DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claims 1-3 and 4-12 are pending in this office action.
Claim 4 cancelled and claim 12 is new added claim.
Examiner Note:
Examiner has cited particular columns and line numbers and/or figures in the references as applied to the claims for the convenience of the applicant.  Applicant is reminded that rejections are based on references as a whole and not just the cited passages.  Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested from the applicant, in preparing the responses, to fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the cited art (included in 892 form) or disclosed by the examiner.
Response to Arguments
Applicant's arguments filed 12/18/2020 have been fully considered but they are not persuasive. 
Argument is directed to new amendment, but let respond to such limitation. The argument is directed to rollback all the update applied to each ECU, if one of ECU update is not completed. While Ujiie update ECUs, Ujiie discloses the possibility of each ECUs to execute its original version if relation to an update failure is associated with 
Vangelov also is directed to update different control module of the vehicle and if all updates for each module are validated the update is activated. But if at least one module fail the validation , the other control units are reverted back to their original version even if the y are reactivated using their respective updated program due to compatibility issue between the controllers.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 

(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are
Place holders
functions
Claims
Update management device
manage
1, 9
Plurality of Electronic control units
execute
1
Switching unit
switch
1, 9, 10, 11
Requesting unit
request
1, 9, 10
Electronic control unit
prohibit
3
Electronic control unit
reactivate
5, 7, 8
Update management device
Execute updating, request to reactivate
12
Electronic control units
Receives, stores, updates, fails
12



If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

1-3, 5, and 9-12 are rejected under 35 U.S.C. 103 as being un-patentable over Ujiie et al (US PG-Pubs 2017/0192770) hereinafter “Ujiie” in view of Vangelov et al (USPG-Pubs 2016/0202966) hereinafter “Vangelov”.
As per claim 1, Ujiie disclose an updating system comprising: 
an update management device configured to manage updating of two or more programs among a plurality of programs for achieving a predetermined control
This element is interpreted under 35 U.S.C. 112(f) as the updating management device 100 of fig. 1, performing different function described in par [0022-0023] of the specification such as an update to the ECUs.
Ujiie teaches a gateway/ECU 300 disposed in the vehicle and perform function of updating the ECUs in [0074], [0058] and fig. 1.
Examiner interpretation:
[0074] “FIG. 3 is a configuration diagram of the gateway 300. The gateway 300 executes functions such as forwarding frames between buses, and communicating with the external server 500 (such as receiving FW update information for updating the firmware of the ECUs 100 a to 100 d or the like)”;
[0058] “The gateway 300 is a type of ECU that acts as a gateway device connecting the bus 200 a, to which the ECU 100 a, and the ECU 100 b are connected, and the bus 200 b, to which the ECU 100 c and the ECU 100 d are connected. The gateway 300 includes a function of forwarding a frame received from one bus to the other bus, and also includes a function of communicating with the server 500 via the network 400.

 and a plurality of electronic control units (ECUs) configured to execute the two or more programs:

Ujiie teaches a set of ECUs in [0057] each include a processor [0056] with different function (executing different programs) in a control system of vehicle in fig. 1.
Examiner interpretation.
[0057] "The ECUs 100 a to 100 d are connected to equipment such as an engine 101, a brake 102, a door open/close sensor 103, and a window open/close sensor 104, respectively, acquiring the respective states of the equipment and periodically transmitting frames indicating the states (data frames) to an in-vehicle network made up of devices such as the buses 200 a and 200 b"; See also [0056].
 wherein each of one or more ECUs of the plurality of ECUs includes: a storage unit that stores one or more un-updated programs and one or more updated programs based on updated data acquired by the update management device:
[0111] The FW update processing unit 166 updates (rewrites) the firmware inside the boot ROM of the ECU 100c based on FW data received from the gateway 300 and reported from the frame processing unit 150. The boot ROM is non-volatile memory set as a storage destination for firmware to be executed after a reset by the processor of the ECU 100c, for example. When updating the firmware inside the boot ROM, the FW update processing unit 166 stores (saves) the existing firmware in the FW cache storing unit 161, for example, to enable recovery to the pre-update state if the update fails. Additionally, the FW update processing unit 166 notifies the frame generating unit 180 to generate and transmit a frame indicating the update result of the firmware based on the FW data. 

and a switching unit (i) that switches one or more target programs to be executed by a corresponding one of the one or more ECUs of the plurality of ECUs from the one or more un-updated programs to the one or more updated programs:

Ujiie discloses firmware update processing unit 166/167 of figures 9/10 that switch the boot of the ECU from old program to new updated program [0147-0150]
Examiner interpretation:
 [0148] Next, the FW update processing unit 160 updates the firmware inside the boot ROM with the firmware (FW) in the FW data (step S1307), and reboots by resetting the processor of the ECU 100a (step S1308). 
[0149] The ECU 100a is preconfigured to boot from the contents of the FW cache storing unit 161 if booting from the boot ROM is unsuccessful”
[0150] If the reboot in step S1308 is successful, the ECU 100a transmits to the bus 200a a frame including an update result indicating that the firmware update succeeded,
 (ii) that switches the one or more target programs to be executed by the corresponding one of the one or more ECUs of the plurality of ECUs from the one or more updated programs to the one or more un-updated programs 
This element is interpreted under 35 U.S.C. 112(f) as a unit/module 323 of ECU 111 of fig. 3  performing the configuration  to revert to old  program[0072-0074] and not using the new updated program
Ujiie discloses firmware update processing unit 166/167 of figures 9/10 that switch the boot of the ECU from old program to new updated program [0147-0150]
Examiner interpretation:
 [0148] Next, the FW update processing unit 160 updates the firmware inside the boot ROM with the firmware (FW) in the FW data (step S1307), and reboots by resetting the processor of the ECU 100a (step S1308). 
[0149] The ECU 100a is preconfigured to boot from the contents of the FW cache storing unit 161 if booting from the boot ROM is unsuccessful, and thus if the reboot in step S1308 is unsuccessful (step S1309), the ECU 100a boots from the pre-
when the corresponding one of the one or more ECUs of the plurality of ECUs is requested by the update management device:
[0165] First, the gateway 300 requests the ECU whose firmware is to be updated, but which does not include the FW cache function, to transmit boot ROM data (the pre-update firmware inside the boot ROM) (step S1401a).
[0169] The ECU receiving the update ROM data updates the data inside the boot ROM with the update ROM data (step S1406), and reboots by resetting the processor of the ECU (step S1407). Note that when rebooting, the ECU is preconfigured to request retransmission of the boot ROM data if booting from the boot ROM is unsuccessful, and if the reboot in step S1407 is unsuccessful (step S1408), requests retransmission of the boot ROM data (step S1409a). Correspondingly, when the gateway 300 receives the request for retransmission of the boot ROM data (step S1409b), the gateway 300 transmits the boot ROM data stored in the FW cache storing unit 371 (step S1410a
…
the ECU receives the boot ROM data (step S1410b), updates the data inside the boot ROM with the boot ROM data (step S1406), reverts back to the original firmware, and reboots (step S1407). In step S1408, if the reboot is successful, the ECU ends the firmware update process. 

