DETAILED ACTION
	This office action is in response to communications for Application No. 16/181,385 filed on 11/06/2018.
	Claims 1-15 are pending and ready for examination.

Notice of Pre-AIA or AIA Status
	The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Priority
	Acknowledgment is made of applicant’s claim for priority to European Application No. EP17200871.6 filed on 11/09/2017.

Information Disclosure Statement
	The Information Disclosure Statements (IDS) submitted on 11/12/2018 and 03/13/2020 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the Information Disclosure Statements are being considered by the examiner.

Drawings
The drawings are objected to under 37 CFR 1.83(a) because [Figure 1] is not labeled as prior art and [Figure 3] fails to show the steps of the flowchart as described in the specification. Any structural detail that is essential for a proper understanding of the disclosed invention should be shown in the drawing. MPEP § 608.02(d). Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled 

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
Claims 1-15 are rejected under 35 U.S.C. 101 because the claimed invention is directed to a judicial exception (i.e., a law of nature, a natural phenomenon, or an abstract idea) without significantly more in view of the 2019 Revised Patent Subject Matter Eligibility Guidance (2019 PEG).

Regarding Claim 1, in view of Step 1, the claimed invention is directed to a statutory category of a process.
	In view of Step 2A, Prong One, the claims are directed to a judicial exception as an abstract idea, specifically a mental process. The limitations, wherein a physical system analysis model representing the physical system architecture of said safety-critical system is modified incrementally until calculated failure rates of failure modes of said physical system analysis model are less or equal to failure rates of corresponding failure modes of a functional system analysis model representing a functional system architecture of said safety-critical system, in the context of this claim, encompass the user manually using a pen and paper to draw a physical system analysis model representing the physical system architecture of said safety-critical system (Instant App. [Fig. 8]) and a functional system analysis model representing a functional system architecture of said safety-critical system (Instant App. [Fig. 8]) and incrementing failure rates between the models to achieve a value less or equal to each other, using pen and paper. Accordingly, the claim recites an abstract idea.
	In view of Step 2A, Prong Two, the additional elements, both individually and in combination, merely recite that a physical system analysis model representing the physical system architecture of said safety-critical system is modified incrementally until calculated failure rates of failure modes of said physical system analysis model are less or equal to failure rates of corresponding failure modes of a functional system analysis model representing a functional system architecture of said safety-critical system. Such calculations do not improve the functioning of a computer or of a model, nor do they offer improvements in a technical field. Rather, these elements merely amount to generally linking the use of a judicial exception to a particular technological environment or field of use by setting failure rates between the models lower or equal to each other, see MPEP 2106.04(d)(I). The additional elements have been considered both individually and as an ordered combination in the significantly more consideration. Accordingly, the claim is directed to the abstract idea.
	In view of Step 2B, as discussed with respect to Step 2A Prong Two, the specification merely recites (Instant app, [0070], “Thereby, it can be checked if the failure rates λ of the top events TE of the physical system analyzing model PSYS-AM are less equal to the failure rates λ defined by the respective output failure modes OFM in the functional system architecture model FSYS-AM. Moreover, if failure rates λ are specified in the input failure modes IFM within the CFT elements on the functional layer, also these values can be compared with the results of a quantitative FTA of the physical system architecture PSYS-A (intermediate results of the analysis of the top events), which again must be less or equal”.) but does not specify why failure rates must be less or equal to each other. Accordingly, the additional elements of the claim merely again amount to generally linking the use of a judicial exception to a MPEP 2106.05(h). Accordingly, these additional elements do not amount to significantly more than the abstract idea, and do not render the abstract idea patent eligible, see MPEP 2106.05(f).
	Independent Claims 13-15 recite similar limitations except for the recitation using generic computer components. Merely adding generic computer components to perform the method is not sufficient. Mere instructions to apply an exception using a generic computer component cannot integrate a judicial exception into a practical application at Step 2A or provide an inventive concept in Step 2B. Thus, the claim must include more than mere instructions to perform the method on a generic component or machinery to qualify as an improvement to an existing technology. See MPEP 2106.05(f). Therefore, the claims are also ineligible. 

