Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
Claim Rejections - 35 USC § 102
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


Claim(s) 1, 10, 11, and 20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Egnor (U.S. Patent No. 9195232).
Regarding claim 1:
Egnor teaches:
A computer-implemented method for vehicle component fault detection, the method comprising: monitoring a health status of a first vehicle component over a period of time; (“the system may also include a monitoring system or component configured to check the operations of the secondary and primary controller set up in the redundant configuration.” [Column 14 lines 10-13]; here it shows a monitoring system for monitoring the health of vehicle components over time.)
detecting failure of the first vehicle component; (“As a primary controller, the controller may execute main controls of the vehicle, which may cause the vehicle to rely on the primary controller to control one or multiple functions of the vehicle unless the system detects that the controller may have failed due to an error (e.g., due to a software bug or power failure).” [Column 12 lines 58-63]; here it shows that a failure in the primary controller can be detected.)
determine a failure level associated with the failure of the first vehicle component; (“This may enable the system 414 to determine any possible failures that may require the system or a control module within the system to transfer control of one or multiple vehicle functions to another microprocessor, such as a microprocessor serving as a safety controller.” [Column 19 lines 35-39]; here it shows that different failures can be determined and it can be determined that a failure level is severe enough that control must be transferred to another vehicle component.)
determining, based at least in part on the failure level and a component type of the first vehicle component, a vehicle component task reassignment; (“This may enable the system 414 to determine any possible failures that may require the system or a control module within the system to transfer control of one or multiple vehicle functions to another microprocessor, such as a microprocessor serving as a safety controller.” [Column 19 lines 35-39])
and implementing the vehicle component task reassignment at least in part by offloading at least a portion of the task processing performed by the first vehicle component prior to failure to a second vehicle component, (“This may enable the system 414 to determine any possible failures that may require the system or a control module within the system to transfer control of one or multiple vehicle functions to another microprocessor, such as a microprocessor serving as a safety controller.” [Column 19 lines 35-39]; here again it shows that the reassignment involves transferring control of the primary controller to a second safety controller.)
wherein an operational health of the second vehicle component satisfies one or more operational health criteria. (“some example systems may include a control module configured to transfer control of vehicle operations between microprocessors, such as between the primary controller and the secondary controller. The control module may be configured to transfer control based on detecting a fault at one of the primary and the secondary controller in order to ensure proper control of the vehicle. In some instances, the control module may detect a common fault of the primary controller and the secondary controller. The common fault, which may also be described as a simultaneous failure of the primary controller and the secondary controller, may occur due to a variety of reasons, such as common errors of the controllers executing logic, cascading errors, or other situations where simple redundancy may be insufficient, for example. In some instances, the control module may be configured to responsively output a common fault signal. The common fault may cause the primary controller and the secondary controller to require a reset, which may further involve the control module transferring control to another microprocessor within the system, such as a safety controller.” [Column 3 line 57 - Column 4 line 10]; here it shows that the controllers are monitored to ensure that they satisfy healthy operation, and control is transferred to the controller that satisfies healthy control, in this case, a safety controller assumes control while the primary and secondary controllers reset themselves.)

