DETAILED ACTION
Status of the Application
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . 

Status of the Claims
This action is in response to the applicant’s filing on September 26, 2019.  Claims 1 – 20 are pending and examined below.

Claim Objections
Claim 8 is objected to because of the following informalities: 
The redundant “and” in line 4 should be redundant.

Appropriate correction is required.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. § 102 and 103 (or as subject to pre-AIA  35 U.S.C. § 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. § 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1 – 3, 6 – 11, 13 – 16, and 19 - 20 are rejected under 35 U.S.C. § 103 as being unpatentable over U.S. Patent Application Publication No. 2019/0337526 A1 to RAVE et al. (herein after "Rave") in view of U.S. Patent Application Publication No. 2020/0084159 A1 to NOGIN et al. (herein after "Nogin").

As to Claim 1,
Rave is considered to disclose a method of operating a vehicle (see Figs. 1 - 2.  In particular, see Fig. 1), comprising: 
operating, at the vehicle, a local electronic control unit for control of the vehicle (see Figs. 1 - 2.  In particular, see Fig. 1); 
operating, at a remote computing platform, a backup electronic control unit for control of the vehicle (see Fig. 2, ¶0077, ¶0081, and ¶0110. In particular, see ¶0081, "Backup vehicle driving ECUs 208 may be designed to be physically inaccessible and/or designed to be physically assessed with difficulty, for example, ECUs 224 of backup vehicle driving ECUs 208 may be located in hard to access locations… for example, distributed across multiple virtual and/or physical servers, for example, located within a computing cloud and/or at multiple network connected processing nodes."  See Fig. 5, and ¶0110, "One or more ECUs of standard vehicle driving ECUs 506 are duplicated and reside in backup vehicle driving ECUs 524. For example, ECU 514A is duplicated as ECU 514A', ECU 514B is duplicated as ECU 514B', ECM 514C is duplicated as ECM 514C', TCM 514D is duplicated as TCM 514D', and ECU 514E is duplicated as ECU 514E'. ECUs of standard vehicle driving ECUs 506 are designated as active and in communication with CAN bus 550 (and/or other network(s)) of vehicle 504.")
Rave’s system for handling vehicle ECU malfunctions teaches a vehicle mechanism for handling vehicle electronic control unit (ECU) malfunction, wherein the vehicle backup ECUs provide at least basic driving related features, such that a controller switches from a standard vehicle driving mode operating according to a second set of standard vehicle ECUs to backup vehicle driving mode in response to a trigger indicative of malfunction of at least one ECU of the first set of vehicle ECUs (see Figs 1 - 2, ¶0045, ¶0058, and ¶0101 - ¶0102.  In particular, see Fig. 2 ~ process step method 104.  

    PNG
    media_image1.png
    230
    267
    media_image1.png
    Greyscale

See at least ¶0045, “The systems and/or methods (e.g., implemented in hardware and/or implemented using code instructions… improve performance of the vehicle… by providing sanitized backup vehicle driving ECUs (e.g., unaffected by malicious activity) when a compromise in integrity of data (e.g., due to malicious activity) is identified in standard vehicle driving ECUs.”  See at least ¶0101, "At 104, agent 202 switches active functions from standard vehicle driving ECUs 206 to backup vehicle driving ECUs 208 that are disconnected from data communication interface 206. Backup vehicle driving ECUs 208 include ECUs 224 designed to provide at least basic driving related features of the vehicle, for example, to provide the driver with the ability to safety continue driving the vehicle, for example, to a repair facility.”)
As the Applicant’s disclosure is focused on switching between ECUs based upon fault occurrences in particular though, Nogin is introduced to combine with Rave’s system for handling vehicle ECU malfunctions to cure the gaps that Rave has in disclosing the claimed invention.
transferring a control of the vehicle from the local electronic control unit to the backup electronic control unit upon occurrence of a fault at the local electronic control unit.  
Nogin’s work presents a process wherein vehicles can communicate with distributed servers representing a plurality of network nodes wherein one or more nodes proceed by agreeing on an order of two or more broadcast message derived events A and B.  If a nodes sees event A and / or event B transpiring longer than thresholds for broadcast reception protocols, then the controller recognizes this as a malfunction, error, and / or fault as having occurred.  The affected controller in the network is then isolated or removed from the network’s control scheme; thus eliminating the possibility of acting or proceeding with faulty messaging.
Nogin further teaches transferring a control of the vehicle from the local electronic control unit to the backup electronic control unit upon occurrence of a fault at the local electronic control unit.  (See Figs. 3 - 5, ¶0046, ¶0060, ¶0107 - ¶0108.  In particular, see ¶0107 - ¶0108, "if there are multiple redundant electronic control units in a vehicle ( e.g., a car or in an airplane that receive data from the sensors), it is important for the control units to have a consistent view of the sensor data... the control units can use this protocol to create a consensus ordering of sensor data, of decisions to consider a particular sensor faulty, and of decisions to consider one of the redundant controllers faulty... if the control units have a consistent view that one of the redundant controllers is faulty, that particular faulty controller can be isolated or otherwise removed from communications with the remaining control units."  Emphasis added.  Nogin’s work goes beyond Rave’s, in that Nogin’s work specifically drills down to the sensor level.  In the 

