Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Information Disclosure Statement
 The information disclosure statement (IDS) submitted on 01/13/2020 has been considered. The submission is in compliance with the provisions of 37 CFR 1.97.

Drawings
Drawings have been reviewed and accepted.
Specification
The specification filed on 01/13/2020 has been reviewed and accepted. 

Claim Objections
Claims 16 is objected to because of the following informalities:
Claim 6, line 2 recites “the safety processing module an the main processing module”.
“an the” is being interpreted as and the.  Appropriate correction is required.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 

Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are:  a “main processing module” in claims 1, 6, 7, 11, 12, and 16; and a “safety processing module” in claims 1, 5, 6, 7, 11, 12, 14, and 16.
The specification provides proper structure for the listed elements: main processing module, and safety processing module. Proper structure for the elements may be provided as (page 3, lines 27-28, page 4, lines 1-2) the controller 120 is a processor circuit enclosed in a housing. The controller 120 includes a main processing circuit 104, a main processing module 108, and an actuator drive 110. The controller 120 further includes a safety processing circuit 
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1, 2, 5-8, and 11 are rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more.

Claim 1 is rejected under 35 U.S.C. because the claimed invention is directed to an abstract idea without significantly more. The claim recites comparing the expected command output value with an actual command output value generated by the main processing module.
The limitations of comparing the expected command output value with an actual command output value generated by the main processing module under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting a “controller”, nothing in the claim element precludes the step from practically being performed in the mind. 
For example, but for the “controller”, in the context of this claim encompasses that “comparing” could be mentally seeing the difference two values. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. 
The judicial exception is not integrated into a practical application. In particular, the claim recites additional elements- “A controller for a vehicle, the controller comprising: a main processing module and a safety processing module, each configured to process one or more command inputs and to generate one or more command outputs”, “ wherein the safety processing module is independent of the main processing module, and is configured to perform one or more safety functions; and wherein the one or more safety functions comprise generating an expected command output value based on the one or more command inputs,” which is simply using a computer as a tool to perform abstract ideas. Accordingly these additional elements do not integrate the abstract idea into a practical application because it does not impose any meaningful limits on practicing the abstract idea.

Claim 2 is rejected under 35 U.S.C. because the claimed invention is directed to an abstract idea without significantly more. The claim inherits the abstract ideas from claim 1. This judicial exception is not integrated into a practical application. The claim recites additional elements- “wherein the one or more safety functions further comprise generating a safety control signal when a difference between the expected command output value and the actual command output value is greater than a defined tolerance”, which is simply further describing the abstract idea of “comparing” the values. The claim is not patent eligible.
Claim 5 is rejected under 35 U.S.C. because the claimed invention is directed to an abstract idea without significantly more. The claim recites “convert sensor data for compatibility with one or more processors in the safety processing module”. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. This judicial exception is not integrated into a practical application. The claim recites additional elements- “further comprising a main processing circuit and a safety processing circuit, wherein the safety processing circuit is independent of the main processing circuit”, which is simply 
Claim 6, is rejected under 35 U.S.C. because the claimed invention is directed to an abstract idea without significantly more. The claim inherits the abstract ideas from claim 1. This judicial exception is not integrated into a practical application. The claim recites additional elements- “wherein the safety processing module comprises a processor and memory, and wherein the processor and memory of the safety processing module are separate from a processor and memory in the main processing module”, which is simply further describing using a computer as a tool to perform abstract ideas -Mere instructions to apply an exception – see MPEP 2106.05(f). The claim is not patent eligible.
Claim 7 is rejected under 35 U.S.C. because the claimed invention is directed to an abstract idea without significantly more. The claim recites comparing the expected command output value with an actual command output value generated by the main processing module.
The limitations of comparing the expected command output value with an actual command output value generated by the main processing module under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components. That is, other than reciting a “controller”, nothing in the claim element precludes the step from practically being performed in the mind. 
For example, but for the “controller”, in the context of this claim encompasses that “comparing” could be mentally seeing the difference two values. If a claim limitation, under its broadest reasonable interpretation, covers performance of the limitation in the mind but for the recitation of generic computer components, then it falls within the “Mental Processes” grouping of abstract ideas. 

