Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Specification
The lengthy specification has not been checked to the extent necessary to
determine the presence of all possible minor errors. Applicant's cooperation is
requested in correcting any errors of which applicant may become aware in the
specification.

Examiner Notes
Examiner cites particular columns, paragraphs, figures and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner. The entire reference is considered to provide disclosure relating to the claimed invention. The claims & only the claims form the metes & bounds of the invention. Office personnel are to give the claims their broadest reasonable interpretation in light of the supporting disclosure. Unclaimed limitations appearing in the specification are not read into the claim. Prior art was referenced using terminology 


Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 1-16 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  These claims are directed to an abstract idea without significantly more. 
As to claim 1,
Step 1: Claim 9 is directed to a system. Therefore, the claim is eligible under Step 1 for being directed to machine. 

Step 2A Prong One
Claim 1 recites 
two or more components with at least one inport for receiving failure data and one out- port for transmitting failure data, (insignificant activity: mere data gathering or outputting)
wherein for analysis of the failures data of the two or more components and/or the unit a safety contract is used, (mental process)

The claimed concept is a method of evaluating failure database on safety contract is directed to “Mental Process” grouping. These limitations can be performed in a human mind or using pen and paper.
Therefore, claim 1 is an abstract idea.

Step 2A Prong Two
The collecting/outputting data step is recited at a high level of generality (i.e., as a general means of collecting input for use in the evaluation step and output the result) and amounts to mere data collecting/outputting, which is a form of insignificant extra-solution activity. 
The step “the safety contract is generated automatically by a model-based safety analysis model (SAM) comprising separate SAM modules which are related to the two or more components of the unit” is recited at a high level of generality (i.e. as a general means of application), which is a form of insignificant extra-solution activity.
The claim recites additional elements such as “unit”, “system” and “component”. Each of the additional limitations is no more than mere instructions to apply the exception using a generic computer component. Simply implementing the abstract idea on a generic computer is not a practical application of the abstract idea. 
The judicial exception is not integrated into a practical application.

Step 2B:
Simply using a conventional machine to collect/output data. The present claim does not recite any limitation that would integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. See MPEP 2106.05(d).
The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. In particular, the claim limitations do not recite a combination of additional elements that tie or “integrate the invention into a practical application”. 
Thus, claim 1 is not patent eligible. Same conclusion for dependent claims of claim 1. See below.

2. The system as claimed in claim 1, wherein the failure data received at the inport are modelled by using an inport failure mode and the data transmitted from the outport are modelled by using an outport failure mode, wherein the inport failure mode and the outport failure mode is defined by the model-based safety analysis model. (insignificant activity: mere data gathering or outputting)

3. The system as claimed in claim 1, wherein an internal failure behavior is defined for each component and/or the unit. (mental process)

4. The system as claimed in claim 1, wherein a component fault tree model is used for the model-based safety analysis model.  (insignificant applicantion)

5. The system as claimed in claim 1, wherein the safety contract is defined by assumptions and guarantees, wherein an assumption is related to an inport failure and a guarantee is related to an outport failure. (mental process)

6. The system as claimed in claim 1, wherein an interface contract and/or a component contract can be generated as a safety contract for the components and/or the unit. (mental process)

7. The system as claimed in claim 1, wherein safety requirements and safety-related application conditions, SRAC, are defined for each of the components and/or the unit. (mental process)

8. The system as claimed in claim 1, wherein an integrity level is defined for the inport. (mental process)

Same conclusion for independent claims 9 and dependent claims. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception. In particular, the claim limitations do not recite a combination of additional elements that tie or “integrate the invention into a practical application”. 
Thus, claims 1-16 are not patent eligible.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1-16 are rejected under 35 U.S.C. 103 as being unpatentable over Hofig et al (US 2017/0185470 A1), hereinafter Hofig, in view of Kaier et al (NPL: Contract-Based design of embedded systems integrating nominal behavior and safety, 2015), hereinafter Kaiser.

