DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This action is in response to amendments and remarks filed on 12/8/2021.
Claims 1-17 & 24-26 were previously pending. Claims 3-4, 9, & 14-15 are cancelled. Claims 27-31 are added. Claims 1, 7, 12, 16 & 25-26 are amended. Claims 1-2, 5-8, 10-13, 16-17, & 24-27, & 29-30 have been examined and are rejected. Claims 28 & 31 have been examined and are objected to.


Priority
This application claims priority to foreign application CN 201811002880.0 filed 8/30/2018.


Allowable Subject Matter
Claims 28 & 31 are objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims.


Claim Rejections – 35 USC § 101
The previous rejection of Claims 25-26 under 35 U.S.C. 101 is withdrawn in view of the current amendments. 


Response to Arguments
Applicant’s arguments filed in the communications above have been fully considered but are not persuasive. In the communications filed, applicant argues in substance that:
Argument (a) Zhan is silent on "determining that no fault has occurred in the second vehicle fault handling device according to the heartbeat detecting information for the second vehicle fault handling device" and following up with a verification that determines "whether a fault has occurred in the second vehicle fault handling device according to the environment information for the second vehicle fault handling device". 
Debouk cannot cure the deficiencies of Zhan. Debouk is silent on heartbeat detecting altogether, let alone the above distinguishing features related to heartbeat detecting. 
Hashmi cannot cure the deficiencies of Zhan and Debouk. Hashmi at best discloses: if the health monitoring service determines that the active node has some fault (hence the "fail-over") according to the insufficiency in the heartbeat messages received, the health monitoring service will verify whether the active node has indeed failed. This is diagonally contrary to the above distinguishing features which define: determining...whether a fault has occurred...if the first vehicle fault handling device determines that NO fault has occurred...according to the heartbeat detecting information...

In response to argument (a), examiner respectfully disagrees. 
Zhan teaches determining whether a fault has occurred in a vehicle based on heartbeat detecting information (See [Zhan: 7:38-40; 2:16-33] which provides a gateway host (i.e. first 
Debouk teaches identifying an error in the other controller in response to no communication activity from the other controller, and alternatively identifying an error in the other controller in response to the other controller deviating from an expected behavior [Debouk: 0016-17; Claims 3-4]. In other words, in addition to determining fault from failure to receive a communication, Debouk also teaches that the non-faulty controller may determine whether a fault has occurred in a vehicle controller by monitoring the functionality (i.e. environment information) of the faulty controller such that if the faulty controller functions in a manner that deviates from its required behavior, then a determination of fault may be made by the non-faulty controller monitoring the erratic functionality of the faulty controller [Debouk: 0016-17; Claims 3-4].  
	Zhan and Debouk do not explicitly teach determining whether a fault has occurred according to environment information if the fault handling device determines that no fault has occurred according to heartbeat detecting information. However Hashmi teaches that failure to receive a heartbeat message at periodic intervals is indicative of a failure. Hashmi further teaches that if the heartbeat message is successfully received, it contains status information which may be indicative of internal errors (See Hashmi: 9:32-10:12 reproduced below). The status information of Hashmi is analogous to the claimed environment information. Thus Hashmi teaches determining whether a fault has occurred according to status information (i.e. environment information) if the heartbeat message has been successfully received (i.e. if no fault is determined to have occurred according to heartbeat information). 

The provider network 90 in FIG. 2 also includes a health monitoring service 260 and a health monitoring database 262. The health monitoring service may comprise machine instructions that execute on a server computer and the health monitoring database may each VPN endpoint virtual machine sends a heartbeat message at periodic or near-periodic intervals. Each heartbeat message may encode health and/or status information about the corresponding virtual machine. The fact that a heartbeat message was sent at all indicates something about the operational nature of the virtual machine. Failure to transmit a heartbeat message may be indicative of a failure of the virtual machine or other components within the host computer on which the virtual machine executes. The health and status information contained within the heartbeat messages may include any of a variety of information such as error codes indicative of any errors detected internal to the virtual machine such as memory errors, network port timeouts, etc., processor utilization rates, memory utilization rates, etc. The health and status information may contain no information about any problems and thus include values or metadata indicative of a healthy and fully operational virtual machine. In some examples, the health and status information may include a healthy/unhealthy indicator for each of multiple subsystems within the virtual machine and corresponding virtualization system.

