DETAILED ACTION
Claims 1-18 are pending.  
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Objections
The claims are objected to because of the following informalities: 
In claim 10, it appears that the phrase ‘a plurality of plurality of processors’ should read ‘a plurality of 
Appropriate correction is required.
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(B)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.
The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention. 

Claim(s) 1-18 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.

Further, claims 1 and 10 recite ‘different respective portions’ and it is unclear what these portions are respective to.
Further, claims 1 and 10 recite ‘its corresponding shadow function output’ and it is unclear what ‘its corresponding’ output refers to.
Further, claims 1 and 10 recite ‘under conditions where the safety function output and the shadow function output are free from error’ and it is not clear what these conditions are.  It appears from the specification that the intent is that the safety function and the shadow function operate without error, however, there is also the sensor input to consider.
With regard to claims 2 and 11, these claims recite ‘its corresponding shadow function output’ and it is unclear what ‘its corresponding’ output refers to.
With regard to claims 3 and 12, these claims recite ‘approximately equal’ and it is unclear what the metes and bounds are of ‘approximately’.
With regard to claims 9 and 18, these claims recite ‘different respective portions’ and it is unclear what these portions are respective to.
Further, claims 9 and 18 recite ‘approximately concurrently’ and it is unclear what the metes and bounds are of ‘approximately’.
Further, claims 9 and 18 recite ‘the selected first sensor’, which lacks antecedent basis.

With regard to claim 18, this claim recites ‘the first diagnostic interval’ and ‘the second diagnostic interval’ for which there is no antecedent basis.
With regard to claims 11-18, these claims depend on the method of claim 9, for which there is no antecedent basis.  For examination purposes, they have been considered to depend on claim 10. 
Note that, in the action below, a best effort has been made to interpret the claims in view of the numerous ambiguities cited above. 
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claim(s) 1-18 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a non-statutory subject matter. The claims do not fall within at least one of the four categories of patent eligible subject matter because the claimed invention is directed to the mental processes (abstract ideas) of processing sensor data to generate other condition data.  
Claim 1 recites a diagnostic system, i.e. a machine, which is a statutory category of invention.

comparing selected ones of the sensor measurements to respective predetermined alarm set points; 
determining a safety function output for the selected sensor measurements based upon the sensor measurement comparison, the safety function output representing a first status estimate for the monitored asset; and 
transmit the safety function output; 
executing a shadow function configured to determine a shadow function output corresponding to each safety function output during different respective portions of a diagnostic interval, and wherein the shadow function output represents a second status estimate for the monitored asset and is configured to replicate the safety function output under conditions where the safety function output and the shadow function output are free from error; and transmit the shadow function output for each safety function output; 
and validating each safety function output by comparing the safety function output with its corresponding shadow function output, i.e. under the broadest reasonable interpretation, these limitations comprise a mental process involving comparing sensor data to alarm set points twice and comparing the results of these comparisons to determine if they agree that may be performed in the human mind, or by a human using a pen and paper.  Thus the claim recites an abstract idea (mental processes), see MPEP 2106.04(a).

The claims do not include additional elements that are sufficient to amount to significantly more than the judicial exception. As discussed above with respect to integration of the abstract idea into a practical application, applying the method with a processor (merely applying the exception with a generic computer processor — see 2106.04(d)), and receiving data acquired by a sensor (insignificant extra-solution elements – mere data gathering, see MPEP 2106.05 I A) and outputting a condition for the monitored asset (insignificant extra-solution activity, see 2106.04(a)(2) III A regarding displaying information) are not considered significantly more.  Considering the additional elements individually and in combination and the claim as a whole, the additional elements do not provide significantly more than the abstract idea. Thus the claim is not patent eligible.
Claim 2 recites making a determination/decision using a tolerance that may be performed mentally. Thus this claim recites an abstract idea.
Claim 3 recites an equivalence condition that may be evaluated mentally. Thus this claim recites an abstract idea.

Claim 5 recites assigning a fault based on the condition that may be performed mentally.  Thus this claim recites an abstract idea.