But not explicitly:
 and the update management device includes a requesting unit that requests switching the one or more target programs to be executed by an ECU that is included in the one or more ECUs of the plurality of ECUs and that has switched the one or more target programs from the one or more un-updated programs to the one or more updated programs from the one or more updated programs to the one or more un-updated programs, 

Vangelov discloses:
and the update management device includes a requesting unit that requests switching the one or more target programs to be executed by an ECU that is included in the one or more ECUs of the plurality of ECUs and that has switched the one or more target programs from the one or more un-updated programs to the one or more updated programs from the one or more updated programs to the one or more un-updated programs: 
This element is interpreted under 35 U.S.C. 112(f) as a unit/module 315 of management device 100 of fig. 3 performing to use old or new program.
Vanglev discloses a management devices 216 of fig 2 that perform the function of fig. 8 in switching ECU/modules to use the old software (pre-update program) .
Examiner interpretation:
[0109] At operation 805, it is determined if there are any control updates that are dependent on failed or unverified control update. If there are no control updates that are dependent on the failed control update, then the process 800 moved to operation 809. If there are control updates that depend on the failed control update, then these control updates revert to their prior versions. The process 800 then loops back to operation 805 to check for additional dependent updates that depend on any of the reverted updates. That is, if a first control update fails and a second control update depends on the first control update both the first and second controls remain or are changed back to their prior version. A third control update may depend on the second control update, which has no reverted to a prior version of the control. This third control update is now reverted to it prior version as this control 
when the storage unit of at least one of the one or more ECUs of the plurality of ECUs fails to store at least a part of corresponding one or more updated programs, or when the switching unit of at least one of the one or more ECUs of the plurality of ECUs fails to switch to the corresponding one or more updated programs.
[0107]” When there are multiple control updates, the verification is performed on all control updates. If all of the control updates are verified, then the process 800 reports the positive verification for all control updates to the server 210 at operation 809. If at least one control update fails verification, then process 800 moves to operation 803. 
[0108] At operation 803, the activation of the failed control update is stopped and will go active in the vehicle. The failed control update will not be used to control any module in the vehicle. 
Examiner interpretation: Vangelov also discloses that each ECU module has 2 storage as in fig. 2
 
It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate teaching of Vangelov into teaching of Ujiie to have the ability for the vehicle to completely revert an entire vehicle (ECUs/VMs) release in the event of a catastrophic error to the previous version., thus ensuring that the system is running as expected using a same/compatible software between different units. 

As per claim 2, the rejection of claim 12 is incorporated and furthermore Ujiie discloses:
Wherein the updating management device including a central processing unit is configured to notify the electronic control units:
 [0180] “The gateway 1300 specifies the ECU whose firmware is to be updated from the ECU-ID of the FW data in the FW update information in step S1203, references the list of ECU information stored by the ECU information storing unit 372 (see FIG. 6), and determines whether or not the ECU to update includes the signature verification function (step S1204).

Of starting requests for requesting that the electronic control units respectively start predetermined controls using the updated programs when corresponding stored update results indicate that the updating of the programs in the electronic control units is completed:
[0147] “If the verification of the FW data signature is successful, the FW update processing unit 160 saves the firmware, that is, the contents of the boot ROM in the ECU 100 a, by copying the firmware to the FW cache storing unit 161 (step S1306).
[0148] “Next, the FW update processing unit 160 updates the firmware inside the boot ROM with the firmware (FW) in the FW data (step S1307), and reboots by resetting the processor of the ECU 100 a (step S1308).

 And respectively start the predetermined controls using the updated programs according to the notified starting requests:
[0111]” The boot ROM is non-volatile memory set as a storage destination for firmware to be executed after a reset by the processor of the ECU 100 c, for example”;
[0150] “If the reboot in step S1308 is successful, the ECU 100 a transmits to the bus 200 a, a frame including an that the firmware update succeeded, whereas if the reboot in step S1308 is unsuccessful, after step S1311, the ECU 100 a transmits to the bus 200 a, a frame including an update result indicating that the firmware update failed (step S1312). Consequently, the firmware update result is reported to the gateway 300.

As per claim 3, the rejection of claim 2 is incorporated and furthermore Ujiie does not explicitly discloses:
Wherein the electronic control unit is configured to prohibit the predetermined control using the updated program until the starting request to be transmitted from the updating management device is received;
Vangelov disclose:
Wherein the electronic control unit is configured to prohibit the predetermined control using the updated program until the starting request to be transmitted from the updating management device is received;
This element is interpreted under 35 U.S.C. 112(f) as the ECUs 111 a-112b of fig. 1 each performing different function but not using them under the management device request.
Vangelov discloses a set of vehicle module 202 in fig. 2 and that are prohibited from using the update until the management 216 executing steps of fig. 5 request to do so.
Examiner interpretation:
[0095] At operation 516, the activation of the controls is determined, which can include checking to determine if the downloaded control is operable with other currently running controls or requires an update of another control. If the downloaded control requires an update to another control, then the downloaded control is flagged to not be operated until the control is updated.


As per claim 5, the rejection of claim 2 is incorporated and furthermore Ujiie discloses:
Wherein the electronic control unit is configured to reactivate the electronic control unit by using the un-updated program stored in the first storage region when the switching request is received from the updating management device after the electronic control unit is reactivated by using the updated program:
This element is interpreted under 35 U.S.C. 112(f) as a unit/module 323 of ECU 111 of fig. 3  performing the configuration  to use the new update instead of old  program or vis-versa [0072-0074]
Ujiie discloses firmware update processing unit 166/167 of figures 9/10 that switch the boot of the ECU from old program to new updated program or vis-versa [0147-0150]
Examiner interpretation:

[0160]The ECU 100 c is preconfigured to boot from the contents of the FW cache storing unit 161 if booting from the boot ROM is unsuccessful, and thus if the reboot in step S1308 is unsuccessful (step S1309), the ECU 100 c boots from the pre-update firmware saved in the FW cache storing unit 161 (step S1310). Subsequently, under the control of the pre-update 161 is copied to the boot ROM, thereby reverting the contents of the boot ROM back to the pre-update state (step S1311).
[0169] “Note that when rebooting, the ECU is preconfigured to request retransmission of the boot ROM data if booting from the boot ROM is unsuccessful, and if the reboot in step S1407 is unsuccessful (step S1408), requests retransmission of the boot ROM data (step S1409a). Correspondingly, when the gateway 300 receives the request for retransmission of the boot ROM data (step S1409b), the gateway 300 transmits the boot ROM data stored in the FW cache storing unit 371 (step S1410a). Consequently, the ECU receives the boot ROM data (step S1410b), updates the data inside the boot ROM with the boot ROM data (step S1406), reverts back to the original firmware, and reboots (step S1407). In step S1408, if the reboot is successful, the ECU ends the firmware update process.”