The claim does not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, the additional elements of collecting command inputs, and receiving command outputs and control signals are simply insignificant extra solution activity of data gathering and transmitting which is considered to be well-understood, routine, conventional activity- see MPEP 2106.05(d) buySAFE Inc. v. Google Inc. (computer receives and sends information over a network). The additional elements of the safety processing module being independent of the main processing module, the safety processing module performing one or more safety functions, and where the safety function comprises generating an expected command output value amounts to no more than mere functions using a generic computer component, which cannot provide an inventive concept. The additional elements are Mere instructions to apply an exception – see MPEP 
Claim 8 is rejected under 35 U.S.C for similar reasons as claim 2.  
Claim 11 is rejected under 35 U.S.C for similar reasons as claim 6.  

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claim(s) 1, 2, 7 and 8, are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Forest et al. (US20060126256, herein Forest).
Regarding claim 1, A controller for a vehicle (Fig. 2, element 30), the controller comprising: a main processing module (Fig. 2 primary processor 48 as main processing module) 
and a safety processing module (Fig. 2 secondary processor 36 as safety processing module , [0028] the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode),
 each configured to process one or more command inputs and to generate one or more command outputs ([0019] transfers information, such as the input data received by the primary processor 48, [0023] the primary processor 48 forwards the input data, used by the primary processor 48 in generating the control commands, to the secondary processor 36 as previously mentioned herein. The secondary processor 36 generates command values using the input data); 
wherein the safety processing module is independent of the main processing module (Fig. 2 primary processor 48, secondary processor 36), 
and is configured to perform one or more safety functions; and wherein the one or more safety functions comprise generating an expected command output value based on the one or more command inputs ([0028] a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions: when no data is received by the secondary processor 36 from the primary processor 48 for a pre-determined amount of time; when no data is received by the redundant control path 44 from the primary control path 32 for a pre-determined amount of time; when the data contained in the message from the actuator control units 20, 22, 24 does not match the corresponding signature; when the data contained in the message from the actuator control units 20, 22, 24 exceeds the range of values; when the signature does not match the command values computed by the secondary processor 36; and, when a request is received from the redundant control path 44), 
and comparing the expected command output value with an actual command output value generated by the main processing module ([0023] The secondary processor 36 generates command values using the input data and compares Such command values with the signature contained in the 

Regarding claim 2, The controller of claim 1, wherein the one or more safety functions further comprise generating a safety control signal when a difference between the expected command output value and the actual command output value is greater than a defined tolerance ([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions:… when the data contained in the message from the actuator control units 20, 22, 24 does not match the corresponding signature; when the data contained in the message from the actuator control units 20, 22, 24 exceeds the range of values, [0024] the secondary processor 36 may compute a range of values based on the input data received from the primary processor 48 for comparison with the data in the messages from the actuator control unit 20, 22, 24. A failed verification results when the data in the messages falls outside of the range of values).