	Dependent Claims 2-12 merely recite additional aspects of a mental process to analyze and design a physical system architecture of a safety-critical system. For example, 
	Claim 2 recites wherein the physical system architecture comprises hardware components, software components and/or embedded software components represented in said physical system analysis model, which merely represents drawing components associated with the model, using pen and paper (refer to Figs. 6 and 8). 
	Claim 3 recites wherein for each function of the functional system architecture a component fault free, CFT, element is specified having input failure modes and/or output failure modes, which merely represents associating the failure modes with a Component Fault Tree (CFT), using pen and paper (refer to Figs. 2 and 5). 
	Claim 4 recites wherein for each function of the functional system architecture represented by the functional system analysis model associated elements within the physical system architecture represented by the physical system analysis model adapted to implement the respective function are specified, which merely represents associating elements of a physical system analysis model with their respective component functions in a Component Fault Tree (CFT), using pen and paper (refer to Figs. 2 and 5). 
	Claim 5 recites wherein for each associated element of the physical system analysis model a component fault tree, CFT, element is generated automatically based on the specified relationship between the functional system analysis model and the physical system analysis model of said safety-critical system, which merely represents generating elements between models utilizing a Component Fault Tree (CFT), using pen and paper (refer to Figs. 2 and 5).
	Claim 6 recites wherein for each failure model of a component fault tree, CFT, element specified for a function of the functional system analysis model implemented by the associated element in the physical system analysis model a corresponding failure mode is created in the respective component fault tree, CFT, element, which merely represents identifying failure modes with respect to elements of a Component Fault Tree (CFT), using pen and paper (refer to Figs. 2 and 5).
	Claim 7 recites wherein the generated component fault tree, CFT, element of the associated element of the physical system analysis model comprises information available in the component fault tree, CFT, elements of the respective functions within the functional system analysis model implemented by the associated element, which merely represents associating elements of a Component Fault Tree (CFT) with information from the models, using pen and paper.
	Claim 8 recites wherein a quantitative fault tree analysis, FTA, is performed for each output failure mode of the physical system analysis model consisting of the generated component fault tree, CFT, elements to calculate a failure rate of the respective output failure mode, which merely represents performing a quantitative Fault Tree analysis (Boolean logic) technique, using pen and paper.
	Claim 9 recites wherein all failure rates of the output failure modes of the physical system analysis model are compared pairwise with the failure rates of the corresponding output failure modes of the functional system analysis model consisting of the component fault tree, CFT, elements of the functions within the functional system architecture of said safety-critical system, which merely represents comparing failure rates in pairs between the two models, using pen and paper.
	Claim 10 recites wherein the physical system analysis model representing the physical system architecture of said safety-critical system and the functional system analysis model representing the functional system architecture of said safety-critical system are modeled in an architecture description language and stored in a memory, which merely represents representing the architecture of the models in an architecture description language, using pen and paper.
	Claim 11 recites wherein the architecture description language is SYSML, which merely represents representing the models in a SYSML architecture description language, using pen and paper.
	Claim 12 recites wherein the failure rates of output failure modes of the functional system analysis model representing the functional system architecture of said safety-critical system comprise tolerable hazard rate thresholds of the respective failures, which merely represents associating the model with tolerable hazard rate thresholds, using pen and paper.

	Claims 13-15 are also rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.
	Claim 13 is directed to software per se as demonstrated by “A piece of Software” (Instant app., [0078], “This software tool can be used for designing, analyzing, monitoring, simulating and/or controlling any kind of safety-critical system SYS.”).
	Claim 14 is directed to software per se as demonstrated by “An analyzing system” (Instant app., [0078], “This software tool can be used for designing, analyzing, monitoring, simulating and/or controlling any kind of safety-critical system SYS.”).
Claim 15 is directed to software per se by “A safety-critical system” (Instant app., [0078], “This software tool can be used for designing, analyzing, monitoring, simulating and/or controlling any kind of safety-critical system SYS.”).
	For these reasons, Claims 13-15 do not appear to be directed to patent eligible subject matter.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):


The following is a quotation of the first paragraph of pre-AIA 35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 14 and 15 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA), first paragraph, as failing to comply with the enablement requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to enable one skilled in the art to which it pertains, or with which it is most nearly connected, to make and/or use the invention.
MPEP 2164.01(a): There are many factors to be considered when determining whether there is sufficient evidence to support a determination that a disclosure does not satisfy the enablement requirement and whether any necessary experimentation is "undue." These factors include, but are not limited to:
(A) The breadth of the claims;
(B) The nature of the invention;
(C) The state of the prior art; 
(D) The level of one of ordinary skill;
(E) The level of predictability in the art;
(F) The amount of direction provided by the inventor;
(G) The existence of working examples; and
(H) The quantity of experimentation needed to make or use the invention based on the content of the disclosure.

Regarding Claim 14, the claim recites, “An analyzing system for analyzing a safety-critical system having a physical system architecture represented by a physical system analysis model and having a functional system architecture represented by a functional system analysis model wherein the analyzing system is adapted to perform the method according to claim 1.” 
The following is an analysis by the Examiner of the factors pertaining to the instant application.
(A) The breadth of the claims;
Under broad reasonable interpretation, the claim language is considered fairly broad, with no specific definitions requiring particular or narrowing interpretation of the claim language above.
(B) The nature of the invention;
The specification merely recites an analyzing system for an embodiment (see [0020-0022]) but does not provide any further detail on what an analyzing system is or any components related to an analyzing system adapted to perform the method of Claim 1.
(D) The level of one of ordinary skill;
The specification merely recites an analyzing system for an embodiment (see [0020-0022]) but does not provide any further detail on what an analyzing system is or any components related to an analyzing system adapted to perform the method of Claim 1. Accordingly, one of ordinary skill in the art would not know how to make and use the invention without a description of elements to perform the function i.e., the analyzing system adapted to perform the method of Claim 1.
 (G) The existence of working examples; 
No working examples are provided. The specification merely recites an analyzing system for an embodiment (see [0022-0022]) but does not provide any further detail on what an analyzing system is or any components related to an analyzing system adapted to perform the method of Claim 1. Accordingly, one of ordinary skill in the art would not know how to make and use the invention without working examples to perform the function i.e., an analyzing system adapted to perform the method of Claim 1.

