Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 01/05/2022 has been entered.
 	The objective of the accelerated examination program is to complete the examination of an application within twelve months from the filing date of the application. To meet that objective, any reply must be filed electronically via EFS-Web so that the papers will be expeditiously processed and considered. If the reply is not filed electronically via EFS-Web, the final disposition of the application may occur later than twelve months from the filing of the application. 
Drawings
Drawings have been reviewed and accepted.

Specification
The specification filed on 01/13/2020 has been reviewed and accepted. 

Response to Arguments
Applicant's arguments filed 12/15/2021 have been carefully and fully considered. With respect to applicant’s argument of the remarks (numbered as page 7) which recites:


“FIG. 1 in Weiberle shows that the CPU 1 and CPU 2 are each connected to a ROM 180. Weiberle discloses in paragraph 34 that "a certain status of the execution units can, for example, trigger a high priority interrupt, which is then valid for both execution units" and gives an example where a status generated by the first CPU 1 processing the programs in the ROM 180 triggers a high priority interruption request that applies also for the second CPU 2. Thus, Weiberle discloses communication between the CPU 1 and CPU 2. Given the foregoing, Weiberle does not supply what is missing from Forest in view of Koda with respect to the elements of amended claim 1 because Weiberle does not disclose or suggest no communication between a safety processing module and a main processing module, in accordance with the elements of amended claim 1. Therefore, favorable reconsideration of claim 1, and of the claims that depend therefrom, is respectfully requested.”

The examiner respectfully disagrees. While Applicant’s comments are well taken and appreciated, Applicant’s arguments are not found persuasive as [0019] in applicant’s specification states “The safety processing module 116 retrieves from the actuator drive 110 the actual command output value generated by the main processing module 108, and compares the expected command output value with the actual command output value” which suggests the safety processing module and the main processing module indirectly communicate. Applicant suggests that Weiberle shows 

Claim Rejections - 35 USC § 112
Claims 1, 7, and 12 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. The support for the limitation “wherein there is no communication between the safety processing module and the main processing module” is not found to have sufficient structure. Examiner notes [0019] in applicant’s specification states “The safety processing module 116 retrieves from the actuator drive 110 the actual command output value generated by the main processing module 108, and compares the expected command output value with the actual command output value” which suggests the safety processing 
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1, 4, 6, 7, and 10-15 are rejected under 35 U.S.C. 103 as being unpatentable over Forest et al. (US20060126256, herein Forest), in view of Koda et al. (JP2005291173A, herein Koda, note a .