Each of the VPN endpoint virtual machines 232a, 232b sends the heartbeat messages to the health monitoring database 262 for storage therein. The health monitoring database 262 thus may store health and status messages and information for multiple VPN endpoint virtual machines. Each such virtual machine has an ID and the heartbeat messages may include the ID of the respective virtual machine. The health monitoring service 260 can access the health monitoring database 262 and determine the health and status of a given VPN endpoint virtual machine. As such, the health monitoring service 260 can determine whether an active mode VPN endpoint virtual machine has failed and, as explained below, if the active mode VPN endpoint virtual machine is determined to be experiencing a failure, initiate a fail-over process to the standby VPN endpoint virtual machine.


Argument (b) Applicant respectfully traverses the citation of Zhan purported to teach “the first vehicle fault handling device is further configured to monitor a main system of a vehicle in real-time” of claim 1. Zhan is silent on a "main system" of the train, let alone that the gateway host monitors the main system of the train in real-time. Besides, a network gateway is not commonly known as a controller or administrator, nor does the network gateway commonly known to monitor the entire train, hence there is no obvious motivation for a skilled person to arrange the network gateway of Zhan to monitor the main system (if any) of the train. 
 Debouk merely discloses that the controller 12 comprises microprocessors, and provides instructions to a vehicle device 18 for actuating the vehicle (Debouk: P[0009]). Debouk is silent on the "first controller 12" further monitors the "vehicle device 18" in real time, or that the "first controller 12" and the "vehicle device 18" are provided in a first computing device. In fact, Debouk is silent on the whereabouts of the "first controller 12" and the "vehicle device 18".

In response to argument (b), examiner respectfully disagrees. 
Zhan teaches a gateway host that monitors the state of heartbeat packets on active and standby in-vehicle communication networks to determine whether the heartbeat packet is received via the network according to a preset heartbeat period of 500ms (i.e. real-time monitoring of a vehicle system) [Zhan: 7:38-40; 9:6-15]. Zhan further teaches that the active and standby in-vehicle communication networks may be a traction brake network or the like, and a comfort network or the like [Zhan: 8:28-34]. The broadest reasonable interpretation of “a main system of a vehicle” would appear to include a vehicle traction brake network. 
Additionally Debouk teaches a first and second controller wherein each controller may monitor the activity of the other controller for identifying a fault in the other controller [0016-17; Claim 3-4]. Either of the first or second controller may be designated as a primary controller for generating control signals intended to control actuation devices on a vehicle under non-fault operating conditions [Debouk: 0006]. The broadest reasonable interpretation of “a main system of a vehicle” would appear to include a controller for generating control signals intended to control actuation devices on a vehicle. 
Finally, Debouk teaches a first controller with microprocessors for monitoring activity of another controller to identify faults, and for generating control signals for actuating a vehicle operation [Debouk: 0009-10; 0016; Fig. 1]. The first controller performs both monitoring activity of another controller (i.e. fault handling) as well as vehicle operation controls (i.e. main system), 

For at least these reasons, applicant’s arguments are considered not persuasive. 


Claim Rejections – 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

Claims 1-2, 7, 10-13, 24-27, & 29-30 are rejected under 35 U.S.C. 103 as being unpatentable over Zhan et al. (WO 2018/233644 A1) in view of Debouk et al. (US 2014/0277608 A1) in view of Hashmi (US 11,025,483 B1).
With regard to Claim 1, Zhan teaches:
A vehicle fault handling method, comprising: 

wherein the first vehicle fault handling device is further configured to monitor a main system of a vehicle in real-time; (the gateway host receives data via an in-vehicle communication network such as a traction brake network or the like [Zhan: 8:28-34]);
the second vehicle fault handling device is configured to monitor a first computing device; (the host and backup devices monitor the state of the heartbeat packet with each other such that the backup gateway can determine whether the heartbeat packet of the host machine is received [Zhan: 2:16-33]);
determining, by the first vehicle fault handling device, whether a fault has occurred in the second vehicle fault handling device according to the status information of the second vehicle fault handling device; and performing, by the first vehicle fault handling device, fault handling if a fault has occurred in the second vehicle fault handling device; (if the heartbeat packet of the backup machine is not detected in the preset heartbeat period, and the heartbeat packet of the host is successfully sent on the communication network of the master and backup machine, the host remains online, and the backup machine is recorded as being dropped [Zhan: 8:14-16]);
wherein the status information of the second vehicle fault handling device comprises heartbeat detecting information for the second vehicle fault handling device, and the determining, by the first vehicle fault handling device, whether a fault has occurred in the second vehicle fault handling device according to the status information of the second vehicle fault handling device comprises: determining that a fault has occurred in the second vehicle fault handling device if the first vehicle fault handling device fails to acquire the heartbeat detecting information for the second vehicle fault handling device within a first preset time period; (if the heartbeat packet of the backup machine is not detected in the preset heartbeat period, and the 

