DETAILED ACTION

Status of Claims

This action is in reply to the communication filed on 05/31/2021.
Claims 1, 11, and 14 have been amended.
Claims 2-4 have been canceled.
Claim 16 has been added.
Claims 1 and 5-16 are currently pending and have been examined.

	Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 05/31/2021 with respect to the rejections under 35 USC § 112 to claim 14 have been fully considered but they are not persuasive.

On pg. 7 of the Remarks, Applicant essentially argues: 
“With respect to the indefiniteness rejection of claim 14, that claim has now been amended so as to recite "wherein the rules in the set of rules are staggered according to effects of a respective revocation of resources on the industrial facility as a whole by slowing non-time-critical processes" rather than "wherein the rules in the set of rules are staggered according to effects of a respective revocation of resources on the industrial facility as a whole," as before. Support for the amendments can be found, for example, at least in paragraph [0045] of the present published application.”

slowing non-time-critical processes”. Although the amended language (“slowing non-time-critical processes”) is, in isolation, definite, it does not resolve the ambiguity issues because it is still unclear what is required by the preceding language (“the rules in the set of rules are staggered according to effects of a respective revocation of resources on the industrial facility as a whole”) and unclear how its presence affects the metes and bounds of the claim. Expanded explanation has been provided in the 35 USC § 112(b) rejection below.

Applicant’s arguments filed 05/31/2021 with respect to the rejections under 35 USC § 103 have been considered but are essentially moot in view of the new grounds of rejection. However:

On pg. 8 of the Remarks, Applicant “presents a synergistic effect”:
“As Applicant discussed in its March 26, 2021 Response to Office Action, it is respectfully submitted that the combination of the two foregoing claimed features-even prior to the additional claim amendments set forth herein-presents a synergistic effect. In particular, the combination of the claimed features results in better reliability of the controller in the event of a programming error that results in exhaustion of some resources in the execution environment. One example of such a programming error is a memory leak, i.e., some memory is allocated by the software and not freed again after use. With more and more memory being essentially locked up and the key thrown away, at some point the memory in the execution environment will be exhausted. In such a situation, rebooting will cause the instance to start with clean memory again. See present published specification at [0033][0034]. Without software diversity, there is no point in restarting failed software instances, because all instances will end up restarting at roughly the same time, likely not fulfilling the requirement that there is at least one functional instance at any one time. It is respectfully submitted that the Advisory Action does not address this first synergistic effect. See April 27, 2021 Advisory Action, Applicant-Initiated Interview Summary.”



“The goal of our research is to combine the advantages of the virtual system with the advantageous properties of the Triple Modular Redundancy (TMR) [1, 2], Dual Modular Redundancy (DMR) and N-version programming [3, 4]. We derived a virtual TMR system that offers fast restart, fast migration if there is a full system failure, better use of hardware resources and high availability (pg. 261, col. 2)... Our architecture combines the TMR, DMR and virtual computing in order to examine the advantages and disadvantages of the hybrid architecture. N-version programming is also a well-established field” (pg. 262, sect. II, para. 1).

Thus the prior art enjoys the same “synergistic effect” as described by Applicant.

The remaining arguments on pg. 8-11 are directed to a new limitation for claim 1 and new claim 16 and are moot in view of the new grounds of rejection. Examiner observes on pg. 8 Applicant argues the new claim 1 limitation “has a further synergistic effect” and “It is respectfully submitted that Caglar, Lappa, Schmid, and Paharsingh, whether alone or in combination, fail to teach or suggest the two synergistic effects”, but as noted above it is uncertain was analysis with regard to the “synergistic .

	Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim 14 is rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 14 recites “wherein the rules in the set of rules are staggered according to effects of a respective revocation of resources on the industrial facility as a whole by slowing non-time-critical processes”; the phrase “wherein the rules in the set of rules are staggered according to effects of a respective revocation of resources on the industrial facility as a whole” is wholly ambiguous and has no discernible metes and bounds. The recitation that the “rules in the set of rules are staggered” is nonsensical; it is unknown if the language is a consequence of a mistranslation or the literal translation of an idiom, but in English the combination of words has no decipherable meaning. The verb “stagger” has a number of possible definitions, none of which has a definite or clear meaning when applied to “the rules in the set of rules” as recited in claim 14:

stagger 
verb intransitive
1. to walk, move, or stand unsteadily.
2. to falter or begin to give way, as in an argument.
3. to waver or hesitate, as in purpose or resolve.

verb transitive
4. to cause to reel, totter, or become unsteady.
5. to astonish or shock

7. to arrange in an alternating pattern

From https://www.thefreedictionary.com/stagger
Citing: Random House Kernerman Webster's College Dictionary, © 2010 K Dictionaries Ltd. Copyright 2005, 1997, 1991 by Random House, Inc. All rights reserved.