As per claim 9, Ujiie discloses an electronic control unit (ECU) of an updating system that updates two or more programs executed by a plurality of ECUs that 115628.0000008 EMFUS 82552955v4PATENTU.S. Application No. 16/159,117 Attorney Docket No. 115628.0000008perform a predetermined control:
[0074] “FIG. 3 is a configuration diagram of the gateway 300. The gateway 300 executes functions such as forwarding frames between buses, and communicating with the external server 500 (such as receiving FW update information for updating the firmware of the ECUs 100 a to 100 d or the like)”;
[0056] “For example, by having the processor operate by following the control program (computer program), the ECU realizes various functions”;

 wherein an update management device is configured to manage updating of the two or more programs among a plurality of programs for achieving the predetermined control:
This element is interpreted under 35 U.S.C. 112(f) as the updating management device 100 of fig. 1, performing different 
Ujiie teaches a gateway/ECU 300 disposed in the vehicle and perform function of updating the ECUs in [0074], [0058] and fig. 1.
Examiner interpretation:
[0074] “FIG. 3 is a configuration diagram of the gateway 300. The gateway 300 executes functions such as forwarding frames between buses, and communicating with the external server 500 (such as receiving FW update information for updating the firmware of the ECUs 100 a to 100 d or the like)”;
[0058] “The gateway 300 is a type of ECU that acts as a gateway device connecting the bus 200 a, to which the ECU 100 a, and the ECU 100 b are connected, and the bus 200 b, to which the ECU 100 c and the ECU 100 d are connected. The gateway 300 includes a function of forwarding a frame received from one bus to the other bus, and also includes a function of communicating with the server 500 via the network 400.
the ECU comprising: a storage unit that stores one or more un-updated programs and one or more updated programs based on updated data acquired by the update management device,
[0111] The FW update processing unit 166 updates (rewrites) the firmware inside the boot ROM of the ECU 100c based on FW data received from the gateway 300 and reported from the frame processing unit 150. The boot ROM is non-volatile memory set as a storage destination for firmware to be executed after a reset by the processor of the ECU 100c, for example. When updating the firmware inside the boot ROM, the FW update processing unit 166 stores (saves) the existing firmware in the FW cache storing unit 161, for example, to enable recovery to the pre-update state if the update fails. Additionally, the FW update processing unit 166 notifies the frame generating unit 180 to generate and transmit a frame indicating the update result of the firmware based on the FW data. 

This element is interpreted under 35 U.S.C. 112(f) as a unit/module 323 of ECU 111 of fig. 3  performing the configuration  to use the new update instead of old  program[0072-0074]
Ujiie discloses firmware update processing unit 166/167 of figures 9/10 that switch the boot of the ECU from old program to new updated program [0147-0150]
Examiner interpretation:
 [0148] Next, the FW update processing unit 160 updates the firmware inside the boot ROM with the firmware (FW) in the FW data (step S1307), and reboots by resetting the processor of the ECU 100a (step S1308). 
[0149] The ECU 100a is preconfigured to boot from the contents of the FW cache storing unit 161 if booting from the boot ROM is unsuccessful”
[0150] If the reboot in step S1308 is successful, the ECU 100a transmits to the bus 200a a frame including an update result indicating that the firmware update succeeded,
 
(ii) that switches the one or more target programs to be executed by the corresponding one of the one or more ECUs of the plurality of ECUs from the one or more updated programs to the one or more un-updated programs
This element is interpreted under 35 U.S.C. 112(f) as a unit/module 323 of ECU 111 of fig. 3  performing the configuration  to revert to old  program[0072-0074] and not using the new updated program
Ujiie discloses firmware update processing unit 166/167 of figures 9/10 that switch the boot of the ECU from old program to new updated program [0147-0150]
Examiner interpretation:

[0149] The ECU 100a is preconfigured to boot from the contents of the FW cache storing unit 161 if booting from the boot ROM is unsuccessful, and thus if the reboot in step S1308 is unsuccessful (step S1309), the ECU 100a boots from the pre-update firmware saved in the FW cache storing unit 161 (step S1310). Subsequently, under the control of the pre-update firmware, the pre-update firmware saved in the FW cache storing unit 161 is copied to the boot ROM, thereby reverting the contents of the boot ROM back to the pre-update state (step S1311). 
when the corresponding one of the one or more ECUs of the plurality of ECUs is requested by the update management device:
[0165] First, the gateway 300 requests the ECU whose firmware is to be updated, but which does not include the FW cache function, to transmit boot ROM data (the pre-update firmware inside the boot ROM) (step S1401a).
[0169] The ECU receiving the update ROM data updates the data inside the boot ROM with the update ROM data (step S1406), and reboots by resetting the processor of the ECU (step S1407). Note that when rebooting, the ECU is preconfigured to request retransmission of the boot ROM data if booting from the boot ROM is unsuccessful, and if the reboot in step S1407 is unsuccessful (step S1408), requests retransmission of the boot ROM data (step S1409a). Correspondingly, when the gateway 300 receives the request for retransmission of the boot ROM data (step S1409b), the gateway 300 transmits the boot ROM data stored in the FW cache storing unit 371 (step S1410a
…
the ECU receives the boot ROM data (step S1410b), updates the data inside the boot ROM with the boot ROM data (step S1406), reverts back to the original firmware, and reboots (step S1407). In step S1408, if the reboot is successful, the ECU ends the firmware update process. 