Regarding claim 1, Forest teaches A controller for a vehicle (Fig. 2, element 30), the controller comprising: a main processing module having one or more processors and at least one memory (Fig. 2 primary processor 48 as main processing module [0016] the present invention may employ various integrated circuit components, e.g., memory elements, digital signal processing elements, look-up tables, and the like, to carry out a variety of functions under the control of one or more microprocessors or other control devices, [0025] the control module 30 has independent dual computational/memory control paths 32, 44 within the primary processor 48).
the main processing module being configured to process one or more command inputs to generate one or more main functions for the vehicle ([0019] transfers information, such as the input data received by the primary processor 48, [0023] the primary processor 48 forwards the input data, used by the primary processor 48 in generating the control commands, to the secondary processor 36 as previously mentioned herein. The secondary processor 36 generates command values using the input data, [0020] the primary processor 48 includes a primary control path 32 that computes various command values for actuator control based on various inputs/outputs from different vehicle systems, sub system, sensors, and associated algorithms. The command values are transmitted to the actuator control units 20, 22, 24 along the vehicle communication link 34.);
a safety processing module having one or more processors and at least one memory, (Fig. 2 secondary processor 36 as safety processing module , [0028] the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode, Fig. 2 [0025] the control module 30 has independent dual computational/memory control paths 32, 44),
the safety processing module being configured to process one or more command inputs to generate one or more safety functions ([0019] transfers information, such as the input data received by the primary processor 48, [0023] the primary processor 48 forwards the input data, used by the primary processor 48 in generating the control commands, to the secondary processor 36 as previously mentioned herein. The secondary processor 36 generates command values using the input data); 
wherein the safety processing module is independent of the main processing module (Fig. 2 primary processor 48, secondary processor 36), 
and is configured to perform the one or more safety functions separately and independently of the main processing module ([0023] the primary processor 48 forwards the input data, used by the primary processor 48 in generating the control commands, to the secondary processor 36 as previously mentioned herein. The secondary processor 36 generates command values using the input data and compares such command values with the signature contained in the messages from the actuator control units 20, 22, 24). (I.e the comparing function is performed separately and independently in the second processor), [0026] In an exemplary embodiment incorporating the dual computational/memory control paths 32, 44, the messages generated by the actuator control units 20, 22, 24 are forwarded, without modification, from the primary control path 32 to the redundant control path 44 via the local communication link 46. The redundant control path 44 verifies whether the data contained in the messages from the actuator control units 20, 22, 24 match the corresponding signatures in a manner Substantially similar in operation with the secondary processor 36 as previously mentioned); 
wherein the one or more safety functions comprise generating an expected command output value based on the one or more command inputs ([0028] a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions: when no data is received by the secondary processor 36 from the primary processor 48 for a pre-determined amount of time; when no data is received by the redundant control path 44 from the , 
and comparing the expected command output value with an actual command output value generated by the main processing module ([0023] The secondary processor 36 generates command values using the input data and compares Such command values with the signature contained in the messages from the actuator control units 20, 22, 24. A matching signature implies that the secondary processor 36 has a substantially unmodified copy of the message originally sent by the actuator control unit 20, 22, 24, [0024] the message from the actuator control unit 20, 22, 24 additionally includes the copy of the data received by the actuator control unit 20, 22, 24 from the primary processor 48. The secondary processor 36 compares the computed command values with the data in the messages from the actuator control unit 20, 22, 24 which, in turn, is the command data actually sent by the primary processor 48).
wherein the one or more safety functions further comprise generating a safety control signal when a difference between the expected command output value and the actual command output value is greater than a predefined tolerance ([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions:… when the data contained in the message from the actuator control units 20, 22, 24 does not match the corresponding signature; when the data contained in the message from the actuator control units 20, 22, 24 exceeds the range of values, [0024] the secondary processor 36 may compute a 
and wherein the safety control signal activates a safety shutdown switch… ([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, [0030] switches operation mode of the vehicle control system 12 (FIG. 1) to the safe mode in response to failed verifications through the reset/disable sub-system 60, [0029] the primary processor 48, that transmits a reset or disable signal to the primary processor 48 for an amount of time sufficient for the actuator control units 20, 22, 24 to take remedial action).
Forest does not teach that returns an electromechanical actuator to a fail-safe state.
Koda teaches that returns an electromechanical actuator to a fail-safe state (page 3 lines 35-36 when the abnormality (1) occurs, execution of fail-safe measures for avoiding danger is a top priority).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety shutdown switch with Koda’s teaching of returning an electromechanical actuator to a fail-safe state. The combined teaching provides an expected result of a safety shutdown switch that returns an electromechanical actuator to a fail-safe state. Therefore, one of ordinary skill in the art would be motivated to allow and ensure safety for the system and user.
The combination of Forest and Koda do not teach wherein there is no communication between the safety processing module and the main processing module;
Weiberle teaches wherein there is no communication between the safety processing module and the main processing module; (Fig. 1 CPU 1 and CPU 2, [0025] shows “Second memory region 180, in 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety processing module and a main processing module with Weiberle’s teaching of the no direct communication between the CPUs. The combined teaching provides an expected result CPUs with modules that are not communicating. Therefore, one of ordinary skill in the art would be motivated to prevent malware or software errors from spreading in order to limit it to one processing module rather than infecting both.  

Regarding claim 4, the combination of Forest, Koda, and Weiberle teach the controller of claim 1, 
Koda further teaches wherein the fail-safe state disables one or more functions of a vehicle (page 3 lines 28-30 strong fail-safe treatment is performed so that the engine operation is immediately stopped or restricted. For example, the first CPU 11 stops the fuel injection or reduces the fuel injection amount, and the second CPU 12 controls the throttle opening to the fully closed side to reduce the intake air amount).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety shutdown switch with Koda’s teaching of the fail-safe state disabling a function of a vehicle. The combined teaching provides an expected result the fail-safe state disabling a function of a vehicle. Therefore, one of ordinary skill in the art would be motivated to allow and ensure safety for the system and user.