Furthermore, although it cannot be fully assessed due to the ambiguities described above, the modifying clause “according to effects of a respective revocation of resources on the industrial facility as a whole” appears to also raise 112(b) issues. The “effect” of an action on an entity is a subjective description of the consequence of the action; at best it is a term of degree, and AppSpec does not provide any metric or standard of measurement to gauge the “effects” of a “revocation of resources on the industrial facility as a whole”. Compounding this ambiguity is that the characteristics of the ‘effected’ entity, “the industrial facility”, are variable and unspecified (see MPEP 2173.05(b)).
The 05/31/2021 amendment adds the additional language “by slowing non-time-critical processes”. Although the additional language is, in isolation, definite, it does not resolve the ambiguity issues because it is still unclear how the preceding language affects the metes and bounds of the claim.
In order to advance prosecution, Examiner has interpreted the limitation in view of AppSpec ¶0045 as essentially describing that resources are reallocated from non-time-critical processes in favor of time-critical processes in response to a resource shortage; or more particularly, interpreted as if written as:
Claim 14: The programmable logic controller according to claim 13, wherein the of the at least one first sandbox is for in accordance with the rules in the set of rules.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1 and 5-15 are rejected under 35 U.S.C. 103 as being unpatentable over Caglar et al. (EP 2506098 A1) in view of Lappa (Virtualization Applicability to Industrial Automation) in further view of Schmid et al. (US 20120030524 A1) and further supported by Paharsingh et al. (An Availability Model of a Virtual TMR System with Applications in Cloud/Cluster Computing) in further view of Vachharajani et al. (US 20130185586 A1).

Claim 1:
Caglar discloses the limitations as shown in the rejections below:
A programmable logic controller for at least one field device (sensor and/or actuator) in an industrial facility, comprising: a hardware platform on which an operating system runs, the operating system being configured to execute, in at least one process, a plurality of execution environments (guest OSs of VMs) in each of which a control software (automation programs (APRG)) containing control logic of the programmable logic controller is runnable…the hardware platform comprising a main memory, a processor, and communication resources (see at least ¶0002-0003, 0011, 0018-0019, FIG. 1).
a higher-level management system (management device/client software (CS) thereof + VMM/hypervisor) configured to…execute each of the plurality of execution environments in its own sandbox (VM/“encapsulated environment”) (¶0011, 0013, 0019; FIG. 1).
the management system comprising a resource manager (management device/CS thereof) configured to allocate to each sandbox access to the main memory, the processor, and the communication resources of the hardware platform (¶0012-0013, 0015, 0020-0022).
Caglar is silent regarding implementation specifics of the hypervisor (management system) and does not specifically disclose if it is a hosted hypervisor configured to run directly on the OS (i.e. a type 2 hypervisor) or if it integrates the OS kernel and runs on bare metal (type 1).
However, the various types of hypervisor and virtualization implementations, including where it is configured to run directly on the OS, are old and well-known as evidenced by Lappa (pg. 25-26, § 5.2) who provides a detailed analysis of the various VM alternatives specifically considering their applicability to industrial automation systems such as that of Caglar and the claims. Exemplary quotation:
“The hypervisors can be divided into two different types depending on how they are implemented. These types are type 1 and type 2…The main difference between these two types is that the type 1 implements everything by itself and the type 2 uses some functionality of an existing operating system kernel…The type 1 hypervisor can also be called as a bare metal hypervisor [116] and the type 2 hypervisor can be called as a hosted hypervisor…The type 2 hypervisor shares the hardware with an operating system kernel. The sharing is done so that the hypervisor can use the functionality the operating system kernel provides (pg. 25-26, § 5.2)…Ghosh and P. Sampath have also tested real-time virtualization for industrial control in their paper [38]. In their experiment they used VT-x enabled hardware. The hypervisor used was type 2 hypervisor” (pg. 78, para. 2).

