14-15 November 2018
|European Case Law Identifier:||ECLI:EP:BA:2015:T185312.20150917|
|Date of decision:||17 September 2015|
|Case number:||T 1853/12|
|IPC class:||G06F 21/00|
|Language of proceedings:||EN|
|Download and more information:||
|Title of application:||PROTECTION SYSTEM AND METHOD OF OPERATION THEREIN|
|Applicant name:||Freescale Semiconductor, Inc.|
|Relevant legal provisions:||
|Keywords:||Novelty - (yes)
Remittal to the department of first instance - (yes)
Summary of Facts and Submissions
I. The appeal lies against the decision of the examining division to refuse the European patent application no. 06701214.6 for lack of novelty over document
D1: US 2003/200451 A1.
Prior to this decision, the examining division issued a communication under Rule 71(3) EPC announcing its intention to grant a patent based on a text which the applicant subsequently disapproved in its letter of 22 March 2012.
II. Notice of appeal was filed on 6 June 2012 together with sets of claims according to a main and 1st to 5th auxiliary requests. The appeal fee was paid on the same day, and a statement of grounds of appeal was received on 1 August 2012. The claims according to the 3rd auxiliary request corresponded to the claims on the basis of which the examining division had intended to grant a patent. The appellant requested that the decision under appeal be set aside and that a patent be granted based on one of the sets of claims filed with the grounds of appeal. The appellant, in its reasons why the claimed invention differed from D1, referred to three documents which D1 (paragraph 1) states are incorporated by reference in their entirety. The appellant referred to these documents as D1A to D1C and took the position that documents D1 and D1A to D1C in combination "constitute[d] a single publication, and that, even if considered as separate publications, D1 should be read in the context of D1A-D1C".
III. In an annex to a summons to oral proceedings the board informed the appellant of its preliminary opinion that D1A to D1C did not form, in combination with D1, a "single publication" and did not affect the interpretation of D1. The board tended to agree that the claims were novel over D1, Article 54 EPC 1973, but also to consider that claim 1 of the main request and the 1st to 3rd and 5th auxiliary requests lacked an inventive step over D1, Article 56 EPC 1973. The board further noted that claim 1 of the 4th auxiliary request - prima facie and in view of the fact that the appellant had not provided any specific arguments on inventive step - appeared to lack an inventive step over D1, and expressed doubts as to whether its subject matter had specifically been searched and suggested that it might have to remit the case on this basis to the examining division for further prosecution and to assess the need for an additional search.
IV. In response to the summons the appellant filed neither amendments nor arguments.
V. Oral proceedings took place on 17 September 2015 as scheduled. During the oral proceedings, the appellant withdrew its main and 1st to 3rd and 5th auxiliary requests and requested the grant of a patent based on claims 1-10 filed with the grounds of appeal as the 4th auxiliary request. The further application documents on file are:
1-3, 5-13 as published
4, 4a, 14 received on 8 November 2011
1/2-2/2 as published.
VI. Claim 1, the only independent claim of said "4th auxiliary request", reads as follows:
"A system on a chip (200), SoC, comprising one or more slave devices (275, 280, 285, 290, 295) of a first communication bus operably coupled to a plurality of master devices (205, 240, 250, 265) of the first communication bus, characterised in that
the SoC comprises a central protection function (270) operably coupled to the first communication bus (235) and configured to control data flow between the one or more slave devices (275, 280, 285, 290, 295) and the plurality of master devices (205, 240, 250, 265) via the communication bus (235),
the central protection function being arranged to ensure that no bus data transfers are initiated on the SoC without passing the central protection function and to process and verify each data transfer initiated by a master device (205, 240, 250, 265) according to protection settings assigned to the central protection function (270);
the plurality of master devices (205, 240, 250, 265) comprises an external bus interface and said central memory protection function is arranged to prohibit access to the slave elements via the external bus interface."
VII. At the end of the oral proceedings, the chairman announced the decision of the board.
Reasons for the Decision
1. The invention relates to a microprocessor architecture for the protection of slave devices, and in particular to centralised memory protection for systems on a chip.
