DETAILED ACTION
Claims 1-20 (filed 03/28/2022) have been considered in this action.  Claims 1, 8 and 15 have been amended.  Claims 2-7, 9-14 and 16-20 have been presented in the same format as previously presented.

Response to Arguments
Applicant's arguments, see page 7 paragraph 7, filed 03/28/2022, in regards to rejection of claims 1-20 under 35 U.S.C. 103 in view of Ong (US 20190056719) and Hefeeda (US 20150378356) have been fully considered but they are not persuasive.
Applicant has argued that “The Applicant notes that Ong merely describes generation of the redundancy module for each control module and the controllers executing the redundancy module to receive same inputs, outputs, and setpoints being received and provided by the controllers.  Ong, however, in its entirety, does not teach or suggest that a back-up to the at least one primary controller exists on any node among the plurality of nodes”.
The examiner does not find these arguments convincing because Ong describes that all modules are downloaded or “backed up” to each node to allow transition of primary control functions to a secondary/redundancy controller.  Ong describes that “[0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails”.  Ong further describes that “[0034] each controller 150a-n includes control routines or modules that correspond to a subset of the field devices 15-22, 40-46 to control at least a portion of the process”.  Thus the redundancy modules on controller 150b contains a back-up of the controller 150a because in order for the secondary to execute the control module, it must have a copy of the control module.  This is further supported by Ong when stating that “[0054] each of the control modules 208, big data modules, and redundancy modules are downloaded to each of the controllers 150a-n prior to execution (e.g., when the modules are generated) and stored in their respective memories 212a-n. When the control executive 200 selects a controller 150a to execute a particular module, the control manager 152 provides an indication of the particular module to the selected controller 150a and the selected controller 150a retrieves the particular module from memory 212a and executes the particular module”.  Ong is thus describing that all modules including redundancy modules are “backed up” on any of the a-n controllers, because it is downloaded to the a-n controllers at the time of execution, and in particular the control module exists on the controller 150b to take over the functions being synchronized via the control module on controller 150a.  In other words controller 150b contains a copy, and thus a back-up, of the modules executed by controller 150a in order to take over upon failure.  As is well-known in redundancy systems, in order for a secondary controller to operate as a real-time secondary, it must at any moment in time be in the same state in terms of its execution of the control program (i.e. control module) and in order to do this it must receive the same inputs to trigger the same sequence of inputs and outputs in the memory while executing the control program.  This is the idea of a primary controller and a secondary controller remaining “synchronized” and is described as a redundancy module by Ong.  They are synchronized because at any moment the primary could fail, thus in order for there to be a “bump-less” transition, the state of all variables and program execution must be identical, else when the primary controller fails the secondary would be in a different state and thus make different control decisions based on that different state.  
In addition, the examiner does not find this argument convincing because the scope of what a ‘back-up’ entails is not claimed nor is described by the applicant.  A back-up of an automation controller can be broadly encompassed by a copy of the active memory of the controller, a copy of the programs stored on the controller, a copy of the operating system of the controller, or at least any combination of these examples.  Generally, the examiner interprets “back-up” to mean a copy of data that exists in a second location.  A person having ordinary skill in the art would recognize that inherent to a secondary controller that is able to take over from a primary controller (i.e. “maintain the at least one secondary controller as an alternative”) is that the secondary must have the same programs and control software as the primary controller in order for it to execute those same functions and take over upon failure.  The applicant is seemingly arguing that Ong never explicitly states “back-up”, however the scope of what a back-up entails is not defined or described the applicant, nor claimed, and the examiner believes a person having ordinary skill in the art would recognize that the execution of redundancy modules and having copies of control modules that allows a secondary controller to take over when a primary controller fails so that it executes the same control modules inherently contains a ‘back-up’ of the primary controller because it is able to execute identical functions of the control modules through the use of redundancy modules, especially in an instance where all modules are already downloaded to all nodes/controllers, including control modules and redundancy modules.  The fact that Ong explicitly states in paragraph [0052] that during different time intervals, the determined modules (including control, redundancy and big data modules) are downloaded before their actual execution would imply to one having ordinary skill in the art that they are ‘backed up’ by having the data copied and replicated.  
According to the applicant’s own claim language the backing up is performed “to allow the at least one primary controller to maintain the at least one secondary controller as an alternate to the at least one primary controller”.  Through the use of downloading all modules, including control modules and redundancy modules to all controllers of Ong, and by teaching that the redundancy modules are “[0035] so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails”, it satisfies all requirements of the claim, including what is encompassed by a primary controller being “backed-up” based upon the broadest reasonable interpretation of that phrase.  All modules are downloaded to the respective controller nodes in accordance to a load balancing algorithm based on different time intervals, and thus are backed up.

Applicant has further argued that Ong and Hefeeda fail to teach moving the at least one secondary controller to another node different than the existing node for load balancing or an equipment update.  The examiner disagrees because Ong teaches that a “control manager 152” acts in accordance to a “load balancer 202” that according to paragraphs [0041]-[0065] describe various ways in which modules are assigned based on a load balancing so that load can be equally distributed amongst the controllers according to the expected amount of load in each time interval.  Specifically in paragraph [0052] of Ong, if a controller in one time interval is executing modules, and then is to be overloaded in the next time interval, it’s module execution will be reassigned to a different controller in order to keep the balancing of load, and thus is “for a load balancing” according to the claim by executing the process shown in Figure 3 for each time interval.  The assignment of modules during different time periods according to a load balancing algorithm that includes downloading of modules to respective controllers based on those determined assignments meets all the elements of this limitation including the act of “moving” the secondary controller from one logical controller to another because the data is being downloaded to the appropriate controller in each time period.  The examiner below provides a more thorough mapping of this newly claimed concept to show that this concept is indeed taught through Ong under the heading of claims rejection under 35 U.S.C. 103.

