Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
The amendment filed February 3, 2022 has been entered. Claims 1, 3-6, 8, 10-13, 15, 17-20, 22-24 remain pending in the application.

Claim Rejections - 35 USC § 112
Claims 1, 3-6, 8, 10-13, 15, 17-20, 22-24  are rejected under 35 U.S.C. 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention.
In claim 1, lines 14-17, the meaning of the limitation: “delaying, by the control system, responsive to the error state being reached, an execution of the sequence of one or more second driving decisions for a predefined interval by determining whether a condition for overriding execution of the sequence of one or more second driving decisions has been reached” is unclear. How can the determining overriding condition reached can perform the delaying?
Paragraphs [0058], [0059] of the application specification do not provide any information for understanding this limitation. 


	For purposes of examination, the limitation “by determining whether a condition for overriding execution of the sequence of one or more second driving decisions has been reached” will not be considered and other features of claim 1 will be considered the best reasonable interpretation of claim 1.
	Similar reasoning applies to claims 8, 15, 22.
	Claims 3-6, 10-13, 17-20, 23, 24 are also rejected under section 112(b) for depending from rejected base claims.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.
Claims 1, 3-6, 8, 10-13, 15, 17-20, 22-24 are rejected under 35 U.S.C. 103 as being unpatentable over US20200017114A1 to Santoni et al. (hereinafter, Santoni) in view of US 20170123429 to Levinson et al. (hereinafter, Levinson) and US20190018409A1 to Nickolaou et al. (hereinafter, Nickolaou). 
As explained below, Santoni discloses all limitations of claim 1 except that the first and second driving decisions are generated at a predetermined interval, which is remedied by Levinson. 
Regarding claim 1, Santoni discloses: a method for error handling in an autonomous vehicle, comprising: generating, by an automation computing system of the autonomous vehicle, a first driving decision and a sequence of one or more second driving decisions { Santoni, fig. 2, paragraphs [0024], [0030], [0073], [0042], [0046], [0053], [0059]: processors 202, memory devices 206, and network communication modules 212, may be interconnected on the vehicle system through a variety of interfaces (e.g., 208) / a vehicle 105 may further include a path planner 242, which may make use of the results of various other modules, such as data collection 234, sensor fusion 236, perception engine 238, and localization engine (e.g., 240) among others (e.g., recommendation engine 244) to determine a path plan and/or action plan for the vehicle [driving decisions], which may be used by drive controls (e.g., 220) to control the driving of the vehicle 105 within an environment / the automated driving system 210 [automation computing system] may be implemented to support automated driving system safety, respective hardware monitors may be provided to monitor hardware of both the compute subsystem 705 [related to first driving decision] and the safety companion subsystem 710 [related to second driving decision] and may deliver data describing conditions in the hardware to the safety companion subsystem software for processing and potential remedial action / system management tools 670 include logic to detect events and data collected by the automated driving system to detect and identify, remedy potential safety issues or errors, among other examples, system management tools 670 include safety sub-systems or companion tools, fault detection and remediation tools / a safety platform is implemented in connection with an automated driving system of an autonomous vehicle that remedies issues / a safety monitor application 810 is provided to implement logic to monitor the proper functioning of the compute subsystem, its software and hardware, monitor the performance of the safety companion hardware, and even, in some implementations, execute simplified automated driving operations (and/or invoke internal failover control logic (e.g., 750) or a more robust failover automated driving system provided on the vehicle) in an attempt to remedy or mitigate effects of errors or other issues determined to affect the safety of the automated driving decisions driven by the compute subsystem 705 / a hardware monitor (e.g., 835) may performs a periodic and run-time [predefined interval] test of the compute complex hardware via one or more hardware monitoring interfaces. The hardware monitor (e.g., 835) reports malfunctions to the safety companion subsystem (e.g., via a safety proxy 825) for analysis and consideration by the safety monitor application (e.g., 810), [the operation of the automation computing system as one of computer hardware of an autonomous vehicle is implied to be performed periodically, that is, at a predetermined interval]}.
Santoni does not explicitly disclose that generating the first and second driving instructions at a predefined interval. Levinson remedies this and teaches in paragraph [0154]: FIG. 37 is a diagram depicting an example of a trajectory tracker. Trajectory tracker 3728 may be implemented as a trajectory-tracking controller configured to apply contingency trajectory (“NCT”) data 3692 (e.g., as a nominal contingency trajectory) and/or to apply nominal driving trajectory (“NDT”) data 3672 to vehicle components, such as a propulsion unit or system (e.g., one or more drive trains), a steering system, a braking system, a heating and air-conditioning system, a communication system, etc. Diagram 3700 depicts a trajectory tracker 3728 including a validator 3741, a trajectory generator monitor 3743, a contingency trajectory execution processor 3745, and a driving trajectory execution processor 3747, contingency trajectory data 3692 and nominal driving trajectory data 3672 [first and second driving instructions] may be generated at the same time [at a predefined interval] or during a common time interval during which trajectory calculations and generations may be iterative or sequentially-determined. Note, however, data 3692 and 3672 may be generated asynchronously, at least in some cases.   / paragraph [0155]: Validator 3741 may be configured to validate contingency trajectory data 3692 and nominal driving trajectory data 3672 and related uncertainties or probability distributions (e.g., AI statistics, or statistics derived from a state and event manager (not shown) or the like) against validation criteria to, for example, confirm data 3692 and 3672 are within predicted values or tolerances. Driving trajectory execution processor 3747 is configured to control application of trajectory data 3672 to various physical vehicle components. Trajectory generator monitor 3743 is configured to monitor the generation of trajectories associated with nominal driving trajectory data 3672, trajectory generator monitor 3743 may detect absence or cessation of nominal driving trajectory data 3672 (or other data indicative of inoperable high-level logic of a planner). In this case, trajectory tracker 3728 facilitates operation of contingency trajectory execution processor 3745 to control application of contingent trajectory data 3692 to various physical vehicle components so as to effect a “safe-stop” maneuver, whereby motion of an autonomous vehicle ceases and the vehicle stops at a safe location. As shown, trajectory tracker 3728 and/or contingency trajectory execution processor 3745 may be configured to receive a subset of sensor data 3770 to facilitate application of the contingency trajectory. In some examples, subset of sensor data 3770 may be referred to as reactive sensors as they may be implemented during the safe-stop maneuver (e.g., when other trajectory types may not be generated). According to some examples, the reactive sensors include one or more sonar sensors and/or one or more radar sensors.
Fig. 37 of Levinson is repeated below.

