DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office action is in response to application filed on 2/4/2020.
Claim(s) 1-15 is/are pending in this Office Action.
Priority



Acknowledgment is made of applicant’s claim for foreign priority under 35 U.S.C. 119 (a)-(d).
The certified copy has been filed in parent Application No. EP17185954.9, filed 6/18/2018.
Acknowledgment is made of applicant's indication of National Stage entry from PCT application PCT/EP2018/066060, filed 8/11/2017.
Information Disclosure Statement
Applicant’s information disclosure statement(s) (IDS) submitted on 2/4/2020 and 3/24/2020 is/are being considered by the examiner. 
Specification





Applicant is reminded of the proper language and format for an abstract of the disclosure.
The abstract should be in narrative form and generally limited to a single paragraph on a separate sheet within the range of 50 to 150 words in length. The abstract should describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details.
The language should be clear and concise and should not repeat information given in the title. It should avoid using phrases which can be implied, such as, “The disclosure concerns,” “The disclosure defined by this invention,” “The disclosure describes,” etc.  In addition, the form and legal phraseology often used in patent claims, such as “means” and “said,” should be avoided.
The abstract of the disclosure is objected to because it does not describe the disclosure sufficiently to assist readers in deciding whether there is a need for consulting the full patent text for details, as the Abstract appears to repeat the language of the claims which must be read in light of the specification to glean its meaning.  Correction is required.  See MPEP § 608.01(b).
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.







Claim(s) 5-6, 8, 12-13, 15 is/are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA  the applicant regards as the invention.
Claims 5, 8, 12, 13, and 15 recite the limitations "joined safety management". There is insufficient antecedent basis for this limitation in each claim. For the purposes of examination, the examiner is interpreting the limitation to be “collective safety management”, instead, as recited in independent claims 1 and 9. The instant specification uses the term “joined safety management” in the its Summary and “collective safety management” in its Brief Description. The examiner is interpreting these components to be the same component. The examiner suggests Applicant amend instances of “joined safety management” in the claims to “collective safety management”. Applicant may amend the specification to replace “joined safety management” with “collective safety management”, however this is not required.
Claim 6 is rejected due to its dependency on a rejected base claim.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.