Claim 6 recites performing multiple evaluations (shadow functions) in various broadly specified time periods that may be performed mentally.  Thus this claim recites an abstract idea.
Claim 7 recites assigning an abstract value for an interval. Thus this claim recites an abstract idea.
Claim 8 recites performing multiple evaluations (safety functions) that may be performed mentally and transmitting a safety function output (extra-solution activity, see MPEP 2106.05(d) II and MPEP 2106.05(g) e.g. receiving or transmitting data over a network).  Thus this claim recites an abstract idea.
Claim 9 recites performing multiple evaluations (shadow functions) that may be performed mentally and doing so during various times (intervals) that are approximately concurrent that may be evaluated mentally by making the various evaluations in sequence one after the other.  Thus this claim recites an abstract idea.
Claim 10 recites a diagnostic method, i.e. a process, which is a statutory category of invention.  The recited process is however similar to that recited in claim 1 and considered to involve an abstract idea (mental process) and is rejected under the same rationale as claim 1.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1-6, 8, 10-15, and 17-18 is/are rejected under 35 U.S.C. 103 as being unpatentable over Nakagawa U.S. Patent Publication No. 20120221262 (hereinafter Nakagawa) in view of Izzo et al. U.S. Patent Publication No. 20180329397 (hereinafter Izzo).
Regarding claim 1, Nakagawa teaches a diagnostic system [0041, Fig. 2 — the integrity monitoring apparatus 2 in this embodiment that monitors the integrity of the electronic device 2], comprising: 
a plurality of processors, wherein at least a portion of the processors are configured to receive data acquired by a sensor [0041-0043, Fig. 2 — a first processor 13, a second processor 14…  control unit 23 is configured to generate a control signal for controlling the operation of the actuator 101, based on the command signal from the FCC 3 that is input via the I/F 12, a feedback signal that is transmitted from the actuator 101, and sensor signals that are input from various sensors; 0054 —  monitoring unit 26 generates a monitoring control signal, which is generated by the same calculation as that performed by the control unit 23 for generating the control signal for controlling the operation of the actuator 101, based on the command signal from the FCC 3 that is input via the I/F 12, a feedback signal that is transmitted from the actuator 101, and sensor signals that are input from various sensors ], the plurality of processors including, 
a first processor configured to, continuously execute a safety function, wherein the executed safety function is configured to perform operations including, determining one or more sensor measurements representing an operating parameter of a monitored asset from the received data [0041-0043, Fig. 2 —  first processor 13 includes a control unit 23, a first storage unit 24, a first caution signal output unit 25… control unit 23 is configured to generate a control signal for 
comparing selected ones of the sensor measurements to respective predetermined alarm set points [0049, Fig. 2 —  first caution signal output unit 25 is configured to compare the input/output electric signal into/from the control unit 23 with the above-described first reference value stored in the first storage unit 24, calculating the amount of deviation therebetween]; 
determining a safety function output for the selected sensor measurements based upon the sensor measurement comparison, the safety function output representing a first status estimate for the monitored asset [0049, Fig. 2 —  first caution signal output unit 25 is configured to compare the input/output electric signal into/from the control unit 23 with the above-described first reference value…  the first caution signal output unit 25 outputs a first caution signal for signaling that degradation of the control unit 23 has been detected]; and 
transmit the safety function output [0049-0050, Fig. 2 — a first caution signal is output from the first caution signal output unit 25 as a result of detection of degradation of the control unit 23 as described above, the first caution signal is input into the FCC 3]; 
a second processor configured to: execute a shadow function configured to determine a shadow function output corresponding to each safety function output during different respective portions 
a processor configured to: validate each safety function output by comparing the safety function output with its corresponding shadow function output, and output a condition for the monitored asset based upon the validation comparison [0053-0054, Fig. 2 — second processor 14 includes a monitoring unit 26, a second storage unit 27, a second caution signal output unit 28, and so forth… monitoring unit 26 is configured to monitor the state of the control unit 23 by performing the same calculation as that performed by the control unit 23. Accordingly, the monitoring unit 
But Nakagawa fails to clearly specify a third processor, different from the first and second processors, and configured to: validate each safety function output by comparing the safety function output with its corresponding shadow function output.