Claim 1. A system for safety analysis of failure behavior for a unit comprising: 
Hofig discloses two or more components with at least one inport for receiving failure data and one outport for transmitting failure data, 
Hofig: [0031-0032] “As shown in the embodiment of FIG. 2, the method for generating automatically a component fault tree CFT of an investigated safety-critical system SYS may include several acts. In a first act S1, a continuous function chart CFC for each system component of the investigated safety-critical system SYS may be provided and  The system component C may be a hardware component of the safety-critical system SYS or a software component of the safety-critical system SYS.”
Hofig discloses wherein for analysis of the failures data of the two or more components and/or the unit) a safety contract is used, and 
Hofig: [0034-0035] “Finally, in act S3, for each generated component fault tree element of the system component C, the input failure modes IFM of the component fault tree element are connected to output failure modes OFM of the same component fault tree element via internal failure propagation paths based on interconnected function blocks FB of the continuous function chart CFC of the respective system component C. After the component fault tree CFT of the safety-critical system SYS has been generated automatically in acts S1 to S3, a fault tree analysis FTA may be performed on the basis of the generated component fault tree CFT. … In a further possible embodiment, the component fault tree is generated automatically in acts S1 to S3 as shown in FIG. 2 during a runtime of the safety-critical system SYS in response to an observed event of the safety-critical system SYS. [correspond to analysis of the failures data of the two or more components and/or the unit] The observed event may for instance include an observed failure of at least one system component C of the investigated safety-critical 
[0002] “The goal of a safety assessment process is to identify all failures that cause hazardous situations and to demonstrate that the probability of occurrence of such failures is sufficiently low. In the application domains of safety-critical systems, the corresponding safety assurance process may be defined by means of safety standards. [correspond to safety contract] The analysis of a safety-critical system may be performed by using bottom-up safety analysis approaches such as failure mode and effect analysis FMEA, or by using top-down safety analysis approaches such as fault tree analysis FTA. By performing a safety analysis it is possible to identify failure modes, their causes and effects having an impact on the system safety. Component fault trees CFTs provide a model- and component-based methodology for fault tree analysis FTA which supports a modular and compositional safety analysis of the respective safety-critical system….”

Hofig does not appear to explicitly disclose wherein the safety contract is generated automatically by a model-based safety analysis model (SAM) comprising separate SAM modules 
However, Kaiser discloses wherein the safety contract is generated automatically by a model-based safety analysis model (SAM) comprising separate SAM modules which are related to the two or more components of the unit on 
(page 72 section 2.4) “Moreover, failures can also be transformed into other failure modes (e.g., a too low actual value at the input of a proportional-integral controller 
Kaiser (page 78-79 section 4) “We suggest a modular top-down safety analysis applicable at the functional level, allowing early investigations and passing interfaces for component-based safety analysis down to the supplier, even before the technical solution has been defined. The steps of this proceeding are in essence the ones prescribed by ISO 26262. They involve formulating safety goals, performing safety analysis and setting up a safety concept that defines mechanisms to enable the system to deal with failures at runtime. [correspond to the safety contract is generated automatically by a model-based safety analysis model (SAM) comprising separate SAM modules] To benefit from the existing contracts for safety activities, we propose the following three-step approach:
1. Derivation of safety goals using contracts (see Section 4.1)
2. Contract-based modular safety analysis (see Section 4.2)
3. Definition of safety mechanisms by reusing the safety contracts (see Section 4.3)”

Hofig and Kaiser are analogous art because they are from the “same field of endeavor” safety analysis.
Before the effective filing date of the claimed invention” for AIA ], it would have been obvious to one of ordinary skill in the art, having the teachings of Hofig and Kaiser before him or her, to modify the safety analysis of Hofig to include the contract-based design feature of Kaiser because this combination provide flexibility to adapt new system development.
The suggestion/motivation for doing so would have been Kaiser (page 90 section 6) Solutions for contract negotiations at the instant of joining a convoy and runtime checking of contracts fulfillment before allowing certain operation modes (e.g., very close following) need to be developed, considering security aspects as well. Furthermore, the operational context is also dynamically variable for vehicles in traffic scenarios (e.g., number and quality of lanes on the highway). Hence, parameterized scenario set definitions are needed to replace today’s situation catalogues used for hazard analysis. Contract-based development seems a promising approach to deal with these new challenges. Our presented formulation of contracts make them suitable for an automated negotiation between partial systems connecting at runtime, and, hence, useful to address the above issues.”