Claim(s) 1-2, 7, 9-10, 14 is/are rejected under 35 U.S.C. 103 as being unpatentable over Aldana et al. (US 2020/0120458 A1), hereafter referred to as Aldana, in view of U.S. Department of Transportation (USDOT) National Highway Traffic Safety Administration: Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application (Non-Patent Document U), hereafter referred to as USDOT.
Regarding claim 1, Aldana teaches a method for providing a safe operation of subsystems (see vehicles comprising “vehicular communication devices 10902-10906” in Fig. 109, “FIG. 109 shows an exemplary illustration 10900 for vehicular communication devices to verify sources of data according to some aspects of this disclosure. As shown in FIG. 109, vehicular communication devices 10902-10906 may belong to cluster 10910”, para. 0886) within a safety critical system SCS, the method comprising: 
a subsystem (“vehicular communication device 10904”, Fig. 109, see also “vehicle”, para. 0190) among the subsystems of the SCS (“As shown in FIG. 109, vehicular communication devices 10902-10906 may belong to cluster 10910, while vehicular communication devices 10920-10930 may be external to cluster 10910. In some aspects, the vehicular communication devices of cluster 10910 may coordinate to manage channel resources between multiple vehicular radio communication technologies, such as DSRC, LTE V2V/V2X, and/or any other vehicular radio communication technologies”, para. 0886, “The internal components of vehicular communication device 500 may be arranged around a vehicular housing of vehicular communication device 500, mounted on or outside of the vehicular housing, enclosed within the vehicular housing, or any other arrangement relative to the vehicular housing where the internal components move with vehicular communication device 500 as it travels. The vehicular housing, such as an automobile body, plane or helicopter fuselage, boat hull, or similar type of vehicular body dependent on the type of vehicle that vehicular communication device 500 is”, para. 0190); 
sending, by the subsystem of the SCS, a signal (“messages”, para. 0888, see also “message” of “11404”, Fig. 114) via a communication unit (“vehicular communication devices 10902”, Fig. 109) of the  subsystem to communication units (“vehicular communication devices 10902 and 10906”, Fig. 109, see also “one or more other devices” of “11406”, Fig. 114) of the other subsystems among the subsystems of the SCS, wherein the signal includes a cryptographic key (“private key”, para. 0888, see also “11404”, Fig. 114) being unique to the subsystem (“vehicular communication devices 10902-10906 may be configured to verify sources of data within cluster 10910, such as with the other vehicular communication devices in the cluster…Vehicular communication devices 10902-10906 may utilize certificates and signatures provided to verify data sources”, para. 0887,
“A vehicular communication device may be provided with a certificate from a particular trusted authority, such as a vehicle manufacturer or service provider. The certificate may include a public key and metadata detailing information about the certificate (e.g., the identity of the issuer, validity time, etc.). The certificate can also be signed with a hash that is usable to verify whether the certificate has been tampered. The vehicular communication device that possesses the certificate may also have a private key corresponding to the public key specified in the certificate…The vehicular communication device may therefore be able to create signatures for messages using the private key, such as by processing the data in the message using the private key to derive a signature that uniquely depends on both the data in the message and the private key. The vehicular communication device may then send the message, signature, and certificate to another vehicular communication device (where the private key remains secret)”, para. 0888); 
decrypting, by a control unit (“controller 606”, Fig. 6, “FIG. 5 shows an exemplary internal configuration of a vehicular communication device 500”, para. 0190, “As shown in FIG. 6, radio communication arrangement 504 may include RF transceiver 602, digital signal processor 604, and controller 606”, para. 0192, see also “controller 12300”, Fig. 150, “FIG. 150 shows an exemplary internal configuration of a vehicular communication device acting as a cluster head”, para. 1144) of each of the other subsystems of the SCS, the cryptographic key of the signal (“The other vehicular communication device may then use the public key specified in the certificate to check whether the signature is valid. As only devices that know the private key can create signatures that can be verified with the public key in the certificate, the other vehicular communication device may be able to determine whether the vehicular communication devices knows the private key (and is thus assumed to be trusted by the trusted authority). Vehicular communication devices that can sign messages with a valid signature for a certificate issued by a trusted authority may therefore also be assumed to be trusted”, para. 0888); and 
communicating to the subsystems of the SCS that the cryptographic key of the subsystem is expired (see “validity time”, para. 0888, see also “duration”, para. 0364, “a selected radio communication technology resource for the plurality of vehicular communication devices may include one or more radio communication technology resource candidates for the plurality of vehicular communication devices…the radio communication technology resource for the plurality of vehicular communication devices may specify a duration for which the selected radio communication technology resource is valid”, para. 0364).