However, Izzo teaches a third processor, different from the first and second processors, and configured to: validate each safety function output by comparing the safety function output with its corresponding shadow function output [0039, Fig. 2  —  multicore processor 30 providing multiple processor cores 32 (processors) on a single integrated circuit die 34; 0061-0064, Fig. 6 —  this data matches, suggesting that the hardware associated with two different cores 32 are functioning correctly, the program proceeds to, process block 114 …  If at decision block 112, an error is indicated (in a failure of the data to match), the safety controller 12 moves to a safe state indicated by process block 116 where the output values revert to predetermined safe output values; 0065 — program 46a may be statically assigned to a first core A (for example, core 32a), 46b may be statically assigned to a second core B (for example, core 32b) during the execution of the programs 46a and 46b… The comparison steps of process blocks 110, 112 and the scanning output of process block 112 may again be implemented by the core designated C. This static assignment of cores allows the programs 46A and 46b to more accurately identify hardware error associated with the course. This operation may be used to implement SIL-2 safety] and output a condition for the monitored asset based upon the validation comparison [0061-0064, Fig. 6 —  this data matches, suggesting that the hardware associated with two different cores 32 are functioning correctly, the program proceeds to, process block 114 …  If at decision block 112, an error is indicated (in a failure of the data to match), the safety controller 12 moves to a safe state indicated by process block 116 where the output values revert to predetermined safe output values].
Nakagawa and Izzo are analogous art.  They relate to control systems, particularly with failure/safety monitoring.
Therefore before the effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the above electronic integrity monitoring system and method, as taught by Nakagawa, by incorporating the above limitations, as taught by Izzo.  
One of ordinary skill in the art would have been motivated to do this modification to more accurately identify hardware error, as taught by Izzo [0065] or to ensure that a hardware problem affecting either of the first or second processor does not affect the comparison function or to ensure that the first and second processors function similarly without either of them needing to provide the additional resources for the comparison function.
Regarding claim 2, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above.  
Further, Nakagawa teaches that an output condition is a first condition when the safety function output differs from its corresponding shadow function output by greater than a predetermined fault tolerance, and wherein the first condition represents an error in determining at least one of the first status estimate and the second status estimate [0049 — first caution signal output unit 25 is configured to compare the input/output electric signal into/from the control unit 23 with the above-described first reference value stored in the first storage unit 24, calculating the amount of deviation therebetween. Furthermore, if the magnitude of the calculated amount of deviation exceeds a predetermined first threshold value that has been set in advance, the first caution signal output unit 25 outputs a first caution signal for signaling that degradation of the control unit 23 has been detected.; 0069 —  if the above-described amount of deviation exceeds a predetermined threshold value (first threshold value), or in other words, if the degree of degradation progresses to a degree greater than a predetermined degree, the first caution signal output unit 25 detects degradation and outputs a caution signal (first caution signal); 0072-0073 — it is also possible to configure an integrity monitoring apparatus 2 in which each of the first and the second threshold values is set across a plurality of levels and a plurality of types of the first and second caution signals respectively corresponding to the levels are output. With the integrity monitoring apparatus 2, the degree of degradation of each of the control unit 23 and the monitoring unit 26 is detected in a step-wise manner across a plurality of stages and then signaled. Accordingly, it is possible to take different countermeasures in a step-wise manner during maintenance, depending on the level of the caution signal; 0053-0054, Fig. 2 — second processor 14 includes a monitoring unit 26, a second storage unit 27, a second caution signal output unit 28, and so 
Regarding claim 3, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above.  
