T 1853/12 (Protection system/FREESCALE) of 17.9.2015

European Case Law Identifier: ECLI:EP:BA:2015:T185312.20150917
Date of decision: 17 September 2015
Case number: T 1853/12
Application number: 06701214.6
IPC class: G06F 21/00
Language of proceedings: EN
Distribution: D
Download and more information:
Decision text in EN (PDF, 342 KB)
Documentation of the appeal procedure can be found in the Register
Bibliographic information is available in: EN
Versions: Unpublished
Title of application: PROTECTION SYSTEM AND METHOD OF OPERATION THEREIN
Applicant name: Freescale Semiconductor, Inc.
Opponent name: -
Board: 3.5.06
Headnote: -
Relevant legal provisions:
European Patent Convention 1973 Art 54
European Patent Convention 1973 Art 56
European Patent Convention 1973 Art 111(1)
Keywords: Novelty - (yes)
Remittal to the department of first instance - (yes)
Catchwords:

-

Cited decisions:
-
Citing decisions:
-

Summary of Facts and Submissions

I. The appeal lies against the decision of the examining division to refuse the European patent application no. 06701214.6 for lack of novelty over document

D1: US 2003/200451 A1.

Prior to this decision, the examining division issued a communi­cation under Rule 71(3) EPC announcing its in­ten­­tion to grant a patent based on a text which the appli­cant subsequently disapproved in its letter of 22 March 2012.

II. Notice of appeal was filed on 6 June 2012 together with sets of claims according to a main and 1st to 5th auxiliary requests. The appeal fee was paid on the same day, and a statement of grounds of appeal was received on 1 August 2012. The claims according to the 3rd auxiliary request corresponded to the claims on the basis of which the examining division had intended to grant a patent. The appellant requested that the deci­sion under appeal be set aside and that a patent be granted based on one of the sets of claims filed with the grounds of appeal. The appellant, in its reasons why the claimed invention differed from D1, re­ferred to three documents which D1 (paragraph 1) states are incor­­po­rated by refe­rence in their entirety. The appellant referred to these documents as D1A to D1C and took the position that documents D1 and D1A to D1C in combination "consti­tu­te[d] a single publication, and that, even if con­si­dered as sepa­rate publications, D1 should be read in the context of D1A-D1C".

III. In an annex to a summons to oral proceedings the board informed the appellant of its preliminary opinion that D1A to D1C did not form, in combination with D1, a "single publication" and did not affect the in­ter­pre­tation of D1. The board tended to agree that the claims were novel over D1, Article 54 EPC 1973, but also to consider that claim 1 of the main request and the 1st to 3rd and 5th auxiliary requests lacked an inventive step over D1, Article 56 EPC 1973. The board further noted that claim 1 of the 4th auxiliary request - prima facie and in view of the fact that the appellant had not provided any specific arguments on inventive step - appeared to lack an inven­tive step over D1, and expressed doubts as to whe­ther its sub­ject matter had specifically been searched and suggested that it might have to remit the case on this basis to the examining division for further prose­cution and to assess the need for an additional search.

IV. In response to the summons the appellant filed neither amendments nor arguments.

V. Oral proceedings took place on 17 September 2015 as scheduled. During the oral proceedings, the appellant withdrew its main and 1st to 3rd and 5th auxiliary requests and requested the grant of a pa­tent based on claims 1-10 filed with the grounds of appeal as the 4th auxiliary request. The further appli­cation documents on file are:

description, pages

1-3, 5-13 as published

4, 4a, 14 received on 8 November 2011

drawings, sheets

1/2-2/2 as published.

VI. Claim 1, the only independent claim of said "4th auxiliary request", reads as follows:

"A system on a chip (200), SoC, comprising one or more slave devices (275, 280, 285, 290, 295) of a first communication bus operably coupled to a plurality of master devices (205, 240, 250, 265) of the first communication bus, characterised in that

the SoC comprises a central protection function (270) operably coupled to the first communication bus (235) and configured to control data flow between the one or more slave devices (275, 280, 285, 290, 295) and the plurality of master devices (205, 240, 250, 265) via the communication bus (235),

the central protection function being arranged to ensure that no bus data transfers are initiated on the SoC without passing the central protection function and to process and verify each data transfer initiated by a master device (205, 240, 250, 265) according to protection settings assigned to the central protection function (270);

the plurality of master devices (205, 240, 250, 265) comprises an external bus interface and said central memory protection function is arranged to prohibit access to the slave elements via the external bus interface."

VII. At the end of the oral proceedings, the chairman announced the decision of the board.

Reasons for the Decision

The invention

1. The invention relates to a microprocessor architecture for the protection of slave devices, and in particular to centralised memory pro­tection for systems on a chip.

