it is the nature of electronic circuitry that there is always some chance, albeit a very small chance, that a malfunction could occur and that such malfunction might endanger the storage of the data in the memory.
One particular vehicle by which stored data may be lost arises in the nature of the control circuit for the memory. Typically, such memories are produced commercially as preformed packages with a predesignated arrangment of pins for electrical connection, which pins may be plugged into a socket. In particular, in order to ensure versatile operation of the non-volatile memory, a common address scheme and a common control scheme are provided for all the memories. The control scheme provides for a pair of control lines carrying a two-bit signal for designating four possible functions, namely, read, write, block-erase, and word erase. The selection of the particular function is provided by the control generation circuit in combination with the microcomputer.
The foregoing problem in the maintenance of the security of the stored information is, therefore, directly connected with the generation of the control signals for designating the foregoing four memory functions. In particular, it is noted that while the read and write functions are continually used during the operation of the accounting board, and that while the word-erase funtion would be utilized whenever it is desired to update stored data, the block-erase function would never be used to erase the memory in view of its storage of a history file on the use of the postage meter.
It is apparent therefore, that in the event of a malfunction in the microcomputer or in the control generation circuit, which malfunction would inadvertently provide the two-bit control signal designating the block-erase function, then the non-volatile memory would become erased in its entirety. Accordingly, a substantial increase in the security of the operation of the accounting board, particularly with respect to the storage of data in the non-volatile memory, is obtained if a security device is provided which prevents the presentation of the unauthorized block-erase signal at the memory. One such system is disclosed in pending patent application Ser. No. 397,395, filed on July 12, 1982, in the name of T. Germaine et al., entitled, SECURITY SYSTEM FOR USE WITH ELECTRONIC POSTAGE METER TO PREVENT BLOCK ERASURE OF DATA, which discloses circuits for preventing the block erase of data from non-volatile memory during meter operation.
Pending patent application Ser. No. 485,778 filed on April 18, 1983, in the name of Arno Muller for NON-VOLATILE MEMORY PROTECTION CIRCUIT FOR AN ELECTRONIC POSTAGE METER utilizes a microprocessor output operating under software or firmware control to prevent inadvertent erasing of data from or writing data in NVM during normal postage meter operation.
Pending patent application Ser. No. 489,971 filed on April 29, 1983, in the name of Alton B. Eckert et al. for NON-VOLATILE MEMORY PROTECTION CIRCUIT WITH MICROPROCESSOR INTERACTION provides a system for controlling non-volatile memory during the power up, power down and normal operating cycles of an electronic postage meter which among other things applies a bias voltage to the non-volatile memory for erasing or writing data therein only in the presence of an output control signal from the microporocessor operating under software or firmware control.
In summary, prior systems and techniques generally utilize the microprocessor to monitor the power signal condition with software activating or deactivating the NVM in response to a predetermined power condition. That is, the microprocessor generally controls the NVM at all times except when the power is below nominal voltage. This raises the possibility during normal meter operation that the software or firmware may cause the inadvertent erasure of or the writing of data in NVM.