The software used in controllers and motor vehicles, for example, is becoming increasingly more complex because of constantly rising demands made on such software. This and the increasingly differentiated boundary conditions have led to a characterization of a wide variety of operating states of the software system.
It is problematic that some of these operating states are highly incompatible with one another. If program parts which are assigned to different operating states are stored at the same memory locations, inadvertent execution of a program part in the wrong operating state may lead to a condition that is critical to safety.
One example of this is the existence of an endless loop, which may be appropriate in anticipation of an external shutdown but should never be executed in the normal program sequence. During execution of such program parts, basic monitoring mechanisms such as a hardware or software watchdog are shut down or at least rendered ineffective.
It is no longer possible today to guarantee complete avoidance of the existence of such program structures. Therefore, these program parts must be protected virtually 100% against inadvertent execution.
Methods of preventing inadvertent alteration of memory contents, in particular the contents of flash EEPROM memories are widespread.
German Published Patent Application No. 196 16 053 describes a method of operating a controller having a programmable memory device. The memory device is programmed by successive execution of a plurality of memory programming control operations.
This should largely prevent in a simple manner interference-triggered, interference-influenced deletion and/or overwriting of data stored in the programmable memory device.
This is achieved by providing a check step which determines whether all the selected individual or several memory programming control operations to be carried out by then have been executed, and by a decision step in which a decision is made, taking account the result of the check, as to whether the programming operation is to be continued as intended with the execution of additional memory programming control operations.
It is, thus, possible to ascertain at any desired time whether the control operations to be carried out by then have in fact been carried out.
European Published Patent Application No. 923 081 describes methods of writing to and erasing a flash EEPROM.
In this method, a programming voltage or deletion voltage 35 corresponds to a read voltage. To differentiate the programming or erase voltage from the read voltage, the programming or deletion algorithms are to be processed in a specific sequence using specific addresses and specific data. The programming and deletion algorithms are shifted to a volatile memory allocated logically to the flash EEPROM.
This achieves an increased security of the memory information stored in this flash EEPROM with respect to accidental overwriting or deletion.
This prevents inadvertent overwriting or deletion of stored content caused by accidental exposure of the flash EEPROM to an electromagnetic discharge, programming errors, hardware defects and/or voltage pulses.
In addition, an embodiment is also described in which the address information and data information needed for processing the programming and deletion algorithms is made available only by an external programming device.
There are no known comparable methods of protecting any desired safety-critical program parts, however.