The invention relates to postage meters and more particularly to electronic postage meters of the type having a microprocessor for controlling the printing of value and accounting for such printing.
Devices of this type are generally known, and are discussed, for example in U.S. Pat. No. 3,978,457. This patent discloses a system for a postal meter which includes a keyboard for the manual introduction of data corresponding to the postage to be printed and a Random Access Memory for real-time operation. Data is stored in a non-volatile memory upon power down and read into the Random Access Memory upon power up. U.S. Pat. No. 4,301,507 discloses an improvement in electronic postage meters having two or more units that are each provided with computer control and further describes the means for providing communication between units as well as with peripheral devices.
U.S. Pat. No. 4,484,307 to Quatze et al issued Nov. 20, 1984 describes a microcomputerized postage meter that provides high degrees of security and fault tolerance. However, the mechanization described includes a means for disabling the meter, which means cannot be reset except by physical access to the meter interior, and which access is only available to authorized personnel at the factory. If the fault condition is present, then even if the microcomputer is powered, the signal prevents the microcomputer from executing instructions.
In a co-pending U.S. Application, Ser. No. 710,898 entitled ELECTRONIC POSTAGE METER HAVING A STATUS MONITOR, filed Mar. 12, 1985 (now U.S. Pat. No. 4,710,883) and assigned to the assignee of the present application, there is described an improved electronic meter in which a timer, preferrably external to the microcomputer, provides a periodic interruption of the routine being executed. Upon such interruption, the microcomputer shifts to a monitor routine which monitors the meter elements, i.e. any sensors, input and outputs, and determines any changes in the status of these elements. In this improved meter, when abnormalities occur, the meter will not set a fatal error which will require the meter to be taken from service. Instead it has been found desirable that the meter be extremely fault tolerant and that a reset condition be implemented to allow the meter to recover from various abnormalities in operation which previously would require the machine to set a fatal error. While this system works well, it has been found that if the program under which the microcomputer is operating were to be locked into an infinite loop in which the normal interrupts were disabled, hardware fault detection devices would be fooled by the continuous operation, which would from all indications be proper operation, except that the meter, of course, will not provide its essential services. Thus it was found that it is important to recognize when the program becomes locked into an infinite loop, that is, as herein defined, a succession of repetitive program steps through which the microprocessor would continuously cycle unless interrupted by external input.
Software control arrangements are known in which interrupts are provided in a periodic basis. In these watchdog timers there is an independent timing circuit which generates a non-maskable interrupt after timeout or, alternatively, a non-maskable interrupt is sent at regular intervals and verified for proper operation. A problem occurs in these arrangements in that long intervals may occur before the error is discovered.
U.S. Pat. No. 4,298,982 entitled FAULT-TOLERANT INTERFACE CIRCUIT FOR PARALLEL DIGITAL BUS issued to Auerbach on Nov. 3, 1981 describes a method and apparatus for detecting and correcting a stuck condition on bus lines. Suzuki et al, U.S. Pat. No. 4,453,210 entitled MULTIPROCESSOR INFORMATION PROCESSING SYSTEM HAVING FAULT DETECTION FUNCTION BASED UPON PERIODIC SUPERVISION OF UPDATED FAULT SUPERVISING CODES describes a program having an additional function to detect faults occurring in various processors of a multiprocessor system. A counter is provided for each of the processors for holding an associated fault supervising code. The code stored in the counter is periodically updated by the associated processor while the update status of the code is supervised on a cycle longer than the cycle of the updating period. In accordance with this reference, if a fault occurs in one of the processors, the fault supervising code in correspondence with that processor will not be updated and thus the faulty processor can be detected by periodically noting the update status of the fault supervising codes.
U.S. Pat. No. 3,626,206 to Stebbens entitled CIRCUIT MEANS FOR CYCLICALLY MONITORING AND INDICATING THE CONDITION OF A FUNCTION shows a stepping chain-type digitizer for monitoring the condition of a function and for converting this condition into true and false conditions. These outputs control inhibitor gates in the stages of a normally free running ring counter. Any stage of the ring counter controlled by the step in the selected condition remains in the "on" position after the counter advances to turn it "on", and thereby stops any further advance of the ring counter. The stage of the ring counter which remains locked in the "on" position provides an indication of the conditions of the monitored functions.