Based upon the record of art, the examiner believes an interview may be beneficial to the applicant in order to further prosecution in a timely manner.  It is recommended the applicant establish an interview to help clarify the claim language and to achieve the goal of compact prosecution.  

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-7 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. 
Claim 1 contains the limitation “and moving the at least one secondary controller to another node different than the existing node among the plurality of nodes for load balancing or an equipment update to the at least one primary controller to prevent loss during a shut down or a disruption to the synchronization of the at least one primary controller in the automation control system”.  The examiner can find no instance in the provided specification that describes how the update is “to the at least one primary controller to prevent loss during a shut down or a disruption to the synchronization of the at least one primary controller”.  All updates in the specification are generally linked to an undefined controller, and not to the specific update of the primary controller.  No support can be found that explicitly links that the moving is “for...an equipment update to the at least one primary controller” as claimed, and thus is considered new matter.  The applicant must provide a reference from the original specification showing where such support is described.  
It is noted that claims 8-20 have not received this rejection because claims 8 and 15 do not link the moving for “an equipment update to the at least one primary controller” as claims 8 and 15 more broadly claim this as “an equipment update” not specifically tied to a primary or secondary controller.   It is suggested the applicant remove this element from claim 1.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 8 and 15 contain a form of the limitation “and moving the at least one secondary controller to another node different than the existing node among the plurality of nodes for load balancing or an equipment update to the at least one primary controller to prevent loss during a shut down or a disruption to the synchronization of the at least one primary controller in the automation control system”.  This statement is unclear because it is not clearly established that the “existing node” is the node where the back-up to the at least one primary controller exists, as there is no antecedent basis established for what “the existing node” actually is.  In addition, this limitation does not clearly establish what is actually moved during the moving step.  Does the move entail moving all the data from the previous secondary controller to a new secondary controller?  Does it entail merely moving the logical determination of which node is to act as the secondary, in the sense that copies of data may already exist on all secondaries so that when the secondary is “moved” it merely makes that logical node which is the new secondary take over in the event the primary is updated?  No details are claimed as to what entails this claimed “move”, thus under the broadest reasonable interpretation the examiner shall interpret this limitation to mean that a different node from the previous secondary becomes a “new” secondary in the sense that the new secondary will act as the controller which takes over in the event of failure of the primary.  In other words, any technical action which facilitates “prevention of a loss during a shut down or disruption to a synchronization of the at least one primary controller in the automation system” can be considered to read on the “move” limitation, as long as it is for a “load balancing or equipment update”.
Claims 2-7, 9-14 and 16-20 are rejected under 35 U.S.C. 112(b) for being dependent upon claims 1, 8 and 15.

Claims 1-7 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1 contains the limitation “and moving the at least one secondary controller to another node different than the existing node among the plurality of nodes for load balancing or an equipment update to the at least one primary controller to prevent loss during a shut down or a disruption to the synchronization of the at least one primary controller in the automation control system”.  This limitation does not logically flow from the remainder of what is claimed, nor from the applicant’s own arguments, because a moving of a secondary controller to another node would not inherently achieve “to prevent loss during a shut down or a disruption to the synchronization” for “an equipment update to the at least one primary controller” because by updating the primary controller it would inherently cause that primary controller to disrupt synchronization.  As noted by the applicant’s arguments:
“Furthermore, the Applicant's specification at least at para. [0043], indicates that to realize another key benefit of the hive - load balancing across the computing resources as well as easy addition of new hardware for incremental compute, it may be necessary to have a method to "move" the secondary to another node without any loss of availability (e.g., an interval in which the primary does not have an active, synchronized backup). Conventional redundancy mechanisms would require the SEC to be shutdown, then restarted/re-synchronized in a different node, which can take several minutes to accomplish and exposes a window of vulnerability to the availability of the control mission. Note that the disclosed embodiments can also be applied to a fixed configuration of redundant elements intended to represent a controller where redundant elements can be deleted or added by manual configuration”.
From these arguments, it is logical to conclude that the in order for there to be “an interval in which the primary does not have an active, synchronized backup” the secondary is moved in anticipation of an “update” to the secondary controller because it is by always having at least one secondary controller activate as a redundant during times a current secondary is unavailable that this effect is achieved.  If a primary controller receives an update (as described in the specification as a hardware upgrade or firmware upgrade), it will inherently shut down, thus causing it to no longer be the primary controller because it is no longer executing its control functions when shut down for an update.
As explained by the applicant’s specification “[0040] As such, the primary controller and its backup secondary can exist on any viable hardware nodes, and there may be dynamic cases where there is a need to move the secondary controller to some other hardware in order to balance the load of execution and redundancy. To do this with standard 1:1 redundancy primary/backup, to move the secondary controller would involve a loss of synch and a re-synch, which exposes a window of vulnerability should the primary controller fail while the secondary controller is being moved”.  From this statement it is apparent that the secondary controller is being moved to another different secondary controller in order to maintain redundancy in the event of failure or update of the secondary controller, as no action is claimed upon which the primary controller no longer acts as primary controller.  For the sake of compact prosecution, the examiner shall consider that the equipment update can be for any of the nodes, whether they be primary or secondary controller nodes.  
Claims 2-7 depend upon claim 1 and thus inherit the rejection under 35 U.S.C. 112(b).
It is noted that claims 8-20 have not received this rejection because claims 8 and 15 do not link the moving for “an equipment update to the at least one primary controller” as claims 8 and 15 more broadly claim this as “an equipment update” not specifically tied to a primary or secondary controller.   It is suggested the applicant remove this element from claim 1.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ong et al. (US 20190056719, hereinafter Ong) in view of Hefeeda et al. (US 20150378356, hereinafter Hefeeda).