Aldana does not explicitly teach wherein the subsystem is a malfunctioning subsystem and wherein the signal is a malfunction signal; nor
assessing a malfunction within the malfunctioning subsystem; and
initiating collective safety management of the malfunctioning subsystem and the other subsystems when the decrypted cryptographic key is valid. 
However, USDOT teaches Vehicle-to-Vehicle Communications, comprising:
assessing a malfunction (“malfunction”, first para. of pg. 42, see also “current vehicle conditions” and “necessary evaluations”, Section C., pg. 70) within a malfunctioning subsystem (“vehicle”, first para. of pg. 42) (“There are a couple of types of roadside infrastructure that may be involved in facilitating DSRC-based V2V, as discussed in Section III.D.3. Communications infrastructure physically helps get the messages from the vehicles to and from the SCMS (as at first usage, when the vehicle is self-reporting a malfunction, or when it is reporting on another vehicle’s perceived malfunction), and helps get new certificates and the CRL from the SCMS to the V2V-equipped fleet”, Section IV.5., pg. 41-42); and
initiating collective safety management (“warning about potential danger through a safety application”, Section V.C., pg. 70) of the malfunctioning subsystem and other subsystems (“vehicles”, Section V.C., pg. 70) when a decrypted cryptographic key (“message”, Section V.D.1.a., pg. 72) is valid 
(“V2V communications is based on the wireless exchange of messages between vehicles. The messages provide information that a device can then use to provide a warning about potential danger through a safety application. Fundamentally, the basic hardware of a DSRC device is analogous to a common radio that not only receives information but transmits data as well. As a result the “core” of a DSRC device will be the software that gives devices the “intelligence” needed to determine and transmit current vehicle conditions and perform the necessary evaluations to potentially issue a warning. At the most basic level, a device will require low-level components to both transmit and receive the basic safety message; a relatively simple operating system; connection to a driver-vehicle interface; and algorithms to control the issuance of warnings (along with continual device diagnosis)”, Section V.C., pg. 70,
“V2V communications consists of two types of messages: safety messages and certificate exchange messages. The safety messages are used to support the safety applications…NHTSA’s current research is based on the assumption that the V2V system will use a Public Key Infrastructure (PKI) to authenticate messages…PKI uses certificates to inform a receiving device that the message is from a trusted source, and it uses cryptography to send encrypted message content. For V2V communications,…messages that contain security information (e.g., certificates) are trusted and the contents encrypted”, Section V.D.1.a., pg. 72).
All the components are known in Aldana and USDOT. Both teach communications between vehicles to achieve joined operation. Aldana teaches all the limitations, but for wherein the signal being communicated between vehicles is indicative of a malfunction of one of the vehicles and performing a subsequent action in response to said malfunction. Thus, USDOT is relied upon to show that that identifying malfunctions of vehicles in V2V systems and transmitting a signal indicative of said malfunctions to other vehicles in the V2V system was known before the effective filing date (see citations of USDOT above). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine the inventions of Aldana and USDOT such that the “vehicular communication device 10904” (Fig. 109) of Aldana is assessed to be malfunctioning, as taught by USDOT (“when the vehicle is self-reporting a malfunction”, Section IV.5., pg. 41-42), wherein the “messages” (para. 0888, see also “message” of “11404”, Fig. 114) of Aldana would be structured as the “messages” (Section V.D.1.a., pg. 72) of USDOT. The motivation for doing so would be for use “by other vehicles for a variety of crash avoidance applications”, as taught by USDOT (Section V.D.1.a., pg. 72).