Regarding claim 6, the combination of Forest, Koda, and Weiberle teach The controller of claim 1, one or more processors and the at least one memory of the safety processing module… one or more processors and the at least one memory in the main processing module [0016] the present invention may employ various integrated circuit components, e.g., memory elements, digital signal processing elements, look-up tables, and the like, to carry out a variety of functions under the control of one or more microprocessors or other control devices, [0025] the control module 30 has independent dual computational/memory control paths 32, 44 within the primary processor 48).
Weiberle further teaches wherein the one or more processors and the at least one memory of the safety processing module are separate from the one or more processors and the at least one memory in the main processing module (Fig. 1 [0023] memory region is configured to two parts, so that two first memory regions 150 and 151 are present, corresponding to two execution units.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety and main processing module with Weiberle’s teaching of each processor having their own memory. The combined teaching provides an expected result of a safety processing module and main processing module have separate processors and memories. Therefore, one of ordinary skill in the art would be motivated so it’s easier to access to operate their own memory allows for processing the data faster.


Regarding claim 7, Forest teaches A driving system for a vehicle ([0017] The vehicle electrical infrastructure 26 may include various systems and/or Subsystems on the vehicle 10, including by way of example and not of limitation a human vehicle interface, a battery power management system, an engine management System, a transmission management system, a body control module, and vehicle Sub systems such as an Antilock Brake System (ABS) and an All-Wheel Drive (AWD) system,
the system comprising: one or more sensors configured to collect one or more command inputs ([0018] receive a variety of vehicle data from the vehicle electrical infrastructure 26 or from various sensors); 
a controller comprising a main processing module having one or more processors and at least one memory (Fig. 2 primary processor 48 as main processing module [0016] the present invention may employ various integrated circuit components, e.g., memory elements, digital signal processing elements, look-up tables, and the like, to carry out a variety of functions under the control of one or more microprocessors or other control devices, [0025] the control module 30 has independent dual computational/memory control paths 32, 44 within the primary processor 48).
 the main processing module being configured to process the one or more command inputs to generate one or more main functions for the vehicle ([0019] transfers information, such as the input data received by the primary processor 48, [0023] the primary processor 48 forwards the input data, used by the primary processor 48 in generating the control commands, to the secondary processor 36 as previously mentioned herein. The secondary processor 36 generates command values using the input data, [0020] the primary processor 48 includes a primary control path 32 that computes various command values for actuator control based on various inputs/outputs from different vehicle systems, sub system, sensors, and associated algorithms. The command values are transmitted to the actuator control units 20, 22, 24 along the vehicle communication link 34.);
and a safety processing module having one or more processors and at least one memory  (Fig. 2 secondary processor 36 as safety processing module , [0028] the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode, Fig. 2 [0025] the control module 30 has independent dual computational/memory control paths 32, 44)
 the safety processing module being configured to process the one or more command inputs to generate one or more safety functions ([0019] transfers information, such as the input data received ;
one or more electromechanical actuators configured to receive an actual command output value generated by the main processing module ([0021] Each actuator control unit 20, 22, 24 receiving data from the primary processor 48 generates a message that is transmitted to the primary processor 48 for verification of control commands); 
and a safety shutdown switch configured to receive a control signal generated by the safety processing module performing the one or more safety functions ([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, [0030] switches operation mode of the vehicle control system 12 (FIG. 1) to the safe mode in response to failed verifications through the reset/disable sub-system 60, [0029] the primary processor 48, that transmits a reset or disable signal to the primary processor 48 for an amount of time sufficient for the actuator control units 20, 22, 24 to take remedial action); 
wherein the safety processing module is independent of the main processing module (Fig. 2 primary processor 48, secondary processor 36), 
and the safety processing module is configured to perform the one or more safety functions separately and independently of the main processing module ([0023] the primary processor 48 forwards the input data, used by the primary processor 48 in generating the control commands, to the secondary processor 36 as previously mentioned herein. The secondary processor 36 generates command values using the input data and compares such command values with the signature contained in the messages from the actuator control units 20, 22, 24). (I.e the comparing function is performed separately and independently in the second processor, [0026] In an exemplary embodiment ;
wherein the one or more safety functions comprise generating an expected command output value based on the one or more command inputs ([0028] a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions: when no data is received by the secondary processor 36 from the primary processor 48 for a pre-determined amount of time; when no data is received by the redundant control path 44 from the primary control path 32 for a pre-determined amount of time; when the data contained in the message from the actuator control units 20, 22, 24 does not match the corresponding signature; when the data contained in the message from the actuator control units 20, 22, 24 exceeds the range of values; when the signature does not match the command values computed by the secondary processor 36; and, when a request is received from the redundant control path 44),
 comparing the expected command output value with the actual command output value generated by the main processing module ([0023] The secondary processor 36 generates command values using the input data and compares Such command values with the signature contained in the messages from the actuator control units 20, 22, 24. A matching signature implies that the secondary processor 36 has a substantially unmodified copy of the message originally sent by the actuator control unit 20, 22, 24, [0024] the message from the actuator control unit 20, 22, 24 additionally includes the copy of the data received by the actuator control unit 20, 22, 24 from the primary processor 48. The secondary processor 36 compares the computed command values with the data in the messages from 
And generating the safety control signal when a difference between the expected output value and the actual output value is greater than a predefined tolerance ([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions:… when the data contained in the message from the actuator control units 20, 22, 24 does not match the corresponding signature; when the data contained in the message from the actuator control units 20, 22, 24 exceeds the range of values, [0024] the secondary processor 36 may compute a range of values based on the input data received from the primary processor 48 for comparison with the data in the messages from the actuator control unit 20, 22, 24. A failed verification results when the data in the messages falls outside of the range of values); 
And wherein the safety control signal activates the safety shutdown switch… ([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, [0030] switches operation mode of the vehicle control system 12 (FIG. 1) to the safe mode in response to failed verifications through the reset/disable sub-system 60, [0029] the primary processor 48, that transmits a reset or disable signal to the primary processor 48 for an amount of time sufficient for the actuator control units 20, 22, 24 to take remedial action).
Forest does not teach that returns an electromechanical actuator to a fail-safe state.
Koda teaches that returns an electromechanical actuator to a fail-safe state (page 3 lines 35-36 when the abnormality (1) occurs, execution of fail-safe measures for avoiding danger is a top priority).