It would have been obvious to one having ordinary skill in the art before the time the invention was filed to provide Rave’s system for handling vehicle ECU malfunctions with the control transfer between vehicles' ECUs based upon fault occurrences, as taught by Nogin.  Motivation for combining the element(s) can include, but are not limited to:  providing consistent, accurate, and reliable control data input for vehicle control that excludes erroneous data or malicious code as a result of malicious activity, such as hackers, thieves, or terrorists.  The aim is to have continuity of vehicle operations in the event of malicious activity, including but not limited to that described above.

As to Claim 2,
Modified Rave substantially discloses the method of claim 1, wherein the remote computing platform is a cloud processor and the backup electronic control unit is a virtual electronic control unit.  (See Fig. 2, and ¶0023, "the controller is implemented as a hypervisor managing backup code and standard driving code stored and concurrently executed by different virtual machines, wherein the 

As to Claim 3,
Modified Rave substantially discloses the method of claim 1. 
However, Rave’s system for handling vehicle ECU malfunctions does not teach, or suggest comprising sending a same input to both the local electronic control unit and the backup electronic control unit. 
Conversely, Nogin’s vehicle control transfer system between vehicles' ECUs based upon fault occurrences teaches wherein the local electronic control unit and the backup electronic control unit operate using a same input.  (See Figs. 3 - 5, ¶0054, ¶0107 - ¶0108.  In particular, see ¶0054, “networking protocol for multiple nodes (e.g., computer systems or other devices capable of implementing such a protocol) on a network that supports broadcast operations… such that if at least one recipient receives the message, then all recipients participating in the exchange would receive the same message.”  Emphasis added.  See ¶0107 - ¶0108, "if there are multiple redundant electronic control units in a vehicle ( e.g., a car or in an airplane that receive data from 
It would have been obvious to one having ordinary skill in the art before the time the invention was filed to provide Rave’s system for handling vehicle ECU malfunctions with the similar control input data transfer between vehicle local and backup ECUs, as taught by Nogin.  Motivation for combining the element(s) can include, but are not limited to:  providing consistent, accurate, and reliable control data input for vehicle control that excludes erroneous data or malicious code as a result of malicious activity, such as hackers, thieves, or terrorists.  The aim is to have continuity of vehicle operations in the event of malicious activity, including but not limited to that described above.

As to Claim 6,
Modified Rave substantially discloses the method of claim 1, further comprising sending a local state of the local electronic control unit to the remote computing platform (see Figs. 1 - 2, and ¶0078 - ¶0086.  In particular, see ¶0081.  See ¶0085, "systems... e.g., implemented in hardware and/or implemented using code instructions executed by one or more processors... may be used with existing cyber security solutions... in the vehicle ( or used alone) by providing... layer of protection, 
and updating a backup state of the backup electronic control unit to the local state of the local electronic control unit.  (See ¶0053, ¶0059, and ¶0078 - ¶0086, and ¶0095 - ¶0097.  In particular see ¶0053, ¶0081, and ¶0085.  Rave teaches a network of interconnected computers / servers that communicate states between one another, especially in the case where the state of local ECU is interpreted by backup ECU, and likewise backup ECU updates machine code and data back to local ECU, upon conditions such as in fail safe and limp modes.)

As to Claim 7,
Modified Rave substantially discloses the method of claim 1, wherein the backup electronic control unit further comprises a first backup electronic control unit generating a first backup output (see Figs. 1 - 2, ¶0068 - ¶0074, and ¶0110.  In particular, see ¶0070, and ¶0110) and 
a second backup electronic control unit generating a second backup output (see Figs. 1 - 2, ¶0077, "Backup vehicle driving ECUs 208 includes one or more ECUs 224 that provide at least basic driving related features of the car"), 
further comprising comparing a local output of the local electronic control unit to at least one of the first backup output (see Figs. 1 - 2, 5, and ¶0110, "One or more ECUs of standard vehicle driving ECUs 506 are duplicated and reside in backup vehicle driving ECUs 524. For example, ECU 514A is duplicated as ECU 514A', ECU 514B is duplicated as ECU 514B', ECM 514C is duplicated as ECM 514C', TCM 514D is duplicated as TCM 514D', and ECU 514E is duplicated as ECU 514E'. ECUs of standard vehicle driving ECUs 506 are designated as active and in communication with CAN bus 550 (and/or other network(s)) of vehicle 504”) and 
the second backup output at the remote computing platform.  (See Figs. 1 - 2, and ¶0036, "The standard vehicle driving ECUs includes a data interface (optionally a network interface) that provides data communication with computing device(s) that are non-integrated with the vehicle, for example, located externally to the network and/or ECUs of the vehicle, for example, remotely accessed by a server using a wireless network connection, and/or locally accessed by a mobile device connected to the vehicle network using a cable."  See ¶0081, "Backup vehicle driving ECUs 208 may be designed to be physically inaccessible and/or designed to be physically assessed with difficulty, for example, ECUs 224 of backup vehicle driving ECUs 208 may be located in hard to access locations… for example, distributed across multiple virtual and/or physical servers, for example, located within a computing cloud and/or at multiple network connected processing nodes.")