But not explicitly:

 when the storage unit of at least one of the one or more ECUs of the plurality of ECUs fails to store at least a part of corresponding one or more updated programs, or when the switching unit of at least one of the one or more ECUs of the plurality of ECUs fails to switch to the corresponding one or more updated programs.
Vangelov discloses:
wherein the update management device includes a requesting unit that requests switching the one or more target programs to be executed by an ECU that is included in the one or more ECUs of the plurality of ECUs and that has switched the one or more target programs from the one or more un-updated programs to the one or more updated programs from the one or more updated programs to the one or more un-updated programs:
This element is interpreted under 35 U.S.C. 112(f) as a unit/module 315 of management device 100 of fig. 3 performing to use old or new program.
Vanglev discloses a management devices 216 of fig 2 that perform the function of fig. 8 in switching ECU/modules to use the old software (pre-update program).
Examiner interpretation:
[0109] At operation 805, it is determined if there are any control updates that are dependent on failed or unverified control update. If there are no control updates that are updates revert to their prior versions. The process 800 then loops back to operation 805 to check for additional dependent updates that depend on any of the reverted updates. That is, if a first control update fails and a second control update depends on the first control update both the first and second controls remain or are changed back to their prior version. A third control update may depend on the second control update, which has no reverted to a prior version of the control. This third control update is now reverted to it prior version as this control update depends on a version of the second control update not now being used in the vehicle. This loop can iterate until there are no further depended control and then report the status of the control(s) and control update(s) to the server 210 at operation 809. Thereafter, the process 800 can end.

when the storage unit of at least one of the one or more ECUs of the plurality of ECUs fails to store at least a part of corresponding one or more updated programs, or when the switching unit of at least one of the one or more ECUs of the plurality of ECUs fails to switch to the corresponding one or more updated programs.
[0107]” When there are multiple control updates, the verification is performed on all control updates. If all of the control updates are verified, then the process 800 reports the positive verification for all control updates to the server 210 at operation 809. If at least one control update fails verification, then process 800 moves to operation 803. 
[0108] At operation 803, the activation of the failed control update is stopped and will go active in the vehicle. The failed control update will not be used to control any module in the vehicle. 
Examiner interpretation: Vangelov also discloses that each ECU module has 2 storage as in fig. 2
 


 As per claim 10, Ujiie teaches an updating management device that manages updating of two or more programs among a plurality of programs for achieving a predetermined control, the two or more program being executed by a plurality of electronic control units (ECUs):
[0009]” In one general aspect, the techniques disclosed here feature a gateway device connected via one or more buses to a plurality of electronic controllers on-board a vehicle, the gateway device comprising: one or more memories; and circuitry, that in operation, receives firmware update information from an external device external to the vehicle, the firmware update information including updated firmware to be applied to a first electronic controller from among the plurality of electronic controllers”;
[0054] “The firmware update method is a method for updating the firmware (FW) installed in each ECU on-board a vehicle to new, updated firmware (in other words, replacing the firmware with updated firmware) delivered from a server located externally to the vehicle”.
 
each having a storage unit  which stores an one or more un-updated programs and one or more updated programs based on updated data acquired by the update management device:
inside the boot ROM of the ECU 100c based on FW data received from the gateway 300 and reported from the frame processing unit 150. The boot ROM is non-volatile memory set as a storage destination for firmware to be executed after a reset by the processor of the ECU 100c, for example. When updating the firmware inside the boot ROM, the FW update processing unit 166 stores (saves) the existing firmware in the FW cache storing unit 161, for example, to enable recovery to the pre-update state if the update fails. Additionally, the FW update processing unit 166 notifies the frame generating unit 180 to generate and transmit a frame indicating the update result of the firmware based on the FW data. 
and the plurality of ECUs each having a switching unit (i) that switches one or more target programs to be executed by a corresponding one of one or more ECUs of the plurality of ECUs from the one or more un-updated programs to the one or more updated programs:
This element is interpreted under 35 U.S.C. 112(f) as a unit/module 323 of ECU 111 of fig. 3  performing the configuration  to use the new update instead of old  program[0072-0074]
Ujiie discloses firmware update processing unit 166/167 of figures 9/10 that switch the boot of the ECU from old program to new updated program [0147-0150]
Examiner interpretation:
 [0148] Next, the FW update processing unit 160 updates the firmware inside the boot ROM with the firmware (FW) in the FW data (step S1307), and reboots by resetting the processor of the ECU 100a (step S1308). 
[0149] The ECU 100a is preconfigured to boot from the contents of the FW cache storing unit 161 if booting from the boot ROM is unsuccessful”
[0150] If the reboot in step S1308 is successful, the ECU 100a transmits to the bus 200a a frame including an update result indicating that the firmware update succeeded”;


This element is interpreted under 35 U.S.C. 112(f) as a unit/module 323 of ECU 111 of fig. 3  performing the configuration  to revert to old  program[0072-0074] and not using the new updated program
Ujiie discloses firmware update processing unit 166/167 of figures 9/10 that switch the boot of the ECU from old program to new updated program [0147-0150]
Examiner interpretation:
 [0148] Next, the FW update processing unit 160 updates the firmware inside the boot ROM with the firmware (FW) in the FW data (step S1307), and reboots by resetting the processor of the ECU 100a (step S1308). 
[0149] The ECU 100a is preconfigured to boot from the contents of the FW cache storing unit 161 if booting from the boot ROM is unsuccessful, and thus if the reboot in step S1308 is unsuccessful (step S1309), the ECU 100a boots from the pre-update firmware saved in the FW cache storing unit 161 (step S1310). Subsequently, under the control of the pre-update firmware, the pre-update firmware saved in the FW cache storing unit 161 is copied to the boot ROM, thereby reverting the contents of the boot ROM back to the pre-update state (step S1311). 
 when the corresponding one of the one or more ECUs of the plurality of ECUs is requested by the update management device:
[0165] First, the gateway 300 requests the ECU whose firmware is to be updated, but which does not include the FW cache function, to transmit boot ROM data (the pre-update firmware inside the boot ROM) (step S1401a).
[0169] The ECU receiving the update ROM data updates the data inside the boot ROM with the update ROM data (step S1406), and reboots by resetting the processor of the ECU (step S1407). Note that when rebooting, the ECU is preconfigured to request retransmission of the boot ROM data if booting from the boot ROM is unsuccessful, and if the reboot in step S1407 is unsuccessful (step S1408), requests retransmission of the boot ROM data (step S1409a). Correspondingly, when the gateway 300 receives the request for retransmission of the boot ROM data (step S1409b), the gateway 300 transmits the boot ROM data stored in the FW cache storing unit 371 (step S1410a
…
the ECU receives the boot ROM data (step S1410b), updates the data inside the boot ROM with the boot ROM data (step S1406), reverts back to the original firmware, and reboots (step S1407). In step S1408, if the reboot is successful, the ECU ends the firmware update process. 