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to implement Caglar’s hypervisor as a hosted type 2 hypervisor as “hypervisors can be divided into two 
Regarding the redundancy manager, Caglar further discloses (¶0013, 0014, 0018, 0026)  the automation program (control software) instances are additionally controlled via the management device to provide functionality of the programmable logic controller to the devices of the industrial environment including a brief description (¶0014) of employing load balancing to facilitate redundancy; and Lappa (pg. 10, 88-89) discloses embodiments “where a redundant copy of a VM is running simultaneously with the primary copy of the VM” (pg. 88) in a standby/backup configuration to facilitate fault tolerance and security. But Caglar/Lappa do not describe employing either N-modular redundancy (NMR) or software design diversity such as N-version programming and do not disclose forward data inputs from the at least one field device to the multiple redundant instances of the control software, and make data outputs subsequently generated by the multiple redundant instances of the control software consistent with one another, wherein each of the multiple redundant instances of the control software is programmed differently.
Schmid, however, discloses (¶0001-0003, 0027, 0030, 0041; FIG. 1) a programmable logic controller for at least one field device (controlled devices, actuators) in an industrial facility (plant) which provides NMR via a plurality of execution environments (data processing means 110), in each of which a control software containing (task/channel software) control logic of the programmable logic controller is runnable so as to provide multiple redundant instances of the control software and is further configured to: provide a functionality of the programmable logic controller in relation to the at least one field device from the multiple redundant instances of the control software (task/channel software) (¶0036-0037, 0056, 0065), forward data inputs from the at least one field device (source device) to the multiple redundant instances of the control software (¶0025, 0040-0041, 0045), and make data outputs subsequently generated by the multiple redundant instances of the control software consistent with one another (¶0035, 0046-0050), wherein each of the multiple redundant instances of the control software is programmed differently (N-version programming/SW diversity) (¶0034, 0053, 0055). Exemplary quotation:
“By using redundant calculations a considerable amount of errors can be detected by comparison of the results of different calculations or devices. In computing, for example by triple modular redundancy (TMR) is understood a fault tolerant form of N-modular redundancy, in which three systems perform a process and that result is processed by a voting system to produce a single output…The TMR concept can be applied to many forms of redundancy, such as software redundancy in the form of N-version programming” (¶0034).

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Caglar/Lappa to employ NMR and N-version programming as taught by Schmid because it increases the reliability and safety of the control system (¶0034, 0053, 0055, 0062) as further evidenced/supported by Paharsingh (pg. 261-262, § I; pg. 262, § II, para. 1, 6-10; pg. 263, Fig. 2) disclosing that it was known in the art “to combine the advantages of the virtual system with the advantageous properties of the Triple Modular Redundancy (TMR), Dual Modular Redundancy (DMR) and N-version programming” because it facilitates creation of a “system that offers fast restart, fast migration if there is a full system failure, better use of hardware resources and high availability” (pg. 261, § I, para. 12).
Regarding the monitoring/restarting functionality, Caglar further discloses (¶0012, 0025-0026, 0008) continuously monitor a functioning of the multiple redundant instances of the control software and, when an instance fails, to restart this instance and/or its execution environment. See also Paharsingh, pg. 261, col. 2; pg. 264, col. 1, para. 1; pg. 265, col. 2 disclosing exploiting the fast restart capabilities offered by virtual systems. See also Lappa pg. 80, para. 3: “The ability to create new virtual machines and containers quickly can be used as disaster recovery method”. Although the two recovery techniques are taught individually, the combination of Caglar/Lappa/Schmid/Paharsingh does not restart and also activate at least one additional instance in an additional execution environment in a further sandbox as a recovery technique.
However, it was a known alternative in the high-availability/fault management arts to both restart a failed redundant instance and start an additional instance as shown by Vachharajani disclosing (¶0148-0150, 0157-0159, 0040, 0114-0115, 0146) a redundancy manager (health monitor) is configured to continuously monitor a functioning of the multiple redundant instances of the control software and, when an instance fails, to restart this instance and/or its execution environment, and to activate at least one additional instance in an additional execution environment in a further sandbox (virtual machine): “The health monitor application 1310 may monitor the state information for each of the application instances stored in the share system database 1105-g to dynamically detect and remedy problems arising with the application instances (¶0148)…If one instance of the load balancing application 215 crashes, the health monitor application 1310 may detect the crash…Upon detecting the crash, the health monitor application 1310 may…cause the controller application 205-e to attempt to restart the crashed instance of the load balancing application 215 and/or create a new instance of the load balancing application” (¶0149, emphasis added).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Caglar/Lappa/Schmid/Paharsingh’s fault response method with the fault remediation disclosed by Vachharajani to increase the flexibility of the fault handling and ensure the best remedy is applied for the particular fault detected (Vachharajani ¶0148-0150, 0157-0159).

Claim 5:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Caglar further discloses (¶0014, 0027) the redundancy manager is configured to control a communication of multiple redundant instances of the control software with the at least one field device (sensor, actuator) according to a round robin method (evenly/proportionally distributed). See also Lappa pg. 84, para. 2.

Claim 6:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Caglar further discloses wherein the functionality of the programmable logic controller is provided by the plurality of execution environments, the plurality of execution environments comprising two execution environments having different contents, and/or by two instances of the control software (¶0022, 0009, 0002-0003). See also Paharsingh pg. 263, Fig. 2.

Claim 7:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. The combination of Caglar/Lappa further discloses wherein at least one sandbox contains an abstraction layer (Caglar: “runtime environment” providing emulation; Lappa VMM/“Device Model”) configured to react to system calls originating from an execution environment of the plurality of execution environments in a same way as…the hardware of a control unit (proprietary hardware) for which the execution environment and/or the associated control software was developed in ¶0022: “the software VMM of the automation component N3, which creates a corresponding runtime environment in a free memory area…resources of the automation component N3 are allocated by the software VMM to the runtime environment and thus to the operating system installed there to the required extent so that a specific proprietary hardware can also be emulated.” See also Lappa pg. 46-47, § 5.5.1, full virtualization embodiment: “The advantage of the full virtualization is that the operating system kernels in the VMs can keep using the existing device drivers. These device drivers 

Claim 8:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Lappa further discloses wherein the abstraction layer contains at least one runtime environment (“Device Model”) configured to implement handling routines for the system calls originating from the execution environment, using the operating system in at least pg. 46-47, § 5.5.1, full virtualization embodiment combined with type 2 hypervisor (pg. 26, para. 2; pg. 53). In other words, pg. 47, Fig. 23 except instead of hypervisor driver: “The type 2 hypervisors can simply use the existing native device drivers provided by the operating system kernel they work with” (pg. 26).

Claim 9:
Regarding the limitations of claim 9, Caglar’s solution employs hardware virtualization to generate a separate VM instance with virtualization functions of the hypervisor for each sandbox, not OS-level virtualization, and accordingly does not disclose generate a separate user space instance with virtualization functions of the OS for each sandbox. 
However, OS-level virtualization where software is isolated by generating a separate user space instance (container) with virtualization functions of the OS for each sandbox is old and well-known as evidenced by Lappa (pg. 60-63) who provides a detailed analysis of the various virtualization alternatives, including OS-level virtualization, specifically considering their applicability to industrial automation systems such as that of Caglar and the claims.
4 to one of ordinary skill in the art at the time the invention was filed to substitute Caglar’s VM-based sandboxing with container-based in, for example, scenarios where performance is more critical than strong isolation “The benefit of OS-level virtualization compared to the hardware virtualization is the better performance. However, it provides less isolation than hardware virtualization” (Lappa pg. 63).

Claims 10 and 11:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. The combination of Caglar/Lappa further discloses wherein the management system contains a hypervisor configured to provide a separate virtual machine for each sandbox wherein at least one version, adapted to the hypervisor, of one of the plurality of execution environments (guest OSs of VMs) is virtualized by paravirtualization by the hypervisor (Caglar ¶0019, 0022; Lappa pg. 24, § 5.1, para. 3; pg. 48; pg. 78, para. 3; pg. 85, last para.).

Claim 12:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Caglar further discloses wherein the resource manager is configured to reallocate allocations unused in at least one first sandbox for access to the main memory, processor, and/or communication resources to at least one second sandbox (¶0020, 0024).



Claim 13:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Caglar further discloses wherein the resource manager is configured to completely or partially revoke a respective resource of at least one first sandbox and to reallocate it to at least one second sandbox according to rules in a set of rules when there is a shortage of main memory, processor power, and/or communication resources (¶0023, 0012).

Claim 15:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Caglar further discloses a computer program product (node hard disk and/or memory) containing machine-readable instructions, which, if executed on a computer and/or a given programmable logic controller (e.g. node N3), configure the computer or given programmable logic controller as the programmable logic controller (e.g. node N1) according to claim 1 in at least ¶0018, 0023, 0027.

Claim 14 is rejected under 35 U.S.C. 103 as being unpatentable over Caglar in view of Lappa in further view of Schmid and further supported by Paharsingh in further view of Vachharajani in further view of Maynard et al. (An Example Real-Time Command, Control and Battle Management Application for Alpha).

Claim 14:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Caglar further discloses the system supports automation components with real-time requirements and distinguishes between critical and “uncritical” processes (¶0011,  the of the at least one first sandbox is for in accordance with the rules in the set of rules.
However, it is old and well-known in the real-time computing arts to revoke resources from soft and/or non-real-time processes to protect hard real-time processes when faced with resource shortages/overload conditions including in the context of control system and industrial automation software as shown by Maynard disclosing the Alpha OS which “provides comprehensive, high-technology support for real-time systems. In particular, it supports supervisory control applications (e.g., industrial automation, combat platform management) which are characterized by predominately aperiodic activities that have critical time constraints (such as deadlines).” (pg. 2, sect. 1). Maynard further discloses Alpha employs a time driven resource manager is configured to completely or partially revoke a respective resource of one or more threads/activities for allocation to others according to scheduler policies and time-value functions (set of rules) in response to resource overload (shortage) to facilitate graceful degradation which includes slowing non-time-critical processes in accordance with the rules in the set of rules to maintain the execution of time critical activities (pg. 8-9, sect. 2; pg. 10, para. 4; pg. 20; pg. 55-56, sect. 8.2, para. 2). Exemplary quotations:
“Large real-time systems often consist of several concurrent activities, each of which may have critical timeliness requirements. In Alpha, these activities are embodied as threads…a technique known as best-effort resource management to satisfy the application time constraints whenever possible, and to facilitate graceful degradation (as defined by the application) when resource demands exceed the available supply. Best-effort policies evaluate the time-value functions of all contending threads collectively. If sufficient resources are available, the threads are scheduled in order of their critical times (the time after which the value of completing the activity diminishes). If the system is overloaded, threads are (temporarily) discarded from the schedule until enough resources are available for the activities that are scheduled to satisfy 
Several policies may be used for deciding which threads to remove. The load reduction policy used for the ADSP attempts to maximize the total value accrued to the system during overloads. The value of completing time-critical tasks is specified by the application designer by means of time-value functions. When resource demands are too great, the best-effort policies ensure that time and effort are spent on activities that are potentially the most valuable” (pg. 9, sect. 2.2.2).

It would have been obvious to one of ordinary skill in the art prior to the time the application was filed for Caglar/Lappa/Schmid/Paharsingh/Vachharajani to reallocate resources to protect time critical processes at the expense of non-time critical processes when resources are overloaded as taught by Maynard to ensure the most valuable components continue to satisfy their timeliness requirements and continue functioning.

Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Caglar in view of Lappa in further view of Schmid and further supported by Paharsingh.