As to Claim 8,
Rave is considered to disclose an operating system for a vehicle (see Figs. 1 - 2.  In particular, see Fig. 1), comprising: 
a local electronic control unit of the vehicle configured to control the vehicle (see Figs. 1 - 2.  In particular, see Fig. 1); and 
a remote computing platform configured to provide a backup electronic control unit configured to control the vehicle.  (See Fig. 2, ¶0077, ¶0081, and ¶0110. In particular, see ¶0081, "Backup vehicle driving ECUs 208 may be designed to be physically inaccessible and/or designed to be physically assessed with difficulty, for example, ECUs 224 of backup vehicle driving ECUs 208 may be located in hard to access locations… for example, distributed across multiple virtual and/or physical servers, for example, located within a computing cloud and/or at multiple network connected processing nodes."  See Fig. 5, and ¶0110, "One or more ECUs of standard vehicle driving ECUs 506 are duplicated and reside in backup vehicle driving ECUs 524. For example, ECU 514A is duplicated as ECU 514A', ECU 514B is duplicated as ECU 514B', ECM 514C is duplicated as ECM 514C', TCM 514D is duplicated as TCM 514D', and ECU 514E is duplicated as ECU 514E'. ECUs of standard vehicle driving ECUs 506 are designated as active and in communication with CAN bus 550 (and/or other network(s)) of vehicle 504.")
Rave’s system for handling vehicle ECU malfunctions teaches a vehicle mechanism for handling vehicle electronic control unit (ECU) malfunction, wherein the 

    PNG
    media_image1.png
    230
    267
    media_image1.png
    Greyscale

See at least ¶0045, “The systems and/or methods (e.g., implemented in hardware and/or implemented using code instructions… improve performance of the vehicle… by providing sanitized backup vehicle driving ECUs (e.g., unaffected by malicious activity) when a compromise in integrity of data (e.g., due to malicious activity) is identified in standard vehicle driving ECUs.”  See at least ¶0101, "At 104, agent 202 switches active functions from standard vehicle driving ECUs 206 to backup vehicle driving ECUs 208 that are disconnected from data communication interface 206. Backup vehicle driving ECUs 208 include ECUs 224 designed to provide at least basic driving related features of the vehicle, for example, to provide the driver with the ability to safety continue driving the vehicle, for example, to a repair facility.”)

Nogin speaks more directly to transferring a control of the vehicle from the local electronic control unit to the backup electronic control unit upon occurrence of a fault at the local electronic control unit.  
Nogin’s work presents a process wherein vehicles can communicate with distributed servers representing a plurality of network nodes wherein one or more nodes proceed by agreeing on an order of two or more broadcast message derived events A and B.  If a nodes sees event A and / or event B transpiring longer than thresholds for broadcast reception protocols, then the controller recognizes this as a malfunction, error, and / or fault as having occurred.  The affected controller in the network is then isolated or removed from the network’s control scheme; thus eliminating the possibility of acting or proceeding with faulty messaging.
Nogin further teaches transferring a control of the vehicle from the local electronic control unit to the backup electronic control unit upon occurrence of a fault at the local electronic control unit.  (See Figs. 3 - 5, ¶0046, ¶0060, ¶0107 - ¶0108.  In particular, see ¶0107 - ¶0108, "if there are multiple redundant electronic control units in a vehicle ( e.g., a car or in an airplane that receive data from the sensors), it is important for the control units to have a consistent view of the sensor data... the control units can use this protocol to create a consensus ordering of sensor data, of decisions to consider a particular sensor faulty, and of decisions to consider one of the redundant controllers if the control units have a consistent view that one of the redundant controllers is faulty, that particular faulty controller can be isolated or otherwise removed from communications with the remaining control units."  Emphasis added.  Nogin’s work goes beyond Rave’s, in that Nogin’s work specifically drills down to the sensor level.  In the event that an ECU detects a fault with a sensor it is in communication with, where the fault is the result of an error, including but not limited to erroneous data, loss of data integrity, and / or malicious activity, such as hackers, thieves, or terrorists; then the ECU having the fault, will be isolated and removed from controlling in the network; and the backup ECU, among a plurality of ECUs in the vehicle control network, will subsequently intervene and assume supervisory control.)

It would have been obvious to one having ordinary skill in the art before the time the invention was filed to provide Rave’s system for handling vehicle ECU malfunctions with the control transfer between vehicles' ECUs based upon fault occurrences, as taught by Nogin.  Motivation for combining the element(s) can include, but are not limited to:  providing consistent, accurate, and reliable control data input for vehicle control that excludes erroneous data or malicious code as a result of malicious activity, such as hackers, thieves, or terrorists.  The aim is to have continuity of vehicle operations in the event of malicious activity, including but not limited to that described above.