In regards to Claim 1, Ong discloses “A method of synchronizing controllers in an automation control system, the method comprising: arranging a plurality of redundancy elements in the automation control system comprising a plurality of nodes, wherein the plurality of redundancy elements include at least one primary controller and a plurality of concurrent secondary controllers” (Fig. 2 and [0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a executing the control module. The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; [0030] In some scenarios, the controllers are in a centralized controller farm and are located within the same area (e.g., a temperature controlled room). In other scenarios, the controllers are in a distributed controller farm and are located in several areas (e.g., several temperature controlled rooms); [0032] Turning now to FIG. 1B, the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11) “and wherein a back-up to the at least one primary controller exists on any node among the plurality of nodes;” (Fig. 2 and 3 and [0039] the controller farm 160 includes a control manager 152 that assigns control modules, redundancy modules, big data modules, and any other suitable operations to the controllers 150a-n; [0041] the control manager 152 automatically generates a redundancy module upon obtaining a corresponding control module. Referring now to FIG. 2, the control manager 152 communicates with several controllers 150a-n in the controller farm 160. Each of the controllers 150a-n and the control manager 152 may be physical machines (e.g., hardware) or virtual machines (e.g., software); [0043] the redundancy manager 206 generates a redundancy module for each control module 208 obtained by the control manager 152. The redundancy module may cause the controller 150a-n executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a-n executing the control module without executing the control loops or functions included in the control module. In some embodiments, the control executive 200 provides each of the obtained control modules 208 to the redundancy manager 206 for the redundancy manager to generate a corresponding redundancy module; [0065] At block 312, the assigned modules are downloaded to the respective controllers 150a-n for execution during the particular time interval. Each controller 150a-n executes its assigned modules by providing control signals and otherwise communicating with the field devices 15-22, 40-46 associated with each assigned module.) “backing-up the at least one primary controller by at least one secondary controller among the plurality of concurrent secondary controllers to allow the at least one primary controller to maintain the at least one secondary controller as an alternate to the at least one primary controller” (Fig. 3 and [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc.; [0051] the control executive 200 then provides the assigned modules to the corresponding controllers 150a-n, so that each controller 150a-n may execute the assigned modules. In some embodiments, the control executive 200 analyzes the assignments and may adjust some of the assignments to ensure that multiple controllers 150a-n are not providing control signals to the same field device and/or for the same parameter within the same time interval) “and moving the at least one secondary controller to another node different than the existing node among the plurality of nodes for load balancing or an equipment update to the at least one primary controller to prevent loss during a shut down or a disruption to the synchronization of the at least one primary controller in the automation control system” (Fig. 3 and [0045] The control executive 200 may communicate with the load balancer 202 to determine which controller 150a-n should execute which control modules 208, redundancy modules, and big data modules during a particular time interval. In some embodiments, the load balancer 202 receives an availability metric for each of the controllers 150a-n in the controller farm 160 and a list of control modules, redundancy modules, and big data modules to be executed within a particular time interval (e.g., 30 minutes, an hour, two days, a day, etc.) which may include respective priority levels for each of the modules. The load balancer 202 then assigns a controller 150a-n in the controller farm 160 to execute each of the modules. In some scenarios, a single controller 150a-n may execute several modules within the same time interval depending on the parallel processing capabilities and memory density of the controller 150a-n. In another example scenario, the load balancer 202 identifies two different controllers 150a-n to execute a control module and a redundancy module, so that the controller 150a-n executing the redundancy module can take over for the controller 150a-n executing the control module in the event of a failure at the controller; [0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n. In some embodiments, the control manager 152 uses a load balancing algorithm to assign modules to the controllers 150a-n. For example, the load balancing algorithm may be a reversing round robin mechanism, where the control manager 152 assigns the highest ranked module to the highest ranked controller 150a-n, then assigns the second highest ranked module to the second highest ranked controller 150a-n and continues in descending order until each controller 150a-n has been assigned a module. Then the control manager 152 assigns the remaining control modules in ascending order for the controllers 150a-n until each controller 150a-n has been assigned two modules; wherein when a redundancy module is assigned to a first controller in a first time interval, and then is assigned to a different controller in a second time interval due to load balancing, it can be considered a moving for load balancing; [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails).
Ong fails to teach “...or an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system”.
Hefeeda teaches “backing-up the at least one primary controller by at least one secondary controller among the plurality of concurrent secondary controllers to allow the at least one primary controller to maintain the at least one secondary controller as an alternate to the at least one primary controller; for ... an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system” ([0155] To achieve reliability in the proposed feedback control cloud service, one embodiment of the invention incorporates a distributed fault tolerance algorithm that is run asynchronously by all redundant controllers. The algorithm is known as Reliable Cloud Control (RCC). RCC supports double or higher redundancy and provides the following guarantees: [0156] G1: If the primary controller fails, the secondary controller is automatically hot-swapped in. This guarantee is generalizable to higher redundancy. For example, in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in; [0160] At any given time, RCC makes a single controller engaged in controlling the process, while it makes the other controllers standby (or backup). A standby controller is still reading the process output and preparing, but withholding, its own next action; [0175] Without loss of generality, we now focus on the triple redundancy case to illustrate the interaction among 3 controllers under RCC... The tertiary controller will get engaged if and only if both the primary and secondary controllers become unavailable. This addresses guarantee G1 If the primary controller recovers from failure, it will gain control over the process since it always operates in the engaged mode, forcing the secondary controller into the standby mode; [0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers. [0186] Cloud controllers can be used to temporarily manage systems while their physical controllers are being upgraded or replaced due to failures; wherein an upgrade or replacement is considered an equipment update).
It would have been obvious to a person having ordinary skill in the art before the effective file date of the claimed invention to have modified the cloud-based redundant control system that offers a control module (primary) and plurality of redundancy modules (secondaries) of Ong, with the use of a triply redundant cloud-based automation control system wherein a backup of a primary controller is performed by a cloud controller acting as a secondary or tertiary controller such that when upgrades occur a secondary controller takes over as primary and a tertiary controller acts as a backup/secondary because both inventions are in the related field of offering automation control system controllers via a cloud-based platform.  By implementing the features of Hefeeda in Ong, one would expect to gain the same benefits, namely a cost saving noted by Hefeeda “[0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers.”.  Furthermore, by offering a triply redundant system as opposed to only a double redundant system, a person having ordinary skill would expect the system to achieve improved reliability, as instead of having two points of failure for a complete system failure the triply redundant system would require three points of failure and thus offer an additional component that must fail before complete system failure (“[0156] in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in”).  