Claim 16:
Caglar discloses the limitations as shown in the rejections below:
A programmable logic controller for at least one field device (sensor and/or actuator) in an industrial facility, comprising: a hardware platform on which an operating system runs, the operating system being configured to execute, in at least one process, a plurality of execution environments (guest OSs of VMs) in each of which a control software (automation programs (APRG)) containing control logic of the programmable logic controller is runnable…the hardware platform comprising a main memory, a processor, and communication resources (see at least ¶0002-0003, 0011, 0018-0019, FIG. 1).
a higher-level management system (management device/client software (CS) thereof + VMM/hypervisor) configured to…execute each of the plurality of execution environments in its own sandbox (VM/“encapsulated environment”) (¶0011, 0013, 0019; FIG. 1).
the management system comprising a resource manager (management device/CS thereof) configured to allocate to each sandbox access to the main memory, the processor, and the communication resources of the hardware platform (¶0012-0013, 0015, 0020-0022).
wherein functionality of the control software is expanded by executing one instance of the control software together with a further instance (“further automation program”, “uncritical processes”, and/or “new software”) that contains only additional added functions (¶0011-0012, 0021).
Caglar is silent regarding implementation specifics of the hypervisor (management system) and does not specifically disclose if it is a hosted hypervisor configured to run directly on the OS (i.e. a type 2 hypervisor) or if it integrates the OS kernel and runs on bare metal (type 1).
However, the various types of hypervisor and virtualization implementations, including where it is configured to run directly on the OS, are old and well-known as evidenced by Lappa (pg. 25-26, § 5.2) who provides a detailed analysis of the various VM alternatives specifically considering their applicability to industrial automation systems such as that of Caglar and the claims. 
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to implement Caglar’s hypervisor as a hosted type 2 hypervisor as “hypervisors can be divided into two different types depending on how they are implemented. These types are type 1 and type 2 and they both have some advantages and disadvantages” (pg. 25-26, § 5.2; pg. 53).
Regarding the redundancy manager, Caglar further discloses (¶0013, 0014, 0018, 0026)  the automation program (control software) instances are additionally controlled via the management device to provide functionality of the programmable logic controller to the devices of the industrial environment including a brief description (¶0014) of employing load balancing to facilitate forward data inputs from the at least one field device to the multiple redundant instances of the control software, and make data outputs subsequently generated by the multiple redundant instances of the control software consistent with one another
Schmid, however, discloses (¶0001-0003, 0027, 0030, 0041; FIG. 1) a programmable logic controller for at least one field device (controlled devices, actuators) in an industrial facility (plant) which provides NMR via a plurality of execution environments (data processing means 110), in each of which a control software containing (task/channel software) control logic of the programmable logic controller is runnable so as to provide multiple redundant instances of the control software and is further configured to: provide a functionality of the programmable logic controller in relation to the at least one field device from the multiple redundant instances of the control software (task/channel software) (¶0036-0037, 0056, 0065), forward data inputs from the at least one field device (source device) to the multiple redundant instances of the control software (¶0025, 0040-0041, 0045), and make data outputs subsequently generated by the multiple redundant instances of the control software consistent with one another (¶0034-0035, 0046-0050).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Caglar/Lappa to employ NMR and N-version programming as taught by Schmid because it increases the reliability and safety of the control system (¶0034, 0053, 0055, 0062) as further evidenced/supported by Paharsingh (pg. 261-262, § I; pg. 262, § II, para. 1, 6-10; pg. 263, Fig. 2) disclosing that it was known in the art “to combine the advantages of the virtual system with the advantageous properties of the Triple Modular Redundancy (TMR), Dual Modular Redundancy (DMR) .

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure:
US 20080301488 A1 discloses intelligent configuration for restarting failed application server instances.
WO 2012/047654 A1 discloses methods and apparatus to virtualize a process control system.
Any inquiry of a general nature or relating to the status of this application or concerning this communication or earlier communications from the Examiner should be directed to Paul Mills whose telephone number is 571-270-5482. The Examiner can normally be reached on Monday-Friday 11:00am-8:00pm. If attempts to reach the examiner by telephone are unsuccessful, the Examiner’s supervisor, Emerson Puente, can be reached at 571-272-3652.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal/pair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866.217.9197 (toll-free). Any response to this action should be mailed to:
Commissioner of Patents and Trademarks
Washington, D.C.  20231
or faxed to 571-273-8300.
Hand delivered responses should be brought to the United States Patent and Trademark Office Customer Service Window:

401 Dulany Street
Alexandria, VA 22314.
/P. M./
Paul Mills
11/06/2021

/EMERSON C PUENTE/ Supervisory Patent Examiner, Art Unit 2196

1 “For example, a complete standstill of the system may possibly be avoided by slowing non-time-critical processes. The regulation of these processes then requires less computing time, which can, instead, additionally be made available for the regulation of time-critical processes.”
2 Cited in 11/15/2019 IDS, machine translation included with 10/21/2020 Office Action.
3 Examiner notes Lappa does not use the terms hypervisor and VMM interchangeably (see pg. 22, para. 3).
4 This combination effectively replaces, in the scope of claim 9, the prior subject matter relied upon from/combination with Lappa described for claim 1.