Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-16 are rejected under 35 U.S.C. 103 as being unpatentable over US 20200034262 A1 (Bemanian) in view of “Cybersecurity and functional safety: the case for embedded analytics: An integrated approach to ISO26262 and ISO21434 compliance” by UltraSoC - published July 24 2019 (herein referred to as UltraSoC) and US 8412409 B2 (Fey)
Regarding claim 1, Bemanian teaches
A method comprising:
running a first program(fig 1:130; par 35 “The flow 100 includes firing the agent on each of the two or more redundant processors 130 to commence coincident operation. The firing the  in a first processor device on a chip(par 26 “The processor array redundancy can be implemented on a server, a computing device, a processor device, a reconfigurable computing device, an integrated circuit or chip, and so on.” Fig 4:422,424; par 48 “ One allocation configuration includes two processors. The two processors can implement dual redundancy. The dual redundancy allocations can include a plurality of elements 420 and pluralities of elements configured to implement two redundant processors 422 and 424.”) to create a first output signal(fig 1:140; par 36 “The flow 100 includes comparing an output data result 140 from each of the two or more redundant processors to enable a data validation result.”);
sending the first output signal from the first fault domain to a second fault domain via a digital communication channel that includes data access control logic configured to mediate communication between the first fault domain and the second fault domain without the need for an operating system(fig 3:342; par 45 “One or more monitors, such as monitor 1 340 and monitor 2 342, can be used to compare an output data result from each of the two or more redundant processors to enable a data validation result. In the example, monitor 1 340 can monitor, compare, analyze, etc., the output data result from the master 322 processor and the slave 324 processor. Monitor 2 342 can monitor the output data result from the master 332 processor and the slave 334 processor. The one or more monitors can enable data validation when both of the exactly two processors output the same output data result, or when either of the exactly two processors outputs a valid result.” Bemanian does not mention operating systems in either a positive or negative way.);
processing the first output signal by a second program in the second fault domain to create a second output signal(fig 1:150,152; par 37 “The flow 100 includes propagating the data validation result 150. As discussed throughout, the data validation result can be based on receiving valid output data results, receiving a single valid output data result, receiving a vote, and so on. The vote can include a majority vote. In embodiments, the propagating the data validation result can be based on comparing output data 152.”) necessary for a safety-critical function(par 39 “The validated data can be used for adjusting vehicle operating status such as accelerating, decelerating, applying brakes, performing an emergency maneuver, and so on. The data validation can support failsafe operation of the vehicle.”), the processing by the second program being performed concurrently with and independently from the first program(par 35 “The flow 100 includes firing the agent on each of the two or more redundant processors 130 to commence coincident operation. The firing the agent can be accomplished using a fire signal, loading valid data, initiating an interrupt, scheduling a rotating circular buffer, and so on. The coincident operation can include parallel operation, simultaneous operation, and so on.”);
and including the second output in a safety critical control signal(par 39 “The validated data can be used for adjusting vehicle operating status such as accelerating, decelerating, applying brakes, performing an emergency maneuver, and so on. The data validation can support failsafe operation of the vehicle.”).
However, Bemanian do not specifically teach limitation without the need for an operating system.
On the other hand, UltraSoC teaches 
A method comprising:
running a first program in a first fault domain on a chip to create a first output signal(fig 4:”Master CPU”; pg 6 par 5 - pg 7 par 0 “One example of the UltraSoC IP’s use in safety and security is in supporting lock-step mode for groups of processors. A bus monitor can inspect the transactions performed by each of the protected processor cores to see whether they are consistent.”);
sending the first output signal from the first fault domain to a second fault domain via a digital communication channel that includes data access control logic configured to mediate communication between the first fault domain and the second fault domain(pg 6 par 5 - pg 7 par 0  “A bus monitor can inspect the transactions performed by each of the protected processor cores to see whether they are consistent. If a mismatch is detected, the monitor can flag an error that is then picked up by recovery functionality in the SoC (Figure 4). This mismatch may be due to a failure within the system, or may be due to a malicious intervention, so detecting it quickly is imperative. The Lockstep Monitor can be extended to include processor trace and even register status monitoring, allowing behavior comparisons to be performed at any level of granularity.”) without the need for an operating system(pg 6 par 1 “An UltraSoC monitoring infrastructure is built from small, ‘smart’ hardware blocks incorporated into the SoC to monitor its operation. They operate across the entire SoC, reporting rich real-time information captured via subsystem components, including processors, accelerators, buses and even custom logic.” UltraSoC provides a hardware level service, at the processor or bus level. Hardware level acts before an operating system gets involved, and does not require an operating system.);