1.1 The application describes (see page 2, 2nd and 3rd para­graphs) how systems with several bus master de­vi­ces and several slave devices need to provide a mech­a­nism for the masters to agree which one obtains owner­ship of a de­sired resource (i.e. slave). More specifi­cally, it is disclosed that "the typical microprocessor architec­ture [...] provides protection to memory devi­ces and peri­phe­rals using" so-called "memory protection units (MPUs)" or "memory management units (MMUs)". These are located in the processor main core and can only "pro­tect accesses from one master device to mul­tiple slave devices" (page 2, last paragraph - page 3, 2nd para­graph). The application does not describe in detail the kind of protection provided by MPUs or MMUs. The appli­cation also states that slave devices may have indivi­dual protection units (see e.g. page 3, lines 14-15).

1.2 It is disclosed that conventional microprocessor archi­tectures only protect memory and peripherals from "erro­­­­neous accesses" by the main CPU core (page 4, 3rd paragraph) with the consequence that many such accesses are "unprotected". Furthermore, the memory protection me­cha­nisms provided for individual bus masters (or slaves) separately may be inconsistent with each other (page 3, 3rd and 4th paragraphs). The invention thus seeks to provide a mecha­nism "for fully controlled and protected memory access for system-on-chip (SoC) devi­ces, to encompass all poten­tial master devices and all memory destina­tions" (page 4, last paragraph).

1.3 In contrast to the prior art depicted in figure 1 of the application, the invention contains a "Central Memory Protection (CMP)" between the bus mas­ters and the bus to which several slaves are connected (see the embodiment depicted in figure 2). The CMP checks all accesses initiated by a master device against the settings in the CMP and allows the access or, other­wise, sets an error or war­ning flag or raises an inter­rupt or bus transfer abort (page 7, 2nd paragraph). The CMP is said to be "central" in that it is "de­signed to ensure that no bus data transfers are ini­ti­ated on the SoC without passing through the central me­mory protec­tion function", and that this "ensures full observa­bi­lity of all bus data transfers within the protection system" (page 6, 2nd paragraph). In particular, it is disclosed that "all accesses to the slave elements [...] are checked" and that "the CMP function 270 is arranged such that all memory map accesses ('read' and/or 'write' operations) are under its full control" (page 10, 1st paragraph).

Article 123(2) EPC

2. Present claim 1 is based on claims 1, 7 and 10 as ori­ginally filed in combination with the de­scription on page 6, lines 16-19, and page 9, lines 22-26, and fi­gure 2. The board is thus satisfied that the re­quire­ments of Article 123(2) EPC are complied with.

Clarity, Article 84 EPC 1973, and claim construction

3. The board is also satisfied that claim 1 is clear, Article 84 EPC 1973. However, several of the terms require interpretation, as set out below.

3.1 Claim 1 refers to a system on a chip (SoC) "comprising" several slave and master devices and a central pro­tec­tion function (henceforth CPF) "configured to control data flow between" them. Since the term "comprising" is conventionally construed as non-exhaustive, this leaves the possibility that there may be master and/or slave devices the data flow between which is not controlled by the CPF. However, the further feature in claim 1 that the CPF ensures "that no bus data transfers are initia­ted on the SoC without passing the central pro­tection function" goes beyond this. In the board's judg­ment the skilled person would interpret claim 1 as requiring a CPF which "controls" the data flow between all master and slave devices on the SoC.

3.2 Claim 1 requires the CPF to "control data flow" and to "pro­cess and verify [...] data transfer[s]". The board takes the view that the skilled person would, in the context of claim 1, understand "process and verify" and "control" to be synonyms. During the oral proceedings the representative agreed with this interpretation. The board notes however, that claim 1 lacks any detail as to what specific control of the pertinent data flow the CFP is to exercise.

3.3 The "bus data transfers initiated on the SoC" con­trolled by the CPF are not detailed any further in claim 1. However, claim 1 specifies that the CFP is configured to "con­trol data flow between [...] slave devices [...] and [...] master devices" which are "initiated by a master device". The skilled person would, in the board's view, understand claim 1 to refer to accesses by master de­vi­ces to slave devices - as opposed to master-master communi­ca­tion which the appellant referred to during oral pro­ceedings. The description exclusively refers to masters accessing slaves, in particular to processors accessing memory devices, and does not mention master-master communica­tion. This was specifically confirmed by the representative during the oral procee­dings.

Article 83 EPC 1973

4. The board is also satisfied that the invention as claimed is disclosed in a manner sufficiently clear and complete for it to be carried out by a person skilled in the art. This applies, in par­ti­cular, to the last fea­ture of claim 1, according to which an external bus interface is to be provided as a master device, all accesses to slave elements via this interface being prohibited by the CPF.

The prior art

5. D1 relates to a system on a chip and its accesses to external devices or memory components and, in par­ti­cular, to "prevent[ing] unau­thorized access to pro­tec­ted memory spaces" (see paragraphs 6 and 8).