Further, Nakagawa teaches that an output condition is a second condition when the safety function output and the shadow function output are approximately equivalent [0053-0054, Fig. 2 — second processor 14 includes a monitoring unit 26, a second storage unit 27, a second caution signal output unit 28, and so forth… monitoring unit 26 is configured to monitor the state of the control unit 23 by performing the same calculation as that performed by the control unit 23. Accordingly, the monitoring unit 26 generates a monitoring control signal, which is generated by the same calculation as that performed by the control unit 23… monitoring unit 26 is configured to monitor an abnormality of the control unit 23 by comparing a result of calculation performed by the monitoring unit 26 with a result of calculation performed by the control unit 23. Thereby, the ACE 2 is configured to monitor the occurrence of a generic failure, that is, a failure that may occur commonly among the same pieces of software or hardware. — An abnormality in processing is indicated if the results are different but not if the results are the same/equivalent.].
32 are functioning correctly, the program proceeds to, process block 114 …  If at decision block 112, an error is indicated (in a failure of the data to match), the safety controller 12 moves to a safe state indicated by process block 116 where the output values revert to predetermined safe output values].
Regarding claim 4, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above.  
Further, Nakagawa teaches that a second condition indicates no asset fault is detected [0053-0054, Fig. 2 — second processor 14 includes a monitoring unit 26, a second storage unit 27, a second caution signal output unit 28, and so forth… monitoring unit 26 is configured to monitor the state of the control unit 23 by performing the same calculation as that performed by the control unit 23. Accordingly, the monitoring unit 26 generates a monitoring control signal, which is generated by the same calculation as that performed by the control unit 23… monitoring unit 26 is configured to monitor an abnormality of the control unit 23 by comparing a result of calculation performed by the monitoring unit 26 with a result of calculation performed by the control unit 23. Thereby, the ACE 2 is configured to monitor the occurrence of a generic failure, that is, a failure that may occur commonly among the same pieces of software or hardware. — An abnormality in processing is indicated if the results are different but no fault if the results are the same/equivalent.].
Regarding claim 5, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above.  
Further, Nakagawa teaches that a second condition indicates that an asset fault is detected [0049 — first caution signal output unit 25 is configured to compare the input/output electric signal into/from the control unit 23 with the above-described first reference value stored in the first storage unit 24, calculating the amount of deviation therebetween. Furthermore, if the magnitude of the calculated amount of deviation exceeds a predetermined first threshold value that has been set in advance, the first caution signal output unit 25 outputs a first caution signal for signaling that degradation of the control unit 23 has been detected.; 0069 —  if the above-described amount of deviation exceeds a predetermined threshold value (first threshold value), or in other words, if the degree of degradation progresses to a degree greater than a predetermined degree, the first caution signal output unit 25 detects degradation and outputs a caution signal (first caution signal); 0072-0073 — it is also possible to configure an integrity monitoring apparatus 2 in which each of the first and the second threshold values is set across a plurality of levels and a plurality of types of the first and second caution signals respectively corresponding to the levels are output. With the integrity monitoring apparatus 2, the degree of degradation of each of the control unit 23 and the monitoring unit 26 is detected in a step-wise manner across a plurality of stages and then signaled. Accordingly, it is possible to take different countermeasures in a step-wise manner during maintenance, depending on the level of the caution signal; 0053-0054, Fig. 2 — second processor 14 includes a monitoring unit 26, a second storage unit 27, a second caution signal output unit 28, and so forth… monitoring unit 26 is configured to monitor the state of the control unit 23 by performing the same calculation as that performed by the control unit 23. 
Accordingly, the monitoring unit 26 generates a monitoring control signal, which is generated by 
Regarding claim 6, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above.  
Further, Nakagawa teaches that the first processor executes a plurality of safety functions [0078-0079, Fig. 3 — first processor 13a of the ACE 2a includes a control unit 23, a storage unit 24a, a first caution signal output unit 25a, a second caution signal output unit 28a].
Further, Izzo teaches that an executed shadow function is configured to: determine a first shadow function output corresponding to a first safety function of the plurality of safety functions only during a first portion of the diagnostic interval, determine a second shadow function output corresponding to a second safety function of the plurality of safety functions only during a second portion of the diagnostic interval, the second portion of the diagnostic interval following immediately after the first portion of the diagnostic interval [0066-0068, Figs. 8-9 —  alternating executions (different times) of a full or partial execution of one cycle of the program 46a per process block 106 and one cycle of the program 46b per process block 108. The same core A may then execute the steps of process blocks 110, 112 and the scanning output of process 112. The diversity of the programs 46a and 46b (shadow function) may continue to reveal certain types of hardware failures if the outputs generated by these successive executions of the programs 46a and 46b do not match during the comparison process.].
