DETAILED ACTION

Status of Claims

This action is in reply to the communication filed on 03/04/2022.
Claims 1 and 16 have been amended.
Claims 2-4 and 14 have been canceled.
Claims 1, 5-13, 15, and 16 are currently pending and have been examined.

	Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
Applicant’s arguments filed 03/04/2022 regarding the rejections under 35 USC § 103 with respect to claim 1 have been considered but are not persuasive; Applicant’s arguments regarding claim 16 have been considered but are moot in view of the new grounds of rejection.

On pg. 7-8 of the Remarks, Applicant essentially argues:
“The Office contends that Caglar generally teaches the claimed programmable logic controller, that the "sensor and/or actuator" of Caglar teaches the claimed at least one field device, and that Caglar also generally teaches the industrial facility recited in claim 1. See Detailed Action, Page 7. It is respectfully submitted, however, that Caglar does not teach or suggest that its programmable logic controller is configured to communicate with its sensor and/or actuator (i.e., the component of Caglar the Office contends teaches the claimed at least one field device) in an industrial facility via an I/0 interface, as would be required by claim.”

emphasis added):
“In the FIG. 1 a network NW is shown, for example a Profinet, Industrial Ethernet, Profibus network or similar, which is suitable for exchanging data, in particular programs and messages. Programmable automation components N1, N2, N3 ("nodes") are connected to the network NW; In addition, another computer is connected to the network NW as an administrative unit AU ("Administration Unit"). The automation components N1, N2, N3 are microprocessor-controlled controllers (so-called PLC's)…On the automation components N1, N2, N3 are (not shown) input and output interfaces, so-called IO modules, connected to the turn sensors and actuators for the control of an industrial process, an automation task, or the like, can be connected.”

Applicant’s remaining arguments are moot in view of the new grounds of rejection.

	Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

Claim 16 is rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
Claim 16 is indefinite due to a number of antecedent basis issues and because the relationship/correspondence between the “instance of a control software” (CS for brevity), the “first instance of the given version of the CS”, the “second instance of the CS which contains only the additional functionality”, and the execution environments/sandboxes is unclear. 
Claim 16 recites executing, in each execution environment, an instance of a CS containing control logic of the PLC, the control logic comprising functionality of a given version of the CS and additional functionality of new program code to be added to this CS, which is circular as written since it essentially CS contains logic comprising (a version of) the CS. The antecedent basis for what is referenced by “this CS” is unclear, as is what is required by “to be added” because the to-infinitive verb ‘to be’ denotes something intended to happen in the future. The subsequent wherein clause further compounds the  issue (wherein a first instance of the given version of the CS is run in a first sandbox, and a second instance of the CS which contains only the additional functionality is run in a second sandbox) describing the functionalities being run in separate environments/sandboxes whereas the prior limitation appears to describe executing them together. 
In order to advance prosecution, in the rejections below the limitations have been interpreted in view of AppSpec ¶0019-0022 and in view of Applicant’s arguments at pg. 9-10 of the 03/04/2022 Remarks.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


Claims 1, 5-13, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Caglar et al. (EP 2506098 A11) in view of Lappa (Virtualization Applicability to Industrial Automation) in further view of Schmid et al. (US 2012/0030524 A1) and further supported by Paharsingh et al. (An Availability Model of a Virtual TMR System with Applications in Cloud/Cluster Computing) in further view of Vachharajani et al. (US 2013/0185586 A1).

