T 0855/15 (Security architecture/WONDERWARE) 10-01-2018
A SECURITY ARCHITECTURE FOR A PROCESS CONTROL PLATFORM EXECUTING APPLICATIONS
Selection of the "closest prior art"
Inventive step - no
Substantial procedural violation - no
Reimbursement of appeal fee - no
I. The appeal is against the decision of the examining division, with reasons dispatched on 1 December 2014, to refuse European patent application No. 02 746 667.1, because independent claims 1 and 17 lacked an inventive step over the common general knowledge in the art. Several documents were referred to in the decision but not relied upon in its reasons.
II. A notice of appeal was filed on 5 February 2015, the appeal fee being paid on the same day. A statement of grounds of appeal was filed on 13 April 2015. The appellant requested that the decision under appeal be set aside and that a patent be granted on the basis of the documents of the application as refused, i.e. on the basis of claims 1-21 as filed at 11:35 in the oral proceedings before the examining division (held on 8 October 2014), in combination with the description (pages 1-40) and drawings (sheets 1-16) as published, and description pages 2a and 2b as received with letter of 17 November 2010. The appellant also requested that the appeal fee be reimbursed because the examining division had violated its right to be heard.
III. In an annex to the summons to oral proceedings, the board informed the appellant of its preliminary opinion that the claimed invention did not solve a technical problem and therefore lacked an inventive step, Article 56 EPC 1973. Objections under Article 123(2) EPC and 84 EPC 1973 were also raised.
IV. In response to the summons, the appellant did not file any amendments or arguments and, by letter dated 11 October 2017, withdrew its request for oral proceedings.
V. The oral proceedings were then cancelled.
1. The application relates to "supervisory control and monitoring" of complex computerised industrial process control systems, disclosed as being "provided by both humans and higher-level control programs", i.e. at least in a semi-automatic manner (description, page 1, line 20, to page 2, line 8).
1.1 It is explained that process control systems have to adapt to changes in the process control devices and processes. In such situations, the reconfiguration of the system must be quick so as to limit the disruption of the system as a whole (see page 2, lines 9-14). The aim of the invention is to provide an architecture with the required flexibility by being "easily designed and altered for customized use" (see page 2, lines 15-23, and the sentence bridging pages 4 and 5).
1.2 The proposed architecture comprises three layers, an "application" layer and several layers below it. The application layer consists of "application objects", "hosted" by "engine objects" in a middle layer. The engine objects, in turn, are hosted by "platform objects" in "the lowest of the three layers". Platform objects are launched by a "bootstrap object" in an "even lower layer" (see page 5, lines 11-18, and page 8, lines 5-11).
1.3 Amongst various "models" discussed in the application (see page 6, line 8, to page 7, line 19), there is a "security model", which is stated to be independent of the hardware employed and described as allowing "late binding" to "particular components of a system" (see page 6, lines 8-16, and page 34, line 26, to page 35, line 2). The security model is further explained with reference to figures 18 and 19. The "attributes" of the "objects" each have a "security classification" defining required access permissions (see e.g. page 36, lines 17-18, and figure 19). On the other hand, groups of objects referred to as "security groups" are bundled with access permissions into so-called "roles" (see page 36, lines 9-11, and figure 18). Users are assigned one or more roles and are thus, indirectly, given access to those attributes (of the objects in the security groups of the roles), the security classification of which matches the access permissions granted to the roles (page 35, last paragraph, and figure 18).
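The access rule summarised in point 1.3, sketched as an added illustration that is not part of the decision or of the application. All class names, classifications, groups, roles and users are constructed, and two points are assumptions of this sketch: each object belongs to one security group, and a role's permissions apply only to that role's own security groups.

```python
from dataclasses import dataclass, field

# Constructed sample model: none of these names come from the application.

@dataclass(frozen=True)
class Role:
    name: str
    security_groups: frozenset  # groups of objects the role is bundled with
    permissions: frozenset      # access permissions the role grants


@dataclass
class AutomationObject:
    name: str
    security_group: str         # assumption: exactly one group per object
    # attribute name -> security classification (the permission it requires)
    attributes: dict = field(default_factory=dict)


def can_access(user_roles, obj, attribute):
    """Deny by default. Grant only if a single role covers both the
    object's security group and the attribute's security classification."""
    required = obj.attributes.get(attribute)
    if required is None:        # no classification known: no access
        return False
    return any(
        obj.security_group in role.security_groups
        and required in role.permissions
        for role in user_roles
    )


OPERATOR_A = Role("operator_a", frozenset({"line_a"}), frozenset({"operate"}))
TUNER_B = Role("tuner_b", frozenset({"line_b"}), frozenset({"operate", "tune"}))

VALVE_A = AutomationObject("valve_a", "line_a",
                           {"setpoint": "operate", "pid_gain": "tune"})
VALVE_B = AutomationObject("valve_b", "line_b",
                           {"setpoint": "operate", "pid_gain": "tune"})

USERS = {"alice": [OPERATOR_A], "bob": [OPERATOR_A, TUNER_B]}

if __name__ == "__main__":
    for user, roles in USERS.items():
        for obj in (VALVE_A, VALVE_B):
            for attr in obj.attributes:
                print(user, obj.name, attr, can_access(roles, obj, attr))
```

Because each role is evaluated on its own, a user holding several roles does not gain the union of all permissions over the union of all groups: the "tune" permission from one role does not extend to objects that only another role covers.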
The decision under appeal
2. In its decision (point 11 of the reasons), the examining division stated that "various types of supervisory process control and manufacturing information systems associated with a plant process comprising various entities" had been known in the art, and, referring to the breadth of the claims, gave a "computer system controlling printer that produce text printed on paper" as an example of such a system.
2.1 It then identified two groups of differences between the claimed subject-matter and such a generic system, relating respectively to (1) the role-based access control policy and (2) the layered architecture, and stated that no "synergetic interaction" between them could be identified (points 11.1 to 11.4 of the reasons).
2.2 The features relating to the security policy were included in the objective technical problem because they were the "result of non-technical considerations" (see point 11.5 of the reasons). The features relating to the layered architecture were said to be commonplace, realised, for example, by a Java application running on a JVM in a Linux environment, and thus obvious (point 11.6.1 of the reasons).
The alleged violation of the appellant's right to be heard,
Article 11 RPBA and Rule 103(1)(a) EPC
3. The appellant complained that the examining division had "asserted the existence of the closest prior art without prior notice" and "without giving opportunity to get knowledge of its content" (grounds of appeal, page 2, paragraph 2). Additionally, the chosen closest prior art was "very remote" from the claimed subject-matter (loc. cit.) because the printer scenario was not an "industrial" system in the sense of the application (see page 2, paragraphs 3-5 from the bottom, and page 3, third and last paragraphs) and, hence, the "skilled person would never select" it "to arrive at the invention as claimed". Reference was made, in this regard, to T 606/89 and the Guidelines G-VII, 5.1 (see grounds of appeal, page 4, paragraph 3).
4. In the minutes (dated 25 November 2014) of the telephone consultation held on 7 October 2014, the objection that "security requirements" were "non-technical" was mentioned, but no "starting point" or "closest prior art" was referred to. The same applies to the minutes (dated 27 November 2014) of the oral proceedings (see especially points 1.2 and 2.4). It thus appears that the "printer scenario" was first referred to in the written decision itself.
4.1 However, the written decision mentioned the printer scenario only by way of example (see the reasons, point 11.5, page 5, lines 5-7, and point 11.6.1, page 6, lines 1-6) and did not substantively depend on it.
4.2 Therefore, the board takes the view that the inclusion of the printer example in the written decision did not substantially contribute to the reasons for the decision, on which the appellant had had sufficient opportunity to present its comments, Article 113(1) EPC 1973.
4.3 Therefore, the fact that the appellant could not comment on the printer scenario is not a fundamental deficiency within the meaning of Article 11 RPBA.
5. The appellant also took issue with the examining division's general assertion that "various types of supervisory control and manufacturing information systems associated with a plant comprising various entities" were known in the art (see the grounds of appeal, page 2, paragraphs 5 and 6).
5.1 In the board's view, the examining division's statement is in line with the application itself, which discusses industrial control systems in its background section and even refers to "known supervisory process control applications" (see page 2, lines 20-21, and page 4, lines 31-32). Moreover, the appellant failed to explain where exactly a possible imprecision in the assertion by the examining division might have affected the reasons of the decision as a whole.
5.2 Thus, the board cannot see a fundamental deficiency within the meaning of Article 11 RPBA in this regard either.
6. Accordingly, the board decided not to remit the case to the examining division.
7. For the same reasons, the board considers that no substantial procedural violation within the meaning of Rule 103(1)(a) EPC occurred. Therefore, and also because the appeal is not allowable (see below), a reimbursement of the appeal fee is not possible.
8. As regards the appellant's argument that the chosen "closest prior art" is so "remote" from the invention that the skilled person would not select it (see point 3 above), the board makes two additional observations.
8.1 Firstly, the board considers that the "remoteness" of a piece of prior art from the claimed invention does not, in itself, rule out an assessment of inventive step in view of that prior art. If a piece of prior art is "too remote" from an invention, it should be possible to show that the invention is not obvious to a skilled person having regard to this piece of prior art (see Article 56 EPC, and T 1742/12, point 9 of the reasons).
8.2 Secondly, the board disagrees with the appellant's suggestion that it is relevant for the question of inventive step whether or not the "skilled person would [...] select" a piece of prior art "as a starting point to arrive at the invention" (see the grounds of appeal, page 4, paragraph 3). Article 56 EPC requires the assessment of whether an invention would be obvious to the skilled person "having regard to the state of the art". For this assessment, the deciding body will select one or more documents for consideration. However, no argument is required as to whether the skilled person would select a document. In fact, the board considers that a consideration of what the skilled person would do, in particular whether the skilled person "would select" a document, in order "to arrive at the invention as claimed" would amount to hindsight reasoning, because the skilled person would have to be assumed to know the invention before an argument could be made as to what he would do in order "to arrive at" it.
9. The claims recite a software architecture defined in terms of layers comprising "automation", "engine" and "platform" objects. These objects may be thought of as representing (i.e. modelling) a "plant", but no control of the plant seems to be implied by the claimed subject-matter. The modelling is not specific to a particular plant or type of plant or any specific "process control" and "manufacturing information" task in that context.
9.1 The same applies to the security model. The claims refer to a "set of security groups", each comprising "automation objects" having "attributes" with "security classifications", a "set of user roles", and an associated way of granting "access to an attribute of an object", but they fail to specify what the objects, attributes, accesses or roles are or how they may be "associated with a plant process" as the preamble of the claim indicates. As mentioned above, this hardware independence is intentional (see the description, page 6, lines 8-16, and point 3.3 above).
9.2 Thus the invention is not concerned with any specific industrial process - or control thereof - but rather with modelling or programming a control system (and its access control) in such a way that reconfiguration (i.e. re-programming) becomes simple (or "easily designed and altered for customized use", as the application itself puts it). The board considers it questionable whether this goal (i.e. simplicity or speed of design, (re-)configuration, or customisation) and its consequences (such as reduction of system idle time, see the description, page 2, lines 12-14) are plausibly achieved by the claimed system and, furthermore, how it could be established (e.g. quantified and measured) whether they are achieved. Moreover, the board follows its earlier jurisprudence, according to which providing a programming system does not solve a technical problem merely because it makes the programmer's task easier (see e.g. T 1630/11, points 6 to 8 of the reasons).
10. The board thus concludes that the claimed invention lacks an inventive step over the common general knowledge in the art because it does not solve a technical problem, Article 56 EPC 1973.
For these reasons it is decided that:
1. The appeal is dismissed.
2. The request for reimbursement of the appeal fee is refused.