The factors above indicate the invention has not been enabled for a person of ordinary skill in the art.

Regarding Claim 15, the claim recites, “A safety-critical system comprising a plurality of internal components, wherein at least one internal component is adapted to perform the method according to claim 1 or forms an interface to at least one external analyzing unit adapted to perform the method.” 
The following is an analysis by the Examiner of the factors pertaining to the instant application.
(A) The breadth of the claims;
Under broad reasonable interpretation, the claim language is considered fairly broad, with no specific definitions requiring particular or narrowing interpretation of the claim language above.
(B) The nature of the invention;
The specification merely recites an internal component and external component (refer to [0024,0078]) but does not further mention what an internal component or external analyzing unit may be. Accordingly, one of ordinary skill in the art would not know how to make and use the invention without a description of elements to perform the function i.e., an internal component or external analyzing unit adapted to perform the method of Claim 1.
 (D) The level of one of ordinary skill;
The specification merely recites an internal component and external component (refer to [0024,0078]) but does not further mention what an internal component or external analyzing unit may be. Accordingly, one of ordinary skill in the art would not know how to make and use the invention without a description of elements to perform the function i.e., an internal component or external analyzing unit adapted to perform the method of Claim 1.
 (G) The existence of working examples; 
No working examples are provided. The specification merely recites an internal component and external component (refer to [0024,0078]) but does not further mention what an internal component or external analyzing unit may be. Accordingly, one of ordinary skill in the art would not know how to make and use the invention without working examples on how to perform the function i.e., an internal component or external analyzing unit adapted to perform the method of Claim 1.

The factors above indicate the invention has not been enabled for a person of ordinary skill in the art.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.

The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:


Claims 1-15 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.

Regarding Claim 1, the claim recites wherein a physical system analysis model representing the physical system architecture of said safety-critical system is modified incrementally until calculated failure rates of failure modes of said physical system analysis model are less or equal to failure rates of corresponding failure modes of a functional system analysis model representing a functional system architecture of said safety-critical system. However, it is unclear how the models are “incrementally modified”. Further, the specification provides a plurality of examples of what a “functional system analysis model” is, such as description of a system, components at a software level, or specification at a functional level without defining the implementation of said functionality, which renders the claim indefinite.

Regarding Claim 3, the claim recites wherein for each function of the functional system architecture a component fault free, CFT, element is specified having input failure modes and/or output failure modes, wherein for each failure mode, a failure rate is specified which represents a corresponding safety or reliability requirement of said safety-critical system. However, it is unclear of the applicant’s intent for the scope of the claim, which renders the claim indefinite. For example, it is unclear what a failure mode of a CFT element is and how a failure rate is being determined with respect to the failure modes for each function of the functional system.

Regarding Claim 4, the claim recites wherein for each function of the functional system architecture represented by the functional system analysis model associated elements within the physical system architecture represented by the physical system analysis model adapted to implement the respective function are specified. However, it is unclear of the applicant’s intent for the scope of the claim, which renders the claim indefinite. For example, the specification merely recites the limitation and it is unclear how the physical system analysis model is being adapted to implement the respective functions. 

Regarding Claim 5, the claim recites wherein for each associated element of the physical system analysis model a component fault tree, CFT, element is generated automatically based on the specified relationship between the functional system analysis model and the physical system analysis model of said safety-critical system. However, it is unclear of the applicant’s intent for the scope of the claim, which renders the claim indefinite. For example, the specification merely recites the limitation and it is unclear what a specified relationship between the models is.

Regarding Claim 6, the claim recites wherein for each failure model of a component fault tree, CFT, element specified for a function of the functional system analysis model implemented by the associated element in the physical system analysis model a corresponding failure mode is created in the respective component fault tree, CFT, element. However, it is unclear of the applicant’s intent for the scope of the claim, which renders the claim indefinite. For example, it is unclear how failure modes of a component fault tree element being implemented are associated with a corresponding failure mode being created in a respective component fault tree, CFT, element.

Regarding Claim 7, the claim recites wherein the generated component fault tree, CFT, element of the associated element of the physical system analysis model comprises information available in the component fault tree, CFT, elements of the respective functions within the functional system analysis model implemented by the associated element. However, it is unclear of the applicant’s intent for the scope of the claim, which renders the claim indefinite. For example, it is unclear what the available information is and how it is related to respective functions implemented by an associated element. It also appears that Claim 7 should be dependent upon Claim 6. 

Regarding Claim 8, the claim recites wherein a quantitative fault tree analysis, FTA, is performed for each output failure mode of the physical system analysis model consisting of the generated component fault tree, CFT, elements to calculate a failure rate of the respective output failure mode. However, it is unclear of the applicant’s intent for the scope of the claim, which renders the claim indefinite. The phrase "consisting of" renders the claim indefinite because it is unclear whether the limitations following the phrase are part of the claimed invention.  

Regarding Claim 9, the claim recites wherein all failure rates of the output failure modes of the physical system analysis model are compared pairwise with the failure rates of the corresponding output failure modes of the functional system analysis model consisting of the component fault tree, CFT, elements of the functions within the functional system architecture of said safety-critical system. However, it is unclear of the applicant’s intent for the scope of the claim, which renders the claim indefinite. The phrase "consisting of" renders the claim indefinite because it is unclear whether the limitations following the phrase are part of the claimed invention.  