Regarding Claim 9, the same ground of rejection is made as discussed above for substantially similar rationale. 

Claim 2 and 10.
Hofig discloses wherein the failure data received at the inport are modelled by using an inport failure mode and the data transmitted from the outport are modelled by using an outport failure mode, 
Hofig: [0029] “The apparatus 1 further includes a processing unit 3 adapted to generate for each continuous function chart CFC a corresponding component fault tree, CFT, element. Inports and outports of the component fault tree, CFT, elements are generated and interconnected by the processing unit 3 of the apparatus 1 based on unique names of the inputs and outputs of the corresponding continuous function chart CFC of the respective system component C of the investigated safety-critical system SYS. The processing unit 3 is further adapted to generate input failure modes IFM and output failure modes OFM of each generated component fault tree, CFT, element based on generic mapping between connector types of the continuous function chart CFC and failure types of failure modes of the component fault tree element. [correspond to the failure data received at the inport are modelled by using an inport failure mode and the data transmitted from the outport are modelled by using an outport failure mode] In a possible embodiment, the processing unit 3 is adapted to perform the generic mapping 
The safety-critical system correspond to model-based safety analysis model.
Hofig: [0033] “In a further act S2, input failure modes IFM and output failure modes OFM for each generated component fault tree element are generated based on generic mapping between connector types in the continuous function chart CFC and failure types of failure modes of the component fault tree element.”
Hofig discloses wherein the inport failure mode and the outport failure mode is defined by the model-based safety analysis model.  


Claim 3 and 11.
Hofig discloses wherein an internal failure behavior is defined for each component and/or the unit.  
Hofig: [0172] “The generated component fault tree CFT forms a Boolean data model associated to system components C of the investigated system SYS. In a component fault tree, a separate component fault tree element is related to each system component. Failures that are visible at the output of a system component C may be modelled using output failure modes OFM which are related to a specific outport. To model how specific failures propagate from an inport of a component C to an outport, input failure modes IFM are used. The internal failure behavior that also influences the output failure modes OFM may be modeled using Boolean gates such as OR and AND as well as so-called basic events BE. [correspond to an internal failure behavior is defined for each component and/or the unit] Every component fault tree CFT may be transformed to a classic fault tree by removing the input and output failure mode elements. In both trees, top events TE or output events may be modelled as well. The component fault tree data model CFT allows additionally to the Boolean formula that are also modelled within the classic fault tree to associate the specific top events TE to the corresponding ports where the failures may appear.”

Claim 4 and 12
Hofig discloses wherein a component fault tree model is used for the model-based safety analysis model.  
Hofig: [0029] “The apparatus 1 further includes a processing unit 3 adapted to generate for each continuous function chart CFC a corresponding component fault tree, CFT, element. Inports and outports of the component fault tree, CFT, elements are generated and interconnected by the processing unit 3 of the apparatus 1 based on unique names of the inputs and outputs of the corresponding continuous function chart CFC of the respective system component C of the investigated safety-critical system SYS. … The processing unit 3 is further adapted to connect for each generated component fault tree, CFT, element of the respective system component C the input failure modes IFM of said component fault tree element to output failure modes OFM of the component fault tree element via internal failure propagation paths based on interconnected function blocks FB of the continuous function chart CFC of the respective system component C of the investigated safety-critical system SYS. In a possible embodiment, the processing unit 3 of the apparatus 1 is adapted to read the interconnected function blocks FB of the continuous function chart CFC from a function block database 5 as shown in FIG. 1. In a possible embodiment, the processing unit 3 is adapted to generate the component fault tree CFT automatically during a runtime of the investigated safety-critical system SYS in response to an observed event. [correspond to a component fault tree model is used for the model-based safety analysis model] This event may be for instance a failure of at least one system component C of the safety-critical system SYS. The 