Regarding claims 10 and 20:
Egnor teaches all of the limitations of claims 1 and 11.
Egnor further teaches:
The computer-implemented method of claim 1, further comprising: performing a real-time fault diagnosis for the first vehicle component; (“The control module may be configured to transfer control based on detecting a fault at one of the primary and the secondary controller in order to ensure proper control of the vehicle.” [Column 3 lines 60-63])
initiating, based at least in part on the real-time fault diagnosis, a fault recovery process for the first vehicle component; (“In some instances, the control module may detect a common fault of the primary controller and the secondary controller. The common fault, which may also be described as a simultaneous failure of the primary controller and the secondary controller, may occur due to a variety of reasons, such as common errors of the controllers executing logic, cascading errors, or other situations where simple redundancy may be insufficient, for example. In some instances, the control module may be configured to responsively output a common fault signal. The common fault may cause the primary controller and the secondary controller to require a reset,” [Column 63 – Column 4 line 6])
determining that an operational health of the first vehicle component has been restored to at least a threshold operational health level; (“The reset module may reset microprocessors, such as the primary controller and the secondary controller based on detecting a common fault between the two controllers, for example. Additionally, the reset module may also be configured to transfer or cause the transfer of control from a safety controller or another microprocessor back to the primary controller and/or secondary controller after the primary controller and/or secondary controller completes resetting.” [Column 4 lines 57-64])
reverting back to a vehicle component task assignment prior to the failure of the first vehicle component, wherein reverting back to the vehicle component task assignment comprises reassigning the at least a portion of the task processing from the second vehicle component back to the first vehicle component. (“The reset module may reset microprocessors, such as the primary controller and the secondary controller based on detecting a common fault between the two controllers, for example. Additionally, the reset module may also be configured to transfer or cause the transfer of control from a safety controller or another microprocessor back to the primary controller and/or secondary controller after the primary controller and/or secondary controller completes resetting.” [Column 4 lines 57-64])

Regarding claim 11.
Egnor teaches:
A system for vehicle component fault detection, the system comprising: at least one processor; and at least one processor; and at least one memory storing computer-executable instructions, wherein the at least one processor is configured to access the at least one memory and execute the computer-executable instructions to: (“The computing device 111 may include a processor 113, and a memory 114. The computing device 111 may be a controller, or part of the controller, of the vehicle 100. The memory 114 may include instructions 115 executable by the processor 113, and may also store map data 116.” [Column 5 lines 19-23])
monitor a health status of a first vehicle component over a period of time; (“the system may also include a monitoring system or component configured to check the operations of the secondary and primary controller set up in the redundant configuration.” [Column 14 lines 10-13]; here it shows a monitoring system for monitoring the health of vehicle components over time.)
detect failure of the first vehicle component; (“As a primary controller, the controller may execute main controls of the vehicle, which may cause the vehicle to rely on the primary controller to control one or multiple functions of the vehicle unless the system detects that the controller may have failed due to an error (e.g., due to a software bug or power failure).” [Column 12 lines 58-63]; here it shows that a failure in the primary controller can be detected.)
determine a failure level associated with the failure of the first vehicle component; (“This may enable the system 414 to determine any possible failures that may require the system or a control module within the system to transfer control of one or multiple vehicle functions to another microprocessor, such as a microprocessor serving as a safety controller.” [Column 19 lines 35-39]; here it shows that different failures can be determined and it can be determined that a failure level is severe enough that control must be transferred to another vehicle component.)
determine, based at least in part on the failure level and a component type of the first vehicle component, a vehicle component task reassignment; (“This may enable the system 414 to determine any possible failures that may require the system or a control module within the system to transfer control of one or multiple vehicle functions to another microprocessor, such as a microprocessor serving as a safety controller.” [Column 19 lines 35-39])
implement the vehicle component task reassignment at least in part by offloading at least a portion of the task processing performed by the first vehicle component prior to failure to a second vehicle component, (“This may enable the system 414 to determine any possible failures that may require the system or a control module within the system to transfer control of one or multiple vehicle functions to another microprocessor, such as a microprocessor serving as a safety controller.” [Column 19 lines 35-39]; here again it shows that the reassignment involves transferring control of the primary controller to a second safety controller.)
wherein an operational health of the second vehicle component satisfies one or more operational health criteria. (“some example systems may include a control module configured to transfer control of vehicle operations between microprocessors, such as between the primary controller and the secondary controller. The control module may be configured to transfer control based on detecting a fault at one of the primary and the secondary controller in order to ensure proper control of the vehicle. In some instances, the control module may detect a common fault of the primary controller and the secondary controller. The common fault, which may also be described as a simultaneous failure of the primary controller and the secondary controller, may occur due to a variety of reasons, such as common errors of the controllers executing logic, cascading errors, or other situations where simple redundancy may be insufficient, for example. In some instances, the control module may be configured to responsively output a common fault signal. The common fault may cause the primary controller and the secondary controller to require a reset, which may further involve the control module transferring control to another microprocessor within the system, such as a safety controller.” [Column 3 line 57 - Column 4 line 10]; here it shows that the controllers are monitored to ensure that they satisfy healthy operation, and control is transferred to the controller that satisfies healthy control, in this case, a safety controller assumes control while the primary and secondary controllers reset themselves.)