Regarding claim 9, Aldana teaches a safety critical system SCS, comprising subsystems (see vehicles comprising “vehicular communication devices 10902-10906” in Fig. 109, “FIG. 109 shows an exemplary illustration 10900 for vehicular communication devices to verify sources of data according to some aspects of this disclosure. As shown in FIG. 109, vehicular communication devices 10902-10906 may belong to cluster 10910”, para. 0886), each subsystem comprising:
an integrated identifier memory (“memory”, para. 0903) storing a cryptographic key (“private key”, para. 0888, see also “11404”, Fig. 114) unique to that subsystem (“A vehicular communication device may be provided with a certificate from a particular trusted authority, such as a vehicle manufacturer or service provider. The certificate may include a public key and metadata detailing information about the certificate (e.g., the identity of the issuer, validity time, etc.). The certificate can also be signed with a hash that is usable to verify whether the certificate has been tampered. The vehicular communication device that possesses the certificate may also have a private key corresponding to the public key specified in the certificate”, para. 0888, “the vehicular communication device may store the approved certificate in a memory component for future communications”, para. 0903); 
a communication unit (“vehicular communication devices 10902”, Fig. 109) being configured to facilitate communication with the other subsystems (“As shown in FIG. 109, vehicular communication devices 10902-10906 may belong to cluster 10910, while vehicular communication devices 10920-10930 may be external to cluster 10910. In some aspects, the vehicular communication devices of cluster 10910 may coordinate to manage channel resources between multiple vehicular radio communication technologies, such as DSRC, LTE V2V/V2X, and/or any other vehicular radio communication technologies”, para. 0886); and 
a control unit (“controller 606”, Fig. 6, “FIG. 5 shows an exemplary internal configuration of a vehicular communication device 500”, para. 0190, “As shown in FIG. 6, radio communication arrangement 504 may include RF transceiver 602, digital signal processor 604, and controller 606”, para. 0192, see also “controller 12300”, Fig. 150, “FIG. 150 shows an exemplary internal configuration of a vehicular communication device acting as a cluster head”, para. 1144) being configured to send a signal (“messages”, para. 0888, see also “message” of “11404”, Fig. 114) via the communication unit to the communication units (“vehicular communication devices 10902 and 10906”, Fig. 109, see also “one or more other devices” of “11406”, Fig. 114) of the other subsystems (“The internal components of vehicular communication device 500 may be arranged around a vehicular housing of vehicular communication device 500, mounted on or outside of the vehicular housing, enclosed within the vehicular housing, or any other arrangement relative to the vehicular housing where the internal components move with vehicular communication device 500 as it travels. The vehicular housing, such as an automobile body, plane or helicopter fuselage, boat hull, or similar type of vehicular body dependent on the type of vehicle that vehicular communication device 500 is”, para. 0190, (“vehicular communication devices 10902-10906 may be configured to verify sources of data within cluster 10910, such as with the other vehicular communication devices in the cluster…Vehicular communication devices 10902-10906 may utilize certificates and signatures provided to verify data sources”, para. 0887,
“The vehicular communication device may therefore be able to create signatures for messages using the private key, such as by processing the data in the message using the private key to derive a signature that uniquely depends on both the data in the message and the private key. The vehicular communication device may then send the message, signature, and certificate to another vehicular communication device (where the private key remains secret)”, para. 0888), the signal including the cryptographic key, and to decrypt a cryptographic key of a signal being communicated by one of the other subsystems (“The other vehicular communication device may then use the public key specified in the certificate to check whether the signature is valid. As only devices that know the private key can create signatures that can be verified with the public key in the certificate, the other vehicular communication device may be able to determine whether the vehicular communication devices knows the private key (and is thus assumed to be trusted by the trusted authority). Vehicular communication devices that can sign messages with a valid signature for a certificate issued by a trusted authority may therefore also be assumed to be trusted”, para. 0888), and to communicate to the subsystems that the cryptographic key of the subsystem is expired (see “validity time”, para. 0888, see also “duration”, para. 0364, “a selected radio communication technology resource for the plurality of vehicular communication devices may include one or more radio communication technology resource candidates for the plurality of vehicular communication devices…the radio communication technology resource for the plurality of vehicular communication devices may specify a duration for which the selected radio communication technology resource is valid”, para. 0364).

