DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Response to Arguments
Applicant's arguments filed on October 8, 2021 with respect to 35 U.S.C. § 101 have been fully considered but they are not persuasive.
Regarding 35 U.S.C. § 101, the Applicant argues:
“For instance, Claim 1 specifically claims a subsystem of a vehicle composed of specialized hardware and software. Claim 1 clearly does not recite a “mental process” or “generic computing components…Applicant asserts that the same is the case in the present Claims. Moreover, the Claims are explicitly directed to a technical solution that arises out of computing systems…Further, even if the present claims were “directed to an abstract idea” (which they clearly are not), Applicant asserts that the claims would nonetheless recite significantly more than an abstract idea. This is evidenced by the fact that the Office has failed to show how the prior art discloses or suggests all of the features recited in the present claims.”

	The Examiner respectfully traverses. As written, the actions of “accessing data” and “determining whether the determination is safe” are merely the abstract idea of determining safe driving tasks applied to generic computing components, such as a first processor, a first memory, one or more interfaces, and a safety monitor. The accessing of data is mere data gathering and is considered to be data gathering necessary to perform the abstract idea. The claims have not been amended and do not reflect improvements over the previous rejection, therefore the Examiner maintains the 35 U.S.C. § 101 rejection. Additionally, the Applicant argues that “this is evidenced by the fact that the Office has failed to show how the prior art discloses or suggests all of the features recited in the present claims,” however, eligibility of the claims under 35 U.S.C. § 101 is based on the integrity of the claims themselves and does not involve teachings of prior art.

on October 8, 2021 with respect to 35 U.S.C. § 102 have been fully considered but they are not persuasive.
Regarding 35 U.S.C. § 102, the Applicant argues:
“Independent Claim 1 recites (inter alia) " a security companion subsystem of an automated driving system of a vehicle [comprising]... a safety monitor, executed by the first processor device, to: access data generated at the compute subsystem, wherein the data indicates a determination by the compute subsystem associated with an automated driving task to be performed by the automated driving system, wherein the determination is made by an automated driving application executed by a different, second processor device on the compute subsystem; and determine whether the determination is safe based on the data, wherein the security companion subsystem is configured to realize a higher safety integrity level than the compute subsystem”. Applicant asserts that the Ditty reference fails to at least teach or suggest these features.”

The Examiner has considered the Applicant’s arguments and respectfully traverses. As previously cited, Ditty [0122] discloses accessing data generated at the compute system, such as steering wheel angle, ground speed, engine RPM, button positions, and vehicle status indicators, thus enabling the system to monitor safety. The collected data is derived from a controller that operates vehicle braking actuators, steering actuators, propulsion units, and accelerator actuators, and is associated with a compute subsystem, which is defined in the instant specifications [0047] as a subsystem for performing automated driving tasks. Also as previously cited, Ditty [0020] discloses using a second processor device, the ACC, to determine safety based on driving data (e.g., detecting a small or decreasing distance between an ego car and a car ahead and actuating the brakes or signal a warning to the driver). Ditty [0122] and [0190] were cited to teach the realizing of ASIL B and ASIL C functional safety levels, wherein ASIL C is a higher safety integrity level than ASIL B. Therefore, Ditty does teach " a security companion subsystem of an automated driving system of a vehicle [comprising]... a safety monitor, executed by the first processor device, to: access data generated at the compute subsystem, wherein the data indicates a determination by the compute subsystem associated with an automated driving task to be performed by the automated driving system, wherein the determination is made by an automated driving application executed by a different, second processor device on the compute subsystem; and determine whether the 

The Applicant further argues:
“The Office Action attempts to support its rejection by juxtaposing Ditty’s discussion of an “Advanced SoC” that is “purpose built for self-driving cars... designed for use in self-driving cars with specific features optimized for L3-5 functionality. The SoC preferably is designed to be meet critical automotive standards, such as the ISO 26262 functional safety specification. In a preferred embodiment, the Advanced SoC has at least an ASIL C functional safety level” (Ditty at ¶ 0190 (emphasis added)) with a “CAN bus interface” with a “functional safety level [that] is typically ASIL B” (Ditty at 40122 (emphasis added)). It is unclear however how the Examiner intends to map these sections to the remaining discussion of Ditty. For instance, the Office Action points to the subsystem in Ditty responsible for computing automated driving tasks (e.g., the Advanced SoC) as having potentially a higher safety level than a “CAN bus interface.” Cf. Ditty at ¶¶00181- 255 (discussing the functionality of features of the Advanced SoC). However, the Office Action can point to no teaching in Ditty of another subsystem, with its own separate hardware processor (e.g., separate from the Advanced SoC), which monitors the determinations of the Advanced SoC and which has a relatively higher safety integrity level than the Advanced SoC of Ditty. Indeed, Applicant asserts that Ditty is silent regarding the provision of a separate safety subsystem in any context, much less one with a higher safety integrity level that the compute subsystem it is to monitor. Accordingly, Ditty fails to anticipate the claims.”