Therefore before the effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the above electronic integrity monitoring system and method, as taught by the combination of Nakagawa and Izzo, by incorporating the above limitations, as taught by Izzo.  
One of ordinary skill in the art would have been motivated to do this modification in order to be able to execute the various functions on the same processor, as suggested by Izzo [0066-0068].
Regarding claim 8, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above.  
Further, Nakagawa teaches the first processor is configured to: 
execute a first safety function, wherein the executed first safety function is configured to perform operations including, determining one or more first sensor measurements from the received data [0041-0043, Fig. 2 —  first processor 13 includes a control unit 23, a first storage unit 24, a first caution signal output unit 25… control unit 23 is configured to generate a control signal for controlling the operation of the actuator 101, based on the command signal from the FCC 3 that is input via the I/F 12, a feedback signal that is transmitted from the actuator 101, and sensor signals that are input from various sensors; 0054 —  monitoring unit 26 generates a monitoring control signal, which is generated by the same calculation as that performed by the control unit 23 for generating the control signal for controlling the operation of the actuator 101, based on the 
comparing selected ones of the first sensor measurements to respective predetermined alarm set points [0049, Fig. 2 —  first caution signal output unit 25 is configured to compare the input/output electric signal into/from the control unit 23 with the above-described first reference value stored in the first storage unit 24, calculating the amount of deviation therebetween]; and 
determining a safety function output for the selected first sensor measurements based upon the first sensor measurement comparison [0049, Fig. 2 — first caution signal output unit 25 is configured to compare the input/output electric signal into/from the control unit 23 with the above-described first reference value… the first caution signal output unit 25 outputs a first caution signal for signaling that degradation of the control unit 23 has been detected]; 
execute a second safety function, wherein the executed second safety function is configured to perform operations including, determining one or more second sensor measurement from the received data; comparing selected ones of the second sensor measurements to respective predetermined alarm set points; and transmitting a safety function output for the selected second sensor measurements based upon the second sensor measurement comparison [0041-0043, Fig. 2 — a second processor 14; 0053-0054, 0061, Fig. 2 — second processor 14 includes a monitoring unit 26, a second storage unit 27, a second caution signal output unit 28, and so forth… monitoring unit 26 is configured to monitor the state of the control unit 23 by performing the same calculation as that performed by the control unit 23. Accordingly, the monitoring unit 26 generates a monitoring control signal, which is generated by the same calculation as that performed by the control unit 23… monitoring unit 26 is configured to monitor an abnormality 
Further, Izzo teaches execute a first safety function during a first diagnostic interval and a second diagnostic interval [0066-0068, Figs. 8-9 —  alternating executions (different times) of a full or partial execution of one cycle of the program 46a per process block 106 and one cycle of the program 46b per process block 108. The same core A may then execute the steps of process blocks 110, 112 and the scanning output of process block 112. The diversity of the programs 46a and 46b (shadow function) may continue to reveal certain types of hardware failures if the outputs generated by these successive executions of the programs 46a and 46b do not match during the comparison process.].
Therefore before the effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the above electronic integrity monitoring system and method, as taught by the combination of Nakagawa and Izzo, by incorporating the above limitations, as taught by Izzo.  
One of ordinary skill in the art would have been motivated to do this modification in order to be able to execute the various functions on the same processor, as suggested by Izzo [0066-0068].