The combination of Forest, and Koda do not teach wherein there is no communication between the safety processing module and the main processing module;
Weiberle teaches wherein there is no communication between the safety processing module and the main processing module; (Fig. 1 CPU 1 and CPU 2, [0025] shows “Second memory region 180, in which the non-safety-critical programs or tasks are located, is present in single form. It is used by both execution units 101 and 102, or rather, it is accessed by both).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety processing module and a main processing module with Weiberle’s teaching of the no direct communication between the CPUs. The combined teaching provides an expected result CPUs with modules that are not communicating. Therefore, one of ordinary skill in the art would be motivated to prevent malware or software errors from spreading in order to limit it to one processing module rather than infecting both.  

Regarding claim 10, the combination of Forest, Koda, and Weiberle teach the system of claim 7, wherein the fail-safe state disables one or more functions of a vehicle.
Koda further teaches wherein the fail-safe state disables one or more functions of a vehicle. (page 3 lines 28-30 strong fail-safe treatment is performed so that the engine operation is immediately stopped or restricted. For example, the first CPU 11 stops the fuel injection or reduces the fuel injection 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety shutdown switch with Koda’s teaching of the fail-safe state disabling a function of a vehicle. The combined teaching provides an expected result the fail-safe state disabling a function of a vehicle. Therefore, one of ordinary skill in the art would be motivated to allow and ensure safety for the system and user.

Regarding claim 11, the combination of Forest, Koda, and Weiberle teach The system of claim 7, wherein one or more processors and at least one memory of the safety processing module …  one or more processors and at least one memory in the main processing module ([0016] the present invention may employ various integrated circuit components, e.g., memory elements, digital signal processing elements, look-up tables, and the like, to carry out a variety of functions under the control of one or more microprocessors or other control devices, [0025] the control module 30 has independent dual computational/memory control paths 32, 44 within the primary processor 48).
Weiberle further teaches wherein one or more processors and at least one memory of the safety processing module are separate from the one or more processors and at least one memory in the main processing module (Fig. 1 [0023] memory region is configured to two parts, so that two first memory regions 150 and 151 are present, corresponding to two execution units.)
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety and main processing module with Weiberle’s teaching of each processor having their own memory. The combined teaching provides an expected result of a safety processing module and main processing module have separate processors 