processing the first output signal by a second program in the second fault domain to create a second output signal necessary for a safety-critical function, the processing by the second program being performed concurrently with and independently from the first program(pg 6 par 5 - pg 7 par 0 “A bus monitor can inspect the transactions performed by each of the protected processor cores to see whether they are consistent. If a mismatch is detected, the monitor can flag an error that is then picked up by recovery functionality in the SoC (Figure 4). This mismatch may be due to a failure within the system, or may be due to a malicious intervention, so detecting it quickly is imperative. The Lockstep Monitor can be extended to include processor trace and even register status monitoring, allowing behavior comparisons to be performed at any level of granularity.”);
and including the second output in a safety critical control signal(pg 7 par 0 “If a mismatch is detected, the monitor can flag an error that is then picked up by recovery functionality in the SoC (Figure 4). This mismatch may be due to a failure within the system, or may be due to a malicious intervention, so detecting it quickly is imperative.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify Bemanian to incorporate the hardware implementation of UltraSoC.  One of ordinary skill in the art would have been motivated to remedy the shortcomings of Bemanian -- a need for a solution for the issue of how to quickly detect issues and respond in a safety critical system(UltraSoC pg 4 par 2-3 “Second, after release and shipping, the system should be monitored and should include safety and security mechanisms that can detect issues and trigger a suitable response. Against this backdrop, developers across multiple industries are recognizing the need for hardware-level 
However, Bemanian and UltraSoC do not specifically teach fault domains on a chip.
On the other hand, Fey teaches 
A method comprising:
running a first program in a first fault domain on a chip to create a first output signal(fig 4:5; col 6 ln 30-34 “Referring to FIG. 4, the area of the chip surface 23 is illustrated on which the monitoring circuits 5 and 5' (FMon for monitoring the operating voltage) mentioned in FIG. 2 are arranged.”);
sending the first output signal from the first fault domain(fig 3a:25,24; col 6 ln 7-17 “two functional groups are isolated from each other by isolation zones 24 such as guard rings or trenches in such a fashion that defective circuit components will not take any influence on neighboring function blocks. Besides, the functional groups are arranged on the chip preferably in such a manner that redundant functions are spaced from each other physically (spatially and/or electrically) on the chip to the greatest extent possible. This circumstance prevents any interaction of the structurally identical groups due to a malfunction, being caused e.g. by thermal overload or ESD intervention.”) to a second fault domain(fig 3a:25’,24; col 6 ln 18-20 “shows in a principle view two electrically interconnected functional groups 25 and 25' which are isolated from each other by isolation zones 24.”) via a digital communication channel that includes data access control logic configured to mediate communication between the first fault domain and the second fault domain without the need for an operating system(fig 3a:30,28’ col 6 ln 20-27 “The electric lines 30 interconnect the function blocks and, for this purpose, extend like bridges over the isolation zones 24. To avoid shortcomings in terms of safety due to a line connection, there is an additional electric separation of the functional groups. Therefore, the lines 30 are designed in such a way that upon the occurrence of a fault of functional group 25, no reaction to the functional group 25' or vice-versa is possible.”);
processing the first output signal by a second program in the second fault domain to create a second output signal necessary for a safety-critical function, the processing by the second program being performed independently from the first program(fig 4:35; col 6 ln 40-45 “If, for example, malfunction occurs in the line connections of the two circuit arrangements 5 and 5', no electric signal is applied to the signal line 36 when the main driver 26 is actuated by the main driver actuation control 35. In this case, a signal prevails at line 36 only if a signal is applied to all inputs of the AND gates.” );
and including the second output in a safety critical control signal (fig 4:5,5’col 6 ln 45-48 “Failure of a monitoring circuit 5 or 5' or any fault detected by this circuit, respectively, will thus cause blocking of the main driver 26 and, hence, disabling of the valve 6.”). 
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify Bemanian and UltraSoC to incorporate the fault domain/isolation zones on a single chip of Fey.  One of ordinary skill in the art would have been motivated to remedy the shortcomings of Bemanian and UltraSoC -- a need for a solution for the issue of how to group separate safety-critical microprocessor 