But not explicitly:
 the updating management device comprising a requesting unit that requests switching the one or more target programs to be executed by an ECU that is included in the one or more ECUs of the plurality of ECUs and that has switched the one or more target programs from the one or more un-updated programs to the one or more updated programs from the one or more updated programs to the one or more un-updated programs, when the storage unit of at least one of the one or more ECUs of the plurality of ECUs fails to store at least a part of corresponding one or more updated programs, or when the switching unit of at least one of the one or more ECUs of the plurality of ECUs fails to switch to the corresponding one or more updated programs.
Vangelov discloses:
the updating management device comprising a requesting unit that requests switching the one or more target programs to be executed by an ECU that is included in the one or more ECUs of the plurality of ECUs and that has switched the one or more target programs from the one or more un-updated programs to the one or more updated programs from the one or more updated programs to the one or more un-updated programs:

Vanglev discloses a management devices 216 of fig 2 that perform the function of fig. 8 in switching ECU/modules to use the old software (pre-update program).
Examiner interpretation:
[0109] At operation 805, it is determined if there are any control updates that are dependent on failed or unverified control update. If there are no control updates that are dependent on the failed control update, then the process 800 moved to operation 809. If there are control updates that depend on the failed control update, then these control updates revert to their prior versions. The process 800 then loops back to operation 805 to check for additional dependent updates that depend on any of the reverted updates. That is, if a first control update fails and a second control update depends on the first control update both the first and second controls remain or are changed back to their prior version. A third control update may depend on the second control update, which has no reverted to a prior version of the control. This third control update is now reverted to it prior version as this control update depends on a version of the second control update not now being used in the vehicle. This loop can iterate until there are no further depended control and then report the status of the control(s) and control update(s) to the server 210 at operation 809. Thereafter, the process 800 can end.
when the storage unit of at least one of the one or more ECUs of the plurality of ECUs fails to store at least a part of corresponding one or more updated programs, or when the switching unit of at least one of the one or more ECUs of the plurality of ECUs fails to switch to the corresponding one or more updated programs.
[0107]” When there are multiple control updates, the verification is performed on all control updates. If all of the control updates are verified, then the process 800 reports the positive verification for all control updates to the server 210 at operation 809. If at least one control update fails verification, then process 800 moves to operation 803. 
[0108] At operation 803, the activation of the failed control update is stopped and will go active in the vehicle. The 
Examiner interpretation: Vangelov also discloses that each ECU module has 2 storage as in fig. 2
It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate teaching of Vangelov into teaching of Ujiie to have the ability for the vehicle to completely revert an entire vehicle (ECUs/VMs) release in the event of a catastrophic error to the previous version., thus ensuring that the system is running as expected using a same/compatible software between different units. 

As per claim 11, Ujiie teaches an updating management method in an updating system that includes a plurality of electronic control units (ECUs):
[0054] “The firmware update method is a method for updating the firmware (FW) installed in each ECU on-board a vehicle to new, updated firmware (in other words, replacing the firmware with updated firmware) delivered from a server located externally to the vehicle.
each having a storage unit which stores one or more un-updated programs and one or more updated programs based on updated data acquired by an update management device:
[0111]: The FW update processing unit 166 updates (rewrites) the firmware inside the boot ROM of the ECU 100 c based on FW data received from the gateway 300 and reported from the frame processing unit 150. The boot ROM is non-volatile memory set as a storage destination for firmware to be executed after a reset by the processor of the ECU 100 c, for example. When updating the firmware inside the boot ROM, the FW update processing unit 166 stores (saves) the existing firmware in the FW cache storing unit 161, for example, to enable recovery to the pre-update state if the update fails. Additionally, the FW update processing unit 166 notifies the frame generating unit 180 to generate and transmit a frame indicating the update result of the firmware based on the FW data:
 the updating management device which manages updating of two or more programs among a plurality of programs for achieving a predetermined control:
[0009]” In one general aspect, the techniques disclosed here feature a gateway device connected via one or more buses to a plurality of electronic controllers on-board a vehicle, the gateway device comprising: one or more memories; and circuitry, that in operation, receives firmware update information from an external device external to the vehicle, the firmware update information including updated firmware to be applied to a first electronic controller from among the plurality of electronic controllers”;
the two or more programs being executed by the plurality of ECUs :
[0056] “For example, by having the processor operate by following the control program (computer program), the ECU realizes various functions. Note that the computer program herein is made up of a plural combination of instruction codes indicating commands to the processor in order to achieve a designated function. Note that the firmware may also include all or some of the microcode for command interpretation in the processor.
[0057] "The ECUs 100 a to 100 d are connected to equipment such as an engine 101, a brake 102, a door open/close sensor 103, and a window open/close sensor 104, respectively, acquiring the respective states of the equipment and periodically transmitting frames indicating the states (data frames) to an in-vehicle network made up of devices such as the buses 200 a and 200 b";

and the plurality of ECUs each having a switching unit (i) that switches one or more target programs to be executed by a corresponding one of one or more ECUs of the plurality of ECUs from the one or more un-updated programs to the one or more updated programs:

Ujiie discloses firmware update processing unit 166/167 of figures 9/10 that switch the boot of the ECU from old program to new updated program [0147-0150]
Examiner interpretation:
 [0148] Next, the FW update processing unit 160 updates the firmware inside the boot ROM with the firmware (FW) in the FW data (step S1307), and reboots by resetting the processor of the ECU 100a (step S1308). 
[0149] The ECU 100a is preconfigured to boot from the contents of the FW cache storing unit 161 if booting from the boot ROM is unsuccessful”
[0150] If the reboot in step S1308 is successful, the ECU 100a transmits to the bus 200a a frame including an update result indicating that the firmware update succeeded,
 