Claim 1:
Caglar discloses the limitations as shown in the rejections below:
A programmable logic controller (PLC hereafter) for at least one field device  (sensor and/or actuator) in an industrial facility, comprising: a hardware platform on which an operating system runs, the operating system being configured to execute, in at least one process, a plurality of execution environments (guest OSs of VMs) in each of which a control software (automation programs (APRG)) containing control logic of the PLC is runnable…the hardware platform comprising a main memory, a processor, and communication resources (see at least ¶0002-0003, 0011, 0018-0019, FIG. 1). 
a higher-level management system (management device/client software (CS) thereof + VMM/hypervisor) configured to…execute each of the plurality of execution environments in its own sandbox (VM/”encapsulated environment”) (¶0011, 0013, 0019; FIG. 1). 
the management system comprising a resource manager (management device/CS thereof) configured to allocate to each sandbox access to the main memory, the processor, and the communication resources of the hardware platform (¶0012-0013, 0015, 0020-0022).
wherein the PLC is configured to communicate with the at least one field device (sensor and/or actuator) in the industrial facility via an I/O interface (¶0018).
Caglar is silent regarding implementation specifics of the hypervisor (management system) does not specifically disclose if it is a hosted hypervisor configured to run directly on the OS (i.e. a type 2 hypervisor) or if it integrates the OS kernel and runs on bare metal (type 1).
However, the various types of hypervisor and virtualization implementations, including where it is configured to run directly on the OS, are old and well-known as evidenced by Lappa (pg. 25-26, § 5.2) who provides a detailed analysis of the various VM alternatives specifically considering their 
“The hypervisors can be divided into two different types depending on how they are implemented. These types are type 1 and type 2…The main difference between these two types is that the type 1 implements everything by itself and the type 2 uses some functionality of an existing operating system kernel…The type 1 hypervisor can also be called as a bare metal hypervisor [116] and the type 2 hypervisor can be called as a hosted hypervisor…The type 2 hypervisor shares the hardware with an operating system kernel. The sharing is done so that the hypervisor can use the functionality the operating system kernel provides (pg. 25-26, § 5.2)…Ghosh and P. Sampath have also tested real-time virtualization for industrial control in their paper [38]. In their experiment they used VT-x enabled hardware. The hypervisor used was type 2 hypervisor” (pg. 78, para. 2).

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to implement Caglar’s hypervisor as a hosted type 2 hypervisor as “hypervisors can be divided into two different types depending on how they are implemented. These types are type 1 and type 2 and they both have some advantages and disadvantages” (pg. 25-26, § 5.2; pg. 53).
Regarding the redundancy manager, Caglar further discloses (¶0013, 0014, 0018, 0026)  the automation program (control software) instances are additionally controlled via the management device to provide functionality of the PLC to the devices of the industrial environment including a brief description (¶0014) of employing load balancing to facilitate redundancy; and Lappa (pg. 10, 88-89) discloses embodiments “where a redundant copy of a VM is running simultaneously with the primary copy of the VM” (pg. 88) in a standby/backup configuration to facilitate fault tolerance and security. But Caglar/Lappa do not describe employing either N-modular redundancy (NMR) or software design diversity such as N-version programming and do not disclose forward data inputs from the at least one field device to the multiple redundant instances of the control software, and make data outputs subsequently generated by the multiple redundant instances of the control software consistent with one another, wherein each of the multiple redundant instances of the control software is programmed differently.
Schmid, however, discloses (¶0001-0003, 0027, 0030, 0041; FIG. 1) a PLC for at least one field device (controlled devices, actuators) in an industrial facility (plant) which provides NMR via a plurality of execution environments (data processing means 110), in each of which a control software containing (task/channel software) control logic of the PLC is runnable so as to provide multiple redundant instances of the control software and is further configured to: provide a functionality of the PLC in relation to the at least one field device from the multiple redundant instances of the control software (task/channel software) (¶0036-0037, 0056, 0065), forward data inputs from the at least one field device (source device) to the multiple redundant instances of the control software (¶0025, 0040-0041, 0045), and make data outputs subsequently generated by the multiple redundant instances of the control software consistent with one another (¶0035, 0046-0050), wherein each of the multiple redundant instances of the control software is programmed differently (N-version programming/SW diversity) (¶0034, 0053, 0055). Exemplary quotation:
“By using redundant calculations a considerable amount of errors can be detected by comparison of the results of different calculations or devices. In computing, for example by triple modular redundancy (TMR) is understood a fault tolerant form of N-modular redundancy, in which three systems perform a process and that result is processed by a voting system to produce a single output…The TMR concept can be applied to many forms of redundancy, such as software redundancy in the form of N-version programming” (¶0034).