Aldana does not explicitly teach wherein the signal is a malfunction signal; nor wherein the control unit is further configured to:
assess a malfunction of the subsystem; and
initiate collective safety management of the subsystems when the decrypted cryptographic key is valid. 
However, USDOT teaches Vehicle-to-Vehicle Communications, comprising:
assessing a malfunction (“malfunction”, first para. of pg. 42, see also “current vehicle conditions” and “necessary evaluations”, Section C., pg. 70) of a subsystem (“vehicle”, first para. of pg. 42) (“There are a couple of types of roadside infrastructure that may be involved in facilitating DSRC-based V2V, as discussed in Section III.D.3. Communications infrastructure physically helps get the messages from the vehicles to and from the SCMS (as at first usage, when the vehicle is self-reporting a malfunction, or when it is reporting on another vehicle’s perceived malfunction), and helps get new certificates and the CRL from the SCMS to the V2V-equipped fleet”, Section IV.5., pg. 41-42); and
initiating collective safety management (“warning about potential danger through a safety application”, Section V.C., pg. 70) of the subsystems (“vehicles”, Section V.C., pg. 70) when a decrypted cryptographic key (“message”, Section V.D.1.a., pg. 72) is valid 
(“V2V communications is based on the wireless exchange of messages between vehicles. The messages provide information that a device can then use to provide a warning about potential danger through a safety application. Fundamentally, the basic hardware of a DSRC device is analogous to a common radio that not only receives information but transmits data as well. As a result the “core” of a DSRC device will be the software that gives devices the “intelligence” needed to determine and transmit current vehicle conditions and perform the necessary evaluations to potentially issue a warning. At the most basic level, a device will require low-level components to both transmit and receive the basic safety message; a relatively simple operating system; connection to a driver-vehicle interface; and algorithms to control the issuance of warnings (along with continual device diagnosis)”, Section V.C., pg. 70,
“V2V communications consists of two types of messages: safety messages and certificate exchange messages. The safety messages are used to support the safety applications…NHTSA’s current research is based on the assumption that the V2V system will use a Public Key Infrastructure (PKI) to authenticate messages…PKI uses certificates to inform a receiving device that the message is from a trusted source, and it uses cryptography to send encrypted message content. For V2V communications,…messages that contain security information (e.g., certificates) are trusted and the contents encrypted”, Section V.D.1.a., pg. 72).
All the components are known in Aldana and USDOT. Both teach communications between vehicles to achieve joined operation. Aldana teaches all the limitations, but for wherein the signal being communicated between vehicles is indicative of a malfunction of one of the vehicles and performing a subsequent action in response to said malfunction. Thus, USDOT is relied upon to show that that identifying malfunctions of vehicles in V2V systems and transmitting a signal indicative of said malfunctions to other vehicles in the V2V system was known before the effective filing date (see citations of USDOT above). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine the inventions of Aldana and USDOT such that the “controller 606” (Fig. 6) of Aldana is configured to assess the “vehicular communication device 10904” (Fig. 109) of Aldana to be malfunctioning, as taught by USDOT (“when the vehicle is self-reporting a malfunction”, Section IV.5., pg. 41-42), wherein the “messages” (para. 0888, see also “message” of “11404”, Fig. 114) of Aldana would be structured as the “messages” (Section V.D.1.a., pg. 72) of USDOT. The motivation for doing so would be for use “by other vehicles for a variety of crash avoidance applications”, as taught by USDOT (Section V.D.1.a., pg. 72).

Regarding claim 2, Aldana further teaches wherein a unique cryptographic key is allocated to each subsystem of the SCS (“FIG. 112 is an exemplary illustration 11200 showing a manufacturer 11202 providing a certificate 11204 to a vehicular communication device 11206. It is appreciated that other providing and/or manufacturing entities (e.g., service providers, regulatory authorities, etc.) may implement a similar method as shown with respect to manufacturer 11202”, para. 0909, “The certificates may specify a public key and metadata for the certificate, and may optionally be signed with a hash”, para. 0910).

Regarding claim 10, Aldana further teaches a safety cloud backend (“network 11210”, Fig. 12) configured to allocate the cryptographic key to each subsystem of the SCS (“FIG. 112 is an exemplary illustration 11200 showing a manufacturer 11202 providing a certificate 11204 to a vehicular communication device 11206. It is appreciated that other providing and/or manufacturing entities (e.g., service providers, regulatory authorities, etc.) may implement a similar method as shown with respect to manufacturer 11202”, para. 0909, “The certificates may specify a public key and metadata for the certificate, and may optionally be signed with a hash”, para. 0910).

Regarding claims 7 and 14, Aldana further teaches wherein the SCS is a transportation system comprising autonomous vehicles, the autonomous vehicles constituting the subsystems of the SCS (“steering and movement system 502 may also include autonomous driving functionality, and accordingly may also include a central processor configured to perform autonomous driving computations and decisions and an array of sensors for movement and obstacle sensing. The autonomous driving components of steering and movement system 502 may also interface with radio communication arrangement 504 to facilitate communication with other nearby vehicular communication devices and/or central networking components that perform decisions and computations for autonomous driving”, para. 0190).