 (ii) that switches the one or more target programs to be executed by the corresponding one of the one or more ECUs of the plurality of ECUs from the one or more updated programs to the one or more un-updated program:
[0148] Next, the FW update processing unit 160 updates the firmware inside the boot ROM with the firmware (FW) in the FW data (step S1307), and reboots by resetting the processor of the ECU 100a (step S1308). 
[0149] The ECU 100a is preconfigured to boot from the contents of the FW cache storing unit 161 if booting from the boot ROM is unsuccessful, and thus if the reboot in step S1308 is unsuccessful (step S1309), the ECU 100a boots from the pre-update firmware saved in the FW cache storing unit 161 (step S1310). Subsequently, under the control of the pre-update firmware, the pre-update firmware saved in the FW cache storing unit 161 is copied
 when the corresponding one of the one or more ECUs of the plurality of ECUs is requested by the update management device, 
the gateway 300 requests the ECU whose firmware is to be updated, but which does not include the FW cache function, to transmit boot ROM data (the pre-update firmware inside the boot ROM) (step S1401a).
[0169] The ECU receiving the update ROM data updates the data inside the boot ROM with the update ROM data (step S1406), and reboots by resetting the processor of the ECU (step S1407). Note that when rebooting, the ECU is preconfigured to request retransmission of the boot ROM data if booting from the boot ROM is unsuccessful, and if the reboot in step S1407 is unsuccessful (step S1408), requests retransmission of the boot ROM data (step S1409a). Correspondingly, when the gateway 300 receives the request for retransmission of the boot ROM data (step S1409b), the gateway 300 transmits the boot ROM data stored in the FW cache storing unit 371 (step S1410a
…
the ECU receives the boot ROM data (step S1410b), updates the data inside the boot ROM with the boot ROM data (step S1406), reverts back to the original firmware, and reboots (step S1407). In step S1408, if the reboot is successful, the ECU ends the firmware update process. 
the updating management method comprising: storing in the storage unit the one or more un-updated programs and the one or more updated programs based on the updated data acquired by the update management device:
[0111]: The FW update processing unit 166 updates (rewrites) the firmware inside the boot ROM of the ECU 100 c based on FW data received from the gateway 300 and reported from the frame processing unit 150. The boot ROM is non-volatile memory set as a storage destination for firmware to be executed after a reset by the processor of the ECU 100 c, for example. When updating the firmware inside the boot ROM, the FW update processing unit 166 stores (saves) the existing firmware in the FW cache storing unit 161, for example, to enable recovery to the pre-update state if the update fails. Additionally, the FW update processing unit 166 notifies the frame generating unit 180 to generate and transmit a frame indicating the update result of the firmware based on the FW data:
switching by the switching unit the one or more target programs to be executed by the corresponding one of the one or more ECUs of the plurality of ECUs from the one or more un- updated programs to the one or more updated programs;

[0149] The ECU 100a is preconfigured to boot from the contents of the FW cache storing unit 161 if booting from the boot ROM is unsuccessful”
[0150] If the reboot in step S1308 is successful, the ECU 100a transmits to the bus 200a a frame including an update result indicating that the firmware update succeeded,
But not explicitly:
 requesting by the requesting unit switching the one or more target programs to be executed by an ECU that is included in the one or more ECUs of the plurality of ECUs and that has switched the one or more target programs from the one or more un-updated programs to the one or more updated programs from the one or more updated programs to the one or more un-updated programs:
when the storage unit of at least one of the one or more ECUs of the plurality of ECUs fails to store at least a part of corresponding one or more updated programs, or when the switching unit of at least one of the one or more ECUs of the plurality of ECUs fails to switch to the corresponding one or more updated programs;
and switching, by the switching unit, the one or more target programs to be executed by the corresponding one of the one or more ECUs of the plurality of ECUs from the one or more updated programs to the one or more un-updated programs when the corresponding one of the one or more ECUs of the plurality of ECUs is requested by the update management device:
Vangelov discloses:


[0109] At operation 805, it is determined if there are any control updates that are dependent on failed or unverified control update. If there are no control updates that are dependent on the failed control update, then the process 800 moved to operation 809. If there are control updates that depend on the failed control update, then these control updates revert to their prior versions. The process 800 then loops back to operation 805 to check for additional dependent updates that depend on any of the reverted updates. That is, if a first control update fails and a second control update depends on the first control update both the first and second controls remain or are changed back to their prior version. A third control update may depend on the second control update, which has no reverted to a prior version of the control. This third control update is now reverted to it prior version as this control update depends on a version of the second control update not now being used in the vehicle. This loop can iterate until there are no further depended control and then report the status of the control(s) and control update(s) to the server 210 at operation 809. Thereafter, the process 800 can end.
when the storage unit of at least one of the one or more ECUs of the plurality of ECUs fails to store at least a part of corresponding one or more updated programs, or when the switching unit of at least one of the one or more ECUs of the plurality of ECUs fails to switch to the corresponding one or more updated programs;
[0107]” When there are multiple control updates, the verification is performed on all control updates. If all of the control updates are verified, then the process 800 reports the positive verification for all control updates to the server 210 at operation 809. If at least one control update fails verification, then process 800 moves to operation 803. 

Examiner interpretation: Vangelov also discloses that each ECU module has 2 storage as in fig. 2
 and switching, by the switching unit, the one or more target programs to be executed by the corresponding one of the one or more ECUs of the plurality of ECUs from the one or more updated programs to the one or more un-updated programs when the corresponding one of the one or more ECUs of the plurality of ECUs is requested by the update management device:
[0109] At operation 805, it is determined if there are any control updates that are dependent on failed or unverified control update. If there are no control updates that are dependent on the failed control update, then the process 800 moved to operation 809. If there are control updates that depend on the failed control update, then these control updates revert to their prior versions. The process 800 then loops back to operation 805 to check for additional dependent updates that depend on any of the reverted updates. That is, if a first control update fails and a second control update depends on the first control update both the first and second controls remain or are changed back to their prior version. A third control update may depend on the second control update, which has no reverted to a prior version of the control. This third control update is now reverted to it prior version as this control update depends on a version of the second control update not now being used in the vehicle. This loop can iterate until there are no further depended control and then report the status of the control(s) and control update(s) to the server 210 at operation 809. Thereafter, the process 800 can end.
It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate teaching of Vangelov into teaching of Ujiie to 
 As per claim 12, Ujiie discloses a vehicle system comprising: 
a plurality of electronic control units (ECUs):
[0057] "The ECUs 100 a to 100 d are connected to equipment such as an engine 101, a brake 102, a door open/close sensor 103, and a window open/close sensor 104, respectively, acquiring the respective states of the equipment and periodically transmitting frames indicating the states (data frames) to an in-vehicle network made up of devices such as the buses 200 a and 200 b"; See also [0056].
 and an update management device which executes updating of programs of the ECUs:
This element is interpreted under 35 U.S.C. 112(f) as the updating management device 100 of fig. 1, performing different function described in par [0022-0023] of the specification such as an update to the ECUs.
Ujiie teaches a gateway/ECU 300 disposed in the vehicle and perform function of updating the ECUs in [0074], [0058] and fig. 1.
Examiner interpretation:
[0074] “FIG. 3 is a configuration diagram of the gateway 300. The gateway 300 executes functions such as forwarding frames between buses, and communicating with the external server 500 (such as receiving FW update information for updating the firmware of the ECUs 100 a to 100 d or the like)”;
is a type of ECU that acts as a gateway device connecting the bus 200 a, to which the ECU 100 a, and the ECU 100 b are connected, and the bus 200 b, to which the ECU 100 c and the ECU 100 d are connected. The gateway 300 includes a function of forwarding a frame received from one bus to the other bus, and also includes a function of communicating with the server 500 via the network 400.