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.
The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claims 2-9 and 12-19 are rejected under 35 U.S.C. 103 as being unpatentable over Egnor (U.S. Patent No. 9195232) in view of Somers (U.S. Publication No. 20200201335).
Regarding claims 2 and 12:
Egnor teaches all of the limitations of claims 1 and 11.
Somers further teaches:
wherein detecting the failure of the first vehicle component comprises determining that a latency associated with the task processing performed by the first vehicle component has increased by at least a threshold amount during the period of time. (“The latency threshold component 136 may include information about latency thresholds for each of the systems of the vehicle 102. For example, the latency threshold component 136 may determine whether a latency determined by the latency determination component 134 falls within a threshold or expected latency range. When the latency for one of the systems is outside of the expected range, the latency threshold component 136 may determine an anomalous performance event. As described further herein, the latency threshold component 136 may also be configured to determine the latency thresholds or ranges for one or more of the systems of the vehicle 102. For example, the latency threshold component 136 may receive historical data indicating actual latency data (which may include statistical data) for one or more the systems, and determine an acceptable operating range based on the historical latencies.” [0039])
Egnor and Somers are analogous art because they are in the same field of art, autonomous vehicle controls. It would have been obvious to one of ordinary skill in the art, at the time of filing, to modify the computer-implemented method of Egnor to include the ability to determine a latency error as taught by Somers in order to determine that a latency associated with a task processing has increased by at least a threshold amount during the period of time. The teaching suggestion/motivation to combine is that it will help prevent a system malfunction which may result in unsafe operation as taught by Somers in paragraph [0001].

Regarding claims 3 and 13:
Egnor in view of Somers teaches all of the limitations of claims 2 and 12.
Somers further teaches:
wherein determining the failure level associated with the failure of the first vehicle component comprises: determining a latency associated with the task processing performed by the first vehicle component subsequent to the failure of the first vehicle component or an amount of latency increase associated with the failure of the first vehicle component; (“The latency threshold component 136 may include information about latency thresholds for each of the systems of the vehicle 102. For example, the latency threshold component 136 may determine whether a latency determined by the latency determination component 134 falls within a threshold or expected latency range. When the latency for one of the systems is outside of the expected range, the latency threshold component 136 may determine an anomalous performance event. As described further herein, the latency threshold component 136 may also be configured to determine the latency thresholds or ranges for one or more of the systems of the vehicle 102. For example, the latency threshold component 136 may receive historical data indicating actual latency data (which may include statistical data) for one or more the systems, and determine an acceptable operating range based on the historical latencies.” [0039])
determining the failure level from a mapping of failure levels to latency ranges or ranges of latency changes. (“The latency component 532 can also compare determined latencies (or statistical attributes of aggregated information) to latency thresholds or latency ranges to determine whether the vehicle 502 or some system of the vehicle 502 is functioning properly. By way of nonlimiting example, each system on the vehicle 502, e.g., the localization system 520, the perception system 522, each of the sensor system(s) 506, or the like, may have a different acceptable range of latencies i.e. equal to or above a first threshold latency and/or equal to or below a second (e.g., higher) threshold latency. In some examples, calculations may comprise comparing a latency with a min, max, mean, variance/standard deviation, etc of previously collected nominal operating behavior. In implementations described herein, the latency component 532 can compare a latency determined for a given system to the acceptable latency range of that system. When the calculated latency is within the acceptable range, the vehicle may be deemed to be functioning as expected. However, when the calculated latency is outside the acceptable latency range, the latency component 532 may identify an anomalous latency event. In some examples, information about the anomalous latency event may be provided to the safe state component 536 to take some safe action. The safe state component 536 is described in more detail below.” [0075])