Regarding claim 2, Bemanian, UltraSoC, and Fey teaches,
The method of claim 1, further comprising:
Bemanian further teaches,
sending the safety critical control signal to an actuator for safety critical use. (par 39 “The validated data can be used for adjusting vehicle operating status such as accelerating, decelerating, applying brakes, performing an emergency maneuver, and so on. The data validation can support failsafe operation of the vehicle.”)
Fey also specifically teaches actuators 
sending the safety critical control signal to an actuator for safety critical use.(col4 ln 57-67; “The functional groups being arranged in pairs or existing several times on the joint chip or chip support member, such as monitoring circuits, voltage monitoring arrangements, watchdog, etc., are advantageously connected electrically to each other and/or to an actuator in such a fashion that in each case the failure of one functional group is observed by the other functional group belong to the pair and/or by a component connected to both functional groups belonging to the pair ( e.g. actuator driver). It is this way possible to disable the actuator driver e.g. when there is a malfunction in the line connections of the two circuits.”)
 
Regarding claim 3, Bemanian, UltraSoC, and Fey teaches,
The method of claim 1, 
Bemanian further teaches,
wherein the first program is run independently of and concurrently with the second program.( par 35 “The flow 100 includes firing the agent on each of the two or more redundant processors 130 to commence coincident operation. The firing the agent can be accomplished using a fire signal, loading valid data, initiating an interrupt, scheduling a rotating circular buffer, and so on. The coincident operation can include parallel operation, simultaneous operation, and so on.”)

Regarding claim 4, Bemanian, UltraSoC, and Fey teaches,
The method of claim 1, 
Bemanian further teaches,
wherein the digital communication channel defines a third fault domain(fig 4:436; par 48 “Other allocation techniques can be used. An allocation configuration includes three processors, where the three processors can implement triple-redundancy. Triple-redundancy can be useful for comparing an output data result from the three redundant processors. The triple-redundancy allocations can include a plurality of elements 430 and further pluralities of elements configured to implement three redundant processors 432, 434, and 436.”).

Regarding claim 5, Bemanian, UltraSoC, and Fey teaches,
The method of claim 4, 
Bemanian further teaches,
wherein the first program is run on a first set of programmable logic gates(par 35 “The flow 100 includes firing the agent on each of the two or more redundant processors 130 to commence coincident operation. The firing the agent can be accomplished using a fire signal, loading valid data, initiating an interrupt, scheduling a rotating circular buffer, and so on.”), and wherein the further processing is run on a second set of programmable logic gates(par 40 “In embodiments, the propagating can be accomplished using an interrupt signal 212. The interrupt signal, such as an interrupt request (IRQ), can be processed by an interrupt handler, a processor, a process control manager, and so on. The interrupt signal can be asynchronous. In embodiments, the propagating the data validation result can be based on comparing valid output data 214.”).

Regarding claim 6, Bemanian, UltraSoC, and Fey teaches,
The method of claim 4 
Bemanian further teaches,
wherein the digital communication channel is a first digital communication channel(par 26 “Elements of the reconfigurable fabric can be arranged in quads of elements, where the quads include processing elements, shared storage elements such as first in first out (FIFO) elements or direct memory access (DMA) elements, switching elements, rotating circular , and further comprising:
running an additional program in a fourth fault domain to create an additional output signal(fig 4; par 48 “As discussed throughout, a plurality of processing elements within a reconfigurable fabric can be configured to implement the two or more redundant processors. Two redundant allocation configurations are illustrated. One allocation configuration includes two processors.” par 48 ”Other allocation techniques can be used. An allocation configuration includes three processors, where the three processors can implement triple-redundancy. Triple-redundancy can be useful for comparing an output data result from the three redundant processors. Triple-redundancy can be useful for comparing an output data result from the three redundant processors. The triple-redundancy allocations can include a plurality of elements 430 and further pluralities of elements configured to implement three redundant processors 432, 434, and 436.” Par 46 “Two or more processors can be used for array redundancy within a reconfigurable fabric. A plurality of processing elements within a reconfigurable fabric can be configured to implement two or more redundant processors. The two or more redundant processors can be enabled for coincident operation.” Bemanian teaches that can be many different allocation configurations, and Bemanian provides examples with two and three fault domains, and consistently describes the configuration as “two or more processors”. A person having ordinary skill in the art would extend this to three, four, or any number of fault domains , sending the additional output signal from the fourth fault domain to a second digital communication channel(fig 4; par 47 “The elements of the reconfigurable fabric can include processing elements, storage elements, switching elements, and so on. The elements can be coupled to communications paths, where the communications paths can enable communication with other elements. The inter-element communications can include nearest neighbor communications. Communication with elements beyond nearest neighbor elements may be accomplished using switching elements, inter-element communications paths, and the like.”);
sending, by the second digital communication channel, the additional output signal to the second fault domain for further processing by the second program to create an additional processed signal(fig 1:140; par 36 “The flow 100 includes comparing an output data result 140 from each of the two or more redundant processors to enable a data validation result.”);
including the additional processed signal in a safety critical control signal(fig 1:150; par 37 “The flow 100 includes comparing an output data result 140 from each of the two or more redundant processors to enable a data validation result.”); and
sending the safety critical control signal to an actuator for safety critical use(fig 2; par 39 “The validated data can be used for adjusting vehicle operating status such as accelerating, decelerating, applying brakes, performing an emergency maneuver, and so on. The data validation can support failsafe operation of the vehicle.”).