In regards to Claim 2, Ong and Hefeeda teach the method of operating an automation control system as incorporated by claim 1 above.  Ong further teaches “The method of claim 1, wherein the redundancy elements comprise compute nodes that support a workload of the at least one primary controller or the at least one secondary controller” ([0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11;  [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n; wherein balancing a load across controllers/blades is considered supporting a workload).

In regards to Claim 3, Ong and Hefeeda teach the method of operating an automation control system as incorporated by claim 1 above.  Ong further teaches “The method of claim 1, wherein the automation control system comprises an automation control hive” ([0008] A process control system within one or several process plants includes a centralized or distributed controller farm having several controllers similar to a server farm. The controller farm may include blade servers or rack servers, where each of the controllers in the controller farm is configured to control each of the field devices in a process plant or in several process plants to control the operation of the process plants... A single controller within the controller farm may simultaneously control field devices in several portions of the process plant or in different process plants. Additionally, the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants. Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; wherein a controller farm is considered an automation control hive).

In regards to Claim 4, Ong and Hefeeda teach the method of operating an automation control system as incorporated by claim 3 above.  Ong further teaches “The method of claim 3, wherein the automation control hive comprises control applications and an environment not bound to dedicated hardware, but which float across any hardware within the automation control hive” ([0002] The process controllers, which are also typically located within the plant environment, receive signals indicative of process measurements made by the field devices and/or other information pertaining to the field devices and execute a controller application that runs, for example, different control modules which make process control decisions, generate control signals based on the received information and coordinate with the control modules or blocks being performed in the field devices; [0008] the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants.  Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; [0018] a processor within a controller 150a-n of the controller farm 160 may be selected to implement or oversee one or more process control routines (stored in a memory), which may include control loops. The selected processor may communicate with the field devices 15-22 and 40-46 and with other nodes that are communicatively connected to the backbone 105; [0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11; [0035] The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module. Similar to the control modules, the redundancy modules may be software, firmware, hardware, etc. Redundancy modules may be implemented in any desired software format, such as using object oriented programming, ladder logic, sequential function charts, function block diagrams, or using any other software programming language or design paradigm).

In regards to Claim 5, Ong and Hefeeda teach the method of operating an automation control system as incorporated by claim 1 above.  Ong further teaches “The method of claim 1 wherein the at least one primary controller and each concurrent secondary controller among the plurality of concurrent secondary controllers comprise a process controller” ([0030] Also as used herein, a "controller farm" or a "centralized or distributed controller farm" may include several controllers each communicatively connected to each of the field devices 15-22, 40-46 in the process plant 10 and/or field devices in other process plants within the process control system 100. [0028] Although FIG. 1A illustrates a controller farm 160 having a particular number of controllers 150a-n, any number of controllers 150a-n may be included in the controller farm 160 including tens of controllers, hundreds of controllers, thousands of controllers, etc. [0001] The present disclosure relates generally to process plants and process control systems, and more particularly, to a centralized or distributed controller farm that controls several field devices distributed across one or several process plants).

In regards to Claim 6, Ong and Hefeeda teach the method of operating an automation control system as incorporated by claim 1 above.  Ong further teaches “The method of claim 1 wherein the equipment update comprises at least one of: a controller firmware or a software migration” ([0018] It should be noted that any control routines or modules (including quality prediction and fault detection modules or function blocks) described herein may have parts thereof implemented or executed by different controllers or other devices if so desired. Likewise, the control routines or modules described herein which are to be implemented within the process control system 100 may take any form, including software, firmware, hardware, etc. ;[0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; wherein because the modules executed during a second time interval are different for the same controller, it can be considered that the modules (software) has migrated).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.).

In regards to Claim 7, Ong and Hefeeda teach the method of operating an automation control system as incorporated by claim 1 above.  Ong further teaches “The method of claim 1 wherein the equipment update comprises a controller hardware migration” ([0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails...The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; wherein the changing from primary controller 150a to redundant controller 150b is considered a hardware migration because the hardware executing the control module has changed and been implemented by different hardware).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.)