Regarding claims 4 and 14:
Egnor teaches all of the limitations of claims 1 and 11.
Egnor further teaches:
wherein determining the vehicle component task reassignment comprises: determining that a component type of the second vehicle component matches the component type of the first vehicle component; (“At block 304, the method 300 may also include providing a secondary controller configured in a redundant configuration as the primary controller.” [Column 13 lines 55-57]; here it shows that the secondary controller is configured to operate the same way as the primary controller.)
determining that offloading the at least a portion of the task processing performed by the first vehicle component prior to failure to the second vehicle component would satisfy minimum vehicle operational requirements. (“some example systems may include a control module configured to transfer control of vehicle operations between microprocessors, such as between the primary controller and the secondary controller. The control module may be configured to transfer control based on detecting a fault at one of the primary and the secondary controller in order to ensure proper control of the vehicle. In some instances, the control module may detect a common fault of the primary controller and the secondary controller. The common fault, which may also be described as a simultaneous failure of the primary controller and the secondary controller, may occur due to a variety of reasons, such as common errors of the controllers executing logic, cascading errors, or other situations where simple redundancy may be insufficient, for example. In some instances, the control module may be configured to responsively output a common fault signal. The common fault may cause the primary controller and the secondary controller to require a reset, which may further involve the control module transferring control to another microprocessor within the system, such as a safety controller.” [Column 3 line 57 - Column 4 line 10]; here it shows that the controllers are monitored to ensure that they satisfy healthy operation, and control is transferred to the controller that satisfies healthy control, in this case, a safety controller assumes control while the primary and secondary controllers reset themselves.)
Somers also teaches 
determining that offloading the at least a portion of the task processing performed by the first vehicle component prior to failure to the second vehicle component would satisfy minimum vehicle operational requirements. (“The safe state component 138 may receive event information from the latency threshold component 136, e.g., when the latency threshold component 136 detects an anomalous event, and institute one or more operations in response to the event. In the illustrated example, the safe state component 138 may control the vehicle 102 by issuing a safe state control 140. For example, the safe state control 140 can control the vehicle 102 to execute a safe stop maneuver. An example safe stop maneuver may include controlling the vehicle 102 to follow a trajectory 142, e.g., along which the vehicle 102 can safely navigate to the side of the road. Once on the side of the road, the vehicle 102 may be placed in a safety state, e.g., in which some or all functionality is disabled. The vehicle 102 may remain in this state until further diagnostics or the like are carried out, e.g., to determine a source of the anomalous latency event and/or to correct the event.” [0040]; here it shows that when a vehicle component has failed due to latency, the processing can be offloaded to a vehicle safe state component that will control the vehicle to satisfy minimum vehicle operational requirements.)


Regarding claims 5 and 15:
Egnor and Somers teach all of the limitations of claims 4 and 14.
Somers further teaches:
wherein determining that offloading the at least a portion of the task processing performed by the first vehicle component prior to failure to the second vehicle component would satisfy minimum vehicle operational requirements comprises: determining a change in latency associated with the second vehicle component performing the at least a portion of the task processing instead of the first vehicle component; (“The safe state component 138 may receive event information from the latency threshold component 136, e.g., when the latency threshold component 136 detects an anomalous event, and institute one or more operations in response to the event. In the illustrated example, the safe state component 138 may control the vehicle 102 by issuing a safe state control 140.” [0040]; here it shows that when a change in latency exceeds a threshold, control can be transferred to a second vehicle component, in this case a safe state component that controls the vehicle to satisfy minimum vehicle operational requirements.)
determining that the change in latency requires a corresponding change in a vehicle speed; (“The safe state control 140 that causes the vehicle 102 to follow the trajectory 142 is only one example of a safe state control. In other examples, instead of bringing the vehicle 102 to a complete stop, the safe state component 138 may control the vehicle 102 to slow down. For example, travelling at a lower speed may be more tolerant of events, e.g., because an acceptable latency range may be larger at a slower speed.” [0041])
and determining that the change in the vehicle speed would result in the vehicle speed after the change being not less than a threshold minimum vehicle speed. (“The safe state control 140 that causes the vehicle 102 to follow the trajectory 142 is only one example of a safe state control. In other examples, instead of bringing the vehicle 102 to a complete stop, the safe state component 138 may control the vehicle 102 to slow down. For example, travelling at a lower speed may be more tolerant of events, e.g., because an acceptable latency range may be larger at a slower speed.” [0041]; here it shows that instead of bringing the vehicle to a threshold minimum vehicle speed of 0, the vehicle can be slowed down.)