Regarding claim 7, Bemanian teaches,
An integrated circuit comprising:
a first fault domain(fig 3:320; par 44 “Redundancy for agent loading is shown 300. Agents can be loaded onto machines, such as agent 1 310 loaded onto machine 1 320, and agent 2 312 loaded onto machine 2 330.”) including a first set of programmable logic gates configured to run a first program to create a first output(fig 1:130; par 35 “The flow 100 includes firing the agent on each of the two or more redundant processors 130 to commence coincident operation. The firing the agent can be accomplished using a fire signal, loading valid data, initiating an interrupt, scheduling a rotating circular buffer, and so on.”);
a second fault domain(fig 3:320; par 44 “Redundancy for agent loading is shown 300. Agents can be loaded onto machines, such as agent 1 310 loaded onto machine 1 320, and agent 2 312 loaded onto machine 2 330.”) including a second set of programmable logic gates configured to run a second program to create a second output(fig 1:130; par 35 “The flow 100 includes firing the agent on each of the two or more redundant processors 130 to commence coincident operation. The firing the agent can be accomplished using a fire signal, loading valid data, initiating an interrupt, scheduling a rotating circular buffer, and so on.”); and
a digital communication channel in communication with the first set of programmable logic gates and a second set of programmable logic gate, the digital communication channel including data access control logic configured to mediate communication between the first fault domain and the second fault domain without the need for an operating system(fig 3:342; par 45 “One or more monitors, such as monitor 1 340 and monitor 2 342, can be used to compare an output data result from each of the two or more redundant processors to enable a data validation result. In the example, monitor 1 340 can monitor, compare, analyze, etc., the output data result from the master 322 processor and the slave 324 processor. Monitor 2 342 .
However, Bemanian do not specifically teach limitation without the need for an operating system.
On the other hand, UltraSoC teaches 
An integrated circuit comprising:
a first fault domain including a first set of programmable logic gates configured to run a first program to create a first output(fig 4:”Master CPU”; pg 6 par 5 - pg 7 par 0 “One example of the UltraSoC IP’s use in safety and security is in supporting lock-step mode for groups of processors. A bus monitor can inspect the transactions performed by each of the protected processor cores to see whether they are consistent.”);
a second fault domain including a second set of programmable logic gates configured to run a second program to create a second output(fig 4:”Master CPU”; pg 6 par 5 - pg 7 par 0 “One example of the UltraSoC IP’s use in safety and security is in supporting lock-step mode for groups of processors. A bus monitor can inspect the transactions performed by each of the protected processor cores to see whether they are consistent.”); and
a digital communication channel in communication with the first set of programmable logic gates and a second set of programmable logic gate(pg 6 par 5 - pg 7 par 0  “A bus monitor can inspect the transactions performed by each of the protected processor cores to see , the digital communication channel including data access control logic configured to mediate communication between the first fault domain and the second fault domain without the need for an operating system(pg 6 par 1 “An UltraSoC monitoring infrastructure is built from small, ‘smart’ hardware blocks incorporated into the SoC to monitor its operation. They operate across the entire SoC, reporting rich real-time information captured via subsystem components, including processors, accelerators, buses and even custom logic.” UltraSoC provides a hardware level service, at the processor or bus level. Hardware level acts before an operating system gets involved, and does not require an operating system.).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify Bemanian to incorporate the hardware implementation of UltraSoC.  One of ordinary skill in the art would have been motivated to remedy the shortcomings of Bemanian -- a need for a solution for the issue of how to quickly detect issues and respond in a safety critical system(UltraSoC pg 4 par 2-3 “Second, after release and shipping, the system should be monitored and should include safety and security mechanisms that can detect issues and trigger a suitable response. Against this backdrop, developers across multiple industries are recognizing the need for hardware-level monitoring and analysis of system behavior.”) -- with UltraSoC providing a known method to 
However, Bemanian and UltraSoC do not specifically teach fault domains on an integrated circuit/chip.
On the other hand, Fey teaches 
An integrated circuit(col 1 ln 12-19 “The present invention relates to an integrated circuit arrangement and its use in electronic brake systems for motor vehicles or in electronic control systems for governing the driving dynamics of motor vehicles or for controlling electronically controlled parking brakes or for controlling vehicle restraint systems such as airbag controls.”) comprising:
a first fault domain including a first set of programmable logic gates configured to run a first program to create a first output(fig 4:5; col 6 ln 30-34 “Referring to FIG. 4, the area of the chip surface 23 is illustrated on which the monitoring circuits 5 and 5' (FMon for monitoring the operating voltage) mentioned in FIG. 2 are arranged.”);
a second fault domain(fig 3a:25’,24; col 6 ln 18-20 “shows in a principle view two electrically interconnected functional groups 25 and 25' which are isolated from each other by isolation zones 24.”) including a second set of programmable logic gates configured to run a second program to create a second output(fig 4:5; col 6 ln 30-34 “Referring to FIG. 4, the area of the chip surface 23 is illustrated on which the monitoring circuits 5 and 5' (FMon for monitoring the operating voltage) mentioned in FIG. 2 are arranged.”); and
a digital communication channel in communication with the first set of programmable logic gates and a second set of programmable logic gate, the digital communication channel including data access control logic configured to mediate communication between the first fault domain and the second fault domain without the need for an operating system(fig 3a:30,28’ col 6 ln 20-27 “The electric lines 30 interconnect the function blocks and, for this purpose, extend like bridges over the isolation zones 24. To avoid shortcomings in terms of safety due to a line connection, there is an additional electric separation of the functional groups. Therefore, the lines 30 are designed in such a way that upon the occurrence of a fault of functional group 25, no reaction to the functional group 25' or vice-versa is possible.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify Bemanian and UltraSoC to incorporate the fault domain/isolation zones on a single chip of Fey.  One of ordinary skill in the art would have been motivated to remedy the shortcomings of Bemanian and UltraSoC -- a need for a solution for the issue of how to group separate safety-critical microprocessor systems on a single chip(fey col 3 ln 10-19) -- with Fey providing a known method to solve a similar problem. Fey provides “an integrated circuit arrangement which groups the previously separated circuits on one joint chip or chip support member, on the one hand, and is additionally able to reliably detect an individual fault practically whenever this fault appears.”( Fey col 3 ln 30-35)