However, Zhan does not explicitly teach: 
the first vehicle fault handling device and the main system are provided in the first computing device;
wherein the status information of the second vehicle fault handling device further comprises environment information for the second vehicle fault handling device, and the determining, by the first vehicle fault handling device, whether a fault has occurred in the second vehicle fault handling device according to the status information of the second vehicle fault handling device comprises: determining, by the first vehicle fault handling device, whether a fault has occurred in the second vehicle fault handling device according to the environment information for the second vehicle fault handling device.
	
In a similar field of endeavor involving redundant controllers for autonomous vehicles, Debouk discloses:
wherein the first vehicle fault handling device is further configured to monitor a main system of a vehicle in real-time; (a first controller (i.e. first vehicle fault handling device) generates control signals intended to control actuation devices on a vehicle under non-fault operating conditions [Debouk: 0006]);
and the first vehicle fault handling device and the main system are provided in the first computing device; (the first controller 12 includes a first microprocessor 20 and a second microprocessor 22 for generating and transmitting control signals via communication bus 16 for actuating a vehicle operation of vehicle device 18 (i.e. main system), in addition to monitoring 
wherein the status information of the second vehicle fault handling device further comprises environment information for the second vehicle fault handling device, and the determining, by the first vehicle fault handling device, whether a fault has occurred in the second vehicle fault handling device according to the status information of the second vehicle fault handling device comprises: determining, by the first vehicle fault handling device, whether a fault has occurred in the second vehicle fault handling device according to the environment information for the second vehicle fault handling device; (the faulty controller may be detected by the non-faulty controller by monitoring the functionality (i.e. environment information) of the faulty controller such that if the faulty controller functions in a manner that deviates from its required behavior, then a determination may be made by the non-faulty controller monitoring the erratic functionality of the faulty controller [Debouk: 0016-17; Claims 3-4]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Zhan in view of Debouk in order to provide the first vehicle fault handling device and the main system in the first computing device, and to utilize environment information for determining fault in the system of Zhan. 
One of ordinary skill in the art would have been motivated to combine Zhan with Debouk as doing so would provide hardware redundancy through the use of a duplex controller, and would provide an additional technique for detecting controller fault even when communication channels remain functional [Debouk: 0016-17; Claims 3-4].  

However, Zhan-Debouk does not teach (where underlining indicates the portion of each limitation not taught):
if the first vehicle fault handling device determines that no fault has occurred in the second vehicle fault handling device according to the heartbeat detecting information for the second vehicle fault handling device.
	
In a similar field of endeavor involving redundant nodes for providing fault tolerance via heartbeat messages, Hashmi discloses:
determining, by the first fault handling device, whether a fault has occurred in the second fault handling device according to the environment information for the second fault handling device, if the first fault handling device determines that no fault has occurred in the second fault handling device according to the heartbeat detecting information for the second fault handling device; (a fault tolerant active node submits heartbeat messages that include information about the health and status of the respective node for storage and analysis by a health monitoring service, wherein a failure to transmit a heartbeat message is indicative of a failure of a component of the host computer, and wherein upon successful receipt of a heartbeat message containing health and status information, the health monitoring service can determine whether an active node has failed by analyzing the stored health and status information from the heartbeat messages [Hashmi: 2:66-3:55; 9:32-10:12]. In other words, Hashmi teaches determining whether a fault has occurred according to health and status information (i.e. environment information) if the heartbeat message has been successfully received (i.e. if no fault is determined to have occurred according to heartbeat information).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Zhan-Debouk in view of Hashmi in order to determine, by the first fault handling device, whether a fault has occurred in the second fault handling 
One of ordinary skill in the art would have been motivated to combine Zhan-Debouk with Hashmi as doing so would extend the utility of the heartbeat messages by enabling operational failure to be determined by the failure to transmit a heartbeat message as well as the status information provided in the heartbeat message [Hashmi: 9:32-10:12].