5.1 D1 thus discloses an "access control function which re­sides between functional masters and slave devi­ces" (paragraph 9). The access control component re­ceives re­quests from the mas­ters and determines whether to deny, grant or qualify access (the latter e.g. by impo­sing encryp­tion to the access; see paragraphs 10 and 40). The pro­posed access control is said to reduce se­ve­ral se­cu­rity risks which exist in conven­tio­nal archi­tectures (see figures 1-3 and paragraph 33) including the risk of uninten­tio­nal corruption of shared memory by several masters; see paragraph 37.

5.2 According to D1 (paragraph 39), figure 4 "illustrates one embodiment of a system [...] which includes an access control func­tion [...] in accordance with an aspect of the present invention". In this embodiment, the access control is placed between the bus ­and the slaves, and apparently all accesses from all mas­ters to all slaves are routed through the access control function.

5.3 Further according to D1, figure 9 "depict[s] [an] exem­plary system[] employing an access control function as disclosed" in D1­ (paragraph 54). In figure 9, the access con­trol component is placed as a bridge element be­tween two buses (920 and 950), thus acting as a slave of the first bus and a master of the se­cond. In this embo­di­ment, not all accesses are routed through the access con­trol bridge; see, in particular, those be­tween masters and slaves connected to the same single bus (see pa­ragraph 55).

6. Figure 10 also depicts as an "exemplary system[] em­ploy­ing an access control function as disclosed" in D1­ (pa­ragraph 54) which is said to be "an extension of the em­bodiment of figure 4 in that slaves are explicitly shown as an external bus controller and a memory con­troller" (see paragraph 56).

Novelty, Article 54 EPC 1973

7. The board agrees with the appellant that D1 fo­cuses on slaves external to the system chip (see, in particular, paragraphs 6-8) and thus does not disclose the slaves being part of a sys­tem on a chip as claimed. Already for this reason, the board concludes that the subject matter of claim 1 is new over D1.

Accidental anticipation

8. The board however disagrees with the appellant that this difference makes D1 an "accidental anticipation not re­le­vant for inventive step" (see grounds of appeal, page 10, 1st paragraph). Specifically, the board considers that the risk of data corruption in (slave) memory devices caused by memory sharing is, in principle, independent of whether the memory devices are integrated on a single system chip or are external to it. As a conse­quence, the functionality pro­vided by the access control of D1 for "external" slaves is also useful for and applicable to ­"internal" slaves.

Interpretation of D1

9. The access control according to D1 is not "central" to the system chip according D1, since it does not comprise the external slaves (see grounds of appeal, point 3.2.1, especially the paragraph bridging pages 5 and 6). This difference has al­ready been established above. How­ever, the board consi­ders that the "access control" of D1 is central to the integrated system as a whole by virtue of its place­ment between all masters and slaves depic­ted in figure 4 and a plurality of masters and slaves depicted in fi­gures 9 and 10, i.e. "central" with res­pect to the pertinent mas­ter and slave devices. The board disagrees with the appellant that the term "cen­tral" as such must be read in a more limited way.

10. The board also considers that the control exercised by the access control function according to D1 (see, in particular, paras. 37, 38 and 56) falls within the mea­ning of the claimed central protection function. During the oral proceedings the appellant's representative specifically agreed with the board on this point.

11. Moreover, the board agrees with the examining division that figure 4 of D1 discloses the control of the entire data flow between all master and slave devices on a SoC.

11.1 The appellant argued that this finding relied on the wrong understanding that figure 4 depicted a "separate embodiment" within D1, and that instead figure 4 had to be in­ter­preted as merely a simplified ver­sion of the in­vention of D1, in particular the more detailed figure 9 in which at least some masters and slaves are not connec­ted to the access control compo­nent (see nos. 915 and 965 in figure 9; see also the grounds of appeal, page 6, last paragraph, and page 7, 1st paragraph). The appellant stressed that the de­scription in D1 relating to figure 4 did not explicit­ly state that the depicted masters and slaves were all there were.

11.2 The board notes that the figures of patent applications typically generalise cer­tain details in order to empha­size others. In this sense, for instance, figure 4 de­picts the slaves only generi­cally, whereas figure 10 shows the slaves "expli­citly [...] as an external bus controller [...] and a memory controller" (see para­graph 56). While the board agrees with the appellant that such figures need to be in­ter­preted in view of the description, the board points out that the selection of features depic­ted in a figure also con­sti­tutes part of the disclosure of the applica­tion as a whole. The situ­ation in which all masters and all slaves are connec­ted via the access control function is, in the board's view, con­sis­tent with the rest of the disclo­sure of D1. Figure 9, in par­ticular, depicts an "exempla­ry sys­tem[]" which does not exclude others, and it is stressed that "in this imple­mentation" - i.e., in the board's view, as opposed to other implementations - there are some mas­ters and slaves which are not governed by the access control unit (paragraphs 54-55). In the board's view, this means that fi­gures 4 and 9 depict two embo­di­ments­ which both fall within the scope of the invention accor­ding to D1. The board concludes that the presence of "uncontrolled" masters and slaves in fi­gure 9 has no bearing on the interpretation of figure 4.