	As noted in the previous Office Action, Ditty [0243] discloses that the Advanced SoC is a separate, dedicated processor subsystem to handle safety management for automotive applications, indicating that the SoC is a separate safety subsystem distinct from the aforementioned compute subsystem from Ditty [0122]. Further, Ditty [0275] discloses that the SoC allows for monitoring of actuators (e.g., brake actuation and electronic ignition) and actuator malfunctions, wherein the actuators are controlled by the compute subsystem, therefore the separate SoC safety subsystem monitors the compute subsystem. For these reasons, the Examiner maintains the 35 U.S.C. § 102 rejection.



Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

1, 7, 10, 11, 12, 13, 14 remain rejected under 35 U.S.C. 101 because the claimed invention is directed to an abstract idea without significantly more. The claim(s) recite(s) a mental process.

101 Analysis - Step 1
Claim 1 is directed to an apparatus for monitoring the data of automated driving subsystems based on safety integrity levels.

101 Analysis - Step 2A, Prong I
Claims 1, 7, 10, 11, 12, 13, 14 recite the abstract concept of monitoring the safety status and performance of the automated driving subsystems according to ASIL standards. These steps fall into the mental process grouping of abstract ideas as they encompass physically performing mechanical diagnoses of the automated driving components to determine malfunction. The recited steps further encompass observing surroundings and determining an appropriate driving maneuver that would ensure safety. The limitations, as drafted, as processes that, under their broadest reasonable interpretation, cover performance of the limitations in the mind applied to generic computing components.
With respect to claim 1, besides the recitation of “a first processor device” and “automated driving application,” there is insufficient language to preclude the idea from practically being performed in the human mind. For example, removing the “a first processor device” and “automated driving application” language, the claims encompass physically performing mechanical diagnoses of the automated driving components to determine malfunction. The recited steps further encompass observing surroundings and determining an appropriate driving maneuver that would ensure safety.

101 Analysis - Step 2A, Prong II
The claims recite additional elements to the abstract concepts. However, these additional elements fail to integrate the abstract idea into a practical application. Claim 1 recites “a first processor 

101 Analysis - Step 2B
For the same reasons addressed above with respect to Step 2A, Prong II, the additional elements recited in claim 1 fail to amount to an inventive concept. As such, the additional elements, considered both individually and in combination, do not amount to significantly more than the abstract idea.
Thus, when considering the combination of elements and the claimed invention as a whole, the claims are not patent eligible.

Regarding claims 7, 10, 11, 12, 13, 14:
Dependent claims 7, 10, 11, 12, 13, 14 only recite limitations that further define the mental process and recite further data gathering (i.e. accessing monitoring data). These limitations are considered mental process steps and additional steps that amount to necessary data gathering. These additional elements fail to integrate the abstract idea into a practical application. As such, the additional elements individually and in combination do not amount to significantly more than the abstract idea.
Therefore, when considering the combination of elements and the claimed invention as a whole, dependent claims 7, 10, 11, 12, 13, 14 are not patent eligible.


Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for 
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ditty et al. (U.S. Patent Application Publication No. 20190258251 and hereinafter, “Ditty”).

Regarding claim 1, Ditty teaches the apparatus comprising: a security companion subsystem of an automated driving system of a vehicle, the security companion subsystem comprising:
a first processor device
Ditty [0024] discloses a processor.
first memory
Ditty [0198] discloses a shared memory unit.
one or more interfaces to couple the security companion subsystem to a compute subsystem of the automated driving system
Ditty [0122] discloses a Controller Area Network (CAN) interface used to control automated driving tasks (e.g., brakes, acceleration, steering, windshield wipers, etc.)
Ditty [243] discloses a system-on-a-chip (SoC) that includes a Safety Cluster Engine (SCE) processor subsystem dedicated to handling safety management for automotive applications.
Ditty Figure 13 (provided below) depicts the SoC architecture for controlling an autonomous vehicle, which illustrates how the SoC is coupled with the network bus (100).