Claim(s) 3-6, 11-13 is/are rejected under 35 U.S.C. 103 as being unpatentable over Aldana et al. (US 2020/0120458 A1) in view of U.S. Department of Transportation (USDOT) National Highway Traffic Safety Administration: Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application (NPL) in view of DiCrescenzo (US 2011/0083011 A1).
Regarding claim 3, Aldana in view of USDOT do not explicitly teach wherein the expiration of the cryptographic key of the malfunctioning subsystem is communicated to a safety cloud backend of the SCS.
However, DiCrescenzo teaches a method for public-key infrastructure for vehicular networks with a limited number of infrastructure servers, comprising:
an expiration of a cryptographic key (“certificates”, para. 0063) of a subsystem (“vehicle 20”, Fig. 1) is communicated to a safety cloud backend (“network 50”, Fig. 1, para. 0059) of a safety critical system (SCS) (“static system 100”, Fig. 2) (“For vehicle to vehicle (V2V) communications 22, where vehicles have little or no infrastructure network connectivity, a vehicular network needs to satisfy suitable extensions of the previously formulated security and privacy requirements”, para. 0048, “The present invention includes techniques to support vehicular network public-key infrastructure (VN-PKI) operations using a PKI module 90”, para. 0059, “Embodiments of the present invention provide certificate replacement for expired and revoked certificates. Users with a high level of infrastructure connectivity using a public-key infrastructure (PKI) system use pre-established highly trusted authorities referred to as the certificate authorities (CAs) which have the power to issue, revoke, and replace certificates”, para. 0073, “In the first technique, a vehicle with an expired certificate contacts the CA 74 when it moves into the radio coverage area of an infrastructure radio base station such as a static 110 (FIG. 2) or mobile server to request a replacement certificate”, para. 0080).

All the components are known in Aldana, USDOT, and DiCrescenzo. Aldana in view of USDOT teach all the limitations but for communicating the expiration of the “certificate” which includes “a public key and metadata detailing information about the certificate” (para. 0088) of Aldana to a cloud backend. Thus, DiCresenzo is relied upon to show that it was known in the art to communicate with a backend system once a certificate has expired (see citations of DiCresenzo). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine the inventions of Aldana in view of USDOT and DiCresenzo such that the expiration of the of the cryptographic key is communicated to a remote server. The motivation for doing so would be “For vehicle to vehicle (V2V) communications 22, where vehicles have little or no infrastructure network connectivity, a vehicular network needs to satisfy suitable extensions of the previously formulated security and privacy requirements”, as taught by DiCresenzo (para. 0048). 

Regarding claim 4, Aldana further teaches wherein a unique cryptographic key is allocated to each subsystem of the SCS via a safety cloud backend (“network 11210”, Fig. 112) of the SCS (“FIG. 112 is an exemplary illustration 11200 showing a manufacturer 11202 providing a certificate 11204 to a vehicular communication device 11206. It is appreciated that other providing and/or manufacturing entities (e.g., service providers, regulatory authorities, etc.) may implement a similar method as shown with respect to manufacturer 11202”, para. 0909, “As shown, manufacturer 11202 provides a certificate 11204 which it registers with network 11210 certifying that all devices with certificate 11204 comes from a trusted authority, e.g., the vehicle manufacturer. The certificates may specify a public key and metadata for the certificate, and may optionally be signed with a hash”, para. 0910).