11.3 Moreover, although paragraphs 39 and 40 do not expli­cit­ly state that the depicted masters and slaves are "all" there are, it also gives no indication that there are others. The board also notes that figure 4 contains a dashed line representing the "integrated device" as a whole. In the board's view, the skilled person would therefore take figure 4 to disclose an integrated de­vice in which all masters and slaves communicate through the access control component.

12. With regard to the appellant's argument that D1 does not disclose that all accesses to the slaves are checked "against settings of the central protection func­tion" (grounds of appeal, point 3.2.3) and is, in particu­lar, silent on anything other than read and write accesses, the board notes firstly that the claims do not mention any specific accesses either, let alone any­ accesses other than read and write, and secondly that the appli­cation also discloses at least one in­stance of the inven­tion in which the relevant accesses are memory read and write operations (page 10, 1st paragraph). The board conse­quent­ly does not accept this difference either.

Inventive Step, Article 56 EPC 1973

13. In summary, the board concludes that claim 1 differs from D1 in that

a) the integrated device according to D1 is not a system on a chip, since the slave devices are external to the system chip, and

b) D1 does not explicitly disclose an external bus interface provided as a master device, and, in particular, that

c) D1 does not disclose that the access control function is arranged to prohibit access to the slave elements via the external bus interfaces.

13.1 The board considers that difference a) has no functio­nal relevance for the access control function itself. There­fore, the board considers that this difference serves the goal of miniaturization and integration. Such inte­gration is considered to be a general trend in chip de­sign, the "system on a chip" being a case in point. To achieve this goal, the board con­si­ders it obvi­ous to integrate external slaves into the system on a chip. The board finds this to be particu­larly obvious for me­mory devices (cf. the mention of external memory in D1, paragraph 6, and of internal memory in the applica­tion, see page 8, 2nd paragraph).

13.2 As regards difference b), it was common ground between the board and the appellant during the oral proceedings that the provision of an external bus interface as a master for the local communication bus had to be consi­dered well-known and usual in the art and did not, per se, estab­lish an inventive step.

14. Inventive step of the claimed invention vis-à-vis D1 therefore turns on the assessment of difference c). In this regard the board notes the following.

14.1 The appellant asserted in its grounds of appeal, that claim 1 of the 4th auxiliary request showed an inven­tive step over D1, but did not, in its notice of appeal or its grounds of appeal, provide any arguments suppor­ting this conclusion. It was only during the oral pro­ceedings that it made submissions in this respect. It argued that the prohibition of all accesses by external masters to local slaves via the external bus interface was of a different nature to checking that local mas­ters access local slaves in a con­sis­tent manner, and that it did not make the interface useless because commu­nication with local masters via the exter­nal bus interface remained possible.

14.2 At least prima facie, the board finds these arguments to be plau­sible and that D1 does not suggest difference c). However, in the oral proceedings the board con­si­dered that it was not possible to decide on inventive step, since doubts remained as to whether the original search had covered present claim 1.

14.3 Claim 1 is based on claim 10 as originally filed, but limited over that claim using features taken from the description. Although the board takes the view that this limitation is an admissible one and therefore should have been covered by the initial search of claim 1, the board cannot exclude that this has, in fact, not been the case. In particular, the "control" exercised over accesses to slave elements via the external bus interfaces cannot, from claim 10 as originally filed, be distinguished from the control set out in claim 1 of local masters on the SoC. The board therefore has doubts as to whether the prohibition of accesses to local slaves via an external bus interface, and its en­forcement by a "central protection function" has been covered by the original search. This is a matter for the examining division to decide.

Remittal for further prosecution

15. Hence, in view of the facts that the novelty objection, on which the decision under appeal exclusively relied, has been overcome, that the inventive step of claim 10 as ori­ginally filed was not explicitly discussed during the examining procedure, let alone, of course, present amended claim 1, that the appellant's arguments in fa­vour of inventive step were only made during the oral proceedings, and that the board could not estab­lish that the original search had covered present claim 1, the board exercised its dis­cre­tion under Article 111(1) EPC 1973 to remit the case to the department of first instance for further pro­secution.

Order

For these reasons it is decided that:

1. The decision under appeal is set aside.

2. The case is remitted to the examining division for further prosecution on the basis of auxiliary request 4, received on 6 June 2012.

Quick Navigation