All claims dependent upon a rejected base claim are rejected by virtue of their dependency.

Claim Interpretation
	In view of the 35 U.S.C. 112(a) and 35 U.S.C. 112(b) rejections and for examination purposes, the examiner will provide a claim interpretation section to advance prosecution. 
	Regarding Claim 1, the examiner will interpret a “functional system analysis model” to merely represent functional components on the functional layer of a system architecture. Further, the examiner will interpret the term “incrementally modifying” to merely represent an increase or a sequence of steps to achieve a safety analysis model between the failure modes/rates of the physical and functional models.
	Regarding Claim 3, the examiner will interpret the scope of the claim to merely represent a function of the functional system architecture with respect to a Component Fault Tree (CFT) element. Further, the Component Fault Tree (CFT) element contains failure modes and failure rates associated with the safety-critical system.
	Regarding Claim 4, the examiner will interpret the limitation a “physical system analysis model adapted to implement the respective function are specified” to merely represent adapting i.e., associating or making use of functions between the two models. 
	Regarding Claim 5, the examiner will interpret the limitation a “specified relationship” to merely represent associated functions or dependencies between the two models.
	Regarding Claim 6, the examiner will interpret the scope of the claim to merely represent creating a failure mode in the respective Component Fault Tree (CFT) element of the physical model with respect to failure modes of the functional model. 
Regarding Claim 7, the examiner will interpret the scope of the claim to merely represent determining information available in the Component Fault Tree (CFT) elements between the two models i.e., dependencies. 

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for 
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The text of those sections of Title 35, U.S. Code not included in this action can be found in a prior Office action.
The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 1-15 are rejected under 35 U.S.C. 103 as being unpatentable over Zeller et al. (Non-Patented Literature, “ALFRED: A Methodology to Enable Component Fault Trees for Layered Architectures”, hereinafter “Zeller”) in view of Rupanov et al. (Non-Patented Literature, “Employing early model-based safety evaluation to iteratively derive E/E architecture design”, hereinafter “Rupanov”).

	Regarding Claim 1, Zeller discloses a method for analyzing and designing a physical system architecture (Zeller, [Page 168, 1st col.], “Therefore, we present in this paper a methodology that is able to divide safety analysis models into different vertical layers of a systems architecture.”) of a safety-critical system (Zeller, [Page 167, 2nd col.], “The rapid development and analysis of safety analysis models is important also in early stages during the development of safety critical systems.”), wherein
	a physical system analysis model (Zeller, [Page 170, 1st col.], “The second layer consists of two hardware or physical components. Figure 2 shows the component fault trees for these components…” [Page 170, Fig. 2] hardware layer. [Page 172, 2nd col.], “The components Battery (B) and Microcontroller (M) belong to the physical layer of the architecture.”) representing the physical system architecture (Zeller, [Page 168, 1st col.], “Therefore, we present in this paper a methodology that is able to divide safety analysis models into different vertical layers of a systems architecture.”) of said safety-critical system (Zeller, [Page 167, 2nd col.], “The rapid development and analysis of safety analysis models is important also in early stages during the development of safety critical systems.”) is modified (Zeller, [Page 174, Fig. 7] discloses “false-negative” and “false-positive” conditions and associated Failure-In-Time (FIT) values, which is also known in the art as “failure rates”, refer to instant app. [0062-0069])  and of failure modes of said physical system analysis model (Zeller, [Page 172, 1st col.], “All output failure modes Ofm(c) are now supplemented with the failure modes of the components in A(c) to model the failure dependency in a conservative way…”) are less or equal to failure rates (Zeller, [Page 172], “In this example, two safety analysis from different layers, logical and physical, are combined for a common safety analysis model.” [Page 174], “As can be concluded from this result, the components of the functional layer can be maintained exchangeable from the hardware or physical layer.” [Page 174, Fig. 7] discloses “false-negative” and “false-positive” conditions and associated Failure-In-Time (FIT) values, which is also known in the art as “failure rates”, also refer to instant app. [0062-0069] which discloses “FIT”. 
Accordingly, Zeller discloses a safety analysis from different layers, i.e., physical and functional to generate a common safety analysis model which is maintained and exchangeable, which under the broadest reasonable interpretation, represents the “physical system analysis model” containing less or equal failure rates to achieve an overall safety-critical system with respect to the functional system analysis model. Further, Fig. 7 discloses equal FIT values for the functional layer, which is associated with the physical layer through the failure dependency relation, which also under the broadest reasonable interpretation, represents calculated less or “equal” failure rates for the safety-critical system.) of corresponding failure modes (Zeller, [Page 172], “All output failure modes Ofm(c) are now supplemented with the failure modes of the components in A(c) to model the failure dependency in a conservative way.”) of a functional system analysis model (Zeller, [Page 168, 1st col.], “Another example is the decomposition into a functional layer and a physical layer.” [Page 170, 1st col.], “These two functions build one layer of the architecture model, e.g. the software or functional layer.”) representing a functional system architecture (Zeller, [Page 170, 1st col.], “These two functions build one layer of the architecture model, e.g. the software or functional layer.”) of said safety-critical system (Zeller, [Page 167, 2nd col.], “The rapid development and analysis of safety analysis models is important also in early stages during the development of safety critical systems.”).

