DETAILED ACTION
Notice of AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim(s) 1-13 are pending.
Claim(s) 1-13 are rejected.
Priority
Foreign:
	Acknowledgment is made of applicant’s claim of foreign priority to application no. DE102018120347.0 filed on 08/21/2018.
PCT:
	Acknowledgment is made of applicant’s claim for priority to PCT application no. PCT/EP2019/066170 filed on 06/19/2019.
Information Disclosure Statement
The information disclosure statements (IDS) submitted on 04/06/2021 and 02/21/2021 are in compliance with the provisions of 37 CFR 1.97. Accordingly, the information disclosure statements are being considered by the examiner.
Drawings
Drawings filed on 02/21/2021 are found to be acceptable for examination purposes.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f), is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f):
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f). The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f), is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f). The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f), is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f), except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f), except as otherwise indicated in an Office action.

This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f), because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitation(s) is/are:
“a platform” in claim 1.
“a fail-safe peripheral module” in claim 1.
“a safe runtime environment” in claims 1, 4-6, and 8.
“the manipulators” in claims 8 and 10.

The claim limitations identified above use generic placeholders for performing the claimed function, and the generic placeholders are modified by functional language as discussed below:
The generic placeholder “a platform” is modified by the functional language “configured to execute user programs”.
The generic placeholder “a fail-safe peripheral module” is modified by the functional language “configured to couple the user programs with the safety-critical process”.
The generic placeholder “a safe runtime environment” is modified by the functional language: “configured to provide the user programs with safe resources independent of the platform,” “configured to provide the safe resources,” “configured to perform cross comparisons,” “configured to provide timers as a safe resource and to execute tests to verify the timers,” and “configured to execute manipulators”.
The generic placeholder “the manipulators” is modified by the functional language “configured to manipulate the execution of at least one of the first user program, the second user program, and the safe resources,” and “configured to desensitize the safe runtime environment against errors”.

Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f), it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
“a platform” being interpreted to cover the corresponding structure described in the specification paragraph 44: “The automation system includes a platform 12 that serves as a data processing device and a computing unit. The platform 12 may be dedicated hardware 14, real or virtual computing systems 16, or infrastructure 18 provided as a cloud service. The platform 12 may also comprise a combination of the aforementioned equipment.”
“a fail-safe peripheral module” being interpreted to cover the corresponding structure described in the specification paragraph 83: “The monitoring device 70 and the fail-safe peripheral module 20 are coupled to the automation system 10 via a first communication interface 72 and a second communication interface 74. In addition to communication with the automation system, the first communication interface 72 and the second communication interface 74 likewise enable communication between the monitoring device 70 and the fail-safe peripheral module 20. In other words, the monitoring device 70 can communicate with the fail-safe peripheral module 20 via the platform 12.”
“a safe runtime environment” being interpreted to cover the corresponding structure described in the specification paragraphs 49 and 50: “The safe runtime environment 22 is a software layer disposed between the platform 12 and the user programs 24, 26 and provides safe resources 30 to the user programs 24, 26 independent of the platform 12. The safe runtime environment 22 loads the user programs 24, 26, executes them on the platform, and coordinates their interconnections. The safe runtime environment 22 thus itself represents a small platform by means of which the user programs 24, 26 are executed.” (¶49) … “The safe runtime environment 22 may in turn be divided into platform-specific components and platform-independent components, wherein in particular the safe resources 30 are implemented by platform-independent components so that the safe runtime environment 22 can be easily ported to different platforms.” (¶50)
“the manipulators” being interpreted to cover the corresponding structure described in the specification paragraph 60: “The SPM 40 implements a second safety instance 41. The second safety instance may be implemented externally. The second safety instance 41 tests the safe runtime environment 22, in particular the first local safety instance 38, by selective error injection. Error injection occurs via services and manipulators of the safe runtime environment 22 that are activated by the external safety instance 41.”

If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) applicant may: (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f).
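As an added illustration, not part of this Office action or of the application, the following Python model sketches the arrangement the specification passages above describe: a safe runtime layer between an untrusted platform and two diversitary user programs, a self-tested timer supplied as a safe resource, a cross comparison performed by the runtime rather than by the programs, and manipulators that an external safety instance activates for error injection. All names, the 16-bit value range, the limit value, the manipulator names and the test vectors are constructed assumptions for this example.

```python
"""Toy model of the architecture in the claim interpretation above: a safe
runtime layer between an untrusted platform and two diversitary user programs.
It supplies a self-tested timer as a safe resource, cross-compares the two
programs' verdicts itself, and exposes manipulators that an external safety
instance activates for error injection.  All names, limits and test vectors
are constructed for this example."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

MASK = 0xFFFF   # 16-bit process values (constructed assumption)
LIMIT = 0x0800  # above this value the safety function demands STOP
MANIPULATORS = ("skew_timer", "flip_second_input", "stick_first_output")


@dataclass
class SafeResources:
    """Resources provided by the runtime, not the platform.  The timer is
    kept as a plain counter plus its bitwise inverse so that a corrupted
    channel is caught by the runtime's own test each cycle."""
    ticks: int = 0
    ticks_inv: int = MASK
    faults: List[str] = field(default_factory=list)

    def tick(self) -> None:
        self.ticks = (self.ticks + 1) & MASK
        self.ticks_inv = (self.ticks_inv - 1) & MASK

    def timer_ok(self) -> bool:
        return (self.ticks ^ self.ticks_inv) == MASK


def first_program(x: int) -> int:
    """First user program: 1 when a stop is demanded, computed on plain data."""
    return 1 if x > LIMIT else 0


def second_program(x_inv: int) -> int:
    """Second, diversitary user program: consumes the inverted input and emits
    the inverted verdict (0 = stop).  x > LIMIT holds exactly when ~x < ~LIMIT."""
    return 0 if x_inv < (MASK - LIMIT) else 1


class SafeRuntime:
    """Runtime layer: runs both programs, supplies safe resources, performs the
    cross comparison independently of the programs and owns the manipulators.
    User programs never see the manipulators; only activate() reaches them."""

    def __init__(self) -> None:
        self.res = SafeResources()
        self._pending: Set[str] = set()

    def activate(self, name: str) -> None:
        """Arm one manipulator; it injects its fault into the next cycle only."""
        if name not in MANIPULATORS:
            raise KeyError(name)
        self._pending.add(name)

    def cycle(self, x: int) -> str:
        """One execution cycle: RUN, STOP, or SAFE_STATE when the timer test
        or the cross comparison detects a fault."""
        pending, self._pending = self._pending, set()
        if "skew_timer" in pending:           # corrupt one timer channel
            self.res.ticks_inv ^= 0x0001
        self.res.tick()
        if not self.res.timer_ok():
            self.res.faults.append("timer")
            return "SAFE_STATE"
        x_inv = (~x) & MASK
        if "flip_second_input" in pending:    # bit error on the inverted channel
            x_inv ^= 0x8000
        a = first_program(x)
        b = second_program(x_inv)
        if "stick_first_output" in pending:   # platform fault forces verdict 0
            a = 0
        # Cross comparison is done here, by the runtime, not by either program.
        if a != 1 - b:
            self.res.faults.append("cross_compare")
            return "SAFE_STATE"
        return "STOP" if a else "RUN"


def verify_runtime(make_runtime: Callable[[], SafeRuntime],
                   vectors: List[int]) -> Dict[str, bool]:
    """External (second) safety instance: inject each fault on a fresh runtime
    for every test vector and require SAFE_STATE at least once.  A False entry
    means the runtime's checks have a gap for that fault class; a vector set
    that exercises only one verdict would hide such gaps."""
    report: Dict[str, bool] = {}
    for name in MANIPULATORS:
        caught = False
        for x in vectors:
            rt = make_runtime()
            rt.activate(name)
            caught = caught or rt.cycle(x) == "SAFE_STATE"
        report[name] = caught
    return report
```

Running verify_runtime with vectors on both sides of LIMIT reports every injected fault as caught, while a vector set that only ever yields RUN leaves the stuck-output fault undetected, which is the kind of gap the external safety instance exists to find.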
Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 3 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA 35 U.S.C. 112, the applicant), regards as the invention.
Claim 3:
	The claim limitation “the second user program is configured to process data inverse to the first user program” has been evaluated under the three-prong test set forth in MPEP § 2181, subsection I, but the result is inconclusive. Thus, it is unclear whether this limitation should be interpreted under 35 U.S.C. 112(f), because the claim recites a “user program,” which is not directed to a structure, such that the boundaries of this claim limitation are ambiguous; therefore, the claim is indefinite and is rejected under 35 U.S.C. 112(b).
In response to this rejection, applicant must clarify whether this limitation should be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. Mere assertion regarding applicant’s intent to invoke or not invoke 35 U.S.C. 112(f) is insufficient. Applicant may:
(a)	Amend the claim to clearly invoke 35 U.S.C. 112(f) by reciting “means” or a generic placeholder for means, or by reciting “step.” The “means,” generic placeholder, or “step” must be modified by functional language, and must not be modified by sufficient structure, material, or acts for performing the claimed function;
(b)	Present a sufficient showing that 35 U.S.C. 112(f) should apply because the claim limitation recites a function to be performed and does not recite sufficient structure, material, or acts to perform that function; 
(c)	Amend the claim to clearly avoid invoking 35 U.S.C. 112(f) by deleting the function or by reciting sufficient structure, material or acts to perform the recited function; or
(d)	Present a sufficient showing that 35 U.S.C. 112(f) does not apply because the limitation does not recite a function or does recite a function along with sufficient structure, material or acts to perform that function.
Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-2, 4-5, 8, 11, and 13 are rejected under 35 U.S.C. 103 as being unpatentable over Hartung et al. (US20170139411A1) [hereinafter Hartung] and further in view of Ricci et al. (US20190222484A1) [hereinafter Ricci].
Claim 1:
	Regarding claim 1, Hartung discloses, “An automation system for monitoring a safety-critical process, comprising:” [See the automation system for monitoring safety-critical process (e.g.; monitoring process where safety is critical): “An autonomous vehicle platform and safety architecture are described. In embodiments, safety managers implemented as components of a safety architecture for a safety-critical system (e.g., an autonomous vehicle) monitor outputs of linked components of the safety-critical system.” (¶5)];
	“a platform configured to execute user programs,” [See platform 2526 executes user programs (e.g.; executes user programs using resources): “vehicle platform and safety architecture may be implemented in a distributed system, such as over a “cloud” 2524 in a platform 2526. The cloud 2524 includes and/or is representative of the platform 2526 for services 2528 and/or resources 2430.” (¶188)… “The resources 2530 may include applications and/or data that can be utilized while computer processing is executed on servers that are remote from the example device 2502.” “the functionality may be implemented” “via the platform 2526 that abstracts the functionality of the cloud 2524.” (¶189)];
	“a fail-safe peripheral module configured to couple the user programs with the safety-critical process; and” [See user programs are coupled to the safety critical process (e.g.; fail-safe I/O such that safety managers 512, 514 etc. connected to the process components 504, 506 etc.): “The safety-critical system 502 is also illustrated with safety managers 512, 514, 516, 518, these represent functionality to detect failures of one or more of the components 504, 506, 508, and 510 and to handle detected failures,” (¶62)… “The safety managers 512, 514, 516, 518 represent functionality to monitor the associated component for failures. Furthermore, the safety managers represent functionality to monitor outputs (e.g., messages) of components linked to the associated component for failures. The safety managers may monitor the linked components using one or more voting techniques as described above and below. In addition to monitoring the components 504, 506, 508, and 510, the safety managers represent functionality to determine actions to take when components fail and to carry out determined actions.” (¶63)];
	“a safe runtime environment implemented on the platform independently of the user programs and configured to provide the user programs with safe resources independent of the platform.” [See safe runtime environment implemented on the platform 2526 independently of the user programs (e.g.; safe runtime environment with resources 2530 is independent and doesn’t require any user programs) that provides the user programs with safe resources (e.g.; safe runtime such that the resources 2530 include applications and/or data that can be utilized while computer processing is executed on servers that are remote from the example device 2502): “an autonomous vehicle platform and safety architecture” “implemented in a distributed system, such as over a “cloud” 2524 in a platform 2526. The cloud 2524 includes and/or is representative of the platform 2526 for services 2528 and/or resources 2430. The platform 2526 abstracts underlying functionality of hardware, such as server devices (e.g., included in the services 2528) and/or software resources (e.g., included as the resources 2430), and connects the example device 2502 with other devices, servers, autonomous vehicle systems, etc.” (¶188)… “The resources 2530 may include applications and/or data that can be utilized while computer processing is executed on servers that are remote from the example device 2502. Additionally, the services 2528 and/or the resources 2530 may facilitate subscriber network services, such as over the Internet, a cellular network, or Wi-Fi network. The platform 2526 may also serve to abstract and scale resources to service a demand for the resources 2530 that are implemented via the platform, such as in an interconnected device embodiment with functionality distributed throughout the system 2500. For example, the functionality may be implemented in part at the example device 2502 as well as via the platform 2526 that abstracts the functionality of the cloud 2524. In implementations, an individual autonomous vehicle system may include the device 2502, an implementation of the cloud 2524 for storage, and the platform 2526.” (¶189)], but doesn’t explicitly disclose, “wherein the user programs include a first user program and a second user program, which together implement a safety function,” “and wherein the second user program is diversitary with respect to the first user program;”
	However, Ricci discloses, “wherein the user programs include a first user program and a second user program, which together implement a safety function,” [See the first and second programs together implement safety function (e.g.; software applications of first and second modules executed on the platform to ensure safety functions): “The computational module selector 2052 identifies the computational modules, particularly software applications, currently available within the local area network of the vehicle, the identification including” “capabilities and requirements (e.g., operating system, processing,” “and other requirements)” “The selector 2052 can select not only, for duplicated computational modules, a most current version of the duplicated module to execute and a computational platform (e.g., first, second, . . . processing module or external computational device 1532) for the execution.” (¶160)… “In step 2304, the computational module selector 2052, in step 2308, determines duplicated computational modules and the host processing platform(s) therefor. Host processing platforms can include a processing module, expansion module, and/or external computational device(s) 1532.” (¶240)];
	“and wherein the second user program is diversitary with respect to the first user program;” [See the first and second programs are diversified (e.g.; duplicate programs): “The computational module selector 2052 identifies the computational modules, particularly software applications, currently available within the local area network of the vehicle, the identification including” “capabilities and requirements (e.g., operating system, processing,” “and other requirements)” “The selector 2052 can select not only, for duplicated computational modules, a most current version of the duplicated module to execute and a computational platform (e.g., first, second, . . . processing module or external computational device 1532) for the execution.” (¶160)… “In step 2304, the computational module selector 2052, in step 2308, determines duplicated computational modules and the host processing platform(s) therefor. Host processing platforms can include a processing module, expansion module, and/or external computational device(s) 1532.” (¶240)];
	Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the user programs, including a first and a second user program that together implement a safety function, where the first and second user programs are diversified, as taught by Ricci, with the system taught by Hartung as discussed above. A person of ordinary skill in the safety control system field would have been motivated to make such a combination in order to have the ability to perform emergency safety actions easily and conveniently [Ricci: “this implementation may be useful in cases where there is an emergency that is within the vicinity of the vehicle (i.e., emergency road closure) that requires a third party such as the police to disable passing vehicles for safety reasons.” (¶212)].

Claim 2:
	Regarding claim 2, Hartung and Ricci disclose all the elements of claim 1,
	Hartung further discloses, “wherein the platform is a non-safe platform.” [See the platform is a non-safe platform where safety of the platform is performed by the safe resources provided by the safe runtime environment: “an autonomous vehicle platform and safety architecture” “implemented in a distributed system, such as over a “cloud” 2524 in a platform 2526. The cloud 2524 includes and/or is representative of the platform 2526 for services 2528 and/or resources 2430. The platform 2526 abstracts underlying functionality of hardware, such as server devices (e.g., included in the services 2528) and/or software resources (e.g., included as the resources 2430), and connects the example device 2502 with other devices, servers, autonomous vehicle systems, etc.” (¶188)… “The resources 2530 may include applications and/or data that can be utilized while computer processing is executed on servers that are remote from the example device 2502. Additionally, the services 2528 and/or the resources 2530 may facilitate subscriber network services, such as over the Internet, a cellular network, or Wi-Fi network. The platform 2526 may also serve to abstract and scale resources to service a demand for the resources 2530 that are implemented via the platform, such as in an interconnected device embodiment with functionality distributed throughout the system 2500. For example, the functionality may be implemented in part at the example device 2502 as well as via the platform 2526 that abstracts the functionality of the cloud 2524. In implementations, an individual autonomous vehicle system may include the device 2502, an implementation of the cloud 2524 for storage, and the platform 2526.” (¶189)].

Claim 4:
	Regarding claim 4, Hartung and Ricci disclose all the elements of claim 1,
	Hartung further discloses, “the safe runtime environment is configured to provide the safe resources redundantly and diversitarily to the” user programs [See the system provides safe resources redundantly and diversely to the programs: “The resources 2530 may include applications and/or data that can be utilized while computer processing is executed on servers that are remote from the example device 2502. Additionally, the services 2528 and/or the resources 2530 may facilitate subscriber network services, such as over the Internet, a cellular network, or Wi-Fi network. The platform 2526 may also serve to abstract and scale resources to service a demand for the resources 2530 that are implemented via the platform, such as in an interconnected device embodiment with functionality distributed throughout the system 2500. For example, the functionality may be implemented in part at the example device 2502 as well as via the platform 2526 that abstracts the functionality of the cloud 2524. In implementations, an individual autonomous vehicle system may include the device 2502, an implementation of the cloud 2524 for storage, and the platform 2526.” (¶189)], but doesn’t explicitly disclose, “provide the safe resources redundantly and diversitarily to the first user program and the second user program.”
	However, Ricci discloses, “provide the safe resources redundantly and diversitarily to the first user program and the second user program.” [See the first and second programs are diversified (e.g.; duplicate programs) via safe resources (e.g.; execution using the safe resources): “The computational module selector 2052 identifies the computational modules, particularly software applications, currently available within the local area network of the vehicle, the identification including” “capabilities and requirements (e.g., operating system, processing,” “and other requirements)” “The selector 2052 can select not only, for duplicated computational modules, a most current version of the duplicated module to execute and a computational platform (e.g., first, second, . . . processing module or external computational device 1532) for the execution.” (¶160)… “In step 2304, the computational module selector 2052, in step 2308, determines duplicated computational modules and the host processing platform(s) therefor. Host processing platforms can include a processing module, expansion module, and/or external computational device(s) 1532.” (¶240)];
	Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the above described teachings of Ricci with the system taught by Hartung and Ricci as discussed above. A person of ordinary skill in the safety control system field would have been motivated to make such combination for the same reasons as described above in claim 1.

Claim 5:
	Regarding claim 5, Hartung and Ricci disclose all the elements of claim 1, but do not explicitly disclose, “wherein the safe runtime environment is configured to perform cross comparisons independently of the user programs between the first user program and the second user programs.”
	However, Ricci discloses, “wherein the safe runtime environment is configured to perform cross comparisons independently of the user programs between the first user program and the second user programs.” [See runtime environment performs cross comparison independently (e.g.; without the help of the programs) between the two programs: “an arbitration module to arbitrate hand-off conflicts between duplicated first and second processing modules;” (¶15)…“The computational module selector 2052 identifies the computational modules, particularly software applications, currently available within the local area network of the vehicle, the identification including” “capabilities and requirements (e.g., operating system, processing,” “and other requirements)” (¶160)… “In step 2304, the computational module selector 2052, in step 2308, determines duplicated computational modules and the host processing platform(s) therefor. Host processing platforms can include a processing module, expansion module, and/or external computational device(s) 1532.” (¶240)].
	Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the above described teachings of Ricci with the system taught by Hartung and Ricci as discussed above. A person of ordinary skill in the safety control system field would have been motivated to make such combination for the same reasons as described above in claim 1.

Claim 8:
	Regarding claim 8, Hartung and Ricci disclose all the elements of claim 1, 
	Hartung further discloses, “the safe runtime environment is configured to execute manipulators; and the manipulators are configured to manipulate the execution of at least one of the first user program, the second user program, and the safe resources.” [Examiner notes that the claim requires manipulating the execution of only one of the first user program, the second user program, and the safe resources.
	See the system executes manipulators in order to manipulate execution of programs or safe resources (e.g.; applications and/or data that can be utilized while computer processing is executed): “The resources 2530 may include applications and/or data that can be utilized while computer processing is executed on servers that are remote from the example device 2502. Additionally, the services 2528 and/or the resources 2530 may facilitate subscriber network services, such as over the Internet, a cellular network, or Wi-Fi network. The platform 2526 may also serve to abstract and scale resources to service a demand for the resources 2530 that are implemented via the platform, such as in an interconnected device embodiment with functionality distributed throughout the system 2500. For example, the functionality may be implemented in part at the example device 2502 as well as via the platform 2526 that abstracts the functionality of the cloud 2524. In implementations, an individual autonomous vehicle system may include the device 2502, an implementation of the cloud 2524 for storage, and the platform 2526.” (¶189)].
Claim 11:
	Regarding claim 11, Hartung and Ricci disclose all the elements of claim 1,
	Hartung further discloses, “the safe runtime environment comprises a hardware-specific component and a hardware-nonspecific component.” [See the platform includes a hardware-specific component (e.g.; the resources 2530) and a hardware-nonspecific component (e.g.; the server): “vehicle platform and safety architecture may be implemented in a distributed system, such as over a “cloud” 2524 in a platform 2526. The cloud 2524 includes and/or is representative of the platform 2526 for services 2528 and/or resources 2430.” (¶188)… “The resources 2530 may include applications and/or data that can be utilized while computer processing is executed on servers that are remote from the example device 2502.” “the functionality may be implemented” “via the platform 2526 that abstracts the functionality of the cloud 2524.” (¶189)].

Claim 13:
	Regarding claim 13, Hartung discloses, “A method for monitoring a safety-critical process, comprising:” [See the method for monitoring safety-critical process (e.g.; monitoring process where safety is critical): “An autonomous vehicle platform and safety architecture are described. In embodiments, safety managers implemented as components of a safety architecture for a safety-critical system (e.g., an autonomous vehicle) monitor outputs of linked components of the safety-critical system.” (¶5)];
	“providing a platform for executing user programs,” [See platform 2526 executes user programs (e.g.; executes user programs using resources): “vehicle platform and safety architecture may be implemented in a distributed system, such as over a “cloud” 2524 in a platform 2526. The cloud 2524 includes and/or is representative of the platform 2526 for services 2528 and/or resources 2430.” (¶188)… “The resources 2530 may include applications and/or data that can be utilized while computer processing is executed on servers that are remote from the example device 2502.” “the functionality may be implemented” “via the platform 2526 that abstracts the functionality of the cloud 2524.” (¶189)];
	“coupling the user programs with the safety-critical process via a fail-safe peripheral module;” [See user programs are coupled to the safety critical process (e.g.; fail-safe I/O such that safety managers 512, 514 etc. connected to the process components 504, 506 etc.): “The safety-critical system 502 is also illustrated with safety managers 512, 514, 516, 518, these represent functionality to detect failures of one or more of the components 504, 506, 508, and 510 and to handle detected failures,” (¶62)… “The safety managers 512, 514, 516, 518 represent functionality to monitor the associated component for failures. Furthermore, the safety managers represent functionality to monitor outputs (e.g., messages) of components linked to the associated component for failures. The safety managers may monitor the linked components using one or more voting techniques as described above and below. In addition to monitoring the components 504, 506, 508, and 510, the safety managers represent functionality to determine actions to take when components fail and to carry out determined actions.” (¶63)];
	“providing, by a safe runtime environment that is implemented independently of the user programs on the platform, safe resources that are independent of the platform;” “executing” user programs “on the platform using the safe resources” [See safe runtime environment implemented on the platform 2526 that provides the user programs with safe resources (e.g.; safe runtime such that the resources 2530 include applications and/or data that can be utilized while computer processing is executed on servers that are remote from the example device 2502): “an autonomous vehicle platform and safety architecture” “implemented in a distributed system, such as over a “cloud” 2524 in a platform 2526. The cloud 2524 includes and/or is representative of the platform 2526 for services 2528 and/or resources 2430. The platform 2526 abstracts underlying functionality of hardware, such as server devices (e.g., included in the services 2528) and/or software resources (e.g., included as the resources 2430), and connects the example device 2502 with other devices, servers, autonomous vehicle systems, etc.” (¶188)… “The resources 2530 may include applications and/or data that can be utilized while computer processing is executed on servers that are remote from the example device 2502. Additionally, the services 2528 and/or the resources 2530 may facilitate subscriber network services, such as over the Internet, a cellular network, or Wi-Fi network. The platform 2526 may also serve to abstract and scale resources to service a demand for the resources 2530 that are implemented via the platform, such as in an interconnected device embodiment with functionality distributed throughout the system 2500. For example, the functionality may be implemented in part at the example device 2502 as well as via the platform 2526 that abstracts the functionality of the cloud 2524. In implementations, an individual autonomous vehicle system may include the device 2502, an implementation of the cloud 2524 for storage, and the platform 2526.” (¶189)], but doesn’t explicitly disclose, “wherein the user programs include a first user program and a second user program, which together implement a safety function, the second user program being diversitary with respect to the first user program;” “executing the first user program and the second user program on the platform using the safe resources.”
	However, Ricci discloses, “wherein the user programs include a first user program and a second user program, which together implement a safety function,” “executing the first user program and the second user program on the platform using the safe resources.” [See the first and second programs together implement safety function (e.g.; software applications of first and second modules executed on the platform to ensