Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

	Response to Amendment
This action is in response to the amendment filed on 11/02/2021. The claims 1 and 9 have been amended. Claims 2-4, 6, 10-12 and 14 are cancelled. The amendment has been entered. Claims 1, 5, 7-9, 13 and 15-16 are remain pending in the application. 

Response to Arguments
Applicant’s amendments and arguments, see page 6-10 Remarks, filed 11/02/2021, with respect to 35 U.S.C. 101 have been fully considered and are persuasive.  The 35 U.S.C. 101 rejection has been withdrawn. 
Applicant argues on page 12 Remarks filed 11/02/2021 that the Hofig reference is a commonly-owned reference. Further, the inventor of the current application was also a co-inventor of the Hofig reference.
	Examiner made note that Hofig reference (US 2017/010855470 A1) was published on Jun 29, 2017 more than a year before the earliest priority date of the instant application was Oct 18, 2018. 
Applicant argues on page 12-13 Remarks filed 11/02/2021 that the Kaiser did not solve the problems addressed by Applicant's claimed embodiments. For example, Kaiser did not solve the challenge of automatically generating safety contracts for the complete system, still required manual creation, and could only be checked by time-consuming review by an expert. Thus, Kaiser is silent as to automatic generation of 
Examiner respectfully disagreed with the following reasons. First, the instant claim does not recite specific or additional limitations for “automatically generating the safety contract from a model-based safety analysis model” that illustrate the differences between Kaiser and the claimed invention. The instant claim recites “wherein the system is configured for using a safety contract for analysis of the failure data of the two or more components and/or the computing unit, and wherein the system is configured for automatically generating the safety contract from a model-based safety analysis model comprising separate modules are related to the two or more 
In summary, applicant’s arguments are not persuasive. Thus, 35 U.S.C. 103 rejection is maintained.

Examiner Notes
Examiner cites particular columns, paragraphs, figures and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in their entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner. The entire reference is considered to provide disclosure relating to the claimed invention. The claims & only the claims form the metes & bounds of the invention. Office personnel are to give the claims their broadest reasonable interpretation in light of the supporting disclosure. Unclaimed limitations appearing in the 

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 5, 7-9, 13 and 15-16 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1 and 9 recite “A system for safety analysis of failure behavior for a computing unit comprising: two or more components … analysis of the failure data of the two or more components and/or the computing unit … separate modules are related to the two or more components of the computing unit …wherein the safety contract for the two or more components and/or the computing unit is …”
The relationship between the two or more components and the computing unit is unclear. In particular, the requirement of the following limitations such as “analysis of 
Therefore, the independent claims have an indefinite scope. Since dependent claims are dependent on the independent claims and included all the limitations of the independent claims, the dependent claims recite the indefinite scope in the independent claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 5, 7-9, 13 and 15-16 are rejected under 35 U.S.C. 103 as being unpatentable over Hofig et al (US 2017/0185470 A1), hereinafter Hofig, in view of Kaier et al (NPL: Contract-Based design of embedded systems integrating nominal behavior and safety, 2015), hereinafter Kaiser.

Claim 1. A system for safety analysis of failure behavior for a computing unit comprising: 
Hofig discloses two or more components, wherein each component of the two or more components has at least one inport for receiving failure data and one outport for transmitting failure data, 
Hofig: [0031-0032] “As shown in the embodiment of FIG. 2, the method for generating automatically a component fault tree CFT of an investigated safety-critical system SYS may include several acts. In a first act S1, a continuous function chart CFC for each system component of the investigated safety-critical system SYS may be provided and for each provided continuous function chart a corresponding component fault tree element is automatically generated. The inports and outports of the component fault tree element are generated and interconnected based on unique names of the inputs and outputs of the corresponding continuous function chart CFC of the respective system component. [correspond to two or more components, wherein each component of the two or more components has at least one inport for receiving failure data and one outport for transmitting failure data] The system component C may be a hardware component of the safety-critical system SYS or a software component of the safety-critical system SYS.”
Hofig discloses wherein the system is configured for using a safety contract for analysis of the failure data of the two or more components and/or the computing unit,
Hofig: [0034-0035] “Finally, in act S3, for each generated component fault tree element of the system component C, the input failure modes IFM of the component fault tree  for analysis of the failure data of the two or more components and/or the computing unit] The observed event may for instance include an observed failure of at least one system component C of the investigated safety-critical system SYS. [correspond to the failures data of the two or more components and/or the  computing unit]” 
Examiner considers the safety-critical system SY include a safety contract. 
[0002] “The goal of a safety assessment process is to identify all failures that cause hazardous situations and to demonstrate that the probability of occurrence of such failures is sufficiently low. In the application domains of safety-critical systems, the corresponding safety assurance process may be defined by means of safety standards. [correspond to safety contract] The analysis of a safety-critical system may be performed by using bottom-up safety analysis approaches such as failure mode and effect analysis FMEA, or by using top-down safety analysis approaches such as fault tree analysis FTA. By performing a safety analysis it is possible to identify failure 
Hofig discloses wherein incoming failure data received at the inport are modelled by using an inport failure mode and the outgoing failure data transmitted from the outport are modelled by using an outport failure mode, 
Hofig: [0029] “The apparatus 1 further includes a processing unit 3 adapted to generate for each continuous function chart CFC a corresponding component fault tree, CFT, element. Inports and outports of the component fault tree, CFT, elements are generated and interconnected by the processing unit 3 of the apparatus 1 based on unique names of the inputs and outputs of the corresponding continuous function chart CFC of the respective system component C of the investigated safety-critical system SYS. The processing unit 3 is further adapted to generate input failure modes IFM and output failure modes OFM of each generated component fault tree, CFT, element based on generic mapping between connector types of the continuous function chart CFC and failure types of failure modes of the component fault tree element. [correspond to incoming failure data received at the inport are modelled by using an inport failure mode and the outgoing failure data transmitted from the outport are modelled by using an outport failure mode] In a possible embodiment, the processing unit 3 is adapted to perform the generic mapping on the basis of a generic mapping table MT stored in a database 4 as shown in FIG. 1. The processing unit 3 is further adapted to connect for each generated component fault tree, CFT, element of the respective system 
The safety-critical system correspond to model-based safety analysis model.
Hofig: [0033] “In a further act S2, input failure modes IFM and output failure modes OFM for each generated component fault tree element are generated based on generic mapping between connector types in the continuous function chart CFC and failure types of failure modes of the component fault tree element.”
Hofig discloses wherein the inport failure mode and the outport failure mode are defined by the model-based safety analysis model,
Hofig: [0143] “In a last subact, the failure propagation from the input failure modes IFM of each CFT element cƒt.sub.iεCFT to its output failure modes OFM is generated based on the definition of the corresponding CFC diagram.”
wherein an internal failure behavior is defined for each component and/or the computing unit.
Hofig: [0172] “The generated component fault tree CFT forms a Boolean data model associated to system components C of the investigated system SYS. In a component fault tree, a separate component fault tree element is related to each system component. Failures that are visible at the output of a system component C may be modelled using output failure modes OFM which are related to a specific outport. To model how specific failures propagate from an inport of a component C to an outport, input failure modes IFM are used. The internal failure behavior that also influences the output failure modes OFM may be modeled using Boolean gates such as OR and AND as well as so-called basic events BE. [correspond to an internal failure behavior is defined for each component and/or the computing unit] Every component fault tree CFT may be transformed to a classic fault tree by removing the input and output failure mode elements. In both trees, top events TE or output events may be modelled as well. The component fault tree data model CFT allows additionally to the Boolean formula that are also modelled within the classic fault tree to associate the specific top events TE to the corresponding ports where the failures may appear.”
Hofig discloses wherein the model-based safety analysis model is a component fault tree model
Hofig: [0029] “The apparatus 1 further includes a processing unit 3 adapted to generate for each continuous function chart CFC a corresponding component fault tree, CFT, element. Inports and outports of the component fault tree, CFT, elements are generated and interconnected by the processing unit 3 of the apparatus 1 based on unique names 