Regarding claim 7, Forrest teaches A driving system for a vehicle ([0017] The vehicle electrical infrastructure 26 may include various systems and/or Subsystems on the vehicle 10, including by way of example and not of limitation a human vehicle interface, a battery power management system, an 
the system comprising: one or more sensors configured to collect one or more command inputs ([0018] receive a variety of vehicle data from the vehicle electrical infrastructure 26 or from various sensors); 
a controller comprising a main processing module (Fig. 2 primary processor 48 as main processing module) 
and a safety processing module (Fig. 2 secondary processor 36 as safety processing module , [0028] the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode), 
one or more electromechanical actuators configured to receive an actual command output value generated by the main processing module ([0021] Each actuator control unit 20, 22, 24 receiving data from the primary processor 48 generates a message that is transmitted to the primary processor 48 for verification of control commands); 
and a safety shutdown switch configured to receive a control signal generated by the safety processing module ([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, [0030] switches operation mode of the vehicle control system 12 (FIG. 1) to the safe mode in response to failed verifications through the reset/disable sub-system 60, [0029] the primary processor 48, that transmits a reset or disable signal to the primary processor 48 for an amount of time sufficient for the actuator control units 20, 22, 24 to take remedial action); 
wherein the safety processing module is independent of the main processing module (Fig. 2 primary processor 48, secondary processor 36), 
and the safety processing module is configured to perform one or more safety functions; wherein the one or more safety functions comprise generating an expected command output value based on the one or more command inputs ([0028] a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions: when no data is received by the secondary processor 36 from the primary processor 48 for a pre-determined amount of time; when no data is received by the redundant control path 44 from the primary control path 32 for a pre-determined amount of time; when the data contained in the message from the actuator control units 20, 22, 24 does not match the corresponding signature; when the data contained in the message from the actuator control units 20, 22, 24 exceeds the range of values; when the signature does not match the command values computed by the secondary processor 36; and, when a request is received from the redundant control path 44),
 and comparing the expected command output value with the actual command output value generated by the main processing module ([0023] The secondary processor 36 generates command values using the input data and compares Such command values with the signature contained in the messages from the actuator control units 20, 22, 24. A matching signature implies that the secondary processor 36 has a substantially unmodified copy of the message originally sent by the actuator control unit 20, 22, 24, [0024] the message from the actuator control unit 20, 22, 24 additionally includes the copy of the data received by the actuator control unit 20, 22, 24 from the primary processor 48. The secondary processor 36 compares the computed command values with the data in the messages from the actuator control unit 20, 22, 24 which, in turn, is the command data actually sent by the primary processor 48).

Regarding claim 8, Forrest teaches the system of claim 7, wherein the one or more safety functions further comprise generating the safety control signal if a difference between the expected output value and the actual output value is greater than a defined tolerance ([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions:… when the data contained in the message from the actuator control units 20, 22, 24 does not match the corresponding signature; when the data contained in the message from the actuator control units 20, 22, 24 exceeds the range of values, [0024] the secondary processor 36 may compute a range of values based on the input data received from the primary processor 48 for comparison with the data in the messages from the actuator control unit 20, 22, 24. A failed verification results when the data in the messages falls outside of the range of values).


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 3, 4, 9, 10, 12-13, and 15  are rejected under 35 U.S.C. 103 as being unpatentable over Forest et al. (US20060126256, herein Forest), further in view of Koda et al. (JP2005291173A, herein Koda, note a translation is being used).
Regarding claim 3, Forest teaches the controller of claim 2, wherein the safety control signal activates a safety shutdown switch… ([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, [0030] switches operation mode of the vehicle control system 12 (FIG. 1) to the safe mode in response to failed verifications through the reset/disable sub-system 60, [0029] the primary processor 48, that transmits a reset or disable signal to the primary processor 48 for an amount of time sufficient for the actuator control units 20, 22, 24 to take remedial action).
Forest does not teach that returns an electromechanical actuator to a fail-safe state.
Koda teaches that returns an electromechanical actuator to a fail-safe state (page 3 lines 35-36 when the abnormality (1) occurs, execution of fail-safe measures for avoiding danger is a top priority).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety shutdown switch with Koda’s teaching of returning an electromechanical actuator to a fail-safe state. The combined teaching provides an 