With regard to Claim 2, Zhan-Debouk-Hashmi teaches:
`The method according to claim 1, wherein the performing, by the first vehicle fault handling device, fault handling if a fault has occurred in the second vehicle fault handling device comprises: performing, by the first vehicle fault handling device, alert handling if a fault has occurred in the second vehicle fault handling device; (if the heartbeat packet of the backup machine is not detected in the preset heartbeat period, and the heartbeat packet of the host is successfully sent on the communication network of the master and backup machine, the host remains online, and the backup machine is recorded as being dropped [Zhan: 8:14-16]. in response to a failure occurring with respect to operation of the secondary controller, generating a first alert for alerting the driver of the vehicle of the failure condition [Debouk: 0025-26]).

With regard to Claim 7, Zhan teaches:
A vehicle fault handling method, comprising: 
acquiring in real-time, by a second vehicle fault handling device, status information of a first computing device; (a backup machine (i.e. second vehicle fault handling device) is powered and determines whether a gateway host (i.e. first vehicle fault handling device) heartbeat is detected [Zhan: 23:14-29]);

determining, by the second vehicle fault handling device, whether a fault has occurred in the first computing device according to the status information of the first computing device; and controlling, by the second vehicle fault handling device, operations if a fault has occurred in the first computing device; (when the heartbeat message transmission is successful, the backup machine remains online to monitor the status of each network data reception [Zhan: 29:37-30:9; 14:19-25]);
wherein the status information of the first vehicle fault handling device comprises heartbeat detecting information for the first vehicle fault handling device, and the determining, by the second vehicle fault handling device, whether a fault has occurred in the first vehicle fault handling device according to the status information of the first vehicle fault handling device comprises: determining that a fault has occurred in the first vehicle fault handling device if the second vehicle fault handling device fails to acquire the heartbeat detecting information for the first vehicle fault handling device within a second preset time period; (if the heartbeat packet of the host machine is not detected in the preset heartbeat period, and the heartbeat packet of the backup is successfully sent on the communication network of the master and backup machine, the backup machine remains online [Zhan: 8:14-16; 2:28-37]).

However, Zhan does not explicitly teach (where underlining indicates the portion of each limitation not taught): 
wherein the second vehicle fault handling device is provided in the second computing device; 
controlling, by the second vehicle fault handling device, a driving status of the vehicle if a fault has occurred in the first computing device;
wherein the status information of the first vehicle fault handling device further comprises environment information for the first vehicle fault handling device, and the determining, by the second vehicle fault handling device, whether a fault has occurred in the first vehicle fault handling device according to the status information of the first vehicle fault handling device comprises: determining, by the second vehicle fault handling device, whether a fault has occurred in the first vehicle fault handling device according to the environment information for the first vehicle fault handling device.
	
In a similar field of endeavor involving redundant controllers for autonomous vehicles, Debouk discloses:
wherein the second vehicle fault handling device is further configured to monitor a second computing device in real-time, wherein the second vehicle fault handling device is provided in the second computing device; and controlling, by the second vehicle fault handling device, a driving status of the vehicle if a fault has occurred in the first computing device; (the second controller 14 (i.e. second vehicle fault handling device) includes two microprocessors for monitoring activity of another controller for identifying a fault in the other controller (i.e. fault handling device) in addition to generating and transmitting control signals via communication bus 16 for actuating a vehicle operation of vehicle device 18 in the event the first controller is determined faulty [Debouk: 0009-10; 0016; Fig. 1]);
wherein the status information of the first vehicle fault handling device further comprises environment information for the first vehicle fault handling device, and the determining, by the second vehicle fault handling device, whether a fault has occurred in the first vehicle fault handling device according to the status information of the first vehicle fault handling device comprises: determining, by the second vehicle fault handling device, whether a fault has occurred in the first vehicle fault handling device according to the environment information for the first vehicle fault handling device; (the faulty controller may be detected by the non-faulty 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Zhan in view of Debouk in order to provide the second vehicle fault handling device in the second computing device, and to utilize environment information for determining fault in the system of Zhan.
One of ordinary skill in the art would have been motivated to combine Zhan with Debouk as doing so would provide hardware redundancy through the use of a duplex controller, and would provide an additional technique for detecting controller fault even when communication channels remain functional [Debouk: 0016-17; Claims 3-4].    

However, Zhan-Debouk does not teach (where underlining indicates the portion of each limitation not taught):
determining, by the second vehicle fault handling device, whether a fault has occurred in the first vehicle fault handling device according to the environment information for the first vehicle fault handling device if the second vehicle fault handling device determines that no fault has occurred in the first vehicle fault handling device according to the heartbeat detecting information for the first vehicle fault handling device.
	
