The heart of a postage meter, whether electronic or mechanical, is a postage printing mechanism and a set of registers containing accounting data directly representative of postal credit. Accordingly, the paramount design objective is to make sure that printing occurs only with a corresponding updating of the accounting registers. In recent years, mechanical meters utilizing complex and intricate mechanical interlocking schemes have begun giving way to electronic meters in which a microcomputer controls and verifies the printing of postage and updating of accounting registers.
U.S. Pat. No. 4,484,307 to Quatse et al. describes an electronic postage meter having improved security and fault tolerance features. The Quatse et al. meter represented a significant advance in the development of electronic postage meters in that the meter not only verified proper operation, but verified its ability to verify proper operation. Thus, the design acknowledged the fallibility of the electronic components, incorporated an appropriate level of redundancy into the circuitry, and provided the capability of sensing a loss of redundancy that threatened data security. The meter was configured so that any failure that threatened the data security would incapacitate the meter in a manner that prevented further operation until the meter had been returned to the factory. Where the failure was the loss of one level of redundancy, the remaining level of protection still allowed reconstruction of the accounting data.
The circuitry of the Quatse et al. meter comprises a microcomputer, a pair of battery-backed CMOS memories (BAMs), a pair of battery-backed flip-flops, and a timer. The microcomputer checks for agreement between the corresponding data in the two BAMs, verifies each write to the BAMs by reading the location back immediately after the write, and monitors feedback signals to ensure proper sequencing of the printing mechanism. The flip-flops, which have two states, are coupled to the BAMs and to the printing mechanism. In the first state ("normal state"), writing to the BAMs and printing of postage can occur under microcomputer control. In the second state ("faulted state"), writing to the BAMs and actuation of the printing mechanism are prevented. Once set to the faulted state, the flip-flops cannot be returned to the normal state without access to the interior of the secure housing.
The timer has a trigger input coupled to the microcomputer and an output coupled to the flip-flops. Upon receipt of a triggering signal at its trigger input, the timer is temporarily kept from setting the flip-flops to the faulted state for a predetermined interval ("time-out interval"). If another triggering signal is not received within the time-out interval, the flip-flops are set to the faulted state.
Under normal operation, the microcomputer issues a triggering signal at intervals shorter than the time-out interval, thereby maintaining the flip-flops in the normal state. When the microcomputer detects a failure, it first writes an appropriate fault code into the BAMs (which is still permitted, since the flip-flops are in the normal state) and then suppresses the triggering signal. The timer output then changes and the fault flip-flops are set to the faulted state. If the triggering signal ceases for any other reason, the flip-flops are set as above, but no fault code is written, because the microcomputer never detected the failure.
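The interaction of the three elements above (redundant BAMs with read-after-write verification, a retriggered watchdog timer, and fault flip-flops that latch) is easiest to see in a small simulation. The following is an added illustration, not the patent's circuit or the manufacturer's firmware; the register layout, the tick-based time-out, the fault codes and the failure scenarios (a stuck memory cell, a noise-induced bit flip in one BAM, and a hung microcomputer) are all constructed for the example.

```python
"""Simulation of the fault-latch scheme described for the Quatse et al. meter.

Hypothetical model (not the patent's circuit): two battery-backed memories
written redundantly with read-after-write verification, a watchdog timer that
the microcomputer re-triggers every cycle, and fault flip-flops that the timer
sets when no trigger arrives within the time-out interval. Once faulted,
writes and printing are blocked until a factory reset, which here stands in
for access to the interior of the secure housing.
"""

TIMEOUT_TICKS = 5        # constructed time-out interval, in simulation ticks
ASCENDING_ADDR = 0       # register holding total postage printed (constructed layout)
FAULT_CODE_ADDR = 3      # register receiving the fault code before trigger suppression
FC_NONE = 0x00
FC_WRITE_VERIFY = 0xA1   # constructed fault codes
FC_BAM_MISMATCH = 0xA2


class FaultFlipFlops:
    """Two-state latch: normal or faulted. Only a factory reset clears it."""
    def __init__(self):
        self.faulted = False

    def set_faulted(self):
        self.faulted = True

    def factory_reset(self):   # requires opening the secure housing
        self.faulted = False


class WatchdogTimer:
    """Counts down each tick; sets the flip-flops when the count reaches zero."""
    def __init__(self, flipflops, timeout=TIMEOUT_TICKS):
        self.ff, self.timeout, self.remaining = flipflops, timeout, timeout

    def trigger(self):
        self.remaining = self.timeout

    def tick(self):
        self.remaining = max(0, self.remaining - 1)
        if self.remaining == 0:
            self.ff.set_faulted()


class BAM:
    """Battery-backed memory. `stuck` maps an address to the value a bad cell always holds."""
    def __init__(self, size=4, stuck=None):
        self.cells, self.stuck = [0] * size, dict(stuck or {})

    def write(self, addr, value):
        self.cells[addr] = self.stuck.get(addr, value)

    def read(self, addr):
        return self.cells[addr]


class Meter:
    def __init__(self, bam_a=None, bam_b=None, hung=False):
        self.ff = FaultFlipFlops()
        self.timer = WatchdogTimer(self.ff)
        self.bams = (bam_a or BAM(), bam_b or BAM())
        self.printed = 0
        self.trigger_suppressed = False
        self.hung = hung   # microcomputer stall: neither trigger nor fault code

    def _write_verified(self, addr, value):
        """Write to both BAMs, reading each location back after the write."""
        for bam in self.bams:
            bam.write(addr, value)
            if bam.read(addr) != value:
                return False
        return True

    def _redundancy_ok(self):
        a, b = self.bams
        return all(a.read(i) == b.read(i) for i in range(len(a.cells)))

    def _fault(self, code):
        # Record the code while writes are still permitted, then stop triggering
        # so the timer latches the flip-flops into the faulted state.
        for bam in self.bams:
            bam.write(FAULT_CODE_ADDR, code)
        self.trigger_suppressed = True

    def cycle(self, postage):
        """One print attempt followed by one timer tick; returns the outcome."""
        if self.ff.faulted:
            outcome = "blocked"            # flip-flops inhibit writes and printing
        elif self.hung:
            outcome = "hung"
        elif self.trigger_suppressed:
            outcome = "latching"           # waiting for the timer to expire
        elif not self._redundancy_ok():
            self._fault(FC_BAM_MISMATCH); outcome = "fault"
        elif not self._write_verified(ASCENDING_ADDR, self.bams[0].read(ASCENDING_ADDR) + postage):
            self._fault(FC_WRITE_VERIFY); outcome = "fault"
        else:
            self.printed += 1              # print only after accounting succeeded
            self.timer.trigger()
            outcome = "printed"
        self.timer.tick()
        return outcome

    def fault_code(self):
        return self.bams[0].read(FAULT_CODE_ADDR)


def run(meter, cycles, postage=44):
    return [meter.cycle(postage) for _ in range(cycles)]


def normal_meter():                          # healthy meter, never faults
    m = Meter(); return m, run(m, 20)

def stuck_cell_meter():                      # component failure: cell stuck at 0
    m = Meter(bam_a=BAM(stuck={ASCENDING_ADDR: 0})); return m, run(m, TIMEOUT_TICKS + 1)

def noise_meter():                           # noise flips a bit in one BAM only
    m = Meter(); out = run(m, 3)
    m.bams[1].cells[ASCENDING_ADDR] ^= 0x10
    return m, out + run(m, TIMEOUT_TICKS + 1)

def hung_meter():                            # microcomputer stops; no fault code
    m = Meter(hung=True); return m, run(m, TIMEOUT_TICKS)
```

The noise scenario also shows the point about redundancy made above: after the meter latches, the untouched BAM still holds the correct ascending register, so the accounting data can be reconstructed at the factory even though the meter itself refuses to operate.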
The Quatse et al. meter was ultimately implemented in a line of commercial products, including a meter known as the Friden Alcatel Model 9250. Several years of operation have shown the Model 9250 to be highly reliable, with an average of about twenty million cycles between failures. An analysis of meters that actually faulted and were returned to the factory revealed that about half the faults were due to the failure of a mechanical or electrical component. In the remaining cases, the fault was due to electrical noise in the system.