Regarding claim 8, Bemanian, UltraSoC, and Fey teaches,
The integrated circuit of claim 7, 

wherein the second program is configured to process the first output signal by running the second program concurrently with and independently from the first program to create the second output signal(par 35 “The flow 100 includes firing the agent on each of the two or more redundant processors 130 to commence coincident operation. The firing the agent can be accomplished using a fire signal, loading valid data, initiating an interrupt, scheduling a rotating circular buffer, and so on. The coincident operation can include parallel operation, simultaneous operation, and so on.”).

Regarding claim 9, Bemanian, UltraSoC, and Fey teaches,
The integrated circuit of claim 8, 
UltraSoC further teaches,
wherein the data access control logic is configured to determine whether the first output signal satisfies a predetermined policy, and if not, then refrain from sending at least a portion of the first output signal from the first fault domain to the second fault domain(pg 6 par 2 “The UltraSoC architecture fully supports standards such as SAE J3061 that link security to safe operation and call for the monitoring and control of security though the entire product lifecycle from development and into usage in the field. Systems need to be able to monitor incidents and attempts to penetrate the system and report them.”).

Regarding claim 10, Bemanian, UltraSoC, and Fey teaches,
The integrated circuit of claim 8, 

wherein the digital communication channel is a third fault domain.(fig 4:420; par 48 “The plurality of elements 420 can be used for loading an agent onto the processors 422 and 424, firing the agent, comparing an output data result from each of the redundant processors, propagating a data validation result, and so on. The plurality of elements 420 can implement an allocation manager, a control manager, and the like. In embodiments, the plurality of elements 420 can operate the processors 422 and 424 as dual-cores.”)


Regarding claim 11, Bemanian, UltraSoC, and Fey teaches,
The integrated circuit of claim 8, 
Bemanian further teaches,
wherein the second output signal is a safety critical control signal(par 39 “The validated data can be used for adjusting vehicle operating status such as accelerating, decelerating, applying brakes, performing an emergency maneuver, and so on. The data validation can support failsafe operation of the vehicle.”).