Regarding claim 4, the combination of Forest and Beck teach the controller of claim 3, 
Koda further teaches wherein the fail-safe state disables one or more functions of a vehicle (page 3 lines 28-30 strong fail-safe treatment is performed so that the engine operation is immediately stopped or restricted. For example, the first CPU 11 stops the fuel injection or reduces the fuel injection amount, and the second CPU 12 controls the throttle opening to the fully closed side to reduce the intake air amount).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety shutdown switch with Koda’s teaching of the fail-safe state disabling a function of a vehicle. The combined teaching provides an expected result the fail-safe state disabling a function of a vehicle. Therefore, one of ordinary skill in the art would be motivated to allow and ensure safety for the system and user.
Regarding claim 9, Forest teaches the system of claim 8, wherein the safety control signal activates the safety shutdown switch…([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, [0030] switches operation mode of the vehicle control system 12 (FIG. 1) to the safe mode in response to failed verifications through the reset/disable sub-system 60, [0029] the primary processor 48, that transmits a reset or disable signal to the primary processor 48 for an amount of time sufficient for the actuator control units 20, 22, 24 to take remedial action).
 to return the one or more electromechanical actuator to a fail-safe state.
Koda teaches to return the one or more electromechanical actuator to a fail-safe state (page 3 lines 35-36 when the abnormality (1) occurs, execution of fail-safe measures for avoiding danger is a top priority).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety shutdown switch with Beck’s teaching of returning an electromechanical actuator to a fail-safe state. The combined teaching provides an expected result of a safety shutdown switch that returns an electromechanical actuator to a fail-safe state. Therefore, one of ordinary skill in the art would be motivated to allow and ensure safety for the system and user.

Regarding claim 10, the combination of Forest and Beck teach the system of claim 9, wherein the fail-safe state disables one or more functions of a vehicle.
Koda further teaches wherein the fail-safe state disables one or more functions of a vehicle. (page 3 lines 28-30 strong fail-safe treatment is performed so that the engine operation is immediately stopped or restricted. For example, the first CPU 11 stops the fuel injection or reduces the fuel injection amount, and the second CPU 12 controls the throttle opening to the fully closed side to reduce the intake air amount).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety shutdown switch with Koda’s teaching of the fail-safe state disabling a function of a vehicle. The combined teaching provides an expected result the fail-safe state disabling a function of a vehicle. Therefore, one of ordinary skill in the art would be motivated to allow and ensure safety for the system and user.

Regarding claim 12, A method for controlling a vehicle ([0017] The vehicle electrical infrastructure 26 may include various systems and/or Subsystems on the vehicle 10, including by way of example and not of limitation a human vehicle interface, a battery power management system, an engine management System, a transmission management system, a body control module, and vehicle Sub systems such as an Antilock Brake System (ABS) and an All-Wheel Drive (AWD) system), 
the method comprising: collecting input commands ([0018] receive a variety of vehicle data from the vehicle electrical infrastructure 26 or from various sensors); 
generating an actual command output value by a main processing module [0023] the primary processor 48 forwards the input data, used by the primary processor 48 in generating the control commands, to the secondary processor 36 as previously mentioned herein. The secondary processor 36 generates command values using the input data)…; 
generating an expected command output value by a safety processing module for determining whether the vehicle is operating properly ([0028] a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions: when no data is received by the secondary processor 36 from the primary processor 48 for a pre-determined amount of time; when no data is received by the redundant control path 44 from the primary control path 32 for a pre-determined amount of time; when the data contained in the message from the actuator control units 20, 22, 24 does not match the corresponding signature; when the data contained in the message from the actuator control units 20, 22, 24 exceeds the range of values; when the signature does not match the command values computed by the secondary processor 36; and, when a request is received from the redundant control path 44);9WO 2019/014475PCT/US2018/041870 
comparing the actual command output value with the expected command output value ([0023] The secondary processor 36 generates command values using the input data and compares Such 
returning … to a state if the actual command output value is outside a predefined range of the expected command output value ([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions:… when the data contained in the message from the actuator control units 20, 22, 24 does not match the corresponding signature; when the data contained in the message from the actuator control units 20, 22, 24 exceeds the range of values, [0024] the secondary processor 36 may compute a range of values based on the input data received from the primary processor 48 for comparison with the data in the messages from the actuator control unit 20, 22, 24. A failed verification results when the data in the messages falls outside of the range of values).
Forest does not teach for changing a driving condition of a vehicle and returning an electromechanical actuator to a fail-safe state.
Koda teaches for changing a driving condition of a vehicle and returning an electromechanical actuator to a fail-safe state (page 3 lines 35-36 when the abnormality (1) occurs, execution of fail-safe measures for avoiding danger is a top priority, page 3 lines 50-53 fail-safe measure such as stopping fuel injection or reducing the fuel injection amount is executed in step S104. When the actual acceleration is 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety shutdown switch with Koda’s teaching of returning an electromechanical actuator to a fail-safe state. The combined teaching provides an expected result of a safety shutdown switch that returns an electromechanical actuator to a fail-safe state. Therefore, one of ordinary skill in the art would be motivated to allow and ensure safety for the system and user.
Regarding claim 13, Forest teaches the method of claim 12, 
Forest does not teach wherein the fail-safe state disables one or more driving functions of a vehicle.
Koda teaches wherein the fail-safe state disables one or more driving functions of a vehicle (page 3 lines 28-30 strong fail-safe treatment is performed so that the engine operation is immediately stopped or restricted. For example, the first CPU 11 stops the fuel injection or reduces the fuel injection amount, and the second CPU 12 controls the throttle opening to the fully closed side to reduce the intake air amount).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety shutdown switch with Koda’s teaching of the fail-safe state disabling a function of a vehicle. The combined teaching provides an expected result the fail-safe state disabling a function of a vehicle. Therefore, one of ordinary skill in the art would be motivated to allow and ensure safety for the system and user.