1.1 The application describes (see page 2, 2nd and 3rd paragraphs) how systems with several bus master devices and several slave devices need to provide a mechanism for the masters to agree which one obtains ownership of a desired resource (i.e. slave). More specifically, it is disclosed that "the typical microprocessor architecture [...] provides protection to memory devices and peripherals using" so-called "memory protection units (MPUs)" or "memory management units (MMUs)". These are located in the processor main core and can only "protect accesses from one master device to multiple slave devices" (page 2, last paragraph - page 3, 2nd paragraph). The application does not describe in detail the kind of protection provided by MPUs or MMUs. The application also states that slave devices may have individual protection units (see e.g. page 3, lines 14-15).
1.2 It is disclosed that conventional microprocessor architectures only protect memory and peripherals from "erroneous accesses" by the main CPU core (page 4, 3rd paragraph) with the consequence that many such accesses are "unprotected". Furthermore, the memory protection mechanisms provided for individual bus masters (or slaves) separately may be inconsistent with each other (page 3, 3rd and 4th paragraphs). The invention thus seeks to provide a mechanism "for fully controlled and protected memory access for system-on-chip (SoC) devices, to encompass all potential master devices and all memory destinations" (page 4, last paragraph).
1.3 In contrast to the prior art depicted in figure 1 of the application, the invention contains a "Central Memory Protection (CMP)" between the bus masters and the bus to which several slaves are connected (see the embodiment depicted in figure 2). The CMP checks all accesses initiated by a master device against the settings in the CMP and allows the access or, otherwise, sets an error or warning flag or raises an interrupt or bus transfer abort (page 7, 2nd paragraph). The CMP is said to be "central" in that it is "designed to ensure that no bus data transfers are initiated on the SoC without passing through the central memory protection function", and that this "ensures full observability of all bus data transfers within the protection system" (page 6, 2nd paragraph). In particular, it is disclosed that "all accesses to the slave elements [...] are checked" and that "the CMP function 270 is arranged such that all memory map accesses ('read' and/or 'write' operations) are under its full control" (page 10, 1st paragraph).
Article 123(2) EPC
2. Present claim 1 is based on claims 1, 7 and 10 as originally filed in combination with the description on page 6, lines 16-19, and page 9, lines 22-26, and figure 2. The board is thus satisfied that the requirements of Article 123(2) EPC are complied with.
Clarity, Article 84 EPC 1973, and claim construction
3. The board is also satisfied that claim 1 is clear, Article 84 EPC 1973. However, several of the terms require interpretation, as set out below.
3.1 Claim 1 refers to a system on a chip (SoC) "comprising" several slave and master devices and a central protection function (henceforth CPF) "configured to control data flow between" them. Since the term "comprising" is conventionally construed as non-exhaustive, this leaves the possibility that there may be master and/or slave devices the data flow between which is not controlled by the CPF. However, the further feature in claim 1 that the CPF ensures "that no bus data transfers are initiated on the SoC without passing the central protection function" goes beyond this. In the board's judgment the skilled person would interpret claim 1 as requiring a CPF which "controls" the data flow between all master and slave devices on the SoC.
3.2 Claim 1 requires the CPF to "control data flow" and to "process and verify [...] data transfer[s]". The board takes the view that the skilled person would, in the context of claim 1, understand "process and verify" and "control" to be synonyms. During the oral proceedings the representative agreed with this interpretation. The board notes however, that claim 1 lacks any detail as to what specific control of the pertinent data flow the CFP is to exercise.
3.3 The "bus data transfers initiated on the SoC" controlled by the CPF are not detailed any further in claim 1. However, claim 1 specifies that the CFP is configured to "control data flow between [...] slave devices [...] and [...] master devices" which are "initiated by a master device". The skilled person would, in the board's view, understand claim 1 to refer to accesses by master devices to slave devices - as opposed to master-master communication which the appellant referred to during oral proceedings. The description exclusively refers to masters accessing slaves, in particular to processors accessing memory devices, and does not mention master-master communication. This was specifically confirmed by the representative during the oral proceedings.
Article 83 EPC 1973
4. The board is also satisfied that the invention as claimed is disclosed in a manner sufficiently clear and complete for it to be carried out by a person skilled in the art. This applies, in particular, to the last feature of claim 1, according to which an external bus interface is to be provided as a master device, all accesses to slave elements via this interface being prohibited by the CPF.
The prior art
5. D1 relates to a system on a chip and its accesses to external devices or memory components and, in particular, to "prevent[ing] unauthorized access to protected memory spaces" (see paragraphs 6 and 8).