    PNG
    media_image1.png
    473
    860
    media_image1.png
    Greyscale

a safety monitor, executed by the first processor device, to: access data generated at the compute subsystem
Ditty [0122] discloses reading, and thereby accessing, the CAN bus data to find steering wheel angle, ground speed, engine RPM, button positions, and other vehicle status indicators generated by the compute subsystem. 
Ditty [0243] discloses a Safety Cluster Engine, a processor dedicated to handling safety management for automotive applications.
wherein the data indicates a determination by the compute subsystem associated with an automated driving task to be performed by the automated driving system
Ditty [0123] discloses an actuation controller that allows the control of throttle, brake, steering, and shifting.
Ditty [0124] discloses the controller that provides autonomous driving outputs in response to an array of sensor data.
wherein the determination is made by an automated driving application executed by a different, second processor device on the compute subsystem
Ditty [0020] discloses an advanced driver assistance system (ADAS) that may include rule-based autonomous cruise control (ACC), which may be executed on any processor.
determine whether the determination is safe based on the data
Ditty [0012]-[0013] disclose that interpreting sensor data to determine if the autonomous vehicle functionality meets safety standards is known in the art. The system for the autonomous safety standards is defined by the Automotive Safety Integrity Level (ASIL), addressing four levels of varying risk.
wherein the security companion subsystem is configured to realize a higher safety integrity level than the compute subsystem.  
Ditty [0122] discloses that the controller responsible for sending command signals to operate vehicle components has a functional safety level of ASIL B.
Ditty [0190] discloses that an advanced SoC has at least an ASIL C functional safety level.
The Examiner notes that ASIL C is a higher level of functional safety as defined in Ditty [0266].

Regarding claim 2, Ditty teaches the apparatus of Claim 1, wherein:
the safety monitor is further to trigger an action to control the automated driving task based on a safety determination that the determination is unsafe.  
Ditty [0025] discloses that it is known in current ADAS systems that automatic emergency braking (AEB) may detect an impending forward collision with another vehicle or other object and may automatically apply the brakes if the driver does not take corrective action within a specified time or distance parameter.

Regarding claim 3
the action replaces the automated driving task with a different automated driving task, and the security companion subsystem is to send a signal to one or more actuators of the vehicle to cause the different automated driving task to be performed based on the safety determination.  
Ditty [0491] and [0531] describes an embodiment of the disclosed invention in which the autonomous ego-vehicle may be required to stop (e.g., at a red light) until it receives a signal indicating that a certain conditions becomes true (e.g., the red light turns green) in order to continue forward.

Regarding claim 4, Ditty teaches the apparatus of Claim 2, wherein:
the action comprises passing control of automated driving tasks from the compute subsystem to different automated driving functionality on the automated driving system
Ditty [0009] further discloses that different automated driving functionalities in automated driving systems (e.g., ranging from driver-only to full automation) is known in the art.
wherein the different automated driving functionality is to be executed to bring the vehicle to a safe physical state.  
Ditty [0014] discloses that the driver may take over and assert control over the vehicle in the event of a dangerous condition and recover the vehicle to a safe state.
The Examiner notes that the driver-only autonomous driving level is a different automated driving functionality compared to fully-autonomous.

Regarding claim 5, Ditty teaches the apparatus of Claim 4, wherein:
the safety companion subsystem comprises the different automated driving functionality and the different automated driving functionality is executed by the first processor device.  
Ditty [0012] discloses that processing visual data to execute Level 1 and 2 automated driving functionalities is known in the art.

Regarding claim 6, Ditty teaches the apparatus of Claim 4, wherein:
the different automated driving functionality is provided on a failover automated driving subsystem separate from the security companion subsystem and compute subsystem of the automated driving system.  
Ditty [0009] and [0011] disclose that ADAS systems relying on a human driver to take control of the vehicle in the event of a significant mechanical failure is known in the art.

Regarding claim 7, Ditty teaches the apparatus of Claim 1, wherein:
the determination comprises at least one of an object detection determination, an object classification determination, a path planning determination, a vehicle state determination, a localization determination, or a motion planning determination made by the automated driving application
Ditty [0025] discloses that the ADAS system may detect an impending forward collision with another vehicle or other object.
wherein the automated driving task is based on the determination.  
Ditty [0011] discloses that when operating in Level 4, if the system determines that the car can no longer drive automatically and the driver does not take over, the automated driving system is tasked with pulling over safely.