As to Claim 9,
the operating system of claim 8, wherein the remote computing platform is a cloud processor and the backup electronic control unit is a virtual electronic control unit.  (See Fig. 2, and ¶0023, "the controller is implemented as a hypervisor managing backup code and standard driving code stored and concurrently executed by different virtual machines, wherein the hypervisor manages the switching to a backup mode by executing the backup code without triggering reboot of ECUs."  See ¶0081, "Backup vehicle driving ECUs 208 may be designed to be physically inaccessible and/or designed to be physically assessed with difficulty, for example, ECUs 224 of backup vehicle driving ECUs 208 may be located in hard to access locations… for example, distributed across multiple virtual and/or physical servers, for example, located within a computing cloud and/or at multiple network connected processing nodes."  Emphasis added.)

As to Claim 10,
Modified Rave substantially discloses the operating system of claim 8.
However, Rave’s system for handling vehicle ECU malfunctions does not teach, or suggest wherein the local electronic control unit and the backup electronic control unit operate using a same input. 
Conversely, Nogin’s vehicle control transfer system between vehicles' ECUs based upon fault occurrences teaches wherein the local electronic control unit and the backup electronic control unit operate using a same input.  (See Figs. 3 - 5, ¶0054, ¶0107 - ¶0108.  In particular, see ¶0054, “networking protocol for multiple nodes (e.g., 
It would have been obvious to one having ordinary skill in the art before the time the invention was filed to provide Rave’s system for handling vehicle ECU malfunctions with the similar control input data transfer between vehicle local and backup ECUs, as taught by Nogin.  Motivation for combining the element(s) can include, but are not limited to:  providing consistent, accurate, and reliable control data input for vehicle control that excludes erroneous data or malicious code as a result of malicious activity, such as hackers, thieves, or terrorists.  The aim is to have continuity of vehicle operations in the event of malicious activity, including but not limited to that described above.

As to Claim 11,
the operating system of claim 8, wherein the backup electronic control unit sends backup output to the vehicle (see  ¶0095 -  ¶0097) and 
the vehicle commences a failure mitigation procedure when the backup output is not received at the vehicle.  (See ¶0095 - ¶0097, and ¶0101.  In particular, see ¶0096, "It is noted that the backup mode described herein is different than a standard failsafe mode."  See ¶0097, "In response to failure of a limp mode, optionally implemented in hardware. The limp mode is designed to be triggered when failure of one or more ECUs and/or other components (e.g., network, sensor(s)) occurs. Failure to enter the limp mode (as originally designed) (e.g., detected by code instructions that monitor the triggering of the limp mode) may trigger the generation of the indication."  See ¶0101, "Backup vehicle driving ECUs 208 include ECUs 224 designed to provide at least basic driving related features of the vehicle, for example, to provide the driver with the ability to safety continue driving the vehicle, for example, to a repair facility.")

As to Claim 13,
Modified Rave substantially discloses the operating system of claim 8, wherein the vehicle sends a local state of the local electronic control unit to the remote computing platform (see Figs. 1 - 2, and ¶0078 - ¶0086.  In particular, see ¶0081.  See ¶0085, "systems... e.g., implemented in hardware and/or implemented using code instructions executed by one or more processors... may be used with existing cyber security solutions... in the vehicle ( or used alone) by providing... layer of and 
the backup electronic control unit updates its backup state to that of the local state of the local electronic control unit.  (See ¶0053, ¶0059, and ¶0078 - ¶0086, and ¶0095 - ¶0097.  In particular see ¶0053, ¶0081, and ¶0085.  Rave teaches a network of interconnected computers / servers that communicate states between one another, especially in the case where the state of local ECU is interpreted by backup ECU, and likewise backup ECU updates machine code and data back to local ECU, upon conditions such as in fail safe and limp modes.)

As to Claim 14,
Modified Rave substantially discloses the operating system of claim 8, wherein the backup electronic control unit (see Figs. 1 – 2) further comprises 
a first backup electronic control unit that generates a first backup output (see Figs. 1 - 3, ¶0019, ¶0022 - ¶0024, and ¶0101 - ¶0104) and 
a second backup electronic control unit that generates a second backup output Figs. 1 - 3,  In particular, see Figs. 2 – 3), wherein 
a cloud watchdog of the remote computing platform (see Fig. 2, ¶0081, "Backup vehicle driving ECUs 208 may be designed to be physically inaccessible and/or designed to be physically assessed with difficulty, for example, ECUs 224 of backup vehicle driving ECUs 208 may be located in hard to access locations…  for example, distributed across multiple virtual and/or physical servers, for example, located within a computing cloud and/or at multiple network connected processing nodes”) compares a local output of the local electronic control unit to at least one of the first backup output and the second backup output.  (See Figs. 1 - 5, ¶0086 - ¶0087, ¶0092 - ¶0093.  In particular, see Figs. 2 - 4.  See ¶0087.  See ¶0092, "methods of monitoring standard vehicle driving ECUs 206 to detect malfunction for generating the indication of the tampering of data include... Malicious activity detection code that detects breaches in integrity of data transmitted out from the vehicle based on a comparison with sensor data collected from sensor(s) of the vehicle, for example, as described with reference to International Patent Application No. IL2016/051033, titled "SYSTEMS AND METHODS FOR DETECTION OF MALICIOUS ACTIVITY IN VEHICLE DATA COMMUNICATION NETWORKS" filed on Sep. 18, 2016.")

