1. Field of the Invention
The present invention is directed to an apparatus and a method for improving data integrity using a ring buffer.
2. Description of the Prior Art
Read-write memories are utilized for non-volatile storage for improving the data integrity of memories, as is required for data processing and similar devices and, in particular, for postage meter machines. These memories have memory areas with a number of cells for datasets, which number is usually larger than the number of datasets to be stored.
A high dependability in the storage of datasets is required in the use of such memories in postage meter machines so that, for example, errors in the debiting of monetary data that could result in high secondary costs are avoided. As is known, such dependability is enhanced by a redundant storage of data (U.S. Pat. No. 4,675,841, U.S. Pat. No. 5,109,507, U.S. Pat. No. 5,021,963, and European Patent 0 19 515).
German PS 42 17 830 discloses a method for the operation of a data processing system, wherein the data processing system processes at least one critical control or program section in a program routine that initiates the writing of information into a first non-volatile memory. A second non-volatile memory for redundant storage of data and a third non-volatile memory for storing a status identifier are present in addition to the first non-volatile memory. Preceding an uncritical control section, that does not initiate any writing of information into the first or second non-volatile memory, a status identifier of zero is entered into the third non-volatile memory in order to identify the following control section as uncritical. A pointer counter is incremented to enter a status identifier deviating from zero in order to thus identify the beginning of the next critical control section that initiates the writing of information into the first non-volatile memory. The processing thereof is followed by another critical control section for redundant storage. The pointer counter is incremented to a corresponding status identifier in order to identify the beginning of the further critical control section that initiates the writing of information into the second non-volatile memory. After the processing thereof, the pointer counter is in turn set to the initial condition, i.e. the status identifier zero is set, and the program routine is ended. A determination can be made on the basis of the status identifier at every voltage return (following a voltage drop, as may occur occasionally) as to whether the processing of a critical control section was interrupted in order to complete the processing thereof, i.e., in order to implement the reconstruction of the old dataset.
Upon an abort of a roll-in event, for example due to fades in the power supply, memory errors can also arise in the status identifier for a critical control section. By redundantly storing the status identifier and assuming that the correct status identifiers are in the majority, a decision about which status identifier is the correct one can be made with a majority check. A determination as to whether the values belong to a valid value range is made in the plausibility check.
A high memory requirement (capacity) is thus needed in such a non-volatile read-write memory, without such capacity being available for more datasets to be stored. In rare instances, however, errors are also conceivable wherein the values belong to a valid value range and also represent the majority but nonetheless represent an invalid or incorrect status identifier. A conversion of the correct datasets into incorrect datasets would then ensue given return of the voltage. The division of a program into critical and uncritical areas, moreover is work-intensive and subject to error in view of program modifications that are often subsequently introduced. Additional preventative measures are required for interruptions that do not occur due to voltage outages. Disadvantageously, control sections must still be processed to completion after the return of the voltage, or upon re-activation.
On the other hand, the aforementioned problem does not even arise when the debiting operations just implemented are reliably terminated (German PS 24 38 055). An error during storage is thus avoided from the very outset, so that the problem is not even allowed to arise. This approach, however, requires means for the recognition of an impending voltage outage and for ending an operation. Expensive hardware that only reacts to a voltage outage is utilized therefor.
Another known method employs means for recognizing a destroyed or disturbed dataset (European Application 0 615 211) and another recognizes a destroyed memory cell (European Patent 0 226 205). This demands a relatively high memory requirement in the program memory for the error recognition and correction routines, or for re-addressing the memory cells of the non-volatile memory.