Regarding claim 8
the safety monitor is further to: receive hardware monitoring data, wherein the hardware monitoring data identifies events detected on hardware of the compute subsystem associated with automated driving tasks to be determined by the compute subsystem
Ditty [0009] discloses detecting brake malfunctions.
The Examiner notes that the brakes are a hardware component of the compute subsystem associated with automated driving tasks.
detect a failure in the hardware of the compute subsystem based on the hardware monitoring data
Ditty [0298] discloses that in the case of a detected failure, the microcontroller units may be used for fault monitoring to provide a fallback.
perform an action to control effects associated with the failure.  
Ditty [0025] discloses that if the AEB system detects an impending forward collision with another vehicle or other object, it will first alert the driver to take corrective action, and if the driver fails to do so, the AEB system may automatically apply the brakes.
The Examiner notes that detection of other vehicles or objects encompasses hardware monitoring data.

Regarding claim 9, Ditty teaches the apparatus of Claim 8, wherein:
the safety companion subsystem further comprises a safety companion hardware monitor to monitor operation of hardware of the safety companion subsystem comprising the first processor device
Ditty [0420] discloses a safety framework that collects information on how the driving control functions are operating and can run diagnostic processes to ensure system components are operating properly, reporting exceptions to separate safety dedicated hardware (e.g., one or more safety microcontrollers).
wherein the safety companion hardware monitor is to generate second hardware monitoring data to describe attributes of the hardware of the safety companion subsystem
Ditty [0293]-[0295] and [0298] discloses that the SoC produces data to describe the hardware of the SoC for the purposes of fault monitoring and communication.
the safety monitor is further to: detect failures of the hardware of the safety companion subsystem based on the second hardware monitoring data
Ditty [0421] discloses multiple hardware-independent levels of watching/monitoring, where some safety framework components of the multilevel/multilayered safety framework structure watch and monitor other safety framework components, such that if a failure is detected in some part(s) of the safety framework, the overall safety framework is not disabled.
The Examiner notes that multilevel safety monitoring involves at least two levels of safety monitoring.
disable at least a portion of the automated driving system based on a detected failure of the hardware of the safety companion subsystem.  
Ditty [0421] discloses that the multiple layers and multiple hardware processors distribute monitoring functions such that the failure of a portion of the safety framework only disables a portion of the overall safety framework. The safety framework is defined in [0420] as separate safety dedicated hardware (e.g., one or more safety microcontroller(s) that may take corrective action such as automatically operating processes as needed).

Regarding claim 10, Ditty teaches the apparatus of Claim 1, wherein:
the safety monitor is further to detect failures associated with interfaces used to communicate signals associated with automated driving tasks determined by the compute subsystem.  
Ditty [0452] discloses a safety supervisor process responsible for detecting failures associated with communicating 

Regarding claim 11, Ditty teaches the apparatus of Claim 1, wherein:
the compute subsystem is responsible for consuming sensor data from the vehicle to determine automated driving tasks for the vehicle and the safety companion subsystem is responsible for maintaining safety of the automated driving system by detecting malfunctions of the compute subsystem.  
Ditty [0025] discloses that the AEB may use sensor data to determine an impending forward collision and may automatically apply the brakes if the driver does not take corrective action within a specified time or distance parameter.
Ditty [0673] discloses that the controller in the SoC monitors sensors to identify potential malfunctions.

Regarding claim 12, Ditty teaches the apparatus of Claim 1, wherein:
the higher safety integrity level comprises an automotive safety integrity level (ASIL).  
Ditty [0013] discloses that ASIL “D” means that the equipment provides the highest level of safety to address hazards that pose the highest risk.

Regarding claim 13, Ditty teaches the apparatus of Claim 1, wherein:
the safety companion subsystem further comprises a safety proxy to: receive safety event data from the compute subsystem, wherein the data comprises safety event data
Ditty [0127] discloses that the vehicle collects data that is used to help train and refine the neural networks used for self-driving.
Ditty [0327] discloses processing the incoming sensor data to determine if braking should be applied and the respective amount of braking that should be applied.
determine integrity of the safety event data
Ditty [0139] discloses determining the safety integrity of a typical camera’s data capture, accounting for reflections from the dashboard reflected in the windshield mirrors.
provide a subset of the safety event data on demand to the safety monitor in association with consumption of the subset of the safety event data by the safety monitor to determine malfunctions of the compute subsystem.  
Ditty [0421] discloses distributing the safety monitoring functions (e.g., monitoring driving controls to determine malfunction of hardware/software) throughout multiple layers and multiple hardware processors so no part of the safety framework is overloaded by the demand of watching high performance processes in real-time.