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Caglar/Lappa to employ NMR and N-version programming as taught by Schmid because it increases the reliability and safety of the control system (¶0034, 0053, 0055, 0062) as further evidenced/supported by Paharsingh (pg. 261-262, § I; pg. 262, § II, para. 1, 6-10; pg. 263, Fig. 2) disclosing that it was known in the art “to combine the advantages of the virtual system with the 
Regarding the monitoring/restarting functionality, Caglar further discloses (¶0012, 0025-0026, 0008) continuously monitor a functioning of the multiple redundant instances of the control software and, when an instance fails, to restart this instance and/or its execution environment. See also Paharsingh, pg. 261, col. 2; pg. 264, col. 1, para. 1; pg. 265, col. 2 disclosing exploiting the fast restart capabilities offered by virtual systems. See also Lappa pg. 80, para. 3: “The ability to create new virtual machines and containers quickly can be used as disaster recovery method”. Although the two recovery techniquest are taught individually the combination of Caglar/Lappa/Schmid/Paharsingh does not specifically disclose both performing a restart and also activate at least one additional instance in an additional execution environment in a further sandbox as a recovery technique.
However, it was known alternative in the high-availability/fault management arts to both restart a failed redundant instance and start an additional instance as shown by Vachharajani disclosing (¶148-0150, 0157-0159,0040, 0114-0115, 0146) a redundancy manager (health monitor) is configured to continuously monitor a functioning of the multiple redundant instances of the control software and, when an instance fails, to restart this instance and/or its execution environment, and to activate at least one additional instance in an additional execution environment in a further sandbox (virtual machine): “The health monitor application 1310 may monitor the state information for each of the application instances stored in the share system database 1105-g to dynamically detect and remedy problems arising with the application instances (¶0148)…If one instance of the load balancing application 215 crashes, the health monitor application 1310 may detect the crash…Upon detecting the crash, the health monitor application 1310 may…cause the controller application 205-e to attempt restart the crashed instance of the load balancing application 215 and/or create a new instance of the load balancing application” (¶0149, emphasis added).
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Caglar/Lappa/Schmid/Paharsingh’s fault response method with the fault remediation disclosed by Vachharajani to increase the flexibility of the of the fault handling and ensure the best remedy is applied for the particular fault detected (Vachharajani ¶0148-0150, 0157-0159).

Claim 5:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Caglar further discloses (¶0014, 0027) the redundancy manager is configured to control a communication of multiple redundant instances of the control software with the at least one field device (sensor, actuator) according to a round robin method (evenly/proportionally distributed). See also Lappa pg. 84, para. 2.

Claim 6:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Caglar further discloses wherein the functionality of the PLC is provided by the plurality of execution environments, the plurality of execution environments comprising two execution environments having different contents, and/or by two instances of the control software (¶0022, 0009, 0002-0003). See also Paharsingh pg. 263, Fig. 2.




Claim 7:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. The combination of Caglar/Lappa further discloses wherein at least one sandbox contains an abstraction layer (Caglar: “runtime environment” providing emulation; Lappa VMM2/“Device Model”) configured to react to system calls originating from an execution environment of the plurality of execution environments in a same way as…the hardware of a control unit (proprietary hardware) for which the execution environment and/or the associated control software was developed in ¶0022: ”the software VMM of the automation component N3, which creates a corresponding runtime environment in a free memory area…resources of the automation component N3 are allocated by the software VMM to the runtime environment and thus to the operating system installed there to the required extent so that a specific proprietary hardware can also be emulated.” See also Lappa pg. 46-47, § 5.5.1, full virtualization embodiment: “The advantage of the full virtualization is that the OS kernels in the VMs can keep using the existing device drivers. These device drivers see an emulated version of the hardware so they can use it the way they would use the actual hardware.”

Claim 8:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Lappa further discloses wherein the abstraction layer contains at least one runtime environment (“Device Model”) configured to implement handling routines for the system calls originating from the execution environment, using the operating system in at least pg. 46-47, § 5.5.1, full virtualization embodiment combined with type 2 hypervisor (pg. 26, para. 2; pg. 53). In other words, pg. 47, Fig. 23 except instead of hypervisor driver: “The type 2 hypervisors can simply use the existing native device drivers provided by the operating system kernel they work with” (pg. 26).

