This invention relates generally to handling loss of power in a computerized apparatus, and relates more particularly to the optimal handling of a condition of return of power following the initiation of the handling of loss of power.
It is commonplace to use a processor (typically a microprocessor) under stored program control to replace or augment functions previously performed by mechanical apparatus or by dedicated circuitry. The many internal states of the processor, stored in processor registers, are lost if the processor loses power. Similarly, the contents of a volatile RAM chip are lost if power to the RAM chip is lost. In many consumer products using a processor there is no particular need to save the processor states or RAM contents, so turning the product off cuts power to the processor and the RAM, and as a result the processor states and RAM contents are lost. This is the case, for example, with most personal computers, depending on the application program being executed. If the user has entered data into the RAM of the computer, then to avoid losing the data the user must typically invoke, explicitly, a routine for storing the data to a nonvolatile memory (such as a magnetic medium) before turning off the computer. In other systems some or all of the RAM is made nonvolatile, typically by providing a backup battery that preserves the memory contents.
The integrity of the stored data is threatened not only by the possibility of loss of power to the memory device itself, but also by the possibility that the CPU or data bus may, during loss of power, give rise to a condition that makes a spurious change to the stored data. For example, during the nonzero time interval in which power to the processor and address decoder drops from nominal levels (5 VDC) to zero, there is the possibility that the CPU may execute an instruction that changes important data. This could occur if the processor were to perform a "write" transaction on the data bus to a harmless location while the address decoder (because of less-than-nominal power) incorrectly decodes the address to some location containing crucial data. The result would be a spurious change in the value of the crucial data.
In many such systems the risks relating to possible loss of power are of little concern since important information will have been backed up elsewhere, or is capable of being reconstructed from other sources if necessary. Likewise the prospect of processor malfunction or data bus or address decoder malfunction that overwrites important information is not particularly daunting, again because it is usually quite straightforward and workable to let the user reconstruct important data, if suspected of being incorrect, from a backup or other sources.
One type of equipment typically having information stored in nonvolatile RAM is the electronic postage meter. In such postage meters the amount of postage available for printing is typically stored in what is called the "descending register". In postage meters it is important that the descending register be stored in such a way that there is minimal likelihood of the user printing postage which has not been paid for. For example, when the meter is turned off and later turned back on, the descending register must have an unchanged value.
Before the development of electronic postage meters it was commonplace to use mechanical meters, that is, meters in which the descending register is a mechanical device. In a meter employing a mechanical register with value stored in gear positions, the requirement of the descending register remaining unchanged is satisfied by the simple fact of the gears maintaining position with or without external electric power. Such a meter maintains the register contents both in the face of a normal termination of power and in the face of an accidental or unintentional termination of power.
In recent years mechanisms having many moving parts have been replaced with simpler mechanisms in which many formerly mechanical functions are accomplished by a processor under stored program control. In such cases, pure mechanical registers are replaced with RAM memory. This has been the case with postage meters and their descending registers, as in the above-mentioned electronic postage meters.
As in other electronic equipment with nonvolatile memory, with electronic postage meters there is the nonzero probability of loss of the information in the nonvolatile memory due to processor, address decoder, or data bus malfunction. By definition the amount of postage available for printing is a particular stored value that is assumed to be correct. While the availability of a backup copy of data is satisfactory for, say, a word-processed document it is not very satisfactory for a postage meter descending register. In a postage meter it should not be within the discretion of the user to determine unilaterally, for example, that the descending register contents in the nonvolatile RAM are to be ignored and overwritten with supposedly correct backup data from some source that is within the control of the customer. Instead, if customers and the postal authorities are to be satisfied with the meter the stored value must have an exceedingly high level of confidence as to its correctness.
Similar imperatives present themselves in other electronic equipment where a stored value must be correct to a high degree of confidence and where it is of little or no utility to consider external backups and the like. These include gas pumps, automated teller machines, smart credit cards, and cash registers.
In an electronic system employing a processor and storing crucial data in RAM, it is necessary to ensure that the system maintain its crucial data unchanged after the power is turned off and back on, even in the midst of other operations. The system typically has a power supply which gives power to the processor and other circuitry for a time interval after external power is switched off. The power provided during this interval is sometimes called "reserve" power. The system design may have a power-failure warning signal, generated by the power supply circuitry, which provides what might be termed an "early warning" to the processor. The design of the stored program for the system typically provides that arrival of the power-failure warning signal invokes a routine for storing data to nonvolatile memory or updating information in the nonvolatile memory.
The routine of the stored program that is responsive to the power-failure warning signal, as just mentioned, has as one of its first tasks the updating of crucial data. The reserve power, typically provided by a large electrolytic capacitor together with other circuitry, is designed so that the interval during which reserve power is reliable exceeds by a comfortable margin the time required for completion of the data-updating routine. In the particular case of a postage meter, for example, the interval during which reserve power is reliable exceeds the time required to update the descending register as needed. The interval is also long enough to permit the processor to indicate by a particular message that power was lost in the midst of a postage printing operation, if such be the case. In the latter case, upon the restoration of power to the meter the processor encounters the message and updates the descending register accordingly.
A decision facing the designer of an electronic system containing crucial data is what to have the processor do after it has finished its required tasks responsive to the receipt of the power-failure warning. That is, the reserve power will presumably persist for some time after the data-updating activities have been completed pursuant to the stored program. When the reserve power runs out, the processor stops completely. But prior to that, it is desired that the processor not cause any harm to the crucial data, such as the contents of the nonvolatile memory, so the stored program will typically put the processor into a tight loop, that is, a loop which does nothing externally observable other than to keep the processor occupied. This loop, often called a "power-fail" loop, may be as simple as a few null instructions and a jump. One way that keeping the processor in such a loop minimizes risk to crucial data is that few transactions take place on the bus, and none of the transactions are write transactions.
Putting the processor into a tight loop prior to the eventual loss of reserve power can give rise to an anomalous result, from the user's point of view, if external power is returned during the time that the processor is using the reserve power. That anomalous result is lockup of the equipment. The processor remains in the tight loop and does not respond to user keyboard inputs, even though there is no apparent power loss causing this result. One way this lockup might come about is a rapid switching of the equipment off and back on. Another way this might come about is a momentary loss of external AC power. The lockup can happen in either of two ways: (i) return of external power after the power-failure warning arrived and before the processor has entered the tight loop (i.e. during the routine that saves data to the nonvolatile memory), or (ii) return of external power after the processor has entered the tight loop and before loss of reserve power (i.e. during the execution of the tight loop). In equipment having such a design, the only way to free the equipment from the lockup is to turn it off, leave it off long enough for the reserve power to be exhausted, and turn it back on. But the user may not know this, or may be unaware of the cause and so only perceive a malfunction. An example of such a loop may be seen in the postage meter of U.S. Pat. No. 4,675,841 at col. 14, line 59. In that system, "[t]he main program can only be re-entered through a complete power-up cycle".
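The sequence just described (power-failure warning, commit of the crucial data, the mid-print "message", the power-fail loop, and the recovery on power-up) can be made concrete with a small simulation. The following C program is an added example written for this discussion; it is not code from the patent or from any postage meter firmware. The type and function names (nvram_t, cpu_t, psu_t, power_fail_handler, power_fail_loop, power_up), the cents-valued registers, the modelling of reserve power as a countdown of loop ticks, and the recovery policy of charging for postage that was mid-print when power failed are all assumptions made for illustration. The loop exit bound max_ticks exists only so the simulation terminates; the real loop has no such exit, which is exactly the lockup the text describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated battery-backed nonvolatile RAM (constructed for this example). */
typedef struct {
    uint32_t descending_register;  /* postage available for printing, in cents */
    bool     print_in_progress;    /* the "message" left when power fails mid-print */
    uint32_t in_flight_postage;    /* amount that was being printed, in cents */
} nvram_t;

/* Simulated processor and volatile RAM state during normal operation. */
typedef struct {
    uint32_t working_register;  /* RAM copy of the descending register */
    bool     printing;          /* a postage print cycle is under way */
    uint32_t print_amount;      /* value of the postage being printed */
    bool     keyboard_pending;  /* a keystroke waiting to be serviced */
} cpu_t;

/* Simulated reserve-power supply: a capacitor good for a fixed number of loop ticks. */
typedef struct {
    int  reserve_ticks;        /* ticks the capacitor can keep the processor running */
    int  external_returns_at;  /* tick at which external power comes back, or -1 for never */
    bool external_power;       /* becomes true once external power has returned */
} psu_t;

enum loop_exit { RESERVE_EXHAUSTED, LOCKED_UP };

/* First task on the power-failure warning: update the crucial data.
 * This is the only write to nonvolatile memory in the whole sequence. */
void power_fail_handler(cpu_t *cpu, nvram_t *nv)
{
    nv->descending_register = cpu->working_register;
    nv->print_in_progress   = cpu->printing;
    nv->in_flight_postage   = cpu->printing ? cpu->print_amount : 0;
}

/* The power-fail loop: a bare spin with no bus writes until reserve power is
 * gone. It never looks at external power or the keyboard, so if external
 * power returns the loop runs forever (reported here as LOCKED_UP once the
 * simulation bound max_ticks is reached). */
enum loop_exit power_fail_loop(psu_t *psu, cpu_t *cpu, int max_ticks)
{
    for (int tick = 0; tick < max_ticks; tick++) {
        if (tick == psu->external_returns_at) {
            psu->external_power   = true;  /* mains is back ... */
            cpu->keyboard_pending = true;  /* ... and the user starts typing */
        }
        /* The capacitor only drains while external power is absent. */
        if (!psu->external_power && --psu->reserve_ticks <= 0)
            return RESERVE_EXHAUSTED;      /* processor stops completely */
        /* keystrokes are deliberately never serviced here */
    }
    return LOCKED_UP;                      /* still spinning, on mains power */
}

/* Power-up: reload the register and act on any message left by the
 * power-fail routine. Assumed policy: postage that was mid-print is charged,
 * so the meter never errs toward printing unpaid postage. */
void power_up(cpu_t *cpu, nvram_t *nv)
{
    if (nv->print_in_progress) {
        if (nv->in_flight_postage <= nv->descending_register)
            nv->descending_register -= nv->in_flight_postage;
        nv->print_in_progress = false;
        nv->in_flight_postage = 0;
    }
    cpu->working_register = nv->descending_register;
    cpu->printing         = false;
    cpu->keyboard_pending = false;
}

int main(void)
{
    nvram_t nv  = {0};
    cpu_t   cpu = {1000, true, 29, false};   /* $10.00 available, printing 29 cents */
    psu_t   psu = {20, 5, false};            /* mains returns at tick 5 of 20 */

    power_fail_handler(&cpu, &nv);
    enum loop_exit e = power_fail_loop(&psu, &cpu, 1000);
    printf("loop exit: %s, keystroke pending: %d\n",
           e == LOCKED_UP ? "LOCKED_UP" : "RESERVE_EXHAUSTED", cpu.keyboard_pending);

    power_up(&cpu, &nv);
    printf("descending register after power-up: %u cents\n", cpu.working_register);
    return 0;
}
```

Run as written, the loop reports LOCKED_UP with a keystroke left unserviced, because the loop's only exit condition is exhaustion of reserve power and that exhaustion never arrives once mains is back; with external_returns_at set to -1 it instead exits RESERVE_EXHAUSTED. The power-up path shows the other half of the text: the saved message is consumed once, the register is adjusted, and the flag is cleared so a second power-up does not charge again.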
In electronic systems having crucial data, then, it is desirable to minimize risk to the data during the period of loss of power, and yet to avoid the problem of system lockup if the loss of power is brief.