In a similar field of endeavor involving redundant nodes for providing fault tolerance via heartbeat messages, Hashmi discloses:
determining, by the second vehicle fault handling device, whether a fault has occurred in the first vehicle fault handling device according to the environment information for the first 

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Zhan-Debouk in view of Hashmi in order to determine, by the second fault handling device, whether a fault has occurred in the first fault handling device according to environment information if the second fault handling device determines that no fault has occurred in the first fault handling device according to the heartbeat in the system of Zhan-Debouk. 
One of ordinary skill in the art would have been motivated to combine Zhan-Debouk with Hashmi as doing so would extend the utility of the heartbeat messages by enabling operational failure to be determined by the failure to transmit a heartbeat message as well as the status information provided in the heartbeat message [Hashmi: 9:32-10:12].

With regard to Claim 10, Zhan-Debouk-Hashmi teaches:


With regard to Claim 11, Zhan-Debouk-Hashmi teaches:
The method according to claim 7, wherein the second vehicle fault handling device second computing device monitors a second computing device in real-time comprises: 
acquiring in real-time, by the second vehicle fault handling device, heartbeat detecting information and environment information for the second computing device; transmitting, by the second vehicle fault handling device, the heartbeat detecting information and the environment information for the second computing device to a first vehicle fault handling device, and determining whether a fault has occurred in the second computing device according to the heartbeat detecting information and the environment information for the second computing device; (heartbeat packets are transmitted from a backup machine (i.e. second vehicle fault handling device) to a gateway host (i.e. first vehicle fault handling device) which determines whether the heartbeat packets of the backup machine are detected within a preset heartbeat period (i.e. whether a fault has occurred) [Zhan: 7:38-40; 8:14-16]. Debouk teaches that the faulty controller may be detected by the non-faulty controller by monitoring the activity (i.e. environment information) of the faulty controller such that if no activity is being generated for a controller when control signals are being generated for the other controller, then a determination is made that the non-responsive controller is faulty [Debouk: 0016]);


With regard to Claims 12-13 & 24-26, they appear substantially similar to the limitations recited by claims 1-2 & 7 and consequently do not appear to teach or further define over the citations provided for said claims. Accordingly, claims 12-13 & 24-26 are rejected for the same reasons as set forth in claims 1-2 & 7.

With regard to Claim 27, Zhan-Debouk-Hashmi teaches:
The method according to claim 1, wherein the environment information for the second vehicle fault handling device comprises information about at least one of CPU usage and memory usage of the second vehicle fault handling device; (the health monitoring service can determine whether an active node has failed by analyzing the stored health and status information from the heartbeat messages, wherein the health and status information may include any of a variety of information such as error codes indicative of any errors detected internal to the virtual machine such as memory errors, network port timeouts, etc., processor utilization rates, memory utilization rates, etc. [Hashmi: 2:66-3:55; 9:32-10:12]).

With regard to Claims 29-30, they appear substantially similar to the limitations recited by claim 27 and consequently do not appear to teach or further define over the citations .


Claims 5-6, 8, & 16-17 are rejected under 35 U.S.C. 103 as being unpatentable over Zhan et al. (WO 2018/233644 A1) in view of Debouk et al. (US 2014/0277608 A1) in view of Hashmi (US 11,025,483 B1) as applied to claims 1, 7, & 12 above, and further in view of Tiwari et al. (US 2020/0010061 A1).
With regard to Claim 5, Zhan-Debouk-Hashmi teaches:
The method according to claim 1, wherein the first vehicle fault handling device monitors the main system of a vehicle in real-time comprises: acquiring in real-time, by the first vehicle fault handling device, first data information of the main system; (the gateway host receives data via an in-vehicle communication network such as a traction brake network or the like [Zhan: 8:28-34]);
determining, by the first vehicle fault handling device, whether a fault has occurred in the main system according to the first data information; (if the host heartbeat packet of the active/standby communication network is unsuccessful, the host requests the backup machine to go online through the traction brake network, wherein if the backup brake network does not receive the backup machine response request, the host will stop requesting the backup of the traction brake network, and the backup machine is requested to go online through the comfort network [Zhan: 9:6-15]).