In regards to Claim 8, Ong discloses “A system for synchronizing controllers for automation control, the system comprising: a plurality of redundancy elements in the automation control system comprising a plurality of nodes, wherein the plurality of redundancy elements include at least one primary controller and a plurality of concurrent secondary controllers” (Fig. 2 and [0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a executing the control module. The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; [0030] In some scenarios, the controllers are in a centralized controller farm and are located within the same area (e.g., a temperature controlled room). In other scenarios, the controllers are in a distributed controller farm and are located in several areas (e.g., several temperature controlled rooms); [0032] Turning now to FIG. 1B, the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11) “and wherein a back-up to the at least one primary controller exists on any node among the plurality of nodes;” (Fig. 2 and 3 and [0039] the controller farm 160 includes a control manager 152 that assigns control modules, redundancy modules, big data modules, and any other suitable operations to the controllers 150a-n; [0041] the control manager 152 automatically generates a redundancy module upon obtaining a corresponding control module. Referring now to FIG. 2, the control manager 152 communicates with several controllers 150a-n in the controller farm 160. Each of the controllers 150a-n and the control manager 152 may be physical machines (e.g., hardware) or virtual machines (e.g., software); [0043] the redundancy manager 206 generates a redundancy module for each control module 208 obtained by the control manager 152. The redundancy module may cause the controller 150a-n executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a-n executing the control module without executing the control loops or functions included in the control module. In some embodiments, the control executive 200 provides each of the obtained control modules 208 to the redundancy manager 206 for the redundancy manager to generate a corresponding redundancy module; [0065] At block 312, the assigned modules are downloaded to the respective controllers 150a-n for execution during the particular time interval. Each controller 150a-n executes its assigned modules by providing control signals and otherwise communicating with the field devices 15-22, 40-46 associated with each assigned module.) “a back-up of the at least one primary controller by at least one secondary controller among the plurality of concurrent secondary controllers to allow the at least one primary controller to maintain the at least one secondary controller as an alternate to the at least one primary controller” (Fig. 3 and [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc.; [0051] the control executive 200 then provides the assigned modules to the corresponding controllers 150a-n, so that each controller 150a-n may execute the assigned modules. In some embodiments, the control executive 200 analyzes the assignments and may adjust some of the assignments to ensure that multiple controllers 150a-n are not providing control signals to the same field device and/or for the same parameter within the same time interval) “wherein the system is configured to move the at least one secondary controller to another node different than the existing node among the plurality of nodes for load balancing or an equipment update to facilitate prevention of a loss during a shut down or a disruption to the synchronization of the at least one primary controller in the automation control system” (Fig. 3 and [0045] The control executive 200 may communicate with the load balancer 202 to determine which controller 150a-n should execute which control modules 208, redundancy modules, and big data modules during a particular time interval. In some embodiments, the load balancer 202 receives an availability metric for each of the controllers 150a-n in the controller farm 160 and a list of control modules, redundancy modules, and big data modules to be executed within a particular time interval (e.g., 30 minutes, an hour, two days, a day, etc.) which may include respective priority levels for each of the modules. The load balancer 202 then assigns a controller 150a-n in the controller farm 160 to execute each of the modules. In some scenarios, a single controller 150a-n may execute several modules within the same time interval depending on the parallel processing capabilities and memory density of the controller 150a-n. In another example scenario, the load balancer 202 identifies two different controllers 150a-n to execute a control module and a redundancy module, so that the controller 150a-n executing the redundancy module can take over for the controller 150a-n executing the control module in the event of a failure at the controller; [0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n. In some embodiments, the control manager 152 uses a load balancing algorithm to assign modules to the controllers 150a-n. For example, the load balancing algorithm may be a reversing round robin mechanism, where the control manager 152 assigns the highest ranked module to the highest ranked controller 150a-n, then assigns the second highest ranked module to the second highest ranked controller 150a-n and continues in descending order until each controller 150a-n has been assigned a module. Then the control manager 152 assigns the remaining control modules in ascending order for the controllers 150a-n until each controller 150a-n has been assigned two modules; wherein when a redundancy module is assigned to a first controller in a first time interval, and then is assigned to a different controller in a second time interval due to load balancing, it can be considered a moving for load balancing; [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails).
Ong fails to teach “...or an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system”.
Hefeeda teaches “backing-up the at least one primary controller by at least one secondary controller among the plurality of concurrent secondary controllers to allow the at least one primary controller to maintain the at least one secondary controller as an alternate to the at least one primary controller; for ... an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system” ([0155] To achieve reliability in the proposed feedback control cloud service, one embodiment of the invention incorporates a distributed fault tolerance algorithm that is run asynchronously by all redundant controllers. The algorithm is known as Reliable Cloud Control (RCC). RCC supports double or higher redundancy and provides the following guarantees: [0156] G1: If the primary controller fails, the secondary controller is automatically hot-swapped in. This guarantee is generalizable to higher redundancy. For example, in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in; [0160] At any given time, RCC makes a single controller engaged in controlling the process, while it makes the other controllers standby (or backup). A standby controller is still reading the process output and preparing, but withholding, its own next action; [0175] Without loss of generality, we now focus on the triple redundancy case to illustrate the interaction among 3 controllers under RCC... The tertiary controller will get engaged if and only if both the primary and secondary controllers become unavailable. This addresses guarantee G1 If the primary controller recovers from failure, it will gain control over the process since it always operates in the engaged mode, forcing the secondary controller into the standby mode; [0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers. [0186] Cloud controllers can be used to temporarily manage systems while their physical controllers are being upgraded or replaced due to failures; wherein an upgrade or replacement is considered an equipment update).
It would have been obvious to a person having ordinary skill in the art before the effective file date of the claimed invention to have modified the cloud-based redundant control system that offers a control module (primary) and plurality of redundancy modules (secondaries) of Ong, with the use of a triply redundant cloud-based automation control system wherein a backup of a primary controller is performed by a cloud controller acting as a secondary or tertiary controller such that when upgrades occur a secondary controller takes over as primary and a tertiary controller acts as a backup/secondary because both inventions are in the related field of offering automation control system controllers via a cloud-based platform.  By implementing the features of Hefeeda in Ong, one would expect to gain the same benefits, namely a cost saving noted by Hefeeda “[0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers.”.  Furthermore, by offering a triply redundant system as opposed to only a double redundant system, a person having ordinary skill would expect the system to achieve improved reliability, as instead of having two points of failure for a complete system failure the triply redundant system would require three points of failure and thus offer an additional component that must fail before complete system failure (“[0156] in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in”).  