5.1 D1 thus discloses an "access control function which resides between functional masters and slave devices" (paragraph 9). The access control component receives requests from the masters and determines whether to deny, grant or qualify access (the latter e.g. by imposing encryption to the access; see paragraphs 10 and 40). The proposed access control is said to reduce several security risks which exist in conventional architectures (see figures 1-3 and paragraph 33) including the risk of unintentional corruption of shared memory by several masters; see paragraph 37.
5.2 According to D1 (paragraph 39), figure 4 "illustrates one embodiment of a system [...] which includes an access control function [...] in accordance with an aspect of the present invention". In this embodiment, the access control is placed between the bus and the slaves, and apparently all accesses from all masters to all slaves are routed through the access control function.
5.3 Further according to D1, figure 9 "depict[s] [an] exemplary system employing an access control function as disclosed" in D1 (paragraph 54). In figure 9, the access control component is placed as a bridge element between two buses (920 and 950), thus acting as a slave of the first bus and a master of the second. In this embodiment, not all accesses are routed through the access control bridge; see, in particular, those between masters and slaves connected to the same single bus (see paragraph 55).
6. Figure 10 also depicts as an "exemplary system employing an access control function as disclosed" in D1 (paragraph 54) which is said to be "an extension of the embodiment of figure 4 in that slaves are explicitly shown as an external bus controller and a memory controller" (see paragraph 56).
Novelty, Article 54 EPC 1973
7. The board agrees with the appellant that D1 focuses on slaves external to the system chip (see, in particular, paragraphs 6-8) and thus does not disclose the slaves being part of a system on a chip as claimed. Already for this reason, the board concludes that the subject matter of claim 1 is new over D1.
8. The board however disagrees with the appellant that this difference makes D1 an "accidental anticipation not relevant for inventive step" (see grounds of appeal, page 10, 1st paragraph). Specifically, the board considers that the risk of data corruption in (slave) memory devices caused by memory sharing is, in principle, independent of whether the memory devices are integrated on a single system chip or are external to it. As a consequence, the functionality provided by the access control of D1 for "external" slaves is also useful for and applicable to "internal" slaves.
Interpretation of D1
9. The access control according to D1 is not "central" to the system chip according D1, since it does not comprise the external slaves (see grounds of appeal, point 3.2.1, especially the paragraph bridging pages 5 and 6). This difference has already been established above. However, the board considers that the "access control" of D1 is central to the integrated system as a whole by virtue of its placement between all masters and slaves depicted in figure 4 and a plurality of masters and slaves depicted in figures 9 and 10, i.e. "central" with respect to the pertinent master and slave devices. The board disagrees with the appellant that the term "central" as such must be read in a more limited way.
10. The board also considers that the control exercised by the access control function according to D1 (see, in particular, paras. 37, 38 and 56) falls within the meaning of the claimed central protection function. During the oral proceedings the appellant's representative specifically agreed with the board on this point.
11. Moreover, the board agrees with the examining division that figure 4 of D1 discloses the control of the entire data flow between all master and slave devices on a SoC.
11.1 The appellant argued that this finding relied on the wrong understanding that figure 4 depicted a "separate embodiment" within D1, and that instead figure 4 had to be interpreted as merely a simplified version of the invention of D1, in particular the more detailed figure 9 in which at least some masters and slaves are not connected to the access control component (see nos. 915 and 965 in figure 9; see also the grounds of appeal, page 6, last paragraph, and page 7, 1st paragraph). The appellant stressed that the description in D1 relating to figure 4 did not explicitly state that the depicted masters and slaves were all there were.
11.2 The board notes that the figures of patent applications typically generalise certain details in order to emphasize others. In this sense, for instance, figure 4 depicts the slaves only generically, whereas figure 10 shows the slaves "explicitly [...] as an external bus controller [...] and a memory controller" (see paragraph 56). While the board agrees with the appellant that such figures need to be interpreted in view of the description, the board points out that the selection of features depicted in a figure also constitutes part of the disclosure of the application as a whole. The situation in which all masters and all slaves are connected via the access control function is, in the board's view, consistent with the rest of the disclosure of D1. Figure 9, in particular, depicts an "exemplary system" which does not exclude others, and it is stressed that "in this implementation" - i.e., in the board's view, as opposed to other implementations - there are some masters and slaves which are not governed by the access control unit (paragraphs 54-55). In the board's view, this means that figures 4 and 9 depict two embodiments which both fall within the scope of the invention according to D1. The board concludes that the presence of "uncontrolled" masters and slaves in figure 9 has no bearing on the interpretation of figure 4.