 wherein each of the ECUs receives an updated program from the update management device based on updated information acquired by the update management device from a management server:
This element is interpreted under 35 U.S.C. 112(f) as the ECUs 111 a-112b of fig. 1 each performing different function by executing different programs described in par [0096-100] of the specification.
Ujiie teaches a set of ECUs in [0057] each include a processor [0056] that receive the update from the management device (gateway) [0169].
Examiner interpretation.
[0169] The ECU receiving the update ROM data updates the data inside the boot ROM with the update ROM data (step S1406), and reboots by resetting the processor of the ECU (step S1407).
[0054]”The firmware update method is a method for updating the firmware (FW) installed in each ECU on-board a vehicle to new, updated firmware (in other words, replacing the firmware with updated firmware) delivered from a server located externally to the vehicle. In the in-vehicle network system 10, the firmware update method is used so that when an ECU conducts a firmware update, the gateway device executes a process necessary for conducting a suitable firmware update safely (such as a signature verification process, for example) instead of an ECU unable to execute the process.

 and stores the updated program based on the updated information acquired by the update management device from the management server:

Ujiie teaches a set of ECUs in [0057] each include a processor [0056] that receive the update from the management device (gateway) and store the program in its storage[0111].
Examiner interpretation:
[0111] The FW update processing unit 166 updates (rewrites) the firmware inside the boot ROM of the ECU 100c based on FW data received from the gateway 300 and reported from the frame processing unit 150. The boot ROM is non-volatile memory set as a storage destination for firmware to be executed after a reset by the processor of the ECU 100c, for example. When updating the firmware inside the boot ROM, the FW update processing unit 166 stores (saves) the existing firmware in the FW cache storing unit 161, for example, to enable recovery to the pre-update state if the update fails. Additionally, the FW update processing unit 166 notifies the frame generating unit 180 to generate and transmit a frame indicating the update result of the firmware based on the FW data. 

 each of the ECUs updates boot information so as to activate using the updated program, and is activated using the updated program according to the boot information:
This element is interpreted under 35 U.S.C. 112(f) as the ECUs 111 a-112b of fig. 1 each performing different function by executing different programs described in par [0096-101] of the specification.
Ujiie teaches a set of ECUs in [0057] each include a processor [0056] that receive the update from the management device (gateway) and store the program in its storage[0111] and updates the boot information [0148].
Examiner interpretation.
[0148] Next, the FW update processing unit 160 updates the firmware inside the boot ROM with the firmware (FW) in the FW data (step S1307), and reboots by resetting the processor of the ECU 100a (step S1308)”
is successful, the ECU 100a transmits to the bus 200a a frame including an update result indicating that the firmware update succeeded, whereas if the reboot in step S1308 is unsuccessful, after step S1311, the ECU 100a transmits to the bus 200a a frame including an update result indicating that the firmware update failed (step S1312). Consequently, the firmware update result is reported to the gateway 300”
See also [0109] and [0111].

But not explicitly:

Attorney Docket No. 115628.0000008 the update management device requests to reactivate one or more ECUs among the plurality of ECUs in which activation has been completed by using the updated program with an un-updated program:
 in a case where the other ECUs among the plurality of ECUs fail to update the corresponding boot information in a state where the one or more ECUs among the plurality of ECUs in which activation has been completed by using the updated program exist,
 and the one or more ECUs among the plurality of ECUs in which the activation has been completed using the updated program are reactivated by a request of the update management device.
Vangelov discloses:
the update management device requests to reactivate one or more ECUs among the plurality of ECUs in which activation has been completed by using the updated program with an un-updated program:
This element is interpreted under 35 U.S.C. 112(f) as the updating management device 100 of fig. 1, performing different function described in par [0022-0023] of the specification such as an update to the ECUs.

Examiner interpretation.

[0109] At operation 805, it is determined if there are any control updates that are dependent on failed or unverified control update. If there are no control updates that are dependent on the failed control update, then the process 800 moved to operation 809. If there are control updates that depend on the failed control update, then these control updates revert to their prior versions. The process 800 then loops back to operation 805 to check for additional dependent updates that depend on any of the reverted updates. That is, if a first control update fails and a second control update depends on the first control update both the first and second controls remain or are changed back to their prior version. A third control update may depend on the second control update, which has no reverted to a prior version of the control. This third control update is now reverted to it prior version as this control update depends on a version of the second control update not now being used in the vehicle. This loop can iterate until there are no further depended control and then report the status of the control(s) and control update(s) to the server 210 at operation 809. Thereafter, the process 800 can end. 

 in a case where the other ECUs among the plurality of ECUs fail to update the corresponding boot information in a state where the one or more ECUs among the plurality of ECUs in which activation has been completed by using the updated program exist:
This element is interpreted under 35 U.S.C. 112(f) as the updating management device 100 of fig. 1, performing different 
Vangelov discloses an update management application 216 of fig. 1 executing steps of fig. 8 to activate the module(ECUs) 202 of fig. 2 with new update or old boot firmware.[0107].
Examiner interpretation:
[0107] “The verification can test the validity of the instructions in the control updates. In some instances the control updates may be dependent on another control or control update. When there are multiple control updates, the verification is performed on all control updates. If all of the control updates are verified, then the process 800 reports the positive verification for all control updates to the server 210 at operation 809. If at least one control update fails verification, then process 800 moves to operation 803”;

 and the one or more ECUs among the plurality of ECUs in which the activation has been completed using the updated program are reactivated by a request of the update management device:
[0109] At operation 805, it is determined if there are any control updates that are dependent on failed or unverified control update. If there are no control updates that are dependent on the failed control update, then the process 800 moved to operation 809. If there are control updates that depend on the failed control update, then these control updates revert to their prior versions. The process 800 then loops back to operation 805 to check for additional dependent updates that depend on any of the reverted updates. That is, if a first control update fails and a second control update depends on the first control update both the first and second controls remain or are changed back to their prior version. A third control update may depend on the second control update, which has no reverted to a prior version of the control. This third control update is now reverted to it prior version as this control update depends on a version of the second control update not now being used in the vehicle. This loop can iterate until there are no further depended control and then report the status of the 
It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate teaching of Vangelov into teaching of Ujiie to have the ability for the vehicle to completely revert an entire vehicle (ECUs/VMs) release in the event of a catastrophic error to the previous version., thus ensuring that the system is running as expected using a same/compatible software between different units. 