In regards to Claim 9, Ong and Hefeeda teach the system for operating an automation control synchronization as incorporated by claim 8 above.  Ong further teaches “The system of claim 8, wherein the redundancy elements comprise compute nodes that support a workload of the at least one primary controller or the at least one secondary controller” ([0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11;  [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n; wherein balancing a load across controllers/blades is considered supporting a workload).

In regards to Claim 10, Ong and Hefeeda teach the system for operating an automation control synchronization as incorporated by claim 8 above.  Ong further teaches “The system of claim 8, wherein the automation control system comprises an automation control hive” ([0008] A process control system within one or several process plants includes a centralized or distributed controller farm having several controllers similar to a server farm. The controller farm may include blade servers or rack servers, where each of the controllers in the controller farm is configured to control each of the field devices in a process plant or in several process plants to control the operation of the process plants... A single controller within the controller farm may simultaneously control field devices in several portions of the process plant or in different process plants. Additionally, the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants. Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; wherein a controller farm is considered an automation control hive).

In regards to Claim 11, Ong and Hefeeda teach the system for operating an automation control synchronization as incorporated by claim 10 above.  Ong further teaches “The system of claim 10, wherein the automation control hive comprises control applications and an environment not bound to dedicated hardware, but which float across any hardware within the automation control hive” ([0002] The process controllers, which are also typically located within the plant environment, receive signals indicative of process measurements made by the field devices and/or other information pertaining to the field devices and execute a controller application that runs, for example, different control modules which make process control decisions, generate control signals based on the received information and coordinate with the control modules or blocks being performed in the field devices; [0008] the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants.  Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; [0018] a processor within a controller 150a-n of the controller farm 160 may be selected to implement or oversee one or more process control routines (stored in a memory), which may include control loops. The selected processor may communicate with the field devices 15-22 and 40-46 and with other nodes that are communicatively connected to the backbone 105; [0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11; [0035] The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module. Similar to the control modules, the redundancy modules may be software, firmware, hardware, etc. Redundancy modules may be implemented in any desired software format, such as using object oriented programming, ladder logic, sequential function charts, function block diagrams, or using any other software programming language or design paradigm).

In regards to Claim 12, Ong and Hefeeda teach the system for operating an automation control synchronization as incorporated by claim 8 above.  Ong further teaches “The system of claim 8, wherein the at least one primary controller and each concurrent secondary controller among the plurality of concurrent secondary controllers comprise a process controller” ([0030] Also as used herein, a "controller farm" or a "centralized or distributed controller farm" may include several controllers each communicatively connected to each of the field devices 15-22, 40-46 in the process plant 10 and/or field devices in other process plants within the process control system 100. [0028] Although FIG. 1A illustrates a controller farm 160 having a particular number of controllers 150a-n, any number of controllers 150a-n may be included in the controller farm 160 including tens of controllers, hundreds of controllers, thousands of controllers, etc. [0001] The present disclosure relates generally to process plants and process control systems, and more particularly, to a centralized or distributed controller farm that controls several field devices distributed across one or several process plants).

In regards to Claim 13, Ong and Hefeeda teach the system for operating an automation control synchronization as incorporated by claim 8 above.  Ong further teaches “The system of claim 8, wherein the equipment update comprises at least one of: a controller firmware or a software migration” ([0018] It should be noted that any control routines or modules (including quality prediction and fault detection modules or function blocks) described herein may have parts thereof implemented or executed by different controllers or other devices if so desired. Likewise, the control routines or modules described herein which are to be implemented within the process control system 100 may take any form, including software, firmware, hardware, etc. ;[0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; wherein because the modules executed during a second time interval are different for the same controller, it can be considered that the modules (software) has migrated).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.).

In regards to Claim 14, Ong and Hefeeda teach the system for operating an automation control synchronization as incorporated by claim 8 above.  Ong further teaches “The system of claim 8 wherein the equipment update comprises a controller hardware migration” ([0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails...The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; wherein the changing from primary controller 150a to redundant controller 150b is considered a hardware migration because the hardware executing the control module has changed and been implemented by different hardware).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.)