Claim 9:
Regarding the limitations of claim 9, Caglar’s solution employs hardware virtualization to generate a separate VM instance with virtualization functions of the hypervisor for each sandbox, not OS-level virtualization, and accordingly does not disclose generate a separate user space instance with virtualization functions of the OS for each sandbox. 
However, OS-level virtualization where software is isolated by generating a separate user space instance (container) with virtualization functions of the OS for each sandbox old and well-known as evidenced by Lappa (pg. 60-63) who provides a detailed analysis of the various virtualization alternatives, including OS-level virtualization, specifically considering their applicability to industrial automation systems such as that of Caglar and the claims. 
It would have been obvious3 to one of ordinary skill in the art at the time the invention was filed to substitute Caglar’s VM-based sandboxing with container-based in, for example, scenarios where performance is more critical than strong isolation “The benefit of OS-level virtualization compared to the hardware virtualization is the better performance. However, it provides less isolation than hardware virtualization” (Lappa pg. 63).

Claims 10 and 11:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. The combination of Caglar/Lappa further discloses wherein the management system contains a hypervisor configured to provide a separate virtual machine for each sandbox wherein at least one version, adapted to the hypervisor, of one of the plurality of execution environments (guest OSs of VMs) is virtualized by paravirtualization by the hypervisor (Caglar ¶0019, 0022; Lappa pg. 24, § 5.1, para. 3; pg. 48; pg. 78, para. 3; pg. 85, last para.).

Claim 12:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Caglar further discloses wherein the resource manager is configured to reallocate allocations unused in at least one first sandbox for access to the main memory, processor, and/or communication resources to at least one second sandbox (¶0020, 0024).

Claim 13:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Caglar further discloses wherein the resource manager is configured to completely or partially revoke a respective resource of at least one first sandbox and to reallocate it to at least one second sandbox according to rules in a set of rules when there is a shortage of main memory, processor power, and/or communication resources (¶0023, 0012).

Claim 15:
The combination of Caglar/Lappa/Schmid/Paharsingh/Vachharajani discloses the limitations as shown in the rejections above. Caglar further discloses a computer program product (node hard disk and/or memory) containing machine-readable instructions, which, if executed on a computer and/or a given PLC (e.g. node N3), configure the computer or given PLC as the PLC (e.g. node N1) according to claim 1 in at least ¶0018, 0023, 0027.


Claim 16 is rejected under 35 U.S.C. 103 as being unpatentable over Caglar in view of Lappa in further view of (TenAsys Real-time Hypervisor), hereafter “TenAsys”).