Regarding claim 12, Bemanian, UltraSoC, and Fey teaches,
The integrated circuit of claim 8, 
However, although Bemanian and UltraSoC suggest using their results for safety control signals, they do not specifically teach an output circuit configured to output the safety control signal.

A safety-critical vehicle breaking circuit and system(fig 2; col 3 ln 35-40 “According to the invention, this object is achieved by the integrated circuit arrangement for safety-critical applications, for regulating and controlling tasks in an electronic brake system for motor vehicles.”);
the integrated circuit further comprising an output circuit configured to output the safety control signal.(col 6 ln 40-48 “If, for example, malfunction occurs in the line connections of the two circuit arrangements 5 and 5', no electric signal is applied to the signal line 36 when the main driver 26 is actuated by the main driver actuation control 35. In this case, a signal prevails at line 36 only if a signal is applied to all inputs of the AND gates. Failure of a monitoring circuit 5 or 5' or any fault detected by this circuit, respectively, will thus cause blocking of the main driver 26 and, hence, disabling of the valve 6.”)
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify Bemanian and UltraSoC to incorporate the fault domain/isolation zones on a single chip of Fey.  One of ordinary skill in the art would have been motivated to remedy the shortcomings of Bemanian and UltraSoC -- a need for a solution for the issue of how to group separate safety-critical microprocessor systems on a single chip(fey col 3 ln 10-19) -- with Fey providing a known method to solve a similar problem. Fey provides “an integrated circuit arrangement which groups the previously separated circuits on one joint chip or chip support member, on the one hand, and is additionally able to reliably detect an individual fault practically whenever this fault appears.”( Fey col 3 ln 30-35)

Regarding claim 13, Bemanian, UltraSoC, and Fey teaches,
The integrated circuit of claim 10, 
Bemanian further teaches,
further comprising an additional fault domain including a set of additional programmable logic gates configured to run an additional program to create an additional output signal(fig 4:436; par 48 “Other allocation techniques can be used. An allocation configuration includes three processors, where the three processors can implement triple-redundancy. Triple-redundancy can be useful for comparing an output data result from the three redundant processors. The triple-redundancy allocations can include a plurality of elements 430 and further pluralities of elements configured to implement three redundant processors 432, 434, and 436.”);
and wherein the digital communication channel is in communication with the additional fault domain(par 26 “Elements of the reconfigurable fabric can be arranged in quads of elements, where the quads include processing elements, shared storage elements such as first in first out (FIFO) elements or direct memory access (DMA) elements, switching elements, rotating circular buffers for control of the elements, communications paths, registers, buffers, and the like. An element or subset of elements within the reconfigurable fabric, such as a quad of elements, can be controlled by providing a "schedule", such as code or instructions, to one or more circular buffers. The code can be executed by enabling----or configuring-the circular buffers to rotate.”) and is further configured to:
receive the additional output signal(fig 3:342; par 45 “One or more monitors, such as monitor 1 340 and monitor 2 342, can be used to compare an output data result from each of the two or more redundant processors to enable a data validation result.”); 
send the additional output signal to the second fault domain; (fig 3:342; par 45 “One or more monitors, such as monitor 1 340 and monitor 2 342, can be used to compare an output data result from each of the two or more redundant processors to enable a data validation result.”; fig 1:150,152; par 37 “The flow 100 includes propagating the data validation result 150. As discussed throughout, the data validation result can be based on receiving valid output data results, receiving a single valid output data result, receiving a vote, and so on. The vote can include a majority vote. In embodiments, the propagating the data validation result can be based on comparing output data 152.”)
and wherein the second program is configured to process the additional output independently from and concurrently with the first program, and is further configured to output a second output signal(par 35 “The flow 100 includes firing the agent on each of the two or more redundant processors 130 to commence coincident operation. The firing the agent can be accomplished using a fire signal, loading valid data, initiating an interrupt, scheduling a rotating circular buffer, and so on. The coincident operation can include parallel operation, simultaneous operation, and so on.”).

