Title:
CONSUMPTION METER WITH ONE PROCESSOR HANDLING LEGAL AND NON-LEGAL CODE
Document Type and Number:
WIPO Patent Application WO/2010/054663
Kind Code:
A2
Abstract:
A consumption meter, e.g. for charging purposes, arranged to measure a consumed quantity (Q) of a physical entity. The meter has a measurement circuit (MC), a memory (M), a memory management unit (MMU) for handling access to areas of the memory (M) according to respective access rights assigned to different tasks, and a processor (P). The processor (P) can access the memory (M) through the memory management unit (MMU), and execute executable code (T1, OS) stored in the memory (M). The processor (P) can execute a vital meter calculation task (T1) with a first access right (PL3) assigned thereto which results in storing a calculated consumed quantity (Q) in a first memory area. Finally, the processor (P) can execute an operating system (OS) which can temporally limit execution of executable code other than the calculation task code (T1). This architecture of a consumption meter allows one single processor (P) to be used for handling legal and non-legal tasks, and the memory management unit (MMU) serves to ensure that no data used by a legal task can be destroyed by a non-legal task. Further, since the operating system (OS) can handle possible temporal conflicts between non-legal and legal tasks, it will be possible to change executable program code for non-legal tasks without the requirement of a renewed authority approval of the meter.

Inventors:
RAUNDAHL KENNETH HEINE (DK)
Application Number:
PCT/DK2009/050299
Publication Date:
May 20, 2010
Filing Date:
November 13, 2009
Assignee:
KAMSTRUP AS (DK)
RAUNDAHL KENNETH HEINE (DK)
International Classes:
G01D4/00; G06F12/12
Foreign References:
US20020194527A1 2002-12-19
US5559992A 1996-09-24
US4701698A 1987-10-20
US5767790A 1998-06-16
US7068545B1 2006-06-27
Other References:
S. BAKHKHAT: "Embedded systems safety using a Memory Protection Unit" EMBEDDED CONTROL EUROPE, September 2008 (2008-09), XP002535136 http://www.embedded-control-europe.com/c_e ce_knowhow/261/ecesep08p24.pdf
AKRAM KHAN ET AL: "Efficient Memory-Protected Integration of Add-On Software Subsystems in Small Embedded Automotive Applications" IEEE TRANSACTIONS ON INDUSTRIAL INFORMATICS, IEEE SERVICE CENTER, NEW YORK, NY, US, vol. 3, no. 1, 1 February 2007 (2007-02-01), pages 44-50, XP011163785 ISSN: 1551-3203
Rune Prytz Anderson and Per Skarin: "Memory Protection in a Real-Time Operating System" Master Thesis, [Online] November 2004 (2004-11), pages 1-79, XP002578082 Lund, Sweden ISSN: 0280-5316 Department of Automatic Control, Lund Institute of Technology, Retrieved from the Internet: URL:http://www.snart.org/docs/exjobb2005_andersson_o_skarin.pdf> cited in the application
Attorney, Agent or Firm:
PLOUGMANN & VINGTOFT A/S (P.O. Box 831, Copenhagen Ø, DK)
Claims:

1. A consumption meter arranged to measure a consumed quantity (Q) of a physical entity, the meter including

- a measurement circuit (MC) arranged to perform a physical measurement on the physical entity and to generate data according thereto,

- a memory (M),

- a memory management unit (MMU) arranged to handle access to areas of the memory (M) according to respective access rights assigned to different tasks stored as executable code in the memory (M), and

- a processor (P) arranged to access the memory (M) through the memory management unit (MMU), and to execute executable code (T1, OS) stored in the memory (M), the processor (P) being arranged

- to execute a calculation task code (T1) with a first access right (PL3) assigned thereto, wherein the calculation task includes receiving data from the measurement circuit (MC), to accordingly calculate data representing the consumed quantity (Q), and to store the data representing the consumed quantity (Q) in a first memory area, and

- to execute an operating system code (OS) arranged to temporally limit execution of executable code other than the calculation task code (T1), wherein the Operating System (OS) is arranged to assign respective priority levels to all different tasks defined in the meter, wherein the Operating System (OS) is arranged to allocate processor time to the different tasks according to their priority levels, and wherein legal tasks have assigned higher priority levels than non-legal tasks, so as to ensure proper operation of the legal tasks.

2. Consumption meter according to claim 1, wherein the processor is arranged to perform at least one additional task (T2) with a second access right (PL2) assigned thereto, such as a task of communicating the data representing the consumed quantity (Q), wherein the at least one additional task (T2) is arranged to store data in a second memory area, wherein the second access right (PL2) includes assigning of a read-only access for the additional task (T2) to the first memory area.

3. Consumption meter according to claim 1 or 2, wherein the Operating System (OS) is arranged to pre-empt non-legal tasks, so as to ensure proper operation of the legal tasks.

4. Consumption meter according to any of the preceding claims, wherein the respective access rights assigned to different tasks stored as executable code in the memory (M) includes definition of access of the tasks to: read, write, and execute code.

5. Consumption meter according to any of the preceding claims, wherein access rights are assigned to the different tasks in the form of different privilege levels defining a set of access rights.

6. Consumption meter according to any of the preceding claims, wherein the operating system (OS) has access to a memory area to which all other tasks have assigned a read-only access.

7. Consumption meter according to any of the preceding claims, wherein executable code associated with a task of handling download of executable code into the consumption meter is stored in a memory area to which all other tasks have assigned a non-accessible access, so as to ensure that only the Operating System (OS) can initiate execution of the task of handling download of executable code into the consumption meter.

8. Consumption meter according to any of the preceding claims, wherein the memory management unit (MMU) is arranged to detect a task attempting to access a memory area to which it does not have access according to its access right, and to inform the operating system (OS) accordingly.

9. Consumption meter according to claim 8, wherein the operating system (OS) is arranged to pre-empt or stop execution of the task attempting to access the memory area to which it does not have access according to its access right.

10. Consumption meter according to any of the preceding claims, wherein the consumption meter is one of: an electricity meter, a heat meter, a cooling meter, a flow meter, a water meter, and a gas meter.

11. A method for controlling a consumption meter arranged to measure a consumed quantity, the method including

- assigning of access rights to different tasks stored as executable code in a memory,

- performing a verification of an access right for a task before allowing the task to access an area of the memory,

- performing a calculation task with a first access right assigned thereto, the calculation task including

- receiving data from a measurement circuit,

- calculating data representing a consumed quantity,

- storing the data representing the consumed quantity in a first memory area, and

- temporally limiting a task other than the calculation task, upon action of an Operating System, wherein the Operating System is arranged to assign respective priority levels to all different tasks defined in the meter, wherein the Operating System is arranged to allocate processor time to the different tasks according to their priority levels, and wherein legal tasks have assigned higher priority levels than non-legal tasks, so as to ensure proper operation of the legal tasks.

Description:
CONSUMPTION METER WITH ONE PROCESSOR HANDLING LEGAL AND NON-LEGAL CODE

Field of the invention

The invention relates to the field of consumption meters, such as electric meters, heat meters, cooling meters, water meters, and gas meters. Especially, the invention defines a consumption meter which can handle legal and non-legal software by means of a single processor.

Background of the invention

Consumption meters for charging purposes are subjected to strong legal requirements regarding their function, to ensure that the basic meter function works in a well-defined manner. A consumption meter must be approved by the authorities in order to be legally cleared for charging purposes. Modern consumption meters have all of or at least most of their functions determined by software. This software includes code with algorithms defining the basic meter calculation algorithms, i.e. a legal software part, as well as procedures defining other less crucial functionalities of the meter not influencing the accuracy of the meter calculations, i.e. a non-legal software part. Often, it is desirable to change functionalities of an already approved consumption meter by means of updated software. Such a change requires that the meter is approved once again by the authorities, even though the updated software does not involve any changes of the basic meter calculation algorithm. This is problematic, since it is difficult, expensive, and time consuming to provide consumption meters with specific customer-designed functionalities, even though such functionalities are merely in the form of updated software without any effect on the meter accuracy.

One way to solve the above problem is to produce a consumption meter with two separate processors, each running its own separate software stored in separate memories. One processor can then run the legal software and thus execute the basic meter calculation algorithms determining the accuracy of the meter. The other processor can then run non-legal software determining auxiliary functionalities not affecting the vital meter function. Hereby, it is possible to change only the non-legal software when changes in these functions are desired, and this will not require a new approval of the meter, since the legal software and its processing remain unchanged. However, this solution is expensive to manufacture, and two processors require significantly more power than one, which is a crucial parameter in battery powered meters.

Summary of the invention

Thus, according to the above explanation, it is an object of the present invention to provide a consumption meter which can handle legal and non-legal software with a single processor and at the same time provide enough separation of the execution of legal and non-legal tasks, such that it is possible to change non-legal software without requiring a new approval from the authorities.

According to a first aspect, the invention provides a consumption meter arranged to measure a consumed quantity of a physical entity, the meter including

- a measurement circuit arranged to perform a physical measurement on the physical entity and to generate data according thereto,

- a memory,

- a memory management unit arranged to handle access to areas of the memory according to respective access rights assigned to different tasks stored as executable code in the memory, and

- a processor arranged to access the memory through the memory management unit, and to execute executable code stored in the memory, the processor (P) being arranged

- to execute a calculation task code with a first access right assigned thereto, wherein the calculation task includes receiving data from the measurement circuit, to accordingly calculate data representing the consumed quantity, and to store the data representing the consumed quantity in a first memory area, and

- to execute an operating system code arranged to temporally limit execution of executable code other than the calculation task code.

By 'access right' is understood definition of rights related to protection of memory regions. The protection is implemented with rules that are based on the type of transaction (read, write or execute) and the right for an executable code to perform the transaction in a specific memory area. Different execution threads can have different access rights that grant access to resources such as memory regions, I/O ports, and other peripherals. Preferably, the respective access rights assigned to different tasks stored as executable code in the memory includes definition of access of the tasks to: read, write, and execute code. Access rights may be assigned to the different tasks in the form of different privilege levels defining a set of access rights.

By assigning different access rights to different tasks, it is possible to ensure that the crucial meter calculation task and its associated data are not affected by tasks which are not supposed to be involved in the calculation task. Further, by the operating system serving to limit the time available for execution of task code other than the crucial calculation task, it can be ensured that the processor will have sufficient processing time to perform the calculation task, and thus maintain the crucial meter function, even though e.g. an error occurs in another task causing the processor to be trapped in an infinite loop. Altogether, since both memory space and temporal execution are controlled in the consumption meter, it is possible to ensure that the processing of non-legal software does not affect processing of legal software, even though all software is processed by one single processor. Hereby, non-legal software can be changed without affecting the execution of the legal software parts, and thus such meter has the potential that non-legal software can be changed without requiring a renewed authority approval.

In preferred embodiments, the processor is arranged to perform at least one additional task with a second access right assigned thereto, such as a task of communicating the data representing the consumed quantity, wherein the at least one additional task is arranged to store data in a second memory area, wherein the second access right is more restricted than the first access right. Hereby, it is possible to ensure that the additional task has a limited memory access compared to the crucial calculation task. Especially, the second access right may include assigning of read-only access for the additional task to the first memory area. Hereby, it will be possible for the additional task to read the consumed quantity value stored by the calculation task in the first memory area, but it will not be allowed for the additional task to write in the first memory area, and thus it is not possible for the additional task to destroy the quantity value stored by the calculation task.

The Operating System is preferably arranged to assign respective priority levels to all different tasks defined in the meter, and wherein the Operating System (OS) is arranged to allocate processor time to the different tasks according to their priority levels. Thus, the Operating System can allocate processor time in a prioritized way, such that a task with a high priority level is executed before a task with a lower priority level in case both tasks request processor time simultaneously. Especially, legal tasks may be assigned higher priority levels than non-legal tasks, so as to ensure proper operation of the legal tasks. Further, the Operating System may be arranged to pre-empt non-legal tasks, so as to ensure proper operation of the legal tasks.

In preferred embodiments, a legal task has access rights assigned thereto which are less restrictive than access rights assigned to a non-legal task. Especially, non-legal tasks may have read-only access to all memory areas used by legal tasks. Such memory access right assignment provides security against non-legal tasks overwriting memory areas used by legal tasks, and thus it becomes possible to eliminate memory conflicts between legal and non-legal software.

The operating system may have access to a memory area to which all other tasks have been assigned a read-only access, thereby serving special protection of a dedicated area of the memory for use by the operating system, thereby ensuring that no other tasks can destroy data used by the operating system.

Executable code associated with a task of handling download of executable code into the consumption meter may be stored in a memory area to which all other tasks have been assigned a non-accessible access. Of course the Operating System can initiate execution of such downloading task, but assignment of non-access for other tasks ensures that the code controlling handling of software download is not destroyed by other tasks.

Preferably, the operating system is arranged to limit tasks other than the calculation task by allocating processor time to all tasks defined in the meter. Especially, the operating system may be arranged to allocate processor time to legal tasks according to a predefined timing scheme, so as to ensure proper operation of the legal tasks. The operating system is preferably arranged to preempt or stop execution of non-legal tasks in order to allocate processor time to the legal tasks according to the predefined timing scheme. Thus, a task that would otherwise cause the processor to run in an infinite loop will be stopped by the operating system.

The memory management unit is preferably arranged to detect a task attempting to access a memory area to which it does not have access right, and to inform the Operating System accordingly. The Operating System can then be designed to act accordingly, e.g. by pre-empting or stopping the task attempting to access the memory area to which it does not have access, and/or logging the event in an error log, and/or transmitting an error alarm from the consumption meter etc.

The memory may in general be one single physical component or distributed between a plurality of separate memory chips. The processor may be a suitable processor for a consumption meter, such as known by the person skilled in the art. The memory management unit can be implemented by use of knowledge by persons skilled within data processing, and commercially available products exist for connection between the processor and memory. For further reference, WO 2006/072756 A1 describes a data processing apparatus with a memory protection unit. Further, the thesis "Memory Protection in a Real-Time Operating System" by R. P. Anderson and P. Skarin, Department of Automatic Control, Lund Institute of Technology, November 2004, describes related information.

The consumption meter may be one of: an electricity meter, a heat meter, a cooling meter, a flow meter, a water meter, and a gas meter.

In a second aspect, the invention provides a method for controlling a consumption meter arranged to measure a consumed quantity, the method including

- assigning of access rights to different tasks stored as executable code in a memory,

- performing a verification of access right for a task before allowing the task to access an area of the memory,

- performing a calculation task with a first access right assigned thereto, the calculation task including

- receiving data from a measurement circuit,

- calculating data representing a consumed quantity,

- storing the data representing the consumed quantity in a first memory area, and

- temporally limiting execution of a task other than the calculation task, upon action of an Operating System.

It is appreciated that any advantage mentioned for the first aspect applies as well for the second aspect. Further, any sub aspect mentioned in connection with the first aspect may in any way be combined with the second aspect.

Brief description of drawings

In the following, the invention will be described in more details by referring to embodiments illustrated in the accompanying drawings, of which

Fig. 1 illustrates a consumption meter embodiment, and

Fig. 2 illustrates an example of a memory map with data and executable code address spaces and privilege levels assigned to different tasks.

Detailed description of the invention

Fig. 1 illustrates a consumption meter (indicated with the dashed line) with a measurement circuit MC connected to sense a consumed amount of a physical entity, e.g. electric energy supplied by an electric power line. Measurement data from the measurement circuit MC is applied to a processor P which performs a calculation task T1 on these data, i.e. the processor P executes program code representing a calculation algorithm. The executable code associated with the calculation task T1 is stored in a memory M, as well as executable code representing an operating system OS. Further, other areas of the memory M are used by the calculation task T1 to store intermediate calculation data. The resulting calculated consumed quantity Q is preferably stored in a memory location to which only the calculation task T1 has write access, thus protecting the resulting data Q from violation by other tasks. Certain tasks may need to have access to read the consumed quantity data Q memory location, e.g. tasks serving to display the consumed quantity value Q on a display, or tasks serving to apply the consumed quantity value Q to a wireless RF transmitter RFT capable of transmitting an RF signal with the consumed quantity value Q represented therein.

As seen in Fig. 1, the processor P accesses the memory M through a memory management unit MMU, e.g. implemented as a separate chip connected between the processor P chip and one or more memory M chips. The memory management unit MMU serves to manage all memory access, i.e. read execute code and read/write data. The memory management unit MMU can be set up such that different tasks T1, OS have assigned certain access rights, e.g. in the form of privilege levels defining a set of access rights for each task. One privilege level includes a set of memory access rights, i.e. specific memory areas where the task has defined one or more of read/write/execute access rights. Thus, when the processor P executes one line of executable code of a task requesting right to write data in a specific location in memory M, the memory management unit MMU checks if the task has write access right to the location in memory M. If not, the memory management unit MMU informs the operating system OS that can act accordingly, e.g. stop further execution of the task. In essence, the memory management unit MMU serves to protect specific memory M areas. Thereby, the memory management unit MMU can effectively separate possible influence by a non-legal task on data or executable code belonging to a legal task. Specific examples of assigning of privilege levels and access rights to certain address areas of the memory M will be given in the following.
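The access check and the report to the operating system described above can be modelled in a few lines of C. This is an added sketch, not part of the patent application: the region names, addresses, sizes and the communication task are constructed for illustration, and the rights follow the summary (read-only access for other tasks to the quantity Q and to the OS data, no access to the download handler code).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ACC_R = 1, ACC_W = 2, ACC_X = 4, ACC_ALL = 7 };  /* transaction types */
enum level { PL1, PL2, PL3, PL_COUNT };                 /* privilege levels  */
enum task_id { TASK_OS, TASK_CALC, TASK_COMM, TASK_COUNT };
enum state { RUNNABLE, STOPPED };

struct region {
    const char *name;
    uint32_t base, size;
    uint8_t rights[PL_COUNT];  /* permitted transactions per privilege level */
};

struct task {
    const char *name;
    enum level pl;
    enum state st;
    unsigned faults;
};

/* Constructed memory map: names, addresses and sizes are assumptions. */
static const struct region map[] = {
    /* name            base    size      PL1 (OS)  PL2 (comm)     PL3 (calc)    */
    { "os_data",       0x0000, 0x0400, { ACC_ALL, ACC_R,         ACC_R         } },
    { "download_code", 0x0400, 0x0400, { ACC_ALL, 0,             0             } },
    { "quantity_Q",    0x0800, 0x0100, { ACC_ALL, ACC_R,         ACC_R | ACC_W } },
    { "calc_code",     0x0900, 0x0300, { ACC_ALL, ACC_R,         ACC_R | ACC_X } },
    { "comm_data",     0x0C00, 0x0200, { ACC_ALL, ACC_R | ACC_W, 0             } },
    { "comm_code",     0x0E00, 0x0200, { ACC_ALL, ACC_R | ACC_X, 0             } },
    { "shared_data",   0x1000, 0x0100, { ACC_ALL, ACC_R | ACC_W, ACC_R | ACC_W } },
};

static struct task tasks[TASK_COUNT] = {
    [TASK_OS]   = { "OS",   PL1, RUNNABLE, 0 },
    [TASK_CALC] = { "calc", PL3, RUNNABLE, 0 },  /* legal calculation task  */
    [TASK_COMM] = { "comm", PL2, RUNNABLE, 0 },  /* non-legal additional task */
};

static const struct region *find_region(uint32_t addr) {
    for (size_t i = 0; i < sizeof map / sizeof map[0]; i++)
        if (addr >= map[i].base && addr - map[i].base < map[i].size)
            return &map[i];
    return NULL;  /* unmapped address */
}

/* MMU side: 1 if every requested transaction bit is granted, else 0.
   Unmapped addresses are denied by default. */
int mmu_check(enum task_id t, uint32_t addr, uint8_t acc) {
    const struct region *r = find_region(addr);
    return r != NULL && (r->rights[tasks[t].pl] & acc) == acc;
}

/* OS side: the MMU reported a violation; log it and stop the task. */
static void os_on_violation(enum task_id t, uint32_t addr, uint8_t acc) {
    tasks[t].faults++;
    tasks[t].st = STOPPED;
    printf("violation: task=%s addr=0x%04x access=%u -> stopped\n",
           tasks[t].name, (unsigned)addr, (unsigned)acc);
}

/* One memory transaction issued by a task, mediated by the MMU. */
int task_access(enum task_id t, uint32_t addr, uint8_t acc) {
    if (tasks[t].st == STOPPED)
        return 0;                 /* stopped tasks get no processor time */
    if (mmu_check(t, addr, acc))
        return 1;
    os_on_violation(t, addr, acc);
    return 0;
}

int main(void) {
    printf("calc writes Q: %d\n", task_access(TASK_CALC, 0x0800, ACC_W));
    printf("comm reads Q:  %d\n", task_access(TASK_COMM, 0x0800, ACC_R));
    printf("comm writes Q: %d\n", task_access(TASK_COMM, 0x0800, ACC_W));
    printf("calc still runnable: %d\n", tasks[TASK_CALC].st == RUNNABLE);
    return 0;
}
```

Because the check is default-deny and keyed on the privilege level rather than the task's code, replacing the code of the non-legal task leaves the protection of Q unchanged as long as the same level is assigned to it.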

Apart from ensuring that legal tasks are protected from memory M violation by non-legal tasks, proper execution of the vital meter tasks, e.g. the calculation task T1 and the operating system OS, requires that a non-legal task does not temporally occupy the processor P such that the vital legal tasks T1, OS cannot be executed properly by the processor P. This is handled by the operating system OS, which is capable of temporally limiting execution of a task. E.g. the operating system OS may include a timing scheme for all tasks defined in the meter, e.g. time slots assigned for each task. In such a timing scheme it can then be ensured that proper time is reserved for execution of the vital tasks T1, OS. The operating system OS is then preferably designed to temporally limit a task by stopping execution of the task if the task exceeds the time reserved for the task in the timing scheme. This protects against a task accidentally running into an infinite loop, which would cause the processor P to cease handling the vital calculation task T1, thereby causing malfunction of the meter.
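The temporal side can be illustrated with a tick-based simulation, added here as a sketch that is not part of the patent application. The three tasks, their priorities, periods and budgets are constructed values; the display task models a non-legal task stuck in an infinite loop, and `simulate` can be run with and without enforcement of the reserved time.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

enum { CALC, COMM, DISP, NTASKS };
#define RUNAWAY UINT_MAX  /* demand of a task stuck in an infinite loop */

struct task {
    const char *name;
    int legal;         /* 1 = legal task; only non-legal tasks are limited */
    int prio;          /* higher value = higher priority */
    unsigned period;   /* a new job is released every `period` ticks */
    unsigned demand;   /* ticks of processor time one job needs */
    unsigned budget;   /* ticks reserved per period in the timing scheme */
    unsigned remaining, used, jobs_done;
    int stopped;
};

struct result { unsigned jobs[NTASKS]; int stopped[NTASKS]; };

/* Highest-priority task that is ready to run, or NULL if the CPU is idle. */
static struct task *pick(struct task *t) {
    struct task *best = NULL;
    for (size_t i = 0; i < NTASKS; i++)
        if (!t[i].stopped && t[i].remaining > 0 &&
            (best == NULL || t[i].prio > best->prio))
            best = &t[i];
    return best;
}

/* Run the scheduler for `ticks` ticks; all task parameters are constructed. */
struct result simulate(unsigned ticks, int enforce_budget) {
    struct task t[NTASKS] = {
        [CALC] = { "calc",    1, 3, 10, 2,       3, 0, 0, 0, 0 },
        [COMM] = { "comm",    0, 1, 10, 3,       4, 0, 0, 0, 0 },
        [DISP] = { "display", 0, 2, 10, RUNAWAY, 2, 0, 0, 0, 0 },
    };
    for (unsigned now = 0; now < ticks; now++) {
        /* Release a new job for every task whose period starts now. */
        for (size_t i = 0; i < NTASKS; i++)
            if (now % t[i].period == 0) {
                t[i].remaining = t[i].demand;
                t[i].used = 0;
            }
        /* Priority decides who runs; a non-legal task that has used up
           its reserved time without finishing is stopped by the OS. */
        struct task *run = pick(t);
        while (run && enforce_budget && !run->legal &&
               run->used >= run->budget) {
            run->stopped = 1;
            run = pick(t);
        }
        if (run == NULL)
            continue;  /* idle tick */
        run->used++;
        if (run->demand != RUNAWAY && --run->remaining == 0)
            run->jobs_done++;
    }
    struct result r;
    for (size_t i = 0; i < NTASKS; i++) {
        r.jobs[i] = t[i].jobs_done;
        r.stopped[i] = t[i].stopped;
    }
    return r;
}

int main(void) {
    for (int enforce = 0; enforce <= 1; enforce++) {
        struct result r = simulate(50, enforce);
        printf("budget enforcement=%d: calc jobs=%u comm jobs=%u display stopped=%d\n",
               enforce, r.jobs[CALC], r.jobs[COMM], r.stopped[DISP]);
    }
    return 0;
}
```

Priority alone keeps the legal calculation task on schedule in both runs; stopping the task that exceeds its reserved time additionally returns the processor to the remaining non-legal task.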

Fig. 2 illustrates an example of a memory M map for a consumption meter with, for simplicity, only three tasks: an additional or auxiliary non-legal task T1, a vital meter calculation task T2 (i.e. a legal task), and an operating system (i.e. also a legal task). The memory M is split into areas: a shared data area SHD which can be accessed by all tasks T1, T2, OS, a private data area PD for data used by each single task T1, T2, OS, and an executable code area EC with executable code for each single task T1, T2, OS.

To the right in Fig. 2, different privilege levels PL1, PL2, PL3 assigned to the respective task OS, T2, T3 are illustrated with respect to their access rights to the different areas of the memory M. Bars are used to indicate the area of the memory M which the privilege level PL1, PL2, PL3 represents access right to. Thus, it is seen that the operating system OS with the highest privilege level PL1 is allowed full access right to all areas of the memory M. Further, all tasks T1, T2, OS have access right to the shared data memory area SHD irrespective of their privilege levels PL1, PL2, PL3. Apart from the shared data area SHD, task T2 with privilege level PL2 only has access right to its own private data and executable code memory areas. The same applies for task T1 which has privilege level PL3. Thus, with this memory access right assignment, it can be ensured that none of the tasks T1, T2 can destroy crucial data used by other tasks OS, T2, T1. Thus, a legal calculation task T2 will not be affected with respect to memory conflict by replacement of the executable code for task T1, provided that the same privilege level PL2 is assigned to the new executable code for task T1. Hereby, legal and non-legal code can be handled even sharing the same physical memory M without interference.

Fig. 3 illustrates the virtual memory map taking into account the access rights assigned to task T1 and task T2 following the example from Fig. 2. The sketch to the left illustrates the memory M as "seen" from task T1, whereas the sketch to the right illustrates the memory M as "seen" from task T2. Apart from the shared data area SHD, the tasks will not operate at overlapping memory addresses, and thus these tasks T1, T2 can operate safely without memory conflicts even though they both access the same physical memory M chip. The memory management unit MMU as shown in Fig. 1 serves to check that the assignment rights associated with the respective privilege levels PL1, PL2, PL3 are obeyed. The memory management unit MMU will inform the operating system OS, in case not.

To sum up, the invention provides a consumption meter, e.g. for charging purposes, arranged to measure a consumed quantity Q of a physical entity. The meter has a measurement circuit MC, a memory M, a memory management unit MMU for handling access to areas of the memory M according to respective access rights assigned to different tasks, and a processor P. The processor P can access the memory M through the memory management unit MMU, and execute executable code T1, OS stored in the memory M. The processor P can execute a vital meter calculation task T1 with a first access right PL3 assigned thereto which results in storing a calculated consumed quantity Q in a first memory area. Finally, the processor P can execute an operating system OS which can temporally limit execution of executable code other than the calculation task code T1. This architecture of a consumption meter allows one single processor P to be used for handling legal and non-legal tasks, and the memory management unit MMU serves to ensure that no data used by a legal task can be destroyed by a non-legal task. Further, since the operating system OS can handle possible temporal conflicts between non-legal and legal tasks, it will be possible to change executable program code for non-legal tasks without the requirement of a renewed authority approval of the meter.

Although the present invention has been described in connection with the specified embodiments, it is not intended to be limited to the specific form set forth herein. Rather, the scope of the present invention is limited only by the accompanying claims. In the claims, the term "comprising" or "including" does not exclude the presence of other elements. Additionally, although individual features may be included in different claims, these may possibly be advantageously combined, and the inclusion in different claims does not imply that a combination of features is not feasible and/or advantageous. In addition, singular references do not exclude a plurality. Thus, references to "a", "an", "first", "second" etc. do not preclude a plurality. Furthermore, reference signs in the claims shall not be construed as limiting the scope.