Regarding claim 11, Aldana in view of USDOT do not explicitly teach wherein each control unit is configured to communicate an expiration of the cryptographic key to the safety cloud backend of the SCS.
However, DiCrescenzo teaches a method for public-key infrastructure for vehicular networks with a limited number of infrastructure servers, comprising:
communicating an expiration of a cryptographic key (“certificates”, para. 0063) of a subsystem (“vehicle 20”, Fig. 1) to a safety cloud backend (“network 50”, Fig. 1, para. 0059) of a safety critical system (SCS) (“static system 100”, Fig. 2) (“For vehicle to vehicle (V2V) communications 22, where vehicles have little or no infrastructure network connectivity, a vehicular network needs to satisfy suitable extensions of the previously formulated security and privacy requirements”, para. 0048, “The present invention includes techniques to support vehicular network public-key infrastructure (VN-PKI) operations using a PKI module 90”, para. 0059, “Embodiments of the present invention provide certificate replacement for expired and revoked certificates. Users with a high level of infrastructure connectivity using a public-key infrastructure (PKI) system use pre-established highly trusted authorities referred to as the certificate authorities (CAs) which have the power to issue, revoke, and replace certificates”, para. 0073, “In the first technique, a vehicle with an expired certificate contacts the CA 74 when it moves into the radio coverage area of an infrastructure radio base station such as a static 110 (FIG. 2) or mobile server to request a replacement certificate”, para. 0080).
All the components are known in Aldana, USDOT, and DiCrescenzo. Aldana in view of USDOT teach all the limitations but for communicating the expiration of the “certificate” which includes “a public key and metadata detailing information about the certificate” (para. 0088) of Aldana to a cloud backend. Thus, DiCresenzo is relied upon to show that it was known in the art to communicate with a backend system once a certificate has expired (see citations of DiCresenzo). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine the inventions of Aldana in view of USDOT and DiCresenzo such that each “controller 606” (Fig. 6) of Aldana communicates the expiration of the of the cryptographic key is to a remote server. The motivation for doing so would be “For vehicle to vehicle (V2V) communications 22, where vehicles have little or no infrastructure network connectivity, a vehicular network needs to satisfy suitable extensions of the previously formulated security and privacy requirements”, as taught by DiCresenzo (para. 0048). 

Regarding claims 5 and 12, DiCresenzo further teaches: allocating, by the safety cloud backend, a new cryptographic key to the malfunctioning subsystem after the joined safety management has been terminated (“Certificates in a PKI-based system usually have an expiry attribute that is used to determine the validity of the certificates. When certificates expire, they need to be replaced”, para. 0063, see also “request a replacement certificate”, para. 0080).

Regarding claim 6, USDOT further teaches wherein the joined safety management comprises an emergency stop of the malfunctioning subsystem (“Emergency Electronic Brake Light enables a vehicle to warn its driver to brake in a situation where another V2V-equipped vehicle decelerates quickly but may not be directly in front of the warning vehicle”, Section III.C.1.c., pg. 27).

Regarding claim 13, USDOT further teaches initiating an emergency stop of the corresponding subsystem when a malfunction of this subsystem is assessed and joined safety management is initiated (“Emergency Electronic Brake Light enables a vehicle to warn its driver to brake in a situation where another V2V-equipped vehicle decelerates quickly but may not be directly in front of the warning vehicle”, Section III.C.1.c., pg. 27, see also Section IV.5., pg. 41-42 and Section V.C., pg. 70 citations in the rejection to claim 9).  