Claim 16:
Caglar discloses the limitations as shown in the rejections below:
A method for controlling at least one field device (sensor and/or actuator) in an industrial facility by a PLC (PLC/automation component) the method comprising: executing, by a higher-level management system (management device/client software (CS) thereof + VMM/hypervisor)…running on a hardware platform of the PLC, a plurality of execution environments (guest OSs of VMs), each in a sandbox  (VM/”encapsulated environment”) of its own (see at least ¶0002-0003, 0011, 0013 0018-0019, FIG. 1).
the hardware platform comprising a main memory, a processor, and communication resources, the management system comprising a resource manager (management device/CS thereof) configured to allocate to each sandbox access to the main memory, processor power, and the communication resources of the hardware platform  (¶0012-0013, 0015, 0020-0022; FIG. 1).
executing, in each execution environment (VM OS), an instance of a control software (automation programs (APRG)) containing control logic of the PLC  (¶0009-0012, 0018-0019, 0021), “each of the virtual machines is adapted to execute an operating system and at least one automation program” (¶0009).
communicating the outcome of the instances of the control software to the at least one field device via an I/O interface (¶0018).
Caglar is silent regarding implementation specifics of the hypervisor (management system) does not specifically disclose if it is a hosted hypervisor running directly on an OS (i.e. a type 2 hypervisor) or if it integrates the OS kernel and runs on bare metal (type 1).
configured to run directly on the OS, are old and well-known as evidenced by Lappa (pg. 25-26, § 5.2; pg. 78, para. 2) who provides a detailed analysis of the various VM alternatives specifically considering their applicability to industrial automation systems (pg. 78, para. 2; pg. 92-93, pg. 98) such as that of Caglar and the claims. 
It would have been obvious to one of ordinary skill in the art at the time the invention was filed to implement Caglar’s hypervisor as a hosted type 2 hypervisor as “hypervisors can be divided into two different types depending on how they are implemented. These types are type 1 and type 2 and they both have some advantages and disadvantages” (pg. 25-26, § 5.2; pg. 53).
Regarding the limitations reciting executing, in each execution environment, an instance of a control software containing control logic of the PLC, the control logic comprising functionality of a given version of the control software and additional functionality of new program code to be added to this control software…wherein a first instance of the given version of the control software is run in a first sandbox, and a second instance of the control software which contains only the additional functionality is run in a second sandbox, Caglar at least suggests the subject matter (¶0009-0012) disclosing a single automation component/PLC executing multiple APRGs that provide respective functionality to implement the control logic of the PLC, including embodiments where each of the APRGs can be encapsulated in separate VMs (first instance…run in a first sandbox…second instance…run in a second sandbox). However, due to ambiguity issues (See rejections under 112(b) above) the combination of Caglar/Lappa does not clearly teach the limitation.
TenAsys, however, discloses an analogous virtualized system (pg. 6) to execute real-time workloads including specifically PLC control software in industrial environments (pg. 4, para. 1-3; pg. 10, “Industrial Control”) and further discloses (pg. 8, sect. “Legacy RTOS support”; pg. 10) the limitations: executing, in each execution environment (General Purpose OS (GPOS)/RTOS), an instance of a control software containing control logic of the PLC, the control logic comprising functionality of a given version of the control software (legacy applications) and additional functionality of new program code (“new feature code”) to be added to this control software…wherein a first instance of the given version of the control software is run in a first sandbox (VM), and a second instance of the control software which contains only the additional functionality is run in a second sandbox. Exemplary quotations (emphasis added):
“The TenAsys real-time hypervisor can directly host legacy real-time applications or host a legacy RTOS and its application(s). With minimal modification to existing code, new features can be added to the legacy application by simultaneously hosting a GPOS, thereby enabling developers to maximize code preservation and maintain performance. Interprocess communication, facilitated by the real-time hypervisor, is used to augment the legacy application by adding new features via processes running in parallel virtual machines” (pg. 8)… Take, for example, a Windows-based industrial control application where the real-time tasks run on a PLC engine that must operate continuously, and with very precise timing…Because Windows and the PLC engine reside in separate virtual machines, the PLC engine is assured of its need for continuous operation, regardless of the state of Windows…Legacy real-time systems are a prime application for the TenAsys real-time hypervisor. Proven real-time applications can be hosted in a guest real-time virtual machine with little or no modification—enabling developers to maximize code preservation and maintain performance while using the real-time hypervisor to add new features via a parallel general purpose operating system.”

It would have been obvious to one of ordinary skill in the art at the time the invention was filed to modify Caglar/Lappa to employ TenAsys’s methods for supporting and augmenting legacy control software to “enable[e] developers to maximize code preservation and maintain performance while using the real-time hypervisor to add new features” (pg. 10).


Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
The prior art made of record and not relied upon is considered pertinent to applicant’s disclosure:
US 2009/0076628 A1 discloses intelligent configuration for restarting failed application server instances.
Any inquiry of a general nature or relating to the status of this application or concerning this communication or earlier communications from the Examiner should be directed to Paul Mills whose telephone number is 571-270-5482.  The Examiner can normally be reached on Monday-Friday 11:00am-8:00pm.  If attempts to reach the examiner by telephone are unsuccessful, the Examiner’s supervisor, Emerson Puente can be reached at 571-272-3652.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see  http://portal.uspto.gov/external/portal/pair .  Should you have questions on access to the Private 866.217.9197 (toll-free). Any response to this action should be mailed to:
Commissioner of Patents and Trademarks
Washington, D.C.  20231
or faxed to 571-273-8300.
Hand delivered responses should be brought to the United States Patent and Trademark Office Customer Service Window:
Randolph Building
401 Dulany Street
Alexandria, VA 22314.
/P. M./
Paul Mills
03/24/2022                                                                                                                                                                                         
/EMERSON C PUENTE/               Supervisory Patent Examiner, Art Unit 2196                                                                                                                                                                                         


    
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
        
            
    

    
        1 Cited in 11/15/2019 IDS, machine translation included with 10/21/2020 Office Action.
        2 Examiner notes Lappa does not use the terms hypervisor and VMM interchangeably see pg. 22, para. 3)
        3 This combination effectively replaces, in the scope of claim 9, the prior subject matter relied upon from/ combination with Lappa described for claim 1.