Hofig does not appear to explicitly discloses  wherein the system is configured for automatically generating the safety contract from a model-based safety analysis model comprising separate modules are related to the two or more components of the computing unit, respectively, and wherein the safety contract for the two or more components and/or the computing unit is an interface contract and/or a component contract

However, Kaiser discloses the system is configured for automatically generating the safety contract from a model-based safety analysis model comprising separate modules are related to the two or more components of the computing unit, respectively, on (page 72 section 2.4) “Moreover, failures can also be transformed into other failure modes (e.g., a too low actual value at the input of a proportional-integral controller will result in a too high actuator command at its output) or even mitigated (no failure mode is observable at the output of a component, although there is a failure present at the input). [correspond to failure data] This observation will be used when we propose our approach for a contract-based safety concept in Section 4.3. A component (e.g., a sensor) that cannot guarantee that a failure mode at its output never occurs, can still be used in a safety-critical system in combination with another component downstream in the signal flow, which is capable of detecting and mitigating the failure (e.g., by model-based diagnostics and the possibility to mark the output value as “invalid”, if this leads to a safe state of the system).”
Kaiser (page 78-79 section 4) “We suggest a modular top-down safety analysis applicable at the functional level, allowing early investigations and passing interfaces for component-based safety analysis down to the supplier, even before the technical solution has been defined. The steps of this proceeding are in essence the ones prescribed by ISO 26262. They involve formulating safety goals, performing safety  [correspond to the system is configured for automatically generating the safety contract from a model-based safety analysis model comprising separate modules are related to the two or more components of the computing unit, respectively] To benefit from the existing contracts for safety activities, we propose the following three-step approach:
1. Derivation of safety goals using contracts (see Section 4.1)
2. Contract-based modular safety analysis (see Section 4.2)
3. Definition of safety mechanisms by reusing the safety contracts (see Section 4.3)”
Kaiser (page 80 section 4.2 Modular safety analysis) “Matching these signal types and their corresponding types of contract patterns with the potential failure modes (cf. Figure 5) propagated at component ports assures type compatibility and restricts the set of potential failures to be considered. ..” correspond to separate modules are related to the two or more components of the computing unit, respectively.
Kaiser discloses wherein the safety contract for the two or more components and/or the computing unit is an interface contract and/or a component contract Kaiser: (page 73-75 section 3) “This section explains how to capture, refine, and allocate requirements using contracts while creating the hierarchical system architecture. Our aim is addressing both the top-down process from requirements towards implementation by step-wise refinement (see Section 3.4) and the bottom-up process where a system is composed of pre-existing and pre-qualified components described by assumptions and guarantees. The term “multi-aspect” contract refers to the possibility to make assertions about different system aspects, as for instance: …

Section 3.1 discloses interface contracts and section 3.2 discloses component contracts. 
Kaiser: (page 78 section 4) ) “We suggest a modular top-down safety analysis applicable at the functional level, allowing early investigations and passing interfaces for component-based safety analysis down to the supplier, even before the technical solution has been defined. The steps of this proceeding are in essence the ones prescribed by ISO 26262. They involve formulating safety goals, performing safety analysis and setting up a safety concept that defines mechanisms to enable the system to deal with failures at runtime. [correspond to the safety contract for the two or more components and/or the computing unit is an interface contract and/or a component contract] To benefit from the existing contracts for safety activities, we propose the following three-step approach:
1. Derivation of safety goals using contracts (see Section 4.1)
2. Contract-based modular safety analysis (see Section 4.2)
3. Definition of safety mechanisms by reusing the safety contracts (see Section 4.3)”
Hofig and Kaiser are analogous art because they are from the “same field of endeavor” safety analysis.
Before the effective filing date of the claimed invention” for AIA ], it would have been obvious to one of ordinary skill in the art, having the teachings of Hofig and Kaiser before him or her, to modify the safety analysis of Hofig to include the contract-based 
The suggestion/motivation for doing so would have been Kaiser (page 90 section 6) Solutions for contract negotiations at the instant of joining a convoy and runtime checking of contracts fulfillment before allowing certain operation modes (e.g., very close following) need to be developed, considering security aspects as well. Furthermore, the operational context is also dynamically variable for vehicles in traffic scenarios (e.g., number and quality of lanes on the highway). Hence, parameterized scenario set definitions are needed to replace today’s situation catalogues used for hazard analysis. Contract-based development seems a promising approach to deal with these new challenges. Our presented formulation of contracts make them suitable for an automated negotiation between partial systems connecting at runtime, and, hence, useful to address the above issues.”
Therefore, it would have been obvious to combine Hofig and Kaiser to obtain the invention as specified in the instant claim(s).