Regarding claim 12, Forest teaches A method for controlling a vehicle ([0017] The vehicle electrical infrastructure 26 may include various systems and/or Subsystems on the vehicle 10, including by way of example and not of limitation a human vehicle interface, a battery power management system, an engine management System, a transmission management system, a body control module, and vehicle Sub systems such as an Antilock Brake System (ABS) and an All-Wheel Drive (AWD) system), 
the method comprising: collecting input commands ([0018] receive a variety of vehicle data from the vehicle electrical infrastructure 26 or from various sensors); 
generating an actual command output value by a main processing module [0023] the primary processor 48 forwards the input data, used by the primary processor 48 in generating the control commands, to the secondary processor 36 as previously mentioned herein. The secondary processor 36 generates command values using the input data)…; 
generating an expected command output value by a safety processing module for determining whether the vehicle is operating properly ([0028] a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions: when no data is received by the secondary processor 36 from the primary processor 48 for a pre-determined amount of time; when no data is received by the redundant control path 44 from the primary control path 32 for a pre-determined amount of time; when the data contained in the message from the actuator control units 20, 22, 24 does not match the corresponding signature; when the data contained in the message from the actuator control units 20, 22, 24 exceeds the range of values; when the signature does not match the command values computed by the secondary processor 36; and, when a request is received from the redundant control path 44);9WO 2019/014475PCT/US2018/041870 
wherein the expected command output value is generated by the safety processing module separately and independently of the actual command output value generated by the main processing module ([0026] In an exemplary embodiment incorporating the dual computational/memory control paths 32, 44, the messages generated by the actuator control units 20, 22, 24 are forwarded, without modification, from the primary control path 32 to the redundant control path 44 via the local communication link 46. The redundant control path 44 verifies whether the data contained in the messages from the actuator control units 20, 22, 24 match the corresponding signatures in a manner Substantially similar in operation with the secondary processor 36 as previously mentioned).
comparing the actual command output value with the expected command output value ([0023] The secondary processor 36 generates command values using the input data and compares Such command values with the signature contained in the messages from the actuator control units 20, 22, 24. A matching signature implies that the secondary processor 36 has a substantially unmodified copy of the message originally sent by the actuator control unit 20, 22, 24, [0024] the message from the actuator control unit 20, 22, 24 additionally includes the copy of the data received by the actuator control unit 20, 22, 24 from the primary processor 48. The secondary processor 36 compares the computed command values with the data in the messages from the actuator control unit 20, 22, 24 which, in turn, is the command data actually sent by the primary processor 48), 
returning … to a state if the actual command output value is outside a predefined range of the expected command output value ([0028] When the secondary processor 36 determines that a failed verification has occurred, the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode. In one exemplary embodiment of a safe operation mode, the secondary processor 36 disables or resets the primary processor 48 under one or more of the following conditions:… when the data contained in the message from the actuator control units 20, 22, 24 does not match the corresponding signature; when the data contained in the message from the actuator control units 20, 
Forest does not teach for changing a driving condition of a vehicle and returning an electromechanical actuator to a fail-safe state.
Koda teaches for changing a driving condition of a vehicle and returning an electromechanical actuator to a fail-safe state (page 3 lines 35-36 when the abnormality (1) occurs, execution of fail-safe measures for avoiding danger is a top priority, page 3 lines 50-53 fail-safe measure such as stopping fuel injection or reducing the fuel injection amount is executed in step S104. When the actual acceleration is equal to or less than the required acceleration, a strong fail-safe measure such as stopping fuel injection or reducing the fuel injection amount is not executed).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety shutdown switch with Koda’s teaching of returning an electromechanical actuator to a fail-safe state. The combined teaching provides an expected result of a safety shutdown switch that returns an electromechanical actuator to a fail-safe state. Therefore, one of ordinary skill in the art would be motivated to allow and ensure safety for the system and user.
The combination of Forest and Koda do not teach wherein there is no communication between the safety processing module and the main processing module;
Weiberle teaches wherein there is no communication between the safety processing module and the main processing module; (Fig. 1 CPU 1 and CPU 2, [0025] shows “Second memory region 180, in which the non-safety-critical programs or tasks are located, is present in single form. It is used by both execution units 101 and 102, or rather, it is accessed by both).