Claim 5 and 13.
Kaiser discloses wherein the safety contract is defined by assumptions and guarantees, wherein an assumption is related to an inport failure and a guarantee is related to an outport failure.  
Kaiser (page 70 section 2.1) “In the past couple of years the research on contract-based systems engineering has increased dramatically (for an overview see [3]). The preconditions are interpreted as assumptions of a component on the signals provided at their input-ports and their operational environment; the post conditions are guarantees that the same component is able to fulfill. [correspond to an assumption is related to an inport failure and a guarantee is related to an outport failure]  Accordingly, contracts are matching pairs consisting of an assumption (A) or a conjunction of several assumptions, and a guarantee (G) as provided in Figure 1. [correspond to the safety contract is defined by assumptions and guarantees] The assumption specifies how the context of the component, i.e., the environment from the point of view of the component, should behave. Only if the assumption holds, then the component will behave as guaranteed. This kind of specification allows replacing components by other ones with the same purpose and compatible interfaces, if they accept the same or weaker assumptions about the environment and provide the same or stronger guarantees towards the environment.”

    PNG
    media_image1.png
    286
    669
    media_image1.png
    Greyscale

Kaiser (page 84 section 4.4) “The contract specifying the safety mechanism defines the context, in which the safety mechanisms shall operate correctly, and how the result shall look like. The Plausibility Check in Figure 6 detects an invalid current signal and sets the valid signal to false. The assumption for this behavior is the absence of internal faults of the plausibility check. Hence, the contract will informally look like: 

    PNG
    media_image2.png
    110
    848
    media_image2.png
    Greyscale

From the assumption in our example (which could be derived from some process standard) it follows that it should be considered that, at the same time, the signal is faulty due to some sensor failure and the Sensor Diagnostics Component from Figure 6 is defective.” [correspond to an assumption is related to an inport failure and a guarantee is related to an outport failure]  

Claim 6 and 14.
wherein an interface contract and/or a component contract can be generated as a safety contract for the components and/or the unit.  
Kaiser: (page 73-75 section 3) “This section explains how to capture, refine, and allocate requirements using contracts while creating the hierarchical system architecture. Our aim is addressing both the top-down process from requirements towards implementation by step-wise refinement (see Section 3.4) and the bottom-up process where a system is composed of pre-existing and pre-qualified components described by assumptions and guarantees. The term “multi-aspect” contract refers to the possibility to make assertions about different system aspects, as for instance: …
We distinguish two flavors of contracts that have their specific advantages at different points of the development process: component contracts and interface contracts.”
Section 3.1 discloses interface contracts and section 3.2 discloses component contracts. 
Kaiser: (page 78 section 4) ) “We suggest a modular top-down safety analysis applicable at the functional level, allowing early investigations and passing interfaces for component-based safety analysis down to the supplier, even before the technical solution has been defined. The steps of this proceeding are in essence the ones prescribed by ISO 26262. They involve formulating safety goals, performing safety analysis and setting up a safety concept that defines mechanisms to enable the system to deal with failures at runtime. [correspond to wherein an interface contract and/or a component contract can be generated as a safety contract for the components and/or the unit] To benefit from the existing contracts for safety activities, we propose the following three-step approach:

2. Contract-based modular safety analysis (see Section 4.2)
3. Definition of safety mechanisms by reusing the safety contracts (see Section 4.3)”

Claim 7 and 15.
Kaiser discloses wherein safety requirements and safety-related application conditions, SRAC, are defined for each of the components and/or the unit.  
Kaiser: (page 78-81 section 4) “We suggest a modular top-down safety analysis applicable at the functional level, allowing early investigations and passing interfaces for component-based safety analysis down to the supplier, even before the technical solution has been defined. The steps of this proceeding are in essence the ones prescribed by ISO 26262. They involve formulating safety goals, performing safety analysis and setting up a safety concept that defines mechanisms to enable the system to deal with failures at runtime. To benefit from the existing contracts for safety activities, we propose the following three-step approach:
1. Derivation of safety goals using contracts (see Section 4.1)
2. Contract-based modular safety analysis (see Section 4.2)
3. Definition of safety mechanisms by reusing the safety contracts (see Section 4.3)” [correspond to safety requirements and safety-related application conditions]

Claim 8 and 16.
Kaiser discloses wherein an integrity level is defined for the inport.


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHUEN-MEEI GAN whose telephone number is (469)295-9127.  The examiner can normally be reached on Monday-Friday 9:00 am to 4:00 pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rehana Perveen can be reached on (571) 272-3676.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 






/CHUEN-MEEI GAN/Primary Examiner, Art Unit 2129