Regarding Claim 9, the same ground of rejection is made as discussed above for substantially similar rationale. 

Claim 5 and 13.
Kaiser discloses wherein the safety contract is defined by assumptions and guarantees, wherein an assumption is related to an inport failure and a guarantee is related to an outport failure.  
  Accordingly, contracts are matching pairs consisting of an assumption (A) or a conjunction of several assumptions, and a guarantee (G) as provided in Figure 1. [correspond to the safety contract is defined by assumptions and guarantees] The assumption specifies how the context of the component, i.e., the environment from the point of view of the component, should behave. Only if the assumption holds, then the component will behave as guaranteed. This kind of specification allows replacing components by other ones with the same purpose and compatible interfaces, if they accept the same or weaker assumptions about the environment and provide the same or stronger guarantees towards the environment.”

    PNG
    media_image1.png
    286
    669
    media_image1.png
    Greyscale

Kaiser (page 84 section 4.4) “The contract specifying the safety mechanism defines the context, in which the safety mechanisms shall operate correctly, and how the 

    PNG
    media_image2.png
    110
    848
    media_image2.png
    Greyscale

From the assumption in our example (which could be derived from some process standard) it follows that it should be considered that, at the same time, the signal is faulty due to some sensor failure and the Sensor Diagnostics Component from Figure 6 is defective.” [correspond to an assumption is related to an inport failure and a guarantee is related to an outport failure]  

Claim 7 and 15.
Kaiser discloses wherein safety requirements and safety-related application conditions, SRAC, are defined for each of the components and/or the unit.  
Kaiser: (page 78-81 section 4) “We suggest a modular top-down safety analysis applicable at the functional level, allowing early investigations and passing interfaces for component-based safety analysis down to the supplier, even before the technical solution has been defined. The steps of this proceeding are in essence the ones prescribed by ISO 26262. They involve formulating safety goals, performing safety analysis and setting up a safety concept that defines mechanisms to enable the system to deal with failures at runtime. To benefit from the existing contracts for safety activities, we propose the following three-step approach:

2. Contract-based modular safety analysis (see Section 4.2)
3. Definition of safety mechanisms by reusing the safety contracts (see Section 4.3)” [correspond to safety requirements and safety-related application conditions]

Claim 8 and 16.
Kaiser discloses wherein an integrity level is defined for the inport.
Kaiser: (page 78-81 section 4) “Safety could, at first glance, be considered as just another qualitative property of the system. For example, the Automotive Safety Integrity Level (ASIL) might be annotated as an attribute of a signal. [correspond to an integrity level is defined for the inport] But even if an ASIL-attribute somehow represents a suitable measure for safety, making a system safe involves much more, in particular, a systematic search for hazards that could arise from using the product, a systematic derivation of safety requirements to counteract these hazards, and their application to a next iteration of the design, in addition to the existing requirements regarding nominal behavior. While systematic faults in system design and software implementation might be reducible to a large extent by sound processes, failures of hardware parts will remain unavoidable. This forces us to change our focus to consider also failures in the system. A failure is defined as “a transition from correct service to incorrect service, i.e., to not implementing the system function” or the “termination of the ability of an element to perform a function as required” [1]. The system function is thereby defined as “what the system is intended to do and is described by the functional specification in terms of functionality and performance” [33]. This suggests .

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 

Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rehana Perveen can be reached on 571-272-3676. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHUEN-MEEI GAN/Primary Examiner, Art Unit 2148