Regarding claim 14, Bemanian, UltraSoC, and Fey teaches,
The integrated circuit of claim 10, 
Bemanian further teaches,
further comprising an additional fault domain including a set of additional programmable logic gates configured to run an additional program to create an additional output signal(fig 4:436; par 48 “Other allocation techniques can be used. An allocation configuration includes three processors, where the three processors can implement triple-redundancy. Triple-redundancy can be useful for comparing an output data result from the three redundant processors. The triple-redundancy allocations can include a plurality of elements 430 and further pluralities of elements configured to implement three redundant processors 432, 434, and 436.”);
a second digital communication channel in communication with the additional fault domain(par 47 “The two or more redundant processors can be allocated within a reconfigurable array 400. A reconfigurable array 410 or reconfigurable fabric can include a plurality of elements such as element 412. The elements of the reconfigurable fabric can include processing elements, storage elements, switching elements, and so on. The elements can be coupled to communications paths, where the communications paths can enable communication with other elements. The inter-element communications can include nearest neighbor communications. Communication with elements beyond nearest neighbor elements may be accomplished using switching elements, inter-element communications paths, and the like.”) and configured to:
receive the additional output signal(fig 3:342; par 45 “One or more monitors, such as monitor 1 340 and monitor 2 342, can be used to compare an output data result from each of the two or more redundant processors to enable a data validation result.”);
send the additional output signal to the second fault domain(fig 3:342; par 45 “One or more monitors, such as monitor 1 340 and monitor 2 342, can be used to compare an output data result from each of the two or more redundant processors to enable a data validation result.”; fig 1:150,152; par 37 “The flow 100 includes propagating the data validation result 150. As discussed throughout, the data validation result can be based on receiving valid output data results, receiving a single valid output data result, receiving a vote, and so on. The vote can include a majority vote. In embodiments, the propagating the data validation result can be based on comparing output data 152.”);
and wherein the second program is configured to process the additional output independently from and concurrently with the first program, and further configured to output a second output signal(par 35 “The flow 100 includes firing the agent on each of the two or more redundant processors 130 to commence coincident operation. The firing the agent can be accomplished using a fire signal, loading valid data, initiating an interrupt, scheduling a rotating circular buffer, and so on. The coincident operation can include parallel operation, simultaneous operation, and so on.”).