    PNG
    media_image1.png
    2010
    2732
    media_image1.png
    Greyscale

Santoni in view of Levinson further teaches: wherein the sequence of one or more second driving decisions is generated to cause the autonomous vehicle to come to a safe stop {Santoni, paragraph [0061]: the failover control 750 of the safety companion system 710 brings the vehicle to a safe state (e.g., stopped in the lane or parked by the side of the road){Levinson,  paragraph [0155]}.
Santoni further discloses: sending, by the automation computing system, to a control system of the autonomous vehicle, the first driving decision and the sequence of one or more second driving decisions.
Fig. 7 of Santoni, which is repeated below, shows that the compute subsystem 705 sends command [first driving decision], and the safety companion subsystem 710 sends control [second driving decision] to the vehicle systems [control system of the autonomous vehicle].  

    PNG
    media_image2.png
    1273
    1216
    media_image2.png
    Greyscale

Santoni in view of Levinson further teaches: determining, by the control system, whether to execute a last received first driving decision or a last received sequence of one or more second driving decisions based on whether an error state associated with the autonomous vehicle has been reached {Santoni, paragraphs [0042], [0046], [0053]: system management tools 670 [control system] may include logic to detect and log events and various data collected and/or generated by the automated driving system [determining whether to execute first or second decisions], and identify and remedy potential safety issues or errors [based on whether an error state associated with the autonomous vehicle has been reached], and may further include fault detection and remediation tools / the safety monitoring software component of the architecture may independently monitor the compute hardware involved in the automated driving system (the compute hardware utilized to execute the automated driving system logic as well as the compute hardware utilized to execute the safety management or companion logic) and the automated driving system application(s) / a safety monitor application 810 may be provided to monitor the proper functioning of the compute subsystem, its software and hardware, monitor the performance of the safety companion hardware, and execute simplified automated driving operations, invoke internal failover control logic or a failover automated driving system provided on the vehicle in an attempt to remedy or mitigate effects of errors}{Levinson, paragraph [0155]}.
It is noted that at any time point, the first and second driving decisions in the control system are always the last received because the decisions are generated at a predefined interval and then sent to the control system.
Santoni in view of Levinson does not explicitly teach: delaying, by the control system, responsive to the error state being reached, an execution of the sequence of one or more second driving decisions for a predefined interval by determining whether a condition for overriding execution of the sequence of one or more second driving decisions has been reached.  
Nickolaou remedies this and teaches in paragraph [0005]: A method is provided for intelligently overriding a driving automation system for a vehicle. The method comprises requiring the driver to acknowledge the signal to disengage the driving automation system and take control of the vehicle; stopping the vehicle and shutting off the driving automation system if the driver fails to positively acknowledge the signal to disengage the driving automation system; passing the vehicle through the transition zone under control of the driver; and re-engaging the driving automation system once the vehicle exits the transition zone. / paragraph [0034]: If the driver fails to disengage the driving automation system 70 within a specified time period [implies delaying], the vehicle 10 stops at the end of the deceleration zone, engages an emergency parking brake (EPB) [execution of second driving decision] and shuts off the driving automation system 70.
In summary, Santoni discloses two modules, the compute subsystem 705, which performs functions related to the first driving decision, and the safety companion subsystem 710, which performs functions related to the second driving decision. That is, Santoni discloses separate systems for generating driving decisions and executing the driving decisions. Santoni further discloses repeatedly generating two separate sets of driving decisions (the claimed first and second driving decisions) at a predefined interval, providing both sets of driving decisions to a control system, and a control system that determines which of the two sets of driving decisions should be executed depending on whether or not an error state has been reached. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the trajectory tracker 3728 and the validator 3741 of Levinson and driver action waiting feature of Nickolaou with the described invention of Santoni in order to prepare against contingent operation state in advance, and to execute safe stop.
Similar logic applies to claims 8, 15, 22.