As to Claim 15,
Rave is considered to disclose a vehicle (see Figs. 1 - 2.  In particular, see Fig. 1), comprising: 
a local electronic control unit of the vehicle configured to control the vehicle (see Figs. 1 - 2.  In particular, see Fig. 1); and 
the vehicle in communication with a remote computing platform configured to provide a backup electronic control unit for controlling the vehicle.  (See Fig. 2, ¶0077, ¶0081, and ¶0110. In particular, see ¶0081, "Backup vehicle driving ECUs 208 may be designed to be physically inaccessible and/or designed to be physically assessed with difficulty, for example, ECUs 224 of backup vehicle driving ECUs 208 may be located in hard to access locations… for example, distributed across multiple virtual and/or physical servers, for example, located within a computing cloud and/or at multiple network connected processing nodes."  See Fig. 5, and ¶0110, "One or more ECUs of standard vehicle driving ECUs 506 are duplicated and reside in backup vehicle driving ECUs 524. For example, ECU 514A is duplicated as ECU 514A', ECU 514B is duplicated as ECU 514B', ECM 514C is duplicated as ECM 514C', TCM 514D is duplicated as TCM 514D', and ECU 514E is duplicated as ECU 514E'. ECUs of standard vehicle driving ECUs 506 are designated as active and in communication with CAN bus 550 (and/or other network(s)) of vehicle 504.")
Rave’s system for handling vehicle ECU malfunctions teaches a vehicle mechanism for handling vehicle electronic control unit (ECU) malfunction, wherein the vehicle backup ECUs provide at least basic driving related features, such that a controller switches from a standard vehicle driving mode operating according to a second set of standard vehicle ECUs to backup vehicle driving mode in response to a trigger indicative of malfunction of at least one ECU of the first set of vehicle ECUs (see 

    PNG
    media_image1.png
    230
    267
    media_image1.png
    Greyscale

See at least ¶0045, “The systems and/or methods (e.g., implemented in hardware and/or implemented using code instructions… improve performance of the vehicle… by providing sanitized backup vehicle driving ECUs (e.g., unaffected by malicious activity) when a compromise in integrity of data (e.g., due to malicious activity) is identified in standard vehicle driving ECUs.”  See at least ¶0101, "At 104, agent 202 switches active functions from standard vehicle driving ECUs 206 to backup vehicle driving ECUs 208 that are disconnected from data communication interface 206. Backup vehicle driving ECUs 208 include ECUs 224 designed to provide at least basic driving related features of the vehicle, for example, to provide the driver with the ability to safety continue driving the vehicle, for example, to a repair facility.”)
As the Applicant’s disclosure is focused on switching between ECUs based upon fault occurrences in particular though, Nogin is introduced to combine with Rave’s system for handling vehicle ECU malfunctions to cure the gaps that Rave has in disclosing the claimed invention.
transferring a control of the vehicle from the local electronic control unit to the backup electronic control unit upon occurrence of a fault at the local electronic control unit.  
Nogin’s work presents a process wherein vehicles can communicate with distributed servers representing a plurality of network nodes wherein one or more nodes proceed by agreeing on an order of two or more broadcast message derived events A and B.  If a nodes sees event A and / or event B transpiring longer than thresholds for broadcast reception protocols, then the controller recognizes this as a malfunction, error, and / or fault as having occurred.  The affected controller in the network is then isolated or removed from the network’s control scheme; thus eliminating the possibility of acting or proceeding with faulty messaging.
Nogin further teaches transferring a control of the vehicle from the local electronic control unit to the backup electronic control unit upon occurrence of a fault at the local electronic control unit.  (See Figs. 3 - 5, ¶0046, ¶0060, ¶0107 - ¶0108.  In particular, see ¶0107 - ¶0108, "if there are multiple redundant electronic control units in a vehicle ( e.g., a car or in an airplane that receive data from the sensors), it is important for the control units to have a consistent view of the sensor data... the control units can use this protocol to create a consensus ordering of sensor data, of decisions to consider a particular sensor faulty, and of decisions to consider one of the redundant controllers faulty... if the control units have a consistent view that one of the redundant controllers is faulty, that particular faulty controller can be isolated or otherwise removed from communications with the remaining control units."  Emphasis added.  Nogin’s work goes beyond Rave’s, in that Nogin’s work specifically drills down to the sensor level.  In the 

It would have been obvious to one having ordinary skill in the art before the time the invention was filed to provide Rave’s system for handling vehicle ECU malfunctions with the control transfer between vehicles' ECUs based upon fault occurrences, as taught by Nogin.  Motivation for combining the element(s) can include, but are not limited to:  providing consistent, accurate, and reliable control data input for vehicle control that excludes erroneous data or malicious code as a result of malicious activity, such as hackers, thieves, or terrorists.  The aim is to have continuity of vehicle operations in the event of malicious activity, including but not limited to that described above.