In regards to Claim 15, Ong discloses “A system for synchronizing controllers for automation control, comprising: a non-transitory computer-usable medium embodying computer program code, the computer-usable medium capable of communicating with at least one processor, the computer program code comprising instructions executable by the at least one processor and configured for:” ([0014] The distributed controller 11 may include a processor 30, a memory 32, and one or more control routines 38. Additionally, each of the controllers 150a-n within the controller farm 160 may include one or more processors, a memory, and one or more control routines, as described in more detail below; [0032] Turning now to FIG. 1B, the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11... the memory within each of the blades 150a-n, 152 may include high density memory storage technology, for example, solid state drive memory, semiconductor memory, optical memory, molecular memory, biological memory, or any other suitable high density memory technology; [0041] Each of the controllers 1-N (ref. nos. 150a-n) includes a processor 210a-n, such as a multi-core processor or another type of parallel processor and a memory 212a-n which may be a high density memory. Each of the memories 212a-n may store various routines assigned to the respective controller 150a-n, including control modules 214a-n, big data modules 216a-n, and redundancy modules 218a-n; [0056] FIG. 3 depicts a flow diagram representing an exemplary method 300 for load balancing between controllers in a process control system 100. The method 300 may be executed on the control manager 152 within the controller farm 160 or any other computing device, blade server, etc. within the controller farm 160 or in communication with the controller farm 160. In some embodiments, the method may be implemented in a set of instructions stored on a non-transitory computer-readable memory and executable by one or more processors of the control manager 152) “arranging a plurality of redundancy elements in the automation control system comprising a plurality of nodes, wherein the plurality of redundancy elements include at least one primary controller and a plurality of concurrent secondary controllers” (Fig. 2 and [0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a executing the control module. The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; [0030] In some scenarios, the controllers are in a centralized controller farm and are located within the same area (e.g., a temperature controlled room). In other scenarios, the controllers are in a distributed controller farm and are located in several areas (e.g., several temperature controlled rooms); [0032] Turning now to FIG. 1B, the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11) “and wherein a back-up to the at least one primary controller exists on any node among the plurality of nodes;” (Fig. 2 and 3 and [0039] the controller farm 160 includes a control manager 152 that assigns control modules, redundancy modules, big data modules, and any other suitable operations to the controllers 150a-n; [0041] the control manager 152 automatically generates a redundancy module upon obtaining a corresponding control module. Referring now to FIG. 2, the control manager 152 communicates with several controllers 150a-n in the controller farm 160. Each of the controllers 150a-n and the control manager 152 may be physical machines (e.g., hardware) or virtual machines (e.g., software); [0043] the redundancy manager 206 generates a redundancy module for each control module 208 obtained by the control manager 152. The redundancy module may cause the controller 150a-n executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a-n executing the control module without executing the control loops or functions included in the control module. In some embodiments, the control executive 200 provides each of the obtained control modules 208 to the redundancy manager 206 for the redundancy manager to generate a corresponding redundancy module; [0065] At block 312, the assigned modules are downloaded to the respective controllers 150a-n for execution during the particular time interval. Each controller 150a-n executes its assigned modules by providing control signals and otherwise communicating with the field devices 15-22, 40-46 associated with each assigned module.) “backing-up the at least one primary controller by at least one secondary controller among the plurality of concurrent secondary controllers to allow the at least one primary controller to maintain the at least one secondary controller as an alternate to the at least one primary controller” (Fig. 3 and [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc.; [0051] the control executive 200 then provides the assigned modules to the corresponding controllers 150a-n, so that each controller 150a-n may execute the assigned modules. In some embodiments, the control executive 200 analyzes the assignments and may adjust some of the assignments to ensure that multiple controllers 150a-n are not providing control signals to the same field device and/or for the same parameter within the same time interval) “and moving the at least one secondary controller to another node different than the existing node among the plurality of nodes for load balancing or an equipment update to facilitate prevention of a loss during a shut down or a disruption to the synchronization of the at least one primary controller in the automation control system” (Fig. 3 and [0045] The control executive 200 may communicate with the load balancer 202 to determine which controller 150a-n should execute which control modules 208, redundancy modules, and big data modules during a particular time interval. In some embodiments, the load balancer 202 receives an availability metric for each of the controllers 150a-n in the controller farm 160 and a list of control modules, redundancy modules, and big data modules to be executed within a particular time interval (e.g., 30 minutes, an hour, two days, a day, etc.) which may include respective priority levels for each of the modules. The load balancer 202 then assigns a controller 150a-n in the controller farm 160 to execute each of the modules. In some scenarios, a single controller 150a-n may execute several modules within the same time interval depending on the parallel processing capabilities and memory density of the controller 150a-n. In another example scenario, the load balancer 202 identifies two different controllers 150a-n to execute a control module and a redundancy module, so that the controller 150a-n executing the redundancy module can take over for the controller 150a-n executing the control module in the event of a failure at the controller; [0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n. In some embodiments, the control manager 152 uses a load balancing algorithm to assign modules to the controllers 150a-n. For example, the load balancing algorithm may be a reversing round robin mechanism, where the control manager 152 assigns the highest ranked module to the highest ranked controller 150a-n, then assigns the second highest ranked module to the second highest ranked controller 150a-n and continues in descending order until each controller 150a-n has been assigned a module. Then the control manager 152 assigns the remaining control modules in ascending order for the controllers 150a-n until each controller 150a-n has been assigned two modules; wherein when a redundancy module is assigned to a first controller in a first time interval, and then is assigned to a different controller in a second time interval due to load balancing, it can be considered a moving for load balancing; [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails).
Ong fails to teach “...or an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system”.
Hefeeda teaches “backing-up the at least one primary controller by at least one secondary controller among the plurality of concurrent secondary controllers to allow the at least one primary controller to maintain the at least one secondary controller as an alternate to the at least one primary controller; for ... an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system” ([0155] To achieve reliability in the proposed feedback control cloud service, one embodiment of the invention incorporates a distributed fault tolerance algorithm that is run asynchronously by all redundant controllers. The algorithm is known as Reliable Cloud Control (RCC). RCC supports double or higher redundancy and provides the following guarantees: [0156] G1: If the primary controller fails, the secondary controller is automatically hot-swapped in. This guarantee is generalizable to higher redundancy. For example, in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in; [0160] At any given time, RCC makes a single controller engaged in controlling the process, while it makes the other controllers standby (or backup). A standby controller is still reading the process output and preparing, but withholding, its own next action; [0175] Without loss of generality, we now focus on the triple redundancy case to illustrate the interaction among 3 controllers under RCC... The tertiary controller will get engaged if and only if both the primary and secondary controllers become unavailable. This addresses guarantee G1 If the primary controller recovers from failure, it will gain control over the process since it always operates in the engaged mode, forcing the secondary controller into the standby mode; [0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers. [0186] Cloud controllers can be used to temporarily manage systems while their physical controllers are being upgraded or replaced due to failures; wherein an upgrade or replacement is considered an equipment update).
It would have been obvious to a person having ordinary skill in the art before the effective file date of the claimed invention to have modified the cloud-based redundant control system that offers a control module (primary) and plurality of redundancy modules (secondaries) of Ong, with the use of a triply redundant cloud-based automation control system wherein a backup of a primary controller is performed by a cloud controller acting as a secondary or tertiary controller such that when upgrades occur a secondary controller takes over as primary and a tertiary controller acts as a backup/secondary because both inventions are in the related field of offering automation control system controllers via a cloud-based platform.  By implementing the features of Hefeeda in Ong, one would expect to gain the same benefits, namely a cost saving noted by Hefeeda “[0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers.”.  Furthermore, by offering a triply redundant system as opposed to only a double redundant system, a person having ordinary skill would expect the system to achieve improved reliability, as instead of having two points of failure for a complete system failure the triply redundant system would require three points of failure and thus offer an additional component that must fail before complete system failure (“[0156] in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in”).  