Regarding claim 6 and 16:
Egnor in view of Somers teaches all of the limitations of claims 5 and 15. 
Somers further teaches:
further comprising initiating the change in the vehicle speed in connection with implementing the vehicle component task reassignment. (“when the latency is outside of an expected latency range, an anomalous latency event can be identified, and a safe action can be taken in response to the action.” [0042]; here it shows that the safe action of changing the vehicle speed occurs when the latency is outside of an expected latency range and control is transferred to a safe state control component as seen in [0040])

Regarding claims 7 and 17:
Egnor teaches all of the limitations of claims 1 and 11.
Somers further teaches:
wherein determining the vehicle component task reassignment comprises: identifying a third vehicle component associated with a component type that is the same as the component type of the first vehicle component; (“Fig. 7 shows that CPU usage is determined for multiple different systems to see if they are within acceptable usage ranges.”)
determining that offloading the at least a portion of the task processing performed by the first vehicle component prior to failure to the third vehicle component would results in at least a threshold amount of performance degradation for the third component; (Fig. 7 again shows in box 712 that when the vehicle components are outside an acceptable usage range, control is transferred to a safe state component prior to failure for safe control.)
identifying the second vehicle component, wherein a component type of the second vehicle component is different from the component type of the first vehicle component; (Fig. 7 shows that CPU usages for multiple systems, alike or different, are determined.)
determining that the operational health of the second vehicle component satisfies one or more operational health criteria. (Fig. 7 shows in box 706 that it is determined that the systems are operation within an acceptable range.)
Egnor and Somers are analogous art because they are in the same field of art, autonomous vehicle controls. It would have been obvious to one of ordinary skill in the art, at the time of filing, to modify the method taught by Egnor to further include the functionality of Somers in order to determine the operational health of multiple vehicle components for task reassignment. The teaching suggestion/motivation to combine is that it will help prevent a system malfunction which may result in unsafe operation as taught by Somers in paragraph [0001].
Regarding claims 8 and 18:
Egnor in view of Somers teaches all of the limitations of claims 7 and 17.
Somers further teaches:
wherein determining that the operational health of the second vehicle component satisfies one or more operational health criteria comprises determining that the second vehicle component has at least a threshold amount of available processing capacity. (See Fig. 7 box 706)

Regarding claims 9 and 19:
Egnor in view of Somers teaches all of the limitations of claims 7 and 17.
Somers further teaches:
wherein determining that the operational health of the second vehicle component satisfies one or more operational health criteria comprises determining that offloading the at least a portion of the task processing performed by the first vehicle component prior to failure to the second vehicle component would result in less than the threshold amount of performance degradation. (Figure 7 shows that when it is determined that the CPU usage is out of an acceptable range, control is offloaded to a safe state component that will operate the vehicle without performance degradation.)
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMAL A SHAH whose telephone number is (571)272-5782. The examiner can normally be reached M-F 8 am-5 pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Burke can be reached on 571-270-3844. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAMAL A SHAH/Examiner, Art Unit 3664                                                                                                                                                                                                        
/Nicholas Kiswanto/Primary Examiner, Art Unit 3664