|European Case Law Identifier:||ECLI:EP:BA:1998:T052896.19981118|
|Date of decision:||18 November 1998|
|Case number:||T 0528/96|
|IPC class:||G06F 11/00|
|Language of proceedings:||EN|
|Title of application:||Fail safe architecture for a computer system|
|Applicant name:||Mirowski, Mieczyslaw|
|Opponent name:||Joh. Vaillant GmbH u. Co|
|Relevant legal provisions:||
|Keywords:||Inventive step (yes, after amendment); Basis of decisions - opportunity to comment (yes)|
Summary of Facts and Submissions
I. This is an appeal against the decision of the Opposition Division to revoke European patent No. 240 428 on the ground that the subject-matter of independent claims 1 and 23 lacked an inventive step having regard to the disclosure of each of the following documents considered separately:
D1: Regelungstechnische Praxis, volume 23 (1981) No. 8, pages 268 to 275, Knörnschild: "SPEICHERPROGRAMMIERBARE STEUERUNGEN für den sicherheitstechnischen EINSATZ-ANFORDERUNGEN und PRÜFUNGEN"
D2: EP-B-88 364
II. The appellant (patentee) lodged an appeal against this decision and paid the prescribed fee. A written statement setting out the grounds of appeal was subsequently received. In this statement the appellant argued that the claims of the patent were inventive and that the decision was not based on grounds or evidence on which the parties concerned had had an opportunity to present their comments, Article 113(1) EPC. The impugned decision, it was argued, was the first occasion on which the appellant had been informed that the grounds of opposition were considered to prejudice the maintenance of the patent. No substantive communication had been received from the Opposition Division before the decision had been taken and oral proceedings had not been appointed even though they were clearly appropriate. The violation of the appellant's rights constituted a substantial procedural violation within the meaning of Rule 67 EPC.
III. Following the communication from the Board the appellant submitted two new sets of claims of first and second auxiliary requests.
IV. Oral proceedings were held before the Board on 16 March 1997.
At the oral proceedings the appellant requested that the decision under appeal be set aside and that the patent be maintained on the basis of either a main request, maintenance on the basis of the patent as granted, or an auxiliary request based on the first auxiliary request, the second auxiliary request having been withdrawn.
The respondent (opponent) did not appear at the oral proceedings. He had previously, in response to the statement of grounds, requested that the appeal be dismissed.
V. Claim 1 of the main request reads as follows:
"1. A computer system (10), having a processor (14) with an internal register, a storage means (22) for storing at least operation code instructions executable by said processor (14), and a temporary memory (24) storing at least data manipulated by said processor (14), said computer system (10) comprising:
means for verifying the contents of said storage means (22) by applying an algorithm to the stored operation code instructions;
means for testing the integrity of said temporary memory (24);
means for checking the validity of operation of said processor (14) by executing said operation code instructions in discrete subsets and monitoring the condition of said internal register during the execution;
characterized in that:
said means for testing the integrity of the temporary memory (24) includes:
means for saving the current data stored in said temporary memory (24);
means for writing a test pattern into said temporary memory (24) and algorithmically verifying said test pattern; and,
means for restoring said current data in said temporary memory (24); and in that said computer system (10) further comprises:
means for periodically activating said means for verifying the contents of said storage means (22), said means for testing the integrity of said temporary memory (24), and said means for checking the validity of operation of said processor (14) during the execution of said operation code instructions by said processor (14); said means for periodically activating comprising a timer (T1) which periodically provides a non-maskable interrupt (NMI) to the processor (14) of the computer system (10) and,
means for inhibiting the execution of said operation code instructions by said processor (14) dependent upon the verification of said storage means (22), the testing of the integrity of said temporary memory (24), and the validity check of the operation of said processor (14) by the respective said means for verifying the contents of said storage means (22), said means for testing the integrity of said temporary memory (24) and said means for checking the validity of operation of said processor (14)."
Claim 23 of the main request is an independent method claim having features corresponding to those of claim 1.
VI. The appellant argued that the impugned decision did not adopt the problem-and-solution approach and failed to indicate what problem was solved either in the impugned patent or in D1. D1 constituted a catalogue of different safety measures to be performed on a test specimen at the time of manufacturing and was not concerned with operational running. There was no disclosure in D1 of the use of non-maskable interrupts in order to provide a periodic inhibition of execution of operation code instructions. It had moreover not been shown that all the features of claim 23, the independent method claim, were derivable from D1, nor that the constructional features of claim 1, which defined means to carry out the method of claim 23, were to be found in D1.
Similarly, the discussion of D2 in the impugned decision contained assertions that this document solved the same problem and disclosed the same means as in the patent, but D2 did not in fact disclose all the claimed features and was in any case directed to a fundamentally different problem. Finally, the Opposition Division had asserted that the features of the dependent claims were obvious but had given no reasoning as to why this was held to be so.
As noted above, the appellant also argued that the Opposition Division had committed a substantial procedural violation in that the grounds on which it was proposed to revoke the patent had not been communicated in advance of the written decision, either by a communication or by appointing oral proceedings.
VII. The respondent referred to the arguments contained in their original grounds of opposition and to the Opposition Division's decision. They requested that the revocation of the patent be upheld, i.e. that the appeal be dismissed.
VIII. At the oral proceedings the Board refused the main request and decided to continue the procedure in writing on the basis of the auxiliary request.
IX. Following a communication from the Board, raising issues of clarity, the appellant filed a revised set of claims of the auxiliary request.
X. Claim 1 of this request reads as follows:
Reasons for the Decision
The appeal is admissible.
1. The Right to Comment, Article 113(1) EPC
1.1. The appellant argued in the statement of grounds that because the opposition division did not issue a communication before the decision was taken there was an infringement of Article 113(1) EPC, which requires that the decision must be based on grounds or evidence on which the parties concerned have had an opportunity to present their comments. The issue of a communication is argued to be mandatory in the light of Article 101(2) and Rule 58(3) EPC.
1.2. However, no requirement is derivable from the EPC or Rules that the opposition division must itself issue a communication other than in the special case under Rule 71(a) when oral proceedings are appointed. Article 113(1) EPC may be satisfied if the reasoning of the decision has previously been raised and discussed in the proceedings by the parties themselves. Reference is directed to decision T 275/89 (OJ EPO 1992, 126), which makes this point and states that an opposition division is not obliged in every case to issue at least one [substantive] communication. It is noted that in the statement of grounds at page 2, second full paragraph, the appellant observed that the impugned decision "merely referred to passages of the Notice of Opposition". Since the opposition file shows that the appellant was invited to comment on the opposition, the requirement of Article 113(1) EPC has been met.
2. The Right to Oral Proceedings, Article 116 EPC
2.1. The final paragraph in the patentee's response to the opposition, the last document on the file before the opposition division took its decision, reads as follows:
"Should the opposition division feel that further information is required, the patentee will be pleased to respond in due course, either in writing or during the oral hearing"
2.2. The opposition division argued in its decision that this statement did not constitute a request for oral proceedings. In the file as a whole the only other reference to oral proceedings or to an "oral hearing" is to be found in the notice of opposition, in which the opponent makes a conditional request for oral proceedings if the opposition division rejects the main request for revocation of the patent.
2.3. The established jurisprudence of the Boards of Appeal (see eg T 299/86 OJ EPO 1988, 88) is that oral proceedings are a very important procedural right and that, whether or not the EPO considers it to be expedient, a party is entitled to oral proceedings upon request. However, this right is subject to a clear and unconditional request for such proceedings. In the present case the Board takes the view that the reference in the patentee's response to an "oral hearing", although apparently a reference to oral proceedings within the meaning of Article 116 EPC, does not constitute a formal request for such proceedings. The cited passage seems to assume that oral proceedings will in fact take place even though an appropriate request was never made. Although the opposition division might reasonably have been expected to query whether such a request was in fact intended, the fact that it did not do so does not constitute a procedural violation since the onus to make a clear request is on the party itself.
2.4. In accordance with Rule 67 EPC the reimbursement of appeal fees shall be ordered where the Board of Appeal deems an appeal to be allowable, if such reimbursement is equitable by reason of a substantial procedural violation. Since there was no procedural violation the appeal fee cannot be reimbursed.
3. Inventive Step (main request)
3.1. At the oral proceedings it was accepted by the appellant that document D1 relates to a computer system in accordance with the preamble of claim 1 in which operational testing of the system is cyclically effected. It was also accepted that known computer systems possess both stored opcode in the form of a ROM BIOS and a temporary memory (RAM), whereby during the power-on self-test (POST) the contents of the ROM are verified by applying an algorithm in the form of a BIOS checksum and RAM integrity is tested by performing a memory parity check.
3.2. D1 discloses at page 273, point 126.96.36.199 a cyclically performed ROM test and at point 188.8.131.52, second paragraph a RAM test in which existing data is moved to a second RAM for the duration of the test, i.e. the current data is saved; the test itself is performed by "walking" a bit through the memory, i.e. writing a "0" to all locations and moving a "1" through each location in turn, followed by writing a "1" to all locations and moving a "0" through. This procedure constitutes "algorithmically verifying a test pattern written into said temporary memory" within the meaning of the claim. It is not explicitly stated that this particular test is performed cyclically, although various other tests, including the RAM test described at point 184.108.40.206, first paragraph are stated to be performed cyclically, and point 220.127.116.11 implies that this is also true of the RAM testing. The Board takes the view that the skilled person would understand that this test is also performed cyclically.
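The save, walking-bit and restore sequence described in point 3.2, as an added illustration that is not taken from the decision, from D1 or from the patent. The simulated RAM, the stuck-at-0 fault model and all names (`ram_t`, `walk_pass`, `ram_test`, `run_demo`) are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_WORDS 16  /* constructed size; a real test covers the whole RAM */

/* Simulated RAM; stuck_index/stuck_mask model a stuck-at-0 fault (assumed). */
typedef struct { uint8_t cell[RAM_WORDS]; int stuck_index; uint8_t stuck_mask; } ram_t;

static uint8_t ram_read(const ram_t *r, int i) {
    uint8_t v = r->cell[i];
    return (i == r->stuck_index) ? (uint8_t)(v & ~r->stuck_mask) : v;
}

/* Fill with background bg, then walk the opposite bit through every bit
   position, checking after each write that no other location changed. */
static int walk_pass(ram_t *r, uint8_t bg) {
    memset(r->cell, bg, RAM_WORDS);
    for (int i = 0; i < RAM_WORDS; i++) {
        for (int b = 0; b < 8; b++) {
            uint8_t pat = (uint8_t)(bg ^ (1u << b));
            r->cell[i] = pat;
            for (int j = 0; j < RAM_WORDS; j++)
                if (ram_read(r, j) != (j == i ? pat : bg)) return -1;
        }
        r->cell[i] = bg;  /* clear the walked bit before moving on */
    }
    return 0;
}

/* Save current data, run both walking passes, restore. 0 = pass, -1 = fault. */
int ram_test(ram_t *r) {
    uint8_t saved[RAM_WORDS];             /* stands in for the "second RAM" */
    memcpy(saved, r->cell, RAM_WORDS);
    int rc = walk_pass(r, 0x00);          /* all 0, walk a 1 through */
    if (rc == 0) rc = walk_pass(r, 0xFF); /* all 1, walk a 0 through */
    memcpy(r->cell, saved, RAM_WORDS);
    return rc;
}

/* Returns 0 = passed and data intact, 1 = passed but data lost, -1 = fault. */
int run_demo(int stuck_index) {
    ram_t r = { .stuck_index = stuck_index, .stuck_mask = 0x10 };
    uint8_t before[RAM_WORDS];
    for (int i = 0; i < RAM_WORDS; i++) r.cell[i] = (uint8_t)(i * 7 + 3);
    memcpy(before, r.cell, RAM_WORDS);    /* constructed "current data" */
    int rc = ram_test(&r);
    if (rc != 0) return rc;
    return memcmp(before, r.cell, RAM_WORDS) == 0 ? 0 : 1;
}

int main(void) {
    printf("healthy RAM: %d, stuck bit at word 5: %d\n", run_demo(-1), run_demo(5));
    return 0;
}
```

On real hardware the save buffer must lie outside the region under test, which is why D1 moves the data to a second RAM.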
3.3. D1 also discloses at point 18.104.22.168 various tests for the registers and the ALU. These are stated to be monitored as part of either of the two previously described ROM tests which are carried out cyclically, implying that this is also true for the processor test. At point 22.214.171.124 a further processor test is described, referred to as a "watch-dog" timer, in which an independent hardware-based timer is used to monitor the time taken to perform processor operations. This is also said to be combinable with the ROM test, implying it is periodic.
3.4. From point 126.96.36.199 it can be seen that in the event of an error the processor is switched off, i.e. the execution of opcode instructions is inhibited.
3.5. D1 does not indicate what is meant by performing tests cyclically, nor does it mention the use of interrupts such as an NMI. In the course of the oral proceedings it was argued by the appellant that from page 6 lines 1 to 10 of the patent it was clear that a pointer register forming part of step 138 in Figure 2D served to initiate the various self-check modules in turn, each in response to a respective interrupt. D1, it was argued, did not suggest carrying out the individual tests in a predetermined sequence; the skilled person seeking to implement D1 might well provide a separate, unsynchronized, cycle for each module and/or might initiate the modules repetitively rather than in sequence, e.g. carrying out five RAM tests for each ROM test. Moreover, the suggestion that the testing in D1 might be interrupt-driven was ex post facto and depended on an impermissible combination of D1 and D2, the latter showing the use of an interrupt for testing although not a non-maskable interrupt. The skilled person would be prejudiced against interrupt-driven testing in a program where safety was the prime consideration.
3.6. Dealing first with the matter of what the reference to testing "cyclically" in D1 means, it is noted that in point 188.8.131.52 it is stated that the sum of all test cycles must be smaller than the safety-critical process lag of the application. Although this does not exclude parallel and/or asynchronous test cycles with a separate timer controlling each test, the RAM and register testing is dependent on subroutines contained within the ROM (see point 184.108.40.206, last sentence of both paragraphs, and point 220.127.116.11, last sentence). This implies that the ROM cannot be tested at the same time as these devices and that, as each subroutine must be read out in sequence, testing is also sequential. The skilled person could therefore be expected to infer from D1 that testing must be carried out synchronously and under the control of a single timer.
3.7. It is observed that although at the oral proceedings the appellant argued that in the patent each interrupt led to a respective test, so that the tests were carried out in a fixed sequence, claim 1 of the main request does not require that the tests be performed in any particular order. It will be clear from the above discussion that in D1 the tests are activated periodically within the meaning of the claim.
3.8. Turning now to the remaining feature of claim 1, it is observed that processors generally possess a non-maskable interrupt, i.e. an interrupt of highest priority.
3.9. Since the subject-matter of claim 1 lacks an inventive step it follows that the same objection applies to claim 23, which is a method claim having the same features as claim 1.
4. Inventive Step (Auxiliary request)
4.1. Claim 1 of this request includes the feature of "fail safe trap means" which serve, on detection of a failure, to initiate resynchronization of the processor; these means are described at page 5 lines 18 to 31 in connection with Figure 2C. This procedure is stated to have the advantage that if a fault is only transient then successful resynchronization causes the system to reboot and continue where it left off. Only in the event of a persistent fault, resulting in a failure count of three within 10 interrupts, is the fail-safe condition activated.
4.2. The feature of resynchronization on failure detection is not derivable from the cited document D1. The Board accordingly concludes that the subject-matter of claim 1 of the main request involves an inventive step having regard to the disclosure of D1.
4.3. Turning now to D2, this document discloses interrupt-driven self-checking of the internal state of the processor, the interrupts being generated by a counter (60 in Figure 1). The processor enters an "interrupt disabled state" in which the further execution of opcode is inhibited if an error is encountered, see column 13 lines 9 to 33. From the discussion of Figure 7 at column 12 line 28 to column 14 line 10 of D2 it appears that the diagnostic functions which provide for RAM and ROM testing are however provided separately as part of the normal operating cycle of the processor. There is no mention of what happens to the existing contents of the RAM during testing. The effect of an interrupt is described in the passage bridging columns 12 and 13, and in connection with Figure 9 at column 14 line 11 to column 15 line 38; the processor halts its normal operating cycle, including a halt to diagnostic checking, and enters a subroutine in which the processor registers are themselves checked. D2 accordingly provides for two separate and unrelated forms of self-checking, only one of which is interrupt-driven. If a failure is established the device enters a failure loop; there is no discussion of recovery from a transient failure.
4.4. The Board accordingly concludes that the skilled person, starting out from the teaching of D2, would not arrive at the subject-matter of claim 1 of the auxiliary request. Nor does it appear that there is any obvious combination of D1 and D2 which might be expected of the skilled person and which would lead to the claimed invention.
For these reasons it is decided that:
1. The decision under appeal is set aside.
2. The case is remitted to the first instance with the order to maintain the patent on the basis of the claims of the auxiliary request.