The invention relates to updating of computer code and, more particularly, to methods and apparatus to enable fault tolerant field updating of such code in non-volatile memory, such as flash ROM (read-only memory).
In many computer-based applications it is desirable to be able to change or update code in a system already placed in service, as in a system at a field location. Such code updates may be provided by downloading via Internet or other communication media. One potential problem is that the update process may be disrupted before completion, as by a power fluctuation, communication link disruption, etc.
However, it is also desirable to be able to update or load code while a system is operational to minimize system disruption.
Non-volatile memory, such as flash ROM memory, may be used for code storage. Such memory provides the capability of updating stored code (remotely or locally) while the system is in field service. However, a problem with such updating is that the flash memory must be erased before it can be reprogrammed. If system-level code (i.e., code providing system operation) is to be updated and a disruption occurs after erasure and prior to load installation, the system may be rendered inoperable. In such case, the fall-back solution has been to return the system to functionality by shipping it or discrete components to the factory or maintenance depot to have the flash memory reloaded. Alternatively, the problem may be solved by servicing of the system in the field, with substitution of memory components having the program load.
It is thus desirable to provide a fault tolerant approach in order to obtain the benefits of field updates of code stored in memory, such as flash ROM, while minimizing the disadvantages of potential system inoperability.
To enable field updates of memory, memory alternation is implemented by use of at least two memory areas. Code is initially stored in a first memory area and a first update version of the code is stored in the second memory area. Then, a second update version is downloaded into the first memory area, retaining the first update version for use if the downloading is not successful. As a further aspect, update methods are provided to enable choice of the memory area to be erased for download purposes, without disturbing a more recent operative version of the code available in a remotely located system. Start-up routines are provided to enable start-up on the basis of using the newer, or most recent, update version upon successful download.
For a better understanding of the invention, together with other and further objects, reference is made to the accompanying drawings and the scope of the invention will be pointed out in the accompanying claims.