While Zeller discloses a safety evaluation technique including failure rates to meet the functionality safety requirements between the dependencies of the physical and functional layers of the system, which may properly imply to one of ordinary skill in the art as “incrementally” modifying (i.e., modifying the models in small increases, stages, or additions) to determine a less or equal failure rate between the models, Zeller does not expressly disclose wherein a physical system analysis model representing the physical system architecture of said safety-critical system is modified incrementally until calculated failure rates of failure modes of said physical system analysis model are less or equal to failure rates of corresponding failure modes of a functional system analysis model.
	However, Rupanov discloses wherein a physical system analysis model representing the physical system architecture (Rupanov, [Page 163, Last Section], “In context of systems with integrated architecture, EEA represents the functional structure of the system (functional concept), physical structure of the system (hardware components), and mapping between them.”) of said safety-critical system (Rupanov, [Page 162], “In this section background information on model-driven development and safety-critical systems is provided, and an overview of state of the art in automotive industry is done.”) is modified incrementally until calculated failure rates of failure modes of said physical system analysis model (Rupanov, [Page 171], “At the beginning of the analysis process all the input models are defined. In the Functional Component Model the sink-Connectors of the systems root component, are initialized with associated SwFailureEffects and corresponding failure rates.” [Page 172], “A sum of partial failure rates over all relevant failure modes through all HwComponents results in λ residual(SwCi, FECk), which is the failure rate for the SwComponent deployed to a specific node.” – Examiner’s Note: Zeller discloses initializing failure rates and calculating sums of partial failure rates, which under the broadest reasonable interpretation, represents “incrementally” modifying the failure rates between the software and hardware components i.e., functional and physical layers.) are less or equal to failure rates (Rupanov, [Page 161, Abstract], “This process simplifies identification of the most sensitive parts of the architecture, selection of the best suitable safety mechanisms to reduce thereby failure rate on the system level and improve the metrics defined by the standard.” [Page 168], “A HwNode consists of HwComponents. 
HwComponents provide Resources to SwComponents, and through this relation failure rates for corresponding FailureModes are computed … Models of safety mechanisms are defining software components or hardware functions that can be embedded into the system design as a factor to limit the excessive failure rate that potentially violates the safety goal.” [Page 172], “Failure rate calculation. First, the software dependencies are analyzed. During the deployment transformation each LogicComponent is extended to AppSwComponent, for which required services need to be defined. It is then possible to select SwComponents which implement the service for the specific software stack (defined for a HwNode), and SwComponents, on which these depend. In this way platform models simplify deployment specification. After full lists of SwComponents (SwC) for each node are determined, for each pair {SwCi, FECk} hardware failure effects {HwFailureEffect}i,k, which can cause failure effects of class FailureEffectClass (FEC), are chosen to determine the set of relevant failure modes” – Examiner’s Note: Rupanov discloses reducing the failure rate on the system level, associating the relations of failure rates/failure modes of the SW and HW components, and limiting the failure rate for software and hardware functions, which under the broadest reasonable interpretations, represents a failure rate less or equal between the models to achieve an overall safety-critical system. Further, Rupanov discloses failure rate calculations with respect to the software dependencies of the HW and SW components to determine a relevant set of failure modes, which also under the broadest reasonable interpretation, represents less or equal failure rate to achieve an overall safety-critical system.) 
of corresponding failure modes of a functional system analysis model (Rupanov, [Page 163, Last Section], “In context of systems with integrated architecture, EEA represents the functional structure of the system (functional concept), physical structure of the system (hardware components), and mapping between them.” [Page 172], “…After full lists of SwComponents (SwC) for each node are determined, for each pair {SwCi, FECk} hardware failure effects {HwFailureEffect}i,k, which can cause failure effects of class FailureEffectClass (FEC), are chosen to determine the set of relevant failure modes”).
	Zeller and Rupanov are each and respectively analogous to the instant application because they are from the same field of endeavor of safety-critical systems. It would have been obvious to one of the ordinary skill in the art before the effective filing date of the instant application to integrate Rupanov’s design to reduce failure rates on the system level and improve the metrics defined by the standard (Rupanov, [Abstract], “This process simplifies identification of the most sensitive parts of the architecture, selection of the best suitable safety mechanisms to reduce thereby failure rate on the system level and improve the metrics defined by the standard.”). 

	Regarding Claim 2, Zeller discloses the method according to claim 1, wherein the physical system architecture comprises hardware components (Zeller, [Page 170, 1st col.], “The second layer consists of two hardware or physical components.” [Page 170, Fig. 2]), software components (Zeller, [Page 170, Fig. 2] [Page 172], “The functionality of the emergency braking software component is basically to transmit the steering and throttle.”) and/or embedded software components (Zeller, [Page 168], “Cyberphysical systems consist of more or less loosely coupled embedded systems.” [Page 170, Fig. 2]) represented in said physical system analysis model (Zeller, [Page 170, Fig. 2]).