In regards to Claim 16, Ong and Hefeeda teach the system for operating an automation control synchronization as incorporated by claim 15 above.  Ong further teaches “The system of claim 15, wherein the redundancy elements comprise compute nodes that support a workload of the at least one primary controller or the at least one secondary controller” ([0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11;  [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n; wherein balancing a load across controllers/blades is considered supporting a workload).

In regards to Claim 17, Ong and Hefeeda teach the system for operating an automation control synchronization as incorporated by claim 15 above.  Ong further teaches “The system of claim 15, wherein the automation control system comprises an automation control hive” ([0008] A process control system within one or several process plants includes a centralized or distributed controller farm having several controllers similar to a server farm. The controller farm may include blade servers or rack servers, where each of the controllers in the controller farm is configured to control each of the field devices in a process plant or in several process plants to control the operation of the process plants... A single controller within the controller farm may simultaneously control field devices in several portions of the process plant or in different process plants. Additionally, the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants. Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; wherein a controller farm is considered an automation control hive) “that comprises control applications and an environment not bound to dedicated hardware, but which float across any hardware within the automation control hive” ([0002] The process controllers, which are also typically located within the plant environment, receive signals indicative of process measurements made by the field devices and/or other information pertaining to the field devices and execute a controller application that runs, for example, different control modules which make process control decisions, generate control signals based on the received information and coordinate with the control modules or blocks being performed in the field devices; [0008] the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants.  Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; [0018] a processor within a controller 150a-n of the controller farm 160 may be selected to implement or oversee one or more process control routines (stored in a memory), which may include control loops. The selected processor may communicate with the field devices 15-22 and 40-46 and with other nodes that are communicatively connected to the backbone 105; [0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11; [0035] The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module. Similar to the control modules, the redundancy modules may be software, firmware, hardware, etc. Redundancy modules may be implemented in any desired software format, such as using object oriented programming, ladder logic, sequential function charts, function block diagrams, or using any other software programming language or design paradigm).

In regards to Claim 18, Ong and Hefeeda teach the system for operating an automation control synchronization as incorporated by claim 15 above.  Ong further teaches “The system of claim 15, wherein the at least one primary controller and each concurrent secondary controller among the plurality of concurrent secondary controllers comprise a process controller” ([0030] Also as used herein, a "controller farm" or a "centralized or distributed controller farm" may include several controllers each communicatively connected to each of the field devices 15-22, 40-46 in the process plant 10 and/or field devices in other process plants within the process control system 100. [0028] Although FIG. 1A illustrates a controller farm 160 having a particular number of controllers 150a-n, any number of controllers 150a-n may be included in the controller farm 160 including tens of controllers, hundreds of controllers, thousands of controllers, etc. [0001] The present disclosure relates generally to process plants and process control systems, and more particularly, to a centralized or distributed controller farm that controls several field devices distributed across one or several process plants).

In regards to Claim 19, Ong and Hefeeda teach the system for operating an automation control synchronization as incorporated by claim 15 above.  Ong further teaches “The system of claim 15, wherein the equipment update comprises at least one of: a controller firmware or a software migration” ([0018] It should be noted that any control routines or modules (including quality prediction and fault detection modules or function blocks) described herein may have parts thereof implemented or executed by different controllers or other devices if so desired. Likewise, the control routines or modules described herein which are to be implemented within the process control system 100 may take any form, including software, firmware, hardware, etc. ;[0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; wherein because the modules executed during a second time interval are different for the same controller, it can be considered that the modules (software) has migrated).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.).

In regards to Claim 20, Ong and Hefeeda teach the system for operating an automation control synchronization as incorporated by claim 15 above.  Ong further teaches “The system of claim 15 wherein the equipment update comprises a controller hardware migration” ([0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails...The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; wherein the changing from primary controller 150a to redundant controller 150b is considered a hardware migration because the hardware executing the control module has changed and been implemented by different hardware).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.)



ConclusionAny inquiry concerning this communication or earlier communications from the examiner should be directed to JONATHAN M SKRZYCKI whose telephone number is (571)272-0933. The examiner can normally be reached M-F 7:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kenneth Lo can be reached on (571) 272-9774. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/JONATHAN MICHAEL SKRZYCKI/Examiner, Art Unit 2116                                                                                                                                                                                                        

/KENNETH M LO/Supervisory Patent Examiner, Art Unit 2116