11.3 Moreover, although paragraphs 39 and 40 do not explicitly state that the depicted masters and slaves are "all" there are, it also gives no indication that there are others. The board also notes that figure 4 contains a dashed line representing the "integrated device" as a whole. In the board's view, the skilled person would therefore take figure 4 to disclose an integrated device in which all masters and slaves communicate through the access control component.
12. With regard to the appellant's argument that D1 does not disclose that all accesses to the slaves are checked "against settings of the central protection function" (grounds of appeal, point 3.2.3) and is, in particular, silent on anything other than read and write accesses, the board notes firstly that the claims do not mention any specific accesses either, let alone any accesses other than read and write, and secondly that the application also discloses at least one instance of the invention in which the relevant accesses are memory read and write operations (page 10, 1st paragraph). The board consequently does not accept this difference either.
Inventive Step, Article 56 EPC 1973
13. In summary, the board concludes that claim 1 differs from D1 in that
a) the integrated device according to D1 is not a system on a chip, since the slave devices are external to the system chip, and
b) D1 does not explicitly disclose an external bus interface provided as a master device, and, in particular, that
c) D1 does not disclose that the access control function is arranged to prohibit access to the slave elements via the external bus interfaces.
13.1 The board considers that difference a) has no functional relevance for the access control function itself. Therefore, the board considers that this difference serves the goal of miniaturization and integration. Such integration is considered to be a general trend in chip design, the "system on a chip" being a case in point. To achieve this goal, the board considers it obvious to integrate external slaves into the system on a chip. The board finds this to be particularly obvious for memory devices (cf. the mention of external memory in D1, paragraph 6, and of internal memory in the application, see page 8, 2nd paragraph).
13.2 As regards difference b), it was common ground between the board and the appellant during the oral proceedings that the provision of an external bus interface as a master for the local communication bus had to be considered well-known and usual in the art and did not, per se, establish an inventive step.
14. Inventive step of the claimed invention vis-à-vis D1 therefore turns on the assessment of difference c). In this regard the board notes the following.
14.1 The appellant asserted in its grounds of appeal, that claim 1 of the 4th auxiliary request showed an inventive step over D1, but did not, in its notice of appeal or its grounds of appeal, provide any arguments supporting this conclusion. It was only during the oral proceedings that it made submissions in this respect. It argued that the prohibition of all accesses by external masters to local slaves via the external bus interface was of a different nature to checking that local masters access local slaves in a consistent manner, and that it did not make the interface useless because communication with local masters via the external bus interface remained possible.
14.2 At least prima facie, the board finds these arguments to be plausible and that D1 does not suggest difference c). However, in the oral proceedings the board considered that it was not possible to decide on inventive step, since doubts remained as to whether the original search had covered present claim 1.
14.3 Claim 1 is based on claim 10 as originally filed, but limited over that claim using features taken from the description. Although the board takes the view that this limitation is an admissible one and therefore should have been covered by the initial search of claim 1, the board cannot exclude that this has, in fact, not been the case. In particular, the "control" exercised over accesses to slave elements via the external bus interfaces cannot, from claim 10 as originally filed, be distinguished from the control set out in claim 1 of local masters on the SoC. The board therefore has doubts as to whether the prohibition of accesses to local slaves via an external bus interface, and its enforcement by a "central protection function" has been covered by the original search. This is a matter for the examining division to decide.
Remittal for further prosecution
15. Hence, in view of the facts that the novelty objection, on which the decision under appeal exclusively relied, has been overcome, that the inventive step of claim 10 as originally filed was not explicitly discussed during the examining procedure, let alone, of course, present amended claim 1, that the appellant's arguments in favour of inventive step were only made during the oral proceedings, and that the board could not establish that the original search had covered present claim 1, the board exercised its discretion under Article 111(1) EPC 1973 to remit the case to the department of first instance for further prosecution.
For these reasons it is decided that:
1. The decision under appeal is set aside.
2. The case is remitted to the examining division for further prosecution on the basis of auxiliary request 4, received on 6 June 2012.