 the method of claim 12, further comprising retrieving the expected command output value from an actuator drive (Forest, actuator control unit as actuator drive [0021] Each actuator control unit 20, 22, 24 receiving data from the primary processor 48 generates a message that is transmitted to the primary processor 48 for verification of control commands.)

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Forest et al. (US20060126256, herein Forest), further in view of Oono et al. (US20170002763A1, herein Oono). 

Regarding claim 5, Forest teaches the controller of claim 1, further comprising a main processing circuit (Fig. 2 primary processor 48) 
and a safety processing circuit (Fig. 2 secondary processor 36 as safety processing module , [0028] the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode), 
wherein the safety processing circuit is independent of the main processing circuit (Fig. 2 primary processor 48, secondary processor 36, [0016] the present invention may employ various integrated circuit components, e.g., memory elements, digital signal processing elements, look-up tables, and the like, to carry out a variety of functions under the control of one or more microprocessors or other control devices.), 
Forest does not teach is configured to convert sensor data for compatibility with one or more processors in the safety processing module.
Oono teaches is configured to convert sensor data for compatibility with one or more processors in the safety processing module ([0041] An I/O unit 302, which converts the electrical signal of each sensor disposed in the engine 201 into a signal for digital calculation processing and converts the .
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a processing circuit with Oono’s teaching of converting sensor data for compatibility with one or more processors. The combined teaching provides an expected result of a safety shutdown switch that returns an electromechanical actuator to a fail-safe state. Therefore, one of ordinary skill in the art would be motivated to allow the CPU to communicate with the sensors and actuator.

Claims 6, and 11 are rejected under 35 U.S.C. 103 as being unpatentable over Forest et al. (US20060126256, herein Forest), further in view of Weiberle et al. (US20070277023A1, herein Weiberle). 