Regarding claim 3, which depends from claim 1, Santoni further discloses: determining, by the control system, that the error state has been reached by determining that a driving decision has not been received from the automation computing system {paragraph [0074]: Failures may be identified and controlled through the exchange of safety-related information using one or more interfaces of the automated driving system interface that are configured to ensure against loss of communication, message corruption, unacceptable message delay, message loss [driving decision has not been received], unintended message repetition, incorrect message sequencing, message insertion, message masquerading, and incorrect message addressing, among other enhanced features to guard the integrity of these interfaces and the signals they carry}.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the message reception checking feature of Santoni with the described invention of the modified Santoni in order to consider non-reception of decision as a factor for determining error state.
	Similar logic applies to claims 10, 17.
Regarding claim 4, which depends from claim 1, Santoni further discloses: determining, by the control system, that the error state has been reached by determining that a received driving decision comprises one or more invalid commands {paragraph [0074]: configured to ensure against loss of communication, message corruption, unacceptable message delay, message loss, unintended message repetition, incorrect message sequencing, message insertion, message masquerading, and incorrect message addressing [examples of invalid commands]}.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the message validation feature of Santoni with the described invention of the modified Santoni in order to consider invalid command as a factor for determining error state.
	Similar logic applies to claims 11, 18.
Regarding claim 5, which depends from claim 1, Santoni further discloses: receiving, by the control system, from the automation computing system, the first driving decision and the sequence of one or more second driving decisions; storing the sequence of one or more second driving decisions; and executing, responsive to the error state not being reached, the first driving decision {fig. 2, paragraphs [0024], [0030], [0073]: memory elements (e.g., 206) may be provided to store machine-executable instructions [storing the sequence of one or more second driving decisions] implementing all or a portion of any one of the modules or sub-modules of an autonomous driving stack implemented on the vehicle, as well as, sensor data (e.g., 258), and other data received, generated, or used in connection with autonomous driving functionality to be performed by the vehicle}. 
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the storing and executing instructions features of Santoni with the described invention of the modified Santoni in order to execute instructions suitable for the vehicle’s operating states.
Similar logic applies to claims 12, 19.
Regarding claim 6, which depends from claim 5, Santoni further discloses: loading, responsive to the error state being reached, the stored sequence of one or more second driving decisions; and executing the loaded sequence of one or more second driving decisions {paragraph [0024]: loading sequence is implied as inherent operation of a computerized device}.
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the sequence loading feature of Santoni with the described invention of the modified Santoni in order to control the vehicle by a computer device.
	Similar logic applies to claims 13, 20.
Regarding claim 23, which depends from claim 1, Nickolaou further teaches: wherein the condition for overriding execution of the sequence of one or more second driving decisions comprises entering a user-operated driving mode {Nickolaou, paragraph [0016]: the intelligent override system 100 determines that the vehicle 10 is approaching a road feature that requires overriding of an engaged driving automation system function and signals the driver of the vehicle 10 that automation is no longer available and that the driver needs to take over control of the vehicle 10}.  
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the driver’s control feature of Nickolaou with the described invention of the modified Santoni in order to provide human driver’s control when automatic control malfunctions.
Regarding claim 24, which depends from claim 1, Nickolaou further teaches: wherein the condition for overriding execution of the sequence of one or more second driving decisions comprises receiving a valid driving decision {Nickolaou, paragraph [0034]: In some embodiments, the driver disengages the driving automation system 70 and takes control of the vehicle 10 by pressing the accelerator [valid driving decision]. In some embodiments, the driver may maintain partial control of the vehicle by pressing the accelerator while the automated driving system retains control of the steering}.   
It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to incorporate the driver’s predetermined action feature of Nickolaou with the described invention of the modified Santoni in order to provide prerequisite for overriding. 

Response to Arguments
	Applicant's arguments filed February 3, 2022 have been fully considered but they are not persuasive. In response to Applicant's arguments that the added limitation of the independent claims is not taught by Santoni and Levinson, 103 rejections are written for the amended claim set further citing Nickolaou.
 
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHANMIN PARK whose telephone number is (408)918-7555. The examiner can normally be reached Monday - Thursday and alternate Fridays, 7:30-4:30 PT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Elaine L Gort can be reached on (571)272-6781. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.



/C.P./Examiner, Art Unit 3661                                                                                                                                                                                                        
/SZE-HON KONG/Primary Examiner, Art Unit 3661