As to Claim 16,
Modified Rave substantially discloses the vehicle of claim 15.
However, Rave’s system for handling vehicle ECU malfunctions does not teach, or suggest wherein the local electronic control unit and the backup electronic control unit operate using a same input.

It would have been obvious to one having ordinary skill in the art before the time the invention was filed to provide Rave’s system for handling vehicle ECU malfunctions with the similar control input data transfer between vehicle local and backup ECUs, as taught by Nogin.  Motivation for combining the element(s) can include, but are not limited to:  providing consistent, accurate, and reliable control data input for vehicle control that excludes erroneous data or malicious code as a result of malicious activity, such as hackers, thieves, or terrorists.  The aim is to have continuity of vehicle 


As to Claim 19,
Modified Rave substantially discloses the vehicle of claim 15, wherein the vehicle is further configured to 
send a local state of the local electronic control unit to the remote computing platform (see Figs. 1 - 2, and ¶0078 - ¶0086.  In particular, see ¶0081.  See ¶0085, "systems... e.g., implemented in hardware and/or implemented using code instructions executed by one or more processors... may be used with existing cyber security solutions... in the vehicle ( or used alone) by providing... layer of protection, irrespective of the efficacy of the implemented cyber security solution. The systems and/or methods (e.g., implemented in hardware and/or implemented using code instructions executed by one or more processors) described herein provide a backup vehicle system when security of the vehicle is breached, for example, the frontline cyber security solution failed to prevent malicious activity from occurring, for example, the vehicle malfunctioned due to the malicious activity. Conceptually, for example, the back-up provided by the systems and/or methods described herein may be considered in reference to an airbag that is deployed when accident safety vehicle of the features have failed in preventing an accident”) for 
updating the backup state of the backup electronic control unit to the local state of the local electronic control unit.  (See ¶0053, ¶0059, and ¶0078 - ¶0086, and ¶0095 - ¶0097.  In particular see ¶0053, ¶0081, and ¶0085.  Rave teaches a network of interconnected computers / servers that communicate states between one another, especially in the case where the state of local ECU is interpreted by backup ECU, and likewise backup ECU updates machine code and data back to local ECU, upon conditions such as in fail safe and limp modes.)

As to Claim 20,
Modified Rave substantially discloses the vehicle of claim 15, wherein the backup electronic control unit (see Figs. 1 – 2) further comprises 
a first backup electronic control unit that generates a first backup output (see Figs. 1 - 3, ¶0019, ¶0022 - ¶0024, and ¶0101 - ¶0104) and 
a second backup electronic control unit that generates a second backup output (see Figs. 1 - 3, In particular, see Figs. 2 – 3), wherein 
the vehicle is configured to operate based on a comparison of a local output of the local electronic control unit to at least one of the first backup output (see Figs. 1 - 5, ¶0086 - ¶0087, ¶0092 - ¶0093.  In particular, see Figs. 2 - 4.  See ¶0087.  See ¶0092, "methods of monitoring standard vehicle driving ECUs 206 to detect malfunction for generating the indication of the tampering of data include... Malicious activity detection code that detects breaches in integrity of data transmitted out from the vehicle based on a comparison with sensor data collected from sensor(s) of the vehicle, and 
the second backup output performed at a cloud watchdog of the remote computing platform.  (See Fig. 2, ¶0081, "Backup vehicle driving ECUs 208 may be designed to be physically inaccessible and/or designed to be physically assessed with difficulty, for example, ECUs 224 of backup vehicle driving ECUs 208 may be located in hard to access locations…for example, distributed across multiple virtual and/or physical servers, for example, located within a computing cloud and/or at multiple network connected processing nodes.")
Claims 4 – 5, 12, and 17 – 18 are rejected under 35 U.S.C. § 103 as being unpatentable over U.S. Patent Application Publication No. 2019/0337526 A1 to RAVE et al. (herein after "Rave") in view of U.S. Patent Application Publication No. 2020/0084159 A1 to NOGIN et al. (herein after "Nogin"), and further in view of U.S. Patent Application Publication No. 2019/0100237 A1 to KLESING (herein after "Klesing").

