This invention relates to a programmable microprocessor-based electronic control module designed to store data pertaining to a detected event, and more particularly to a method of protecting the integrity of the stored event data.
In an electronic control system, it is frequently desirable to record data corresponding to various system parameters when a specified event or failure is detected. In a motor vehicle, for example, it is desirable for analytical purposes to record data such as vehicle speed, acceleration, yaw, anti-lock brake activation, engine throttle position, and so forth, at the time of a detected or impending crash event. Aircraft flight recorders perform a similar function by continuously recording data, and permanently storing only the most recently recorded data.
A requirement with data recording systems of the type described above is that the stored data must remain intact, without possibility of external modification subsequent to the detected event. This presents a problem from a practical standpoint, since other data (such as executable software routines) stored in a programmable memory (EEPROM or Flash-ROM) of the controller must be downloaded during manufacture of the module, and may need to be modified from time to time in the field in order to modify the functionality of the controller. This is ordinarily achieved by coupling an electronic service tool to the controller, and transferring a software routine, generally referred to as a Download and Execute routine, into a specified sector of random access memory (RAM) for execution by the controller's microprocessor. When executed, the Download and Execute routine allows the controller to download data from the service tool, and to write such data into specified sectors of the controller's programmable memory. Unfortunately, this same procedure could possibly be used by a careless or unscrupulous individual to alter event data, frustrating later analysis of the event. Accordingly, what is needed is a method of safeguarding event data after the module is placed into service, while permitting authorized manufacturing and field programming of the module.
The present invention is directed to an improved method of protecting the integrity of event data stored in the programmable memory of a microprocessor-based control module while permitting authorized manufacturing and field alteration of the programmable memory with a Download and Execute routine. According to the invention, the Download and Execute routine is resident in a designated sector of the module's read-only memory, and download access to the module's random access memory after module manufacture has been completed is denied. During manufacture of the module, and during field programming of the controller prior to the writing of event data, the programmable memory may be externally altered by an authorized service tool by transferring the Download and Execute routine from read-only memory to random access memory for execution by the module's microprocessor, and downloading the new data or code over a data link coupling the service tool to the module. After event data has been written to the programmable memory, external requests to alter the programmable or read-only memories are denied, and the transfer of the Download and Execute routine to random access memory is not permitted. In the illustrated embodiment, the Download and Execute routine is stored along with other executable routines in a Flash Programmable Memory (FPM), while the event data is stored in an Electrically Erasable and Programmable Read-Only Memory (EEPROM).
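The gating described above can be modelled as a small lifecycle check in the module's request handler. The following C is an added illustration, not code from the patent or any product: the memory layout, flag positions, request names and sizes are constructed assumptions, and the two EEPROM flags (manufacture complete, event data written) stand in for whatever lifecycle state the real module keeps.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the module's memories; names and sizes are illustrative. */
#define RAM_SIZE    64
#define EEPROM_SIZE 16
#define EVT_FLAG    0   /* EEPROM byte set to 1 once event data has been written */
#define MFG_DONE    1   /* EEPROM byte set to 1 once manufacture is complete    */
#define EVT_DATA    2   /* first EEPROM byte of the recorded event data         */

typedef struct {
    const uint8_t *rom_de;      /* Download and Execute routine resident in ROM/FPM */
    size_t rom_de_len;
    uint8_t ram[RAM_SIZE];
    uint8_t eeprom[EEPROM_SIZE];
} module_t;

typedef enum { REQ_RAM_DOWNLOAD, REQ_RUN_RESIDENT_DE, REQ_WRITE_PROG_MEM } request_t;
typedef enum { DENIED = 0, ALLOWED = 1 } verdict_t;

void module_init(module_t *m, const uint8_t *de, size_t de_len) {
    memset(m, 0, sizeof *m);
    m->rom_de = de;
    m->rom_de_len = de_len;
}
/* Gate external service-tool requests on the module's lifecycle state. */
verdict_t handle_request(module_t *m, request_t r) {
    bool event_written = m->eeprom[EVT_FLAG] != 0;
    bool mfg_done      = m->eeprom[MFG_DONE] != 0;
    switch (r) {
    case REQ_RAM_DOWNLOAD:          /* tool-supplied code into RAM: manufacture only */
        return mfg_done ? DENIED : ALLOWED;
    case REQ_RUN_RESIDENT_DE:       /* ROM -> RAM transfer of D&E: never after an event */
        if (event_written || m->rom_de_len > RAM_SIZE) return DENIED;
        memcpy(m->ram, m->rom_de, m->rom_de_len);
        return ALLOWED;
    case REQ_WRITE_PROG_MEM:        /* FPM/EEPROM alteration: never after an event */
        return event_written ? DENIED : ALLOWED;
    }
    return DENIED;
}

/* Store event data and latch the flag that locks the module thereafter. */
void record_event(module_t *m, const uint8_t *data, size_t n) {
    if (n > EEPROM_SIZE - EVT_DATA) n = EEPROM_SIZE - EVT_DATA;
    memcpy(&m->eeprom[EVT_DATA], data, n);
    m->eeprom[EVT_FLAG] = 1;
}
```

Once `record_event` latches the flag, both the ROM-to-RAM transfer of the Download and Execute routine and any programmable-memory write are refused, while a module that has not yet recorded an event still accepts authorized field programming.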