Regarding claim 13, the combination Forest, Koda, and Weiberle teach the method of claim 12, 
Forest does not teach wherein the fail-safe state disables one or more driving functions of a vehicle.
Koda teaches wherein the fail-safe state disables one or more driving functions of a vehicle (page 3 lines 28-30 strong fail-safe treatment is performed so that the engine operation is immediately stopped or restricted. For example, the first CPU 11 stops the fuel injection or reduces the fuel injection amount, and the second CPU 12 controls the throttle opening to the fully closed side to reduce the intake air amount).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a safety shutdown switch with Koda’s teaching of the fail-safe state disabling a function of a vehicle. The combined teaching provides an expected result the fail-safe state disabling a function of a vehicle. Therefore, one of ordinary skill in the art would be motivated to allow and ensure safety for the system and user.

Regarding claim 14, the combination of Forest, Koda, and Weiberle teach The method of claim 12, further comprising storing algorithms … in a memory of the safety processing module (Forest [0018] the control module 14 transmits commands to the actuators 20, 22, 24. The control module 14 
Weiberle further teaches storing…expected performance data in a memory ([0027] The new commands and/or data are then correspondingly loaded from the respectively assigned first memory region 150 or 151, and are processed.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of storing algorithms with Weiberle’s teaching of storing data in the memory. The combined teaching provides an expected result storing algorithms and data in the memory. Therefore, one of ordinary skill in the art would be motivated to store the data to maintain the integrity of the data.

Regarding claim 15, the combination of Forest, Koda, and Weiberle teach the method of claim 12, further comprising retrieving the expected command output value from an actuator drive (Forest, actuator control unit as actuator drive [0021] Each actuator control unit 20, 22, 24 receiving data from the primary processor 48 generates a message that is transmitted to the primary processor 48 for verification of control commands.)

Claim 5 is rejected under 35 U.S.C. 103 as being unpatentable over Forest et al. (US20060126256, herein Forest), in view of Koda et al. (JP2005291173A, herein Koda, note a translation is being used), in further view of Weiberle et al. (US20070277023A1, herein Weiberle), and in further view of Oono et al. (US20170002763A1, herein Oono). 

, the combination of Forest, Koda, and Weiberle teach the controller of claim 1, further comprising a main processing circuit (Fig. 2 primary processor 48) 
and a safety processing circuit (Fig. 2 secondary processor 36 as safety processing module , [0028] the secondary processor switches the vehicle control system 12 (FIG. 1) to a safe operation mode), 
wherein the safety processing circuit is independent of the main processing circuit (Fig. 2 primary processor 48, secondary processor 36, [0016] the present invention may employ various integrated circuit components, e.g., memory elements, digital signal processing elements, look-up tables, and the like, to carry out a variety of functions under the control of one or more microprocessors or other control devices.), 
The combination of Forest, Koda, and Weiberle do not teach is configured to convert sensor data for compatibility with the one or more processors in the safety processing module.
Oono teaches is configured to convert sensor data for compatibility with the one or more processors in the safety processing module ([0041] An I/O unit 302, which converts the electrical signal of each sensor disposed in the engine 201 into a signal for digital calculation processing and converts the control signal for digital calculation into a drive signal of an actual actuator, is set in a CPU 301. The water temperature sensor 210, the cam angle sensor 208, the air-fuel ratio sensor 211, the intake air volume sensor (thermal air flow meter) 202, the throttle opening degree sensor 215, a vehicle speed sensor 220, the ignition SW 216, the intake pipe pressure sensor 206, an atmospheric pressure sensor 221, an intake air temperature sensor 222, a load SW (air conditioning SW) 223, the accelerator opening degree sensor 218, and the crank angle sensor 219 are input into the I/O unit 302).
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify Forest’s teaching of a processing circuit with Oono’s teaching of converting sensor data for compatibility with one or more processors. The combined teaching provides .
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure.
Yoshimura (US20150100207) discloses a vehicle control system that switches over control in accordance with a failure detection notification to safely continue vehicle use. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to YVONNE T FOLLANSBEE whose telephone number is (571)272-0634.  The examiner can normally be reached on Monday - Friday 9:30am - 5:30pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rocio Del-Mar, Perez-Velez can be reached on (571) 270-5935.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 

/YTF/
Examiner, Art Unit 2117

/ROCIO DEL MAR PEREZ-VELEZ/Supervisory Patent Examiner, Art Unit 2117