As to Claim 4,
Modified Rave substantially discloses the method of claim 1.
However, Rave’s system for handling vehicle ECU malfunctions does not teach, or suggest wherein the backup electronic control unit sends backup output to the vehicle, further comprising commencing a failure mitigation procedure at the vehicle when the backup output is not received at the vehicle.
Therefore, Klesing’s triple redundancy failsafe for steering systems is introduced to combine with Rave’s system for handling vehicle ECU malfunctions in view of Nogin’s vehicle control transfer system between vehicles' ECUs based upon fault occurrences to cure the gaps that Rave has in disclosing the claimed invention.
Klesing’s work presents  a vehicle control system wherein a primary and secondary and /or other ECUs as backup or redundant ECUs, such that in response to detecting the failure at the first ECU, the second ECU operates as the primary ECU of the controller system, and initiates a domain controller to operate as the backup ECU.
Klesing further teaches wherein the backup electronic control unit sends backup output to the vehicle (see Fig. 7.  

    PNG
    media_image2.png
    277
    692
    media_image2.png
    Greyscale


    PNG
    media_image3.png
    290
    320
    media_image3.png
    Greyscale

See ¶0060 - ¶0062, “if the backup ECU of the controller system experiences the failure, the method includes switching off the path of the backup ECU in the controller system, as shown at 645… initiating and using the domain controller 510 as a new backup ECU of the controller system, as shown at 650… that is outside the steering system 12 thus facilitates providing redundancy to the controlling ECU of the controller system, that is the ECU that is now operating as the primary ECU… domain controller 510 as the backup ECU includes initiating the steering system model 515 on the domain controller 510, as shown at 652”), further comprising commencing a failure mitigation procedure at the vehicle when the backup output is not received at the vehicle.  (See Fig. 7, ¶0006, ¶0043, and ¶0056 - ¶0057, ¶0060 - ¶0063, and ¶0067 in particular, Fig. 7 ~ process step method 645.  

    PNG
    media_image4.png
    153
    359
    media_image4.png
    Greyscale


It would have been obvious to one having ordinary skill in the art before the time the invention was filed to provide Rave’s system for handling vehicle ECU malfunctions with the backup ECU recognition and start sequencing when the backup ECU has failed, as taught by Klesing.  Motivation for combining the element(s) can include, but are not limited to:  providing consistent, accurate, and reliable control data input for vehicle control that excludes erroneous data or malicious code as a result of malicious activity, such as hackers, thieves, or terrorists.  The aim is to have continuity of vehicle operations in the event of malicious activity, including but not limited to that described above.

As to Claim 5,
Modified Rave substantially discloses the method of claim 1.
However, Rave’s system for handling vehicle ECU malfunctions does not teach, or suggest wherein the local electronic control unit 
generates a local output and the backup electronic control unit generates a backup output, further comprising 
commencing a failure mitigation procedure 
when a difference is detected between the local output and the backup output.
Conversely, Klesing’s triple redundancy failsafe for steering systems wherein the local electronic control unit generates a local output and the backup electronic control unit generates a backup output (see Fig. 7, and ¶0057, "In response to detection of the failure, it is determined whether the primary ECU or the secondary ECU from the controller system experiences the failure, as shown at 630. Thus, which one of the two ECUs from the controller system failed is determined”), further comprising commencing a failure mitigation procedure when a difference is detected between the local output and the backup output.  (See Fig. 7, and ¶0058, "the backup ECU detects the failure at the primary ECU by comparing a first road wheel position as computed by the primary ECU corresponding to a handwheel position and a second road wheel position as computed by the backup ECU corresponding to the same handwheel position. If the difference in the resulting road wheel positions exceeds a predetermined threshold, and if the sensors and other components of the backup ECU are not indicating signs of failure, the backup ECU determines that the primary ECU is failing.")
It would have been obvious to one having ordinary skill in the art before the time the invention was filed to provide Rave’s system for handling vehicle ECU malfunctions with the backup ECU recognizes a failure and data integrity difference between it and a local ECU, as taught by Klesing.  Motivation for combining the element(s) can include, but are not limited to:  providing consistent, accurate, and reliable control data input for vehicle control that excludes erroneous data or malicious code as a result of malicious activity, such as hackers, thieves, or terrorists.  The aim is to have continuity of vehicle 

As to Claim 12,
Modified Rave substantially discloses the operating system of claim 8.
However, Rave’s system for handling vehicle ECU malfunctions does not teach, or suggest wherein the local electronic control unit generates a local output and the backup electronic control unit generates a backup output, and 
the vehicle commences a failure mitigation procedure when a difference is detected between the local output and the backup output.
On the contrary, Klesing’s triple redundancy failsafe for steering systems wherein the local electronic control unit generates a local output and the backup electronic control unit generates a backup output (see Fig. 7, and ¶0057, "In response to detection of the failure, it is determined whether the primary ECU or the secondary ECU from the controller system experiences the failure, as shown at 630. Thus, which one of the two ECUs from the controller system failed is determined”), further comprising commencing a failure mitigation procedure when a difference is detected between the local output and the backup output.  (See Fig. 7, and ¶0058, "the backup ECU detects the failure at the primary ECU by comparing a first road wheel position as computed by the primary ECU corresponding to a handwheel position and a second road wheel position as computed by the backup ECU corresponding to the same handwheel position. If the difference in the resulting road wheel positions exceeds a predetermined threshold, and 
It would have been obvious to one having ordinary skill in the art before the time the invention was filed to provide Rave’s system for handling vehicle ECU malfunctions with the backup ECU recognizes a failure and data integrity difference between it and a local ECU, as taught by Klesing.  Motivation for combining the element(s) can include, but are not limited to:  providing consistent, accurate, and reliable control data input for vehicle control that excludes erroneous data or malicious code as a result of malicious activity, such as hackers, thieves, or terrorists.  The aim is to have continuity of vehicle operations in the event of malicious activity, including but not limited to that described above.