Regarding claim 10, Nakagawa teaches a diagnostic method [0041, Fig. 2 — a method for operating the integrity monitoring apparatus 2 in this embodiment that monitors the integrity of the electronic device 2], comprising: 

executing, by a first processor of the plurality of processors, a safety function, wherein the executed safety function is configured to perform operations including: determining one or more sensor measurements representing an operating parameter of a monitored asset from the received data [0041-0043, Fig. 2 —  first processor 13 includes a control unit 23, a first storage unit 24, a first caution signal output unit 25… control unit 23 is configured to generate a control signal for controlling the operation of the actuator 101, based on the command signal from the FCC 3 that is input via the I/F 12, a feedback signal that is transmitted from the actuator 101, and sensor signals that are input from various sensors; 0054 —  monitoring unit 26 generates a monitoring control signal, which is generated by the same calculation as that performed by the control unit 23 for generating the control signal for controlling the operation of the actuator 101, based on the command signal from the FCC 3 that is input via the I/F 12, a feedback signal that is transmitted from the actuator 101, and sensor signals that are input from various sensors ]; 

determining a safety function output for the selected sensor measurements based upon the sensor measurement comparison, the safety function output representing a first status estimate for the monitored asset [0049, Fig. 2 —  first caution signal output unit 25 is configured to compare the input/output electric signal into/from the control unit 23 with the above-described first reference value…  the first caution signal output unit 25 outputs a first caution signal for signaling that degradation of the control unit 23 has been detected]; and transmitting, by the first processor, the safety function output [0049-0050, Fig. 2 — a first caution signal is output from the first caution signal output unit 25 as a result of detection of degradation of the control unit 23 as described above, the first caution signal is input into the FCC 3];
 executing, by a second processor of the plurality of processors, a shadow function, configured to determine a shadow function output corresponding to each safety function output during different respective portions of a diagnostic interval [0051 — the input/output electric signal that is to be compared with the first reference value is also acquired at the timing of each pre-flight check ], wherein the shadow function output represents a second status estimate for the monitored asset and is configured to replicate the safety function output under conditions where the safety function output and the shadow function output are free from error [0041-0043, Fig. 2 — a second processor 14; 0053-0054, 0061, Fig. 2 — second processor 14 includes a monitoring unit 26, a second storage unit 27, a second caution signal output unit 28, and so forth… monitoring unit 26 is configured to monitor the state of the control unit 23 by performing the 
receiving, by a processor, the safety function output and the shadow function output; validating, by the processor, each safety function output by comparing the safety function output with its corresponding shadow function output, and outputting, by the processor, a condition for the monitored asset based upon the validation comparison [0053-0054, Fig. 2 — second processor 14 includes a monitoring unit 26, a second storage unit 27, a second caution signal output unit 28, and so forth… monitoring unit 26 is configured to monitor the state of the control unit 23 by performing the same calculation as that performed by the control unit 23. Accordingly, the monitoring unit 26 generates a monitoring control signal, which is generated by the same calculation as that performed by the control unit 23… monitoring unit 26 is configured to monitor an abnormality of the control unit 23 by comparing a result of calculation performed by 
But Nakagawa fails to clearly specify a third processor, different from the first and second processors, and configured to: validate each safety function output by comparing the safety function output with its corresponding shadow function output.
However, Izzo teaches a third processor, different from the first and second processors, and configured to: validate each safety function output by comparing the safety function output with its corresponding shadow function output [0039, Fig. 2  —  multicore processor 30 providing multiple processor cores 32 (processors) on a single integrated circuit die 34; 0061-0064, Fig. 6 —  this data matches, suggesting that the hardware associated with two different cores 32 are functioning correctly, the program proceeds to, process block 114 …  If at decision block 112, an error is indicated (in a failure of the data to match), the safety controller 12 moves to a safe state indicated by process block 116 where the output values revert to predetermined safe output values; 0065 — program 46a may be statically assigned to a first core A (for example, core 32a), and program 46b may be statically assigned to a second core B (for example, core 32b) during the execution of the programs 46a and 46b… The comparison steps of process blocks 110, 112 and the scanning output of process block 112 may again be implemented by the 46A and 46b to more accurately identify hardware error associated with the course. This operation may be used to implement SIL-2 safety] and output a condition for the monitored asset based upon the validation comparison [0061-0064, Fig. 6 —  this data matches, suggesting that the hardware associated with two different cores 32 are functioning correctly, the program proceeds to, process block 114 …  If at decision block 112, an error is indicated (in a failure of the data to match), the safety controller 12 moves to a safe state indicated by process block 116 where the output values revert to predetermined safe output values].