Claims 6-8  are rejected under 35 U.S.C. 103 as being un-patentable over Ujiie et al (US PG-Pubs 2017/0192770) hereinafter “Ujiie” in view of Vangelov et al (US PG-Pubs  2016/0202966) hereinafter “Vangelov” and  Duddles et al (USPG-Pubs 2007/0185624) hereinafter “Duddles”.
 
As per claim 6, the rejection of claim 1 is incorporated and furthermore, Ujiie discloses:
Wherein the electronic control units include a second electronic control unit that is mounted on the vehicle and is connected to a regular power supply of the vehicle:
[0095] “The ECU information stored by the ECU information storing unit 372 may be set during manufacturing, or may be acquired by the gateway 300 from an external device such as the server 500 when a supply of power to the gateway 300 is started, for example.

But not explicitly:
A first electronic control unit that is mounted on a vehicle and is connected to an ignition power supply of the vehicle;
Duddles discloses: 
A first electronic control unit that is mounted on a vehicle and is connected to an ignition power supply of the vehicle:
[0036] “In the illustrated embodiment, VSM 40 is resident on BCM 36 which is connected to receive the driver-controlled ignition key switch 42 as an input, and this ECU 36 controls operation of an ignition relay 44 to switch the vehicle ignition on and off. The switch 42 and relay 44 circuit arrangement shown is diagrammatic only and not intended to depict a complete ignition power control schematic. As is known by those skilled in the art, BCM 36 operates as the power mode master controlling the ignition power state (e.g., OFF, ACCESSORIES, RUN) using both the ignition key switch 42 input as well as other inputs to BCM 36.

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate teaching of Duddles into teaching of Ujiie to enable an update of the ECU that reflash its corresponding memory to anew and desirable state while certain condition are meet and hold during the update [Duddles [0014] ].


Wherein the second electronic controlTSN201705706US00 TFN170596-US 36unit is configured to reactivate the second electronic control unit by using the updated program in response to ignition-on of the vehicle after the updated program is stored in the second storage regions;
Duddles discloses:
Wherein the second electronic controlTSN201705706US00 TFN170596-US 36unit is configured to reactivate the second electronic control unit by using the updated program in response to ignition-on of the vehicle after the updated program is stored in the second storage region:
Duddles discloses;
Wherein the second electronic controlTSN201705706US00 TFN170596-US 36unit is configured to reactivate the second electronic control unit by using the updated program in response to ignition-on of the vehicle after the updated program is stored in the second storage region:
This element is interpreted under 35 U.S.C. 112(f) as a unit/module 323 of ECU 111 of fig. 3  performing the configuration  to use the new update instead of old  program or vis-versa [0072-0074] and  [0143].
Duddles discloses VSM(ECU) and sets of ECUs  of gig. 1 to be reactivate after ignition using steps of fig.2 and [0039].
Examiner interpretation.
[0039] “here are a number of different types of actions that can be taken by the VSM 40 in implementing the vehicle hold state. For example, in terms of controllable vehicle conditions, VSM 40 can, for example, activate the ignition relay 44 and take over control of the power mode, ignoring certain vehicle or operator inputs such as ignition key switch position, transmission of a remote start signal, vehicle headlight switch position, valet key use, etc. VSM 40 can also, for example, take over control of the VLAN 34, inhibiting other uses of it that might conflict with the reprogramming operation.
72 by the telematics unit to ECU #3 that is undergoing reprogramming, although this step can be performed earlier and/or the programming can be passed through to ECU #3 via another route. ECU #3 is then reflashed 74 and, once completed, the telematics unit sends a completion message to VSM 40 at step 76, following which VSM 40 ends its hold state 78. The vehicle can then be operated normally with its newly programmed ECU #3. As will be appreciated, this reflash process can be used to reprogram more than one ECU at a time or can be repeated sequentially for each ECU to be programmed”
  
It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate teaching of Duddles into teaching of Ujiie to enable an update of the ECU that reflash its corresponding memory to anew and desirable state while certain condition are meet and hold during the update [Duddles [0014] ].

As per claim 8, the rejection of claim 6 is incorporated and furthermore Ujiie and Duddles discloses:
wherein the first electronic control unit and the second electronic control unit are configured to respectively reactivate the first electronic control unit and the second electronic control unit by using the updated programs according to switching instructions transmitted from the updating management device after the updated programs are stored in the respective second storage regions:
This element is interpreted under 35 U.S.C. 112(f) as a unit/module 323 of ECU 111 of fig. 3  performing the 
Duddles discloses VSM(ECU) and sets of ECUs  of gig. 1 to be reactivate after ignition using steps of fig.2 and [0038] based on update received.
Examiner interpretation:
Duddles[0038] “Once the hold state has been initiated, the new programming is sent 72 by the telematics unit to ECU #3 that is undergoing reprogramming, although this step can be performed earlier and/or the programming can be passed through to ECU #3 via another route. ECU #3 is then reflashed 74 and, once completed, the telematics unit sends a completion message to VSM 40 at step 76, following which VSM 40 ends its hold state 78. The vehicle can then be operated normally with its newly programmed ECU #3. As will be appreciated, this reflash process can be used to reprogram more than one ECU at a time or can be repeated sequentially for each ECU to be programmed”

It would have obvious to one having ordinary skill in the art before the effective filling date of the claimed invention to combine the teachings of cited references. Thus, one of ordinary skill in the art before the effective filling date of the claimed invention would have been motivated to incorporate teaching of Duddles into teaching of Ujiie to enable an update of the ECU that reflash its corresponding memory to anew and desirable state while certain condition are meet and hold during the update [Duddles [0014] ].
	Pertinent art:
	
US2019/0031203A1 - Coordinating dependency of an update within plurality of ECU’s.
US2019/0057214A1 – reverting and recovering blocks in ECU’s upon failure.
US2014/0372799A1 - Rollback ECU when update fails.
US2017/0212746A1. - ECU’s grouped into subsets that can be updated or not.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BRAHIM BOURZIK whose telephone number is (571)270-7155.  The examiner can normally be reached on Monday-Friday (8-4:30).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Wei Zhen can be reached on 571-270-2738.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.