Regarding claim 6, Forest teaches The controller of claim 1, wherein the safety processing module comprises a processor and memory, ….a processor and memory in the main processing module [0016] the present invention may employ various integrated circuit components, e.g., memory elements, digital signal processing elements, look-up tables, and the like, to carry out a variety of functions under the control of one or more microprocessors or other control devices, [0025] the control module 30 has independent dual computational/memory control paths 32, 44 within the primary processor 48).
 wherein the processor and memory of the safety processing module are separate from a processor and memory in the main processing module.
Weiberle teaches wherein the processor and memory of the safety processing module are separate from a processor and memory in the main processing module (Fig. 1 [0023] memory region is configured to two parts, so that two first memory regions 150 and 151 are present, corresponding to two execution units.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety and main processing module with Weiberle’s teaching of each processor having their own memory. The combined teaching provides an expected result of a safety processing module and main processing module have separate processors and memories. Therefore, one of ordinary skill in the art would be motivated so it’s easier to access to operate their own memory allows for processing the data faster.
Regarding claim 11, Forest teaches The system of claim 7, wherein the safety processing module comprises one or more processors and memories ….a processors and memories in the main processing module [0016] the present invention may employ various integrated circuit components, e.g., memory elements, digital signal processing elements, look-up tables, and the like, to carry out a variety of functions under the control of one or more microprocessors or other control devices, [0025] the control module 30 has independent dual computational/memory control paths 32, 44 within the primary processor 48).
Forest does not teach wherein the processors and memories of the safety processing module are separate from a processors and memories in the main processing module.
Weiberle teaches wherein the processors and memories of the safety processing module are separate from a processors and memories in the main processing module (Fig. 1 [0023] memory region 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety and main processing module with Weiberle’s teaching of each processor having their own memory. The combined teaching provides an expected result of a safety processing module and main processing module have separate processors and memories. Therefore, one of ordinary skill in the art would be motivated so it’s easier to access to operate their own memory allows for processing the data faster.

Claim 14 and 16 rejected under 35 U.S.C. 103 as being unpatentable over Forest et al. (US20060126256, herein Forest), further in view of Koda et al. (JP2005291173A, herein Koda, note a translation is being used), and Weiberle et al. (US20070277023A1, herein Weiberle).

Regarding claim 14, the combination of Forest and Koda teach The method of claim 12, further comprising storing algorithms … in a memory of the safety processing module (Forest [0018] the control module 14 transmits commands to the actuators 20, 22, 24. The control module 14 additionally includes memory that contains operation algorithms for controlling the actuator units 20, 22, 24, [0025] the control module 30 has independent dual computational/memory control paths 32, 44 within the primary processor 48 for verifying control commands.)
The combination of Forest and Koda do not teach storing…expected performance data in a memory.
Weiberle teaches storing…expected performance data in a memory ([0027] The new commands and/or data are then correspondingly loaded from the respectively assigned first memory region 150 or 151, and are processed.

Regarding claim 16, the combination of Forest and Koda teach the method of claim 12, 
wherein there is no direct communication between the safety processing module an the main processing module.
The combination of Forest and Koda do not teach the method of claim 12, wherein there is no direct communication between the safety processing module an the main processing module.
Weiberle teaches the method of claim 12, wherein there is no direct communication between the safety processing module an the main processing module (Fig. 1 CPU 1 and CPU 2).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety processing module and a main processing module with Weiberle’s teaching of the no direct communication between the CPUs. The combined teaching provides an expected result CPUs with modules that are not directly communicating. Therefore, one of ordinary skill in the art would be motivated to prevent malware or software errors from spreading in order to limit it to one processing module rather than infecting both.  

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.  
US9475521B1 (Fung) teaches a failsafe component 130 that may disable the lane keep assist componenet110 based on a component determination indicating a failure of one or more of the touch sensors 122.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to YVONNE T FOLLANSBEE whose telephone number is (571)272-0634.  The examiner can normally be reached on Monday - Friday 9:30am - 5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rocio Del-Mar, Perez-Velez can be reached on (571) 270-5935.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/YTF/
Examiner, Art Unit 2117



/ROCIO DEL MAR PEREZ-VELEZ/               Supervisory Patent Examiner, Art Unit 2117