Regarding claim 14, Ditty teaches the apparatus of Claim 1, wherein:
the first processor device comprises a first automotive microcontroller and the second processor device comprises a separate, second automotive microcontroller.  
Ditty [0298] discloses that there may be plural microcontroller units, and that each MCU may comprise processors and associated memories.
The Examiner notes that plural microcontrollers indicates at least a first and second microcontroller, with their associated processors.

Regarding claim 15, Ditty teaches the at least one non-transitory, machine readable storage medium with instructions stored thereon wherein:
the instructions are executable by a machine to cause the machine to: access event data at a safety companion subsystem of an automated driving system
Ditty [0285] discloses that the SoC may receive or have access to the RADAR, LIDAR, or stereo camera input data.
wherein the event data is generated at a compute subsystem of the automated driving system, and the event data indicates a determination by the compute subsystem associated with an automated driving task
Ditty [0025] discloses that the automatic emergency braking (“AEB”) ADAS system may determine if there is an impending forward collision with another vehicle or other object and automatically apply the brakes.
access, at the safety companion subsystem, first hardware monitoring data captured at the compute subsystem to indicate attributes of hardware of the compute subsystem
Ditty [0122] discloses reading, and thereby accessing, the CAN bus data to find steering wheel angle, ground speed, engine RPM, button positions, and other vehicle status indicators generated by the compute subsystem. 
Ditty [0285] discloses that the SoC may be in communication with the CAN bus.
access second hardware monitoring data captured at the safety companion subsystem to indicate attributes of hardware of the safety companion subsystem, wherein the hardware of the safety companion subsystem is distinct from the hardware of the compute subsystem
Ditty [0190] discloses that the SoC is an AI supercomputer designed for use in self-driving cars.
Ditty [0243] discloses the hardware of the SoC, including a Safety Cluster Engine (“SCE”) and a processor subsystem dedicated to accessing and handling real-time monitoring data.
Ditty [0245] discloses that the SoC may include a High-Dynamic Range Image Signal Processor (“HDR ISP”) and an Image Signal Processor.
The Examiner notes that the hardware of the SoC is distinct from the hardware of the vehicle compute system (e.g., brakes, acceleration, steering, wipers, etc.) disclosed in Ditty [0122].
determine, at the safety companion subsystem, malfunctions capable of affecting safety of automated driving tasks of the automated driving system based on one or more of the event data, first hardware monitoring data, or second hardware monitoring data
Ditty [0190] discloses that the SoC has at least an ASIL C functional safety level.
Ditty [0275] discloses that in a system with an SoC, a monitor/actuator architecture would be able to monitor an actuator with an independent monitoring module, and providing a fail-safe mode if that actuator malfunctions.
trigger an action to control a malfunction determined by the safety companion subsystem.  
Ditty [0275] discloses that the independent monitoring module in an SoC system would control the actuator in the case that the actuator malfunctions.

Regarding claim 16, Ditty teaches the storage medium of Claim 15, wherein:
the compute subsystem determines the automated driving tasks
Ditty [0121] discloses onboard controllers used to control automated driving functions.
the action to control the malfunction comprises handing control of automated driving tasks to another computing system of the automated driving system.  
Ditty [0275] discloses that if an actuator (e.g., brake actuation, electronic ignition, climate control, RADAR and LIDAR processing, etc.) malfunctions, the control is handed to a monitor module that enter s a fail-safe mode.

Regarding claim 17, Ditty teaches the system comprising: a compute subsystem comprising:
a first microcontroller
Ditty [0281] discloses a microcontroller used as a master controller for the system.
first memory
Ditty [0198] discloses a shared memory unit.
an automation engine executable by the first microcontroller to: receive sensor data
Ditty [0241] discloses that the SoC includes an Always-On Sensor Processing Engine
Ditty [0280] discloses that the SoCs are each connected to a microcontroller.
determine an automated task to be performed by a machine based on the sensor data
Ditty [0011] discloses that when operating in Level 4, if the system determines that the car can no longer drive automatically and the driver does not take over, the automated driving system is tasked with pulling over safely.
Ditty [0025] discloses that it is known in current ADAS systems that automatic emergency braking (AEB) may detect an impending forward collision with another vehicle or other object and may automatically apply the brakes if the driver does not take corrective action within a specified time or distance parameter.
a safety companion subsystem comprising: a second microcontroller
Ditty [0298] discloses that there may be plural microcontroller units, and that each MCU may comprise processors and associated memories.
The Examiner notes that plural microcontrollers indicates at least a first and second microcontroller, with their associated processors.
second memory
Ditty [0229] discloses two memories, elements 500 and 600 shown in Figure 8 (provided below).