As to Claim 17,
Modified Rave substantially discloses the vehicle of claim 15.
However, Rave’s system for handling vehicle ECU malfunctions does not teach, or suggest wherein the backup electronic control unit sends backup output to the vehicle, further comprising commencing a failure mitigation procedure at the vehicle when the backup output is not received at the vehicle.
On the other hand, Klesing’s triple redundancy failsafe for steering systems teaches wherein the backup electronic control unit sends backup output to the vehicle (see Fig. 7.  

    PNG
    media_image2.png
    277
    692
    media_image2.png
    Greyscale


    PNG
    media_image3.png
    290
    320
    media_image3.png
    Greyscale

See ¶0060 - ¶0062, “if the backup ECU of the controller system experiences the failure, the method includes switching off the path of the backup ECU in the controller system, as shown at 645… initiating and using the domain controller 510 as a new backup ECU of the controller system, as shown at 650… that is outside the steering system 12 thus facilitates providing redundancy to the controlling ECU of the controller system, that is the ECU that is now operating as the primary ECU… domain controller 510 as the backup ECU includes initiating the steering system model 515 on the domain controller 510, as shown at 652”), further comprising commencing a failure mitigation 

    PNG
    media_image4.png
    153
    359
    media_image4.png
    Greyscale

See ¶0057, "In response to detection of the failure, it is determined whether the primary ECU or the secondary ECU from the controller system experiences the failure."  See ¶0060, "Alternatively, if the backup ECU of the controller system experiences the failure, the method includes switching off the path of the backup ECU in the controller system, as shown at 645.”)
It would have been obvious to one having ordinary skill in the art before the time the invention was filed to provide Rave’s system for handling vehicle ECU malfunctions with the backup ECU recognition and start sequencing when the backup ECU has failed, as taught by Klesing.  Motivation for combining the element(s) can include, but are not limited to:  providing consistent, accurate, and reliable control data input for vehicle control that excludes erroneous data or malicious code as a result of malicious activity, such as hackers, thieves, or terrorists.  The aim is to have continuity of vehicle operations in the event of malicious activity, including but not limited to that described above.

As to Claim 18,
the vehicle of claim 15.
However, Rave’s system for handling vehicle ECU malfunctions does not teach, or suggest wherein the local electronic control unit generates a local output and the backup electronic control unit generate a backup output, 
the vehicle further configured to commence a failure mitigation procedure when a difference is detected between the local output and the backup output.
Conversely, Klesing’s triple redundancy failsafe for steering systems wherein the local electronic control unit generates a local output and the backup electronic control unit generates a backup output (see Fig. 7, and ¶0057, "In response to detection of the failure, it is determined whether the primary ECU or the secondary ECU from the controller system experiences the failure, as shown at 630. Thus, which one of the two ECUs from the controller system failed is determined”), the vehicle further configured to commence a failure mitigation procedure when a difference is detected between the local output and the backup output.  (See Fig. 7, and ¶0058, "the backup ECU detects the failure at the primary ECU by comparing a first road wheel position as computed by the primary ECU corresponding to a handwheel position and a second road wheel position as computed by the backup ECU corresponding to the same handwheel position. If the difference in the resulting road wheel positions exceeds a predetermined threshold, and if the sensors and other components of the backup ECU are not indicating signs of failure, the backup ECU determines that the primary ECU is failing.")
It would have been obvious to one having ordinary skill in the art before the time the invention was filed to provide Rave’s system for handling vehicle ECU malfunctions 

Conclusion                                                                                                      
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ASHLEY L. REDHEAD, JR. whose telephone number is (571) 272 - 6952.  The examiner can normally be reached on weekdays, Monday through Thursday, between 7 a.m. and 5 p.m.
If attempts to reach the examiner by telephone are unsuccessful, the Examiner’s Supervisor, Peter Nolan can be reached Monday through Friday, between 9 a.m. and 5 p.m. at (571) 270 – 7016, or you can alternatively reach Supervisor Thomas Black at (571) 272 - 6956.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/ASHLEY L REDHEAD JR./Examiner, Art Unit 3661                                                                                                                                                                                                        	
/PETER D NOLAN/Supervisory Patent Examiner, Art Unit 3661