	Regarding Claim 3, Zeller discloses the method according to claim 1, 
	wherein for each function of the functional system architecture a component fault tree (Zeller, [Page 169, Fig.1] [Page 170, Fig. 2]), CFT, element (Zeller, [Page 171, 1st col.], “Using these sets and relationships, a fault tree model can be generated from the component fault tree elements and the failure dependencies that reflects the failure behavior of both architecture layers in a conservative way. For every failure dependency relation, all basic events that are included in the component fault tree of the dependency element are added to all failure modes of the dependent component.”) is specified having input failure modes and/or output failure modes (Zeller, [Page 171, 1st col.], “Using these sets and relationships, a fault tree model can be generated from the component fault tree elements and the failure dependencies that reflects the failure behavior of both architecture layers in a conservative way. For every failure dependency relation, all basic events that are included in the component fault tree of the dependency element are added to all failure modes of the dependent component.” [Page 173, 1st col.], “The comparatively simple functionality of the emergency braking functionality results in 22 different failure modes modeled within component fault trees as so-called output failure modes as introduced in section 3.”).

	Zeller does not expressly disclose wherein for each failure mode, a failure rate is specified which represents a corresponding safety or reliability requirement of said safety-critical system.
	However, Rupanov discloses wherein for each failure mode (Rupanov, [Page 166], “1. Models of safety mechanisms have to be kept separate from component models, as a single safety mechanism can cover numerous failure modes of different components causing the same failure effect on the node level.”), a failure rate is specified (Rupanov, [Page 168], “Models of safety mechanisms are defining software components or hardware functions that can be embedded into the system design as a factor to limit the excessive failure rate that potentially violates the safety goal.”) which represents a corresponding safety or reliability requirement (Rupanov, [Page 168], “Models of safety mechanisms are defining software components or hardware functions that can be embedded into the system design as a factor to limit the excessive failure rate that potentially violates the safety goal.” [Page 171], “Goal of analysis (safety goal) is defined as a set of safety requirements and an ASIL assignment.”) of said safety-critical system (Rupanov, [Page 162], “In this section background information on model-driven development and safety-critical systems is provided, and an overview of state of the art in automotive industry is done.”).
	Refer to the analysis of Claim 1 for the motivation to combine references.

	Regarding Claim 4, Zeller discloses the method according to claim 1, wherein for each function of the functional system architecture represented by the functional system analysis model (Zeller, [Page 170, 1st col.], “Figure 2 shows an example system with failure dependency relations between different layers of the system model. On the top, the component fault trees (CFT) of two functions f1 and f2 are depicted… These two functions build one layer of the architecture model, e.g. the software or functional layer.”), associated elements within the physical system architecture represented by the physical system analysis model adapted to implement the respective function are specified (Zeller, [Page 170, 2nd col.], “Since the functional failure behavior is also dependent from failures that occur in the hardware layer, failure dependency relations are used here to model this dependency.” [Page 170, Fig. 2] – Examiner’s Note: Zeller discloses functional dependencies between the two layers, i.e. functional and physical, which under the broadest reasonable interpretation, represents the physical system analysis model adapting to the respective functions of the functional system analysis model.).

	Regarding Claim 5, Zeller discloses the method according to claim 1, wherein for each associated element of the physical system analysis model a component fault tree (Zeller, [Page 169, Fig.1] [Page 170, Fig. 2]), CFT, element (Zeller, [Page 171, 1st col.], “Using these sets and relationships, a fault tree model can be generated from the component fault tree elements and the failure dependencies that reflects the failure behavior of both architecture layers in a conservative way. For every failure dependency relation, all basic events that are included in the component fault tree of the dependency element are added to all failure modes of the dependent component.”) is generated automatically (Zeller, [Page 168, 1st col.], “For a safety critical function of such systems it might be necessary to be certified automatically at runtime to assure a safe operation.” [Page 169, 1st col.], “From the reused failure propagation models via the HiP-HOPS [15] methodology complete fault trees can be automatically constructed.”) based on the specified relationship between the functional system analysis model and the physical system analysis model of said safety-critical system (Zeller, [Page 170, 2nd col.], “Since the functional failure behavior is also dependent from failures that occur in the hardware layer, failure dependency relations are used here to model this dependency.” [Page 171, 1st col.], “Using these sets and relationships, a fault tree model can be generated from the component fault tree elements and the failure dependencies that reflects the failure behavior of both architecture layers in a conservative way. 
For every failure dependency relation, all basic events that are included in the component fault tree of the dependency element are added to all failure modes of the dependent component.” – Examiner’s Note: In view of the 112(b) and claim interpretation, Zeller discloses relations and relationships associated between the different layers, which under the broadest reasonable interpretation, represents a specified relationship.).

	Regarding Claim 6, Zeller discloses the method according to claim 1, wherein for each failure model of a component fault tree (Zeller, [Page 169, Fig.1] [Page 170, Fig. 2]), CFT, element specified for a function of the functional system analysis model implemented by the associated element in the physical system analysis model a corresponding failure mode is created in the respective component fault tree, CFT, element  (Zeller, [Page 171, 1st col.], “Using these sets and relationships, a fault tree model can be generated from the component fault tree elements and the failure dependencies that reflects the failure behavior of both architecture layers in a conservative way. For every failure dependency relation, all basic events that are included in the component fault tree of the dependency element are added to all failure modes of the dependent component.” [Page 173, 1st col.], “The comparatively simple functionality of the emergency braking functionality results in 22 different failure modes modeled within component fault trees as so-called output failure modes as introduced in section 3.” - Examiner’s Note: In view of the 112(b) and claim interpretation, Zeller discloses determining all failure modes and failure dependencies from both the layers, which under the broadest reasonable interpretation, represents associating respecting failure modes between the CFT elements of the two models.).