Claim(s) 8 and 15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Aldana et al. (US 2020/0120458 A1) in view of U.S. Department of Transportation (USDOT) National Highway Traffic Safety Administration: Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application (NPL) in view of Dudar (US 2018/0047293 A1).
Regarding claim 8, Aldana in view of USDOT do not explicitly teach wherein the joined safety management comprises collectively adapting individual movements of the subsystems. 
USDOT instead teaches providing a “warning about potential danger through a safety application”, (Section V.C., pg. 70). However, collectively controlling vehicles in a fleet if one vehicle is malfunctioning was known in the art. See, Dudar teaches platooning autonomous vehicle navigation sensory exchange, comprising:
wherein a joined safety management comprises collectively adapting individual movements of subsystems (“other vehicles in the platoon”, para. 0012, see also “FIG. 3 illustrates multiple vehicles traveling in a forward direction 305 in a platoon”, para. 0021) (“As illustrated in FIG. 1, a host vehicle 100, which may be the lead vehicle in a platoon, includes a platooning system 105 that transmits control signals to other vehicles in the platoon. The control signals may coordinate the collective movement of the vehicles in the platoon, including causing the platoon to move in a reverse direction. For instance, the platooning system 105 may determine whether the platoon needs to move in the reverse direction. The platooning system 105 may make such a determination if, e.g., the roadway is unexpectedly closed or blocked, the lead vehicle misses a turn, etc.”, para. 0012).
All the components are known in Aldana, USDOT, and Dudar. Aldana in view of USDOT teach all the limitations but for collectively adapting individual movements of the subsystems. Thus, Dudar is relied upon to show that it was known in the art to collectively control vehicles operating in a platoon (see citations of Dudar, see also Fig. 3-4). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine the inventions of Aldana in view of USDOT and Dudar such that the vehicles comprising the “Vehicular communication devices 10902-10906” (para. 0887) of Aldana operate collectively when receiving the “warning about potential danger through a safety application” (Section V.C., pg. 70) of USDOT. The motivation for doing so would be “greater fuel economy resulting from reduced air resistance, reduced traffic congestion, etc.”, as taught by Dudar (para. 0001). 

Regarding claim 15, Aldana in view of USDOT do not explicitly teach wherein the control units of the subsystems are configured to collectively adapt individual movements of the subsystems within the joined safety management. 
USDOT instead teaches providing a “warning about potential danger through a safety application”, (Section V.C., pg. 70). However, collectively controlling vehicles in a fleet if one vehicle is malfunctioning was known in the art. See, Dudar teaches platooning autonomous vehicle navigation sensory exchange, comprising:
collectively adapting individual movements of subsystems (“other vehicles in the platoon”, para. 0012, see also “FIG. 3 illustrates multiple vehicles traveling in a forward direction 305 in a platoon”, para. 0021) within a joined safety management (“e.g., the roadway is unexpectedly closed or blocked, the lead vehicle misses a turn, etc.”, para. 0012) (“As illustrated in FIG. 1, a host vehicle 100, which may be the lead vehicle in a platoon, includes a platooning system 105 that transmits control signals to other vehicles in the platoon. The control signals may coordinate the collective movement of the vehicles in the platoon, including causing the platoon to move in a reverse direction. For instance, the platooning system 105 may determine whether the platoon needs to move in the reverse direction. The platooning system 105 may make such a determination if, e.g., the roadway is unexpectedly closed or blocked, the lead vehicle misses a turn, etc.”, para. 0012).
All the components are known in Aldana, USDOT, and Dudar and both teach joined safety management. Aldana in view of USDOT teach all the limitations but for collectively adapting individual movements of the subsystems. Thus, Dudar is relied upon to show that it was known in the art to collectively control vehicles operating in a platoon (see citations of Dudar, see also Fig. 3-4). Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date to combine the inventions of Aldana in view of USDOT and Dudar such that such that each “controller 606” (Fig. 6) of the vehicles comprising the “Vehicular communication devices 10902-10906” (para. 0887) of Aldana operate collectively when receiving the “warning about potential danger through a safety application” (Section V.C., pg. 70) of USDOT. The motivation for doing so would be “greater fuel economy resulting from reduced air resistance, reduced traffic congestion, etc.”, as taught by Dudar (para. 0001). 
Conclusion

The prior art made of record and not relied upon is considered pertinent to Applicant's disclosure:  See Notice of References Cited.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to AMELIA VORCE whose telephone number is (313) 446-4917.  The examiner can normally be reached on Monday-Friday, 8AM-5PM, MT.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Christian Chace can be reached at (571) 272-4190.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
	
	/A.V./               Examiner, Art Unit 3665                                                                                                                                                                                         /CHRISTIAN CHACE/Supervisory Patent Examiner, Art Unit 3665