    PNG
    media_image2.png
    686
    950
    media_image2.png
    Greyscale

a safety monitor executable by the second microcontroller to: access event data to identify attributes of the compute subsystem associated with determination of the automated task
Ditty [0122] discloses reading, and thereby accessing, the CAN bus data to find steering wheel angle, ground speed, engine RPM, button positions, and other vehicle status indicators of the compute subsystem. 
The Examiner notes that steering wheel angle, ground speed, and other vehicle status indicators are associated with automated tasks.
determine a malfunction of the compute subsystem based on the event data
Ditty [0009] discloses determination of a malfunction of the compute subsystem (e.g., brake malfunction) is known in the art.
cause an action to be performed to control safety of the machine based on the determined malfunction
Ditty [0011] discloses that if the vehicle can no longer drive automatically, the car will pull over safely.
The Examiner notes that the vehicle may no longer drive automatically if there is a malfunction.
wherein the security companion subsystem implements a higher safety integrity level than the compute subsystem.  
Ditty [0122] discloses that the controller responsible for sending command signals to operate vehicle components has a functional safety level of ASIL B.
Ditty [0190] discloses that an advanced SoC has at least an ASIL C functional safety level.

Regarding claim 18, Ditty teaches the system of Claim 17, wherein:
the compute subsystem further comprises a first hardware monitor to monitor hardware of the compute subsystem to detect malfunctions of the hardware of the compute subsystem and generate first status data based on monitoring of the hardware of the compute subsystem
Ditty [0275] discloses a monitor/actuator architecture that performs the primary function of an actuator (e.g., brake actuation, electronic ignition, RADAR and LIDAR processing, etc.) in the case that an actuator malfunction is detected.
wherein the safety monitor is further to: access the first status data
Ditty [0122] discloses reading, and thereby accessing, the CAN bus data to find steering wheel angle, ground speed, engine RPM, button positions, and other vehicle status indicators generated by the compute subsystem. 
determine that a hardware malfunction of the hardware of the compute subsystem affects safety of the machine based on the first status data.  
Ditty [0013] discloses addressing possible hazards caused by the malfunctioning of electronic and electrical system in passenger vehicles is known in the art.
The Examiner notes that a possible hazard affects safety.

Regarding claim 19
the safety companion subsystem further comprises a second hardware monitor to monitor hardware of the safety companion subsystem to detect malfunctions of the hardware of the safety companion subsystem and generate second status data based on monitoring of the hardware of the safety companion subsystem
Ditty [0293]-[0295] and [0298] discloses that the SoC generates second status data to describe the hardware of the SoC for the purposes of fault monitoring and communication.
Ditty [0421] discloses multiple hardware-independent levels of watching/monitoring, where some safety framework components of the multilevel/multilayered safety framework structure watch and monitor other safety framework components, such that if a failure is detected in some part(s) of the safety framework, the overall safety framework is not disabled.
The Examiner notes that multilevel safety monitoring involves at least two levels of safety monitoring.
wherein the safety monitor is further to: access the second status data
Ditty [0294] discloses that the SoC accesses a respective memory system. Ditty discloses that the memory systems store data to be processed by the associated SoC and data produced by the SoC.
determine that a hardware malfunction of the hardware of the safety companion subsystem affects safety of the machine based on the second status data.  
Ditty [0421] discloses a safety framework that monitors the hardware of the SoC such that hardware malfunction does not cause the safety framework to fail. The safety framework is defined in [0420] as separate safety dedicated hardware (e.g., one or more safety microcontroller(s) that may take corrective action such as automatically operating processes as needed).

20, Ditty teaches the system of Claim 17, further comprising the machine, wherein:
the machine comprises one of a vehicle or a robot. 
Ditty [0120] discloses self-driving vehicles. 

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHANIE T SU whose telephone number is (571)272-5326.  The examiner can normally be reached on Monday to Friday, 8:30AM - 5:00PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ANISS CHAD can be reached on (571)270-3832.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained 






/S.T.S./Patent Examiner, Art Unit 3662         


/ANISS CHAD/Supervisory Patent Examiner, Art Unit 3662