	Regarding Claim 7, Zeller discloses the method according to claim 1, wherein the generated component fault tree (Zeller, [Page 169, Fig.1] [Page 170, Fig. 2]), CFT, element of the associated element of the physical system analysis model comprises information available in the component fault tree, CFT, elements of the respective functions within the functional system analysis model implemented by the associated element (Zeller, [Page 171, 1st col.], “Using these sets and relationships, a fault tree model can be generated from the component fault tree elements and the failure dependencies that reflects the failure behavior of both architecture layers in a conservative way. For every failure dependency relation, all basic events that are included in the component fault tree of the dependency element are added to all failure modes of the dependent component.” [Page 173, 1st col.], “The comparatively simple functionality of the emergency braking functionality results in 22 different failure modes modeled within component fault trees as so-called output failure modes as introduced in section 3.” – Examiner’s Note: Zeller discloses failure dependencies and all basic events between the CFT elements of both the layers, which under the broadest reasonable interpretation, represents “information available” in the CFT elements.).

	Regarding Claim 8, Zeller discloses the method according to claim 1, but does not explicitly disclose the further limitations.
	However, Rupanov discloses wherein a quantitative fault tree analysis, FTA, is performed (Rupanov, [Page 172], “Quantitative metrics. To perform ISO 26262 assessment we need to perform analysis of the same fault tree with different failure rate inputs.” “The following failure rates are calculated from the fault tree analysis results…”) for each output failure mode of the physical system analysis model (Rupanov, [Page 171], “In the Functional Component Model the sink-Connectors of the systems root component, are initialized with associated SwFailureEffects and corresponding failure rates. These effects will propagate through the system and reach its outputs.” [Page 172], “A sum of partial failure rates over all relevant failure modes through all HwComponents…”) consisting of the generated component fault tree, CFT, elements (Rupanov, [Page 171], “Therefore we define a specialized analysis framework that is inspired by component fault trees (CFT) [18] and fault propagation and transformation analysis (FPTA) [19].” [Page 177], “Other related approaches to failure logic analysis build on component fault trees (CFT, [18]), which wrap the failure behavior into graph-based modularized fault trees, and on Fault Propagation and Transformation Calculus (FPTC, [29]), where a clear notation is used to describe the local failure logic of the components.”) to calculate a failure rate of the respective output failure mode (Rupanov, [Page 171], “In the Functional Component Model the sink-Connectors of the systems root component, are initialized with associated SwFailureEffects and corresponding failure rates. These effects will propagate through the system and reach its outputs.” [Page 172], “A sum of partial failure rates over all relevant failure modes through all HwComponents…”).
	Refer to the analysis of Claim 1 for the motivation to combine references.

	Regarding Claim 9, Zeller discloses the method according to claim 1, wherein all failure rates of the output failure modes of the physical system analysis model (Zeller, [Page 174, Fig. 7] discloses “false-negative” and “false-positive” conditions and associated Failure-In-Time (FIT) values, which is also known in the art as “failure rates”, refer to instant app. [0062-0069]) are compared pairwise with the failure rates of the corresponding output failure modes of the functional system analysis model (Zeller, [Page 171], “Using these sets and relationships, a fault tree model can be generated from the component fault tree elements and the failure dependencies that reflects the failure behavior of both architecture layers in a conservative way.” [Page 173], “The comparatively simple functionality of the emergency braking functionality results in 22 different failure modes modeled within component fault trees as so-called output failure modes as introduced in section 3.” [Page 174, Fig. 7] – Examiner’s Note: As noted above, discloses “false-negative” and “false-positive” conditions and associated Failure-In-Time (FIT) values, which is also known in the art as “failure rates”, refer to instant app. [0062-0069]. Further, Zeller discloses a comparative functionality technique associated with the output failure modes of the component fault trees, which includes sets, relationships, and positive/negative conditions, which under the broadest reasonable interpretation, may represent a “pairwise” comparison. The specification merely recites this limitation but does not further detail how failure rates are compared “pairwise”.) consisting of the component fault tree, CFT, elements of the functions (Zeller, [Page 171, 1st col.], “Using these sets and relationships, a fault tree model can be generated from the component fault tree elements and the failure dependencies that reflects the failure behavior of both architecture layers in a conservative way. 
For every failure dependency relation, all basic events that are included in the component fault tree of the dependency element are added to all failure modes of the dependent component.” [Page 173, 1st col.], “The comparatively simple functionality of the emergency braking functionality results in 22 different failure modes modeled within component fault trees as so-called output failure modes as introduced in section 3.”) within the functional system architecture (Zeller, [Page 170, 1st col.], “These two functions build one layer of the architecture model, e.g. the software or functional layer.”) of said safety-critical system (Zeller, [Page 167, 2nd col.], “The rapid development and analysis of safety analysis models is important also in early stages during the development of safety critical systems.”).