However, Zhan-Debouk-Hashmi does not teach (where underlining indicates the portion of each limitation not taught):
determining, by the first vehicle fault handling device, whether a fault has occurred in the main system according to the first data information; and controlling, by the first vehicle fault handling device, the vehicle to decelerate or stop if a fault has occurred in the main system.	
In a similar field of endeavor involving braking system redundancies in autonomous automotive vehicles, Tiwari discloses:
determining, by the first vehicle fault handling device, whether a fault has occurred in the main system according to the first data information; and controlling, by the first vehicle fault handling device, the vehicle to decelerate or stop if a fault has occurred in the main system; (a system which enables robustness of a vehicle against control failure (e.g., failure-resistant redundancy) in which the vehicle braking system can be configured to automatically and actively apply the brakes in the event of communication failure (e.g., a detected lost data packet having a control signal, a received incomplete data packet, a time of no detected communication exceeding a predetermined threshold, etc.) between the vehicle and a remote operator, a failure of an autonomous vehicle control system (e.g., data link severance, computational error, sensor failure, etc.), and any other failure in vehicle control or operation during driving of the vehicle [Tiwari: 0048]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Zhan-Debouk-Hashmi in view of Tiwari in order to control the vehicle to decelerate or stop if a fault has occurred in the main system in the system of Zhan-Debouk-Hashmi. 
One of ordinary skill in the art would have been motivated to combine Zhan-Debouk-Hashmi with Tiwari as doing so would provide a second set of control signals in a failure mode that function to bring the vehicle to a complete stop, thereby enhancing the safety of occupants in an autonomous vehicle [Tiwari: 0050].

With regard to Claim 6, Zhan-Debouk-Hashmi-Tiwari teaches:


With regard to Claim 8, Zhan-Debouk-Hashmi teaches the method according to claim 7, but does not teach (where underlining indicates the portion of each limitation not taught):
wherein the controlling, by the second vehicle fault handling device, a driving status of the vehicle if a fault has occurred in the first computing device comprises: controlling, by the the vehicle to decelerate, stop or emergency brake if a fault has occurred in the first computing device.

In a similar field of endeavor involving braking system redundancies in autonomous automotive vehicles, Tiwari discloses:
controlling, by the second vehicle fault handling device, the vehicle to decelerate, stop or emergency brake if a fault has occurred in the first computing device; (a system which enables robustness of a vehicle against control failure (e.g., failure-resistant redundancy) in which the vehicle braking system can be configured to automatically and actively apply the brakes in the event of communication failure (e.g., a detected lost data packet having a control signal, a received incomplete data packet, a time of no detected communication exceeding a predetermined threshold, etc.) between the vehicle and a remote operator, a failure of an autonomous vehicle control system (e.g., data link severance, computational error, sensor failure, etc.), and any other failure in vehicle control or operation during driving of the vehicle [Tiwari: 0048]).

It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Zhan-Debouk-Hashmi in view of Tiwari in order to control the vehicle to decelerate or stop if a fault has occurred in the second computing device in the system of Zhan-Debouk-Hashmi. 
One of ordinary skill in the art would have been motivated to combine Zhan-Debouk-Hashmi with Tiwari as doing so would provide a second set of control signals in a failure mode that function to bring the vehicle to a complete stop, thereby enhancing the safety of occupants in an autonomous vehicle [Tiwari: 0050].

With regard to Claims 16-17, they appear substantially similar to the limitations recited by claims 5-6 and consequently do not appear to teach or further define over the citations provided for said claims. Accordingly, claims 16-17 are rejected for the same reasons as set forth in claims 5-6.


Conclusion
Applicant’s amendment necessitated any new grounds of rejection presented in this office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: 
Zhang et al. (CN 107908186 B) which teaches a standby driving system 408 that receives some sensing and control information from the main driving system 406 and takes over vehicle control when the main driving system 406 fails, wherein the reliability of the standby driving system 406 is higher because it relies on less sensors, simpler, more reliable computing devices, simpler algorithm logic, and can also be more fully tested. 
Wu (US 2020/0331493 A1) which teaches an autonomous driving system provided with two decision units, a primary decision unit and an alternative decision unit, wherein the alternative decision unit monitors the state of the primary decision unit, and upon detecting that the primary decision unit is abnormal, takes over and calculates decision information based on the environment information, so as to guarantee normal operation of the autonomous driving system, such that the entire autonomous driving system will not crash due to failure of the primary decision unit.

In the case of amendments, Applicant is respectfully requested to indicate the portion(s) of the specification which dictate(s) the structure relied on for proper interpretation and support, for ascertaining the metes and bounds of the claimed invention.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AUSTIN MOREAU whose telephone number is (571) 272-5179.  The examiner can normally be reached on Monday to Thursday and alternate Fridays.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Brian Gillis can be reached at (571) 272-7952.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call (800) 786-9199 (IN USA OR CANADA) or (571) 272-1000.