Regarding claim 15, Bemanian teaches,
An integrated circuit(par 26 “The processor array redundancy can be implemented on a server, a computing device, a processor device, a reconfigurable computing device, an integrated circuit or chip, and so on.” Fig 4:422,424; par 48 “ One allocation configuration includes two processors. The two processors can implement dual redundancy. The dual  comprising:
a first fault domain including a first set of programmable logic gates configured to run a first program(fig 1:130; par 35 “The flow 100 includes firing the agent on each of the two or more redundant processors 130 to commence coincident operation. The firing the agent can be accomplished using a fire signal, loading valid data, initiating an interrupt, scheduling a rotating circular buffer, and so on.”) to create a first output signal(fig 1:140; par 36 “The flow 100 includes comparing an output data result 140 from each of the two or more redundant processors to enable a data validation result.”);
a second fault domain including a second set of programmable logic gates configured to run a second program concurrently with and independently from the first program to create a second output signal(par 35 “The flow 100 includes firing the agent on each of the two or more redundant processors 130 to commence coincident operation. The firing the agent can be accomplished using a fire signal, loading valid data, initiating an interrupt, scheduling a rotating circular buffer, and so on. The coincident operation can include parallel operation, simultaneous operation, and so on.”); and
a digital communication channel in communication with the first programmable logic gate and a second programmable logic gate, the communication being without the use of an operating system(fig 3:342; par 45 “One or more monitors, such as monitor 1 340 and monitor 2 342, can be used to compare an output data result from each of the two or more redundant processors to enable a data validation result. In the example, monitor 1 340 can monitor, compare, analyze, etc., the output data result from the master 322 processor and the slave 324 .
However, Bemanian do not specifically teach limitation without the need for an operating system.
On the other hand, UltraSoC teaches 
 An integrated circuit comprising:
a first fault domain including a first set of programmable logic gates configured to run a first program to create a first output signal(fig 4:”Master CPU”; pg 6 par 5 - pg 7 par 0 “One example of the UltraSoC IP’s use in safety and security is in supporting lock-step mode for groups of processors. A bus monitor can inspect the transactions performed by each of the protected processor cores to see whether they are consistent.”);
a second fault domain including a second set of programmable logic gates configured to run a second program concurrently with and independently from the first program to create a second output signal(fig 4:”Master CPU”; pg 6 par 5 - pg 7 par 0 “One example of the UltraSoC IP’s use in safety and security is in supporting lock-step mode for groups of processors. A bus monitor can inspect the transactions performed by each of the protected processor cores to see whether they are consistent.”); and
a digital communication channel in communication with the first programmable logic gate and a second programmable logic gate(pg 6 par 5 - pg 7 par 0  “A bus monitor can inspect , the communication being without the use of an operating system(pg 6 par 1 “An UltraSoC monitoring infrastructure is built from small, ‘smart’ hardware blocks incorporated into the SoC to monitor its operation. They operate across the entire SoC, reporting rich real-time information captured via subsystem components, including processors, accelerators, buses and even custom logic.” UltraSoC provides a hardware level service, at the processor or bus level. Hardware level acts before an operating system gets involved, and does not require an operating system.).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify Bemanian to incorporate the hardware implementation of UltraSoC.  One of ordinary skill in the art would have been motivated to remedy the shortcomings of Bemanian -- a need for a solution for the issue of how to quickly detect issues and respond in a safety critical system(UltraSoC pg 4 par 2-3 “Second, after release and shipping, the system should be monitored and should include safety and security mechanisms that can detect issues and trigger a suitable response. Against this backdrop, developers across multiple industries are recognizing the need for hardware-level monitoring and analysis of system behavior.”) -- with UltraSoC providing a known method to 
However, Bemanian and UltraSoC do not specifically teach fault domains on an integrated circuit/chip.
On the other hand, Fey teaches 
An integrated circuit(col 1 ln 12-19 “The present invention relates to an integrated circuit arrangement and its use in electronic brake systems for motor vehicles or in electronic control systems for governing the driving dynamics of motor vehicles or for controlling electronically controlled parking brakes or for controlling vehicle restraint systems such as airbag controls.”) comprising:
a first fault domain including a first set of programmable logic gates configured to run a first program to create a first output signal(fig 4:5; col 6 ln 30-34 “Referring to FIG. 4, the area of the chip surface 23 is illustrated on which the monitoring circuits 5 and 5' (FMon for monitoring the operating voltage) mentioned in FIG. 2 are arranged.”);
a second fault domain(fig 3a:25’,24; col 6 ln 18-20 “shows in a principle view two electrically interconnected functional groups 25 and 25' which are isolated from each other by isolation zones 24.”) including a second set of programmable logic gates configured to run a second program concurrently with and independently from the first program to create a second output signal(fig 4:5; col 6 ln 30-34 “Referring to FIG. 4, the area of the chip surface 23 ; and
a digital communication channel in communication with the first programmable logic gate and a second programmable logic gate, the communication being without the use of an operating system(fig 3a:30,28’ col 6 ln 20-27 “The electric lines 30 interconnect the function blocks and, for this purpose, extend like bridges over the isolation zones 24. To avoid shortcomings in terms of safety due to a line connection, there is an additional electric separation of the functional groups. Therefore, the lines 30 are designed in such a way that upon the occurrence of a fault of functional group 25, no reaction to the functional group 25' or vice-versa is possible.”).
Therefore, it would have been obvious to a person of ordinary skill in the art before the effective filing date of the claimed invention to further modify Bemanian and UltraSoC to incorporate the fault domain/isolation zones on a single chip of Fey.  One of ordinary skill in the art would have been motivated to remedy the shortcomings of Bemanian and UltraSoC -- a need for a solution for the issue of how to group separate safety-critical microprocessor systems on a single chip(fey col 3 ln 10-19) -- with Fey providing a known method to solve a similar problem. Fey provides “an integrated circuit arrangement which groups the previously separated circuits on one joint chip or chip support member, on the one hand, and is additionally able to reliably detect an individual fault practically whenever this fault appears.”( Fey col 3 ln 30-35)

Regarding claim 16, Bemanian, UltraSoC, and Fey teaches,
The integrated circuit of claim 15, 
UltraSoC further teaches,
wherein the digital communication channel includes mediation circuitry to determine whether the first output signal satisfies a predetermined policy, and to refrain from sending at least a portion of the first output signal to the second fault domain if the first output signal does not satisfy the predetermined policy(pg 6 par 2 “The UltraSoC architecture fully supports standards such as SAE J3061 that link security to safe operation and call for the monitoring and control of security though the entire product lifecycle from development and into usage in the field. Systems need to be able to monitor incidents and attempts to penetrate the system and report them.”).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
US 20190138406 A1 - Egger - has two different microcontrollers for a safety critical vehicle. 
US 20210157667 A1 - Panesar - UltraSoC technologies's lockstep monitor is similar to applicant's communication mediator which also doesn't use an operating system. This reference was filled a few days after this application though and can not be used as prior art.


Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Bryce Bonzo can be reached on (571) 272-3655. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/M.X./Examiner, Art Unit 2113                                                                                                                                                                                                        /BRYCE P BONZO/Supervisory Patent Examiner, Art Unit 2113