	Regarding Claim 10, Zeller discloses the method according to claim 1, wherein the physical system analysis model (Zeller, [Page 170, 1st col.], “The second layer consists of two hardware or physical components. Figure 2 shows the component fault trees for these components…” [Page 170, Fig. 2] hardware layer. [Page 172, 2nd col.], “The components Battery (B) and Microcontroller (M) belong to the physical layer of the architecture.”) representing the physical system architecture (Zeller, [Page 168, 1st col.], “Therefore, we present in this paper a methodology that is able to divide safety analysis models into different vertical layers of a systems architecture.”) of said safety-critical system (Zeller, [Page 167, 2nd col.], “The rapid development and analysis of safety analysis models is important also in early stages during the development of safety critical systems.”) and the functional system analysis model (Zeller, [Page 168, 1st col.], “Another example is the decomposition into a functional layer and a physical layer.” [Page 170, 1st col.], “These two functions build one layer of the architecture model, e.g. the software or functional layer.”) representing the functional system architecture (Zeller, [Page 170, 1st col.], “These two functions build one layer of the architecture model, e.g. the software or functional layer.”) of said safety-critical system (Zeller, [Page 167, 2nd col.], “The rapid development and analysis of safety analysis models is important also in early stages during the development of safety critical systems.”) are modeled in an architecture description language (Zeller, [Page 172, 2nd col.], “Figure 5 shows the architecture of a system as a SysML internal block diagram that uses two ultra sonic sensors to enable an emergency braking functionality in a radio controlled car.”) and stored in a memory (Zeller, [Page 170], “These components represent the memory (RAM) and computational resource (CPU) of the system.”).

	Regarding Claim 11, Zeller discloses the method according to claim 10, wherein the architecture description language is SYSML (Zeller, [Page 172, 2nd col.], “Figure 5 shows the architecture of a system as a SysML internal block diagram that uses two ultra sonic sensors to enable an emergency braking functionality in a radio controlled car.”).

	Regarding Claim 12, Zeller discloses the method according to claim 1, but does not expressly disclose the further limitations.
	However, Rupanov discloses wherein the failure rates of output failure modes (Rupanov, [Page 171], “In the Functional Component Model the sink-Connectors of the systems root component, are initialized with associated SwFailureEffects and corresponding failure rates. These effects will propagate through the system and reach its outputs.” [Page 172], “A sum of partial failure rates over all relevant failure modes through all HwComponents…”) of the functional system analysis model (Rupanov, [Page 163, Last Section], “In context of systems with integrated architecture, EEA represents the functional structure of the system (functional concept), physical structure of the system (hardware components), and mapping between them.”) representing the functional system architecture (Rupanov, [Page 167], “For example, in AADL4 the corresponding concepts are modeled in “functional architecture” models (finer details on correspondence of our metamodel to existing languages can be found in Section 5.1).”) of said safety-critical system (Rupanov, [Page 162], “In this section background information on model-driven development and safety-critical systems is provided, and an overview of state of the art in automotive industry is done.”) comprise tolerable hazard rate thresholds of the respective failures (Rupanov, [Page 165], “Requirements include safety goal (SG) definitions, target values for probability of safety goal violation target and architectural metric… Metric target values are directly derived from hazard and risk analysis of the functionality to be deployed on the EEA.”).
	Refer to the analysis of Claim 1 for the motivation to combine references.

	Regarding Claim 13, Zeller and Rupanov disclose a software tool used for designing, analyzing, monitoring, simulating and/or controlling a safety-critical system (Rupanov, [Page 173], “We have developed a modeling tool prototype that allows definition of platform models, safety mechanisms and application models, refinement and analysis of these models in accordance to the methodology.”). Refer to Claim 1 which contains similar limitations and subject matter.

	Regarding Claim 14, Zeller and Rupanov disclose an analyzing system for analyzing a safety-critical system (Rupanov, [Page 173], “We have developed a modeling tool prototype that allows definition of platform models, safety mechanisms and application models, refinement and analysis of these models in accordance to the methodology.”). Refer to Claim 1 which contains similar limitations and subject matter.

	Regarding Claim 15, Zeller and Rupanov disclose a safety-critical system (Rupanov, [Page 166], “We try to define concerns separately and merge partial aspect-centered models to perform ongoing analysis and development of safety-critical systems.”). Refer to Claim 1 which contains similar limitations and subject matter.

Conclusion
	Claims 1-15 are rejected.

	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure:
	Muller et al. (Non-Patented Literature, “The Hazard Analysis Profile: Linking Safety Analysis and SysML”) discloses an approach to link methods of safety analysis and modeling (SysML).
	Sundaram et al. (U.S. Patent Publication No. 2012/0330501 A1) discloses quantitative fault tree analysis techniques including failure rates. 
	Zeller et al. (U.S. Patent Publication No. 2016/0266952 A1) discloses a method for automated qualification of a safety critical system including a plurality of components.


If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kamini Shah, can be reached on (571)272-2279. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.


/P.T.P./Examiner, Art Unit 2146    03/26/2022

/JUSTIN C MIKOWSKI/Primary Examiner, Art Unit 2148