Nakagawa and Izzo are analogous art.  They relate to control systems, particularly with failure/safety monitoring.
Therefore before the effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the above electronic integrity monitoring system and method, as taught by Nakagawa, by incorporating the above limitations, as taught by Izzo.  
One of ordinary skill in the art would have been motivated to make this modification to more accurately identify hardware error, as taught by Izzo [0065], or to ensure that a hardware problem affecting either of the first or second processor does not affect the comparison function, or to ensure that the first and second processors function similarly without either of them needing to provide the additional resources for the comparison function.
Regarding claim 11, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above and this claim is otherwise rejected under the same rationale as claim 2.
Regarding claim 12, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above and this claim is otherwise rejected under the same rationale as claim 3.
Regarding claim 13, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above and this claim is otherwise rejected under the same rationale as claim 4.
Regarding claim 14, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above and this claim is otherwise rejected under the same rationale as claim 5.
Regarding claim 15, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above and this claim is otherwise rejected under the same rationale as claim 6.
Regarding claim 17, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above and this claim is otherwise rejected under the same rationale as claim 8.
Regarding claim 18, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above and this claim is otherwise rejected under the same rationale as claim 9.
Claim(s) 7, 9 and 16 is/are rejected under 35 U.S.C. 103 as being unpatentable over the combination of Nakagawa and Izzo in view of Vicentini et al. U.S. Patent Publication No. 20130245825 (hereinafter Vicentini).
Regarding claim 7, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above.  
Further, Nakagawa teaches validating each sensor measurement of the safety function by the shadow function [0041-0043, Fig. 2 —  first processor 13 includes a control unit 23, a first storage unit 24, a first caution signal output unit 25… control unit 23 is configured to generate a control signal for controlling the operation of the actuator 101, based on the command signal from the FCC 3 that is input via the I/F 12, a feedback signal that is transmitted from the actuator 101, and sensor signals that are input from various sensors; 0054 —  monitoring unit 26 generates a monitoring control signal, which is generated by the same calculation as that performed by the control unit 23 for generating the control signal for controlling the operation of the actuator 101, based on the command signal from the FCC 3 that is input via the I/F 12, a feedback signal that is transmitted from the actuator 101, and sensor signals that are input from various sensors ; 0053-0054, Fig. 2 — second processor 14 includes a monitoring unit 26, a second storage unit 27, a second caution signal output unit 28, and so forth… monitoring unit 26 is configured to monitor the state of the control unit 23 by performing the same calculation as that performed by the control unit 23. Accordingly, the monitoring unit 26 generates a monitoring control signal, which is generated by the same calculation as that performed by the control unit 23… monitoring unit 26 is configured to monitor an abnormality of the control unit 23 by comparing a result of calculation performed by the monitoring unit 26 with a result of calculation performed by the control unit 23. Thereby, the ACE 2 is configured to monitor the occurrence of a generic failure; 0049-0050, Fig. 2 — a first caution signal is output from the first caution signal output unit 25; 0072 —an electronic device integrity monitoring apparatus 2 capable of monitoring the integrity of the electronic device 2 that outputs a control signal to an 
But the combination of Nakagawa and Izzo fails to clearly specify that a diagnostic interval is a maximum time duration permitted to validate each sensor measurement.
However, Vicentini teaches that a diagnostic interval is a maximum time duration permitted to validate each sensor measurement [0085-0086 — a maximum time period can be defined within which, with all probability, an error corresponding to the movement of the robot can be detected… a maximum acceptable error, which must take account of the possible error of drift of the integrated signal of the inertial sensor in the maximum time period considered, if such error is not exceeded at a time within a period of time equal to the maximum time period considered, then the verification of the kinematic values is satisfied].
Nakagawa, Izzo and Vicentini are analogous art.  They relate to control systems, particularly with failure/safety monitoring.
Therefore before the effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the above electronic integrity monitoring system and method, as taught by the combination of Nakagawa and Izzo, by incorporating the above limitations, as taught by Vicentini.  

Regarding claim 9, the combination of Nakagawa, Izzo and Vicentini teaches all the limitations of the base claims as outlined above.  
Further, Nakagawa teaches the shadow function is configured to determine shadow function outputs corresponding to the selected first sensor measurements [0041-0043, Fig. 2 — first processor 13 includes a control unit 23, a first storage unit 24, a first caution signal output unit 25… control unit 23 is configured to generate a control signal for controlling the operation of the actuator 101, based on the command signal from the FCC 3 that is input via the I/F 12, a feedback signal that is transmitted from the actuator 101, and sensor signals that are input from various sensors; 0054 — monitoring unit 26 generates a monitoring control signal, which is generated by the same calculation as that performed by the control unit 23 for generating the control signal for controlling the operation of the actuator 101, based on the command signal from the FCC 3 that is input via the I/F 12, a feedback signal that is transmitted from the actuator 101, and sensor signals that are input from various sensors; 0041-0043, Fig. 2 — a second processor 14; 0053-0054, 0061, Fig. 2 — second processor 14 includes a monitoring unit 26, a second storage unit 27, a second caution signal output unit 28, and so forth… monitoring unit 26 is configured to monitor the state of the control unit 23 by performing the same calculation as that performed by the control unit 23. Accordingly, the monitoring unit 26 generates a monitoring control signal, which is generated by the same calculation as that performed by the control unit 23… monitoring unit 26 is configured to monitor an abnormality of the control unit 23 by comparing a result of calculation performed by the monitoring unit 26 with a result of 
Further, Izzo teaches  determining first shadow function outputs during different respective portions of a first diagnostic interval and determining second shadow function outputs during different respective portions of a second diagnostic interval immediately following the first diagnostic interval, first and second shadow function outputs are determined approximately concurrently [0066-0068, Figs. 8-9 —  alternating executions (different times) of a full or partial execution of one cycle of the program 46a per process block 106 and one cycle of the program 46b per process block 108. The same core A may then execute the steps of process blocks 110, 112 and the scanning output of process block 112. The diversity of the programs 46a and 46b (shadow function) may continue to reveal certain types of hardware failures if the outputs generated by these successive executions of the programs 46a and 46b do not match during the comparison process — shadow functions are determined for safety controllers 12 and 12’.].
Therefore before the effective filing date of the claimed invention, it would have been obvious to a person of ordinary skill in the art to modify the above electronic integrity monitoring system and method, as taught by the combination of Nakagawa, Izzo and Vicentini, by incorporating the above limitations, as taught by Izzo.  
One of ordinary skill in the art would have been motivated to do this modification in order to be able to execute the various functions on the same processor and to compare outputs for different controllers, as suggested by Izzo [0066-0068].
Regarding claim 16, the combination of Nakagawa and Izzo teaches all the limitations of the base claims as outlined above and this claim is otherwise rejected under the same rationale as claim 7.
Citation of Pertinent Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
Mylaraswamy et al. U.S. Patent Publication No. 20110118905, which discloses methods and apparatus for analyzing a complex system.
Martin U.S. Patent Publication No. 20120304017, which discloses a system and method for self-checking a bus.
Feintuch U.S. Patent Publication No. 20060200278, which discloses a flight control computer system with fault mitigation.
Kutschbach et al. U.S. Patent Publication No. 20200409332, which discloses a method for checking a time-discrete signal value of a sensor.
Kameda et al. U.S. Patent Publication No. 20120233506, which discloses a redundant computing system.
Tubel U.S. Patent No. 6046685, which discloses a redundant downhole control system.
Note that any citations to specific pages, columns, lines, or figures in the prior art references and any interpretation of the reference should not be considered to be limiting in any way.  A reference is relevant for all it contains and may be relied upon for all that it would have reasonably suggested to one having ordinary skill in the art.  See MPEP 2123.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to BERNARD G. LINDSAY whose telephone number is (571)270-0665.  The examiner can normally be reached on IFP.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Mohammad Ali can be reached on (571)272-4105.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).  If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/BERNARD G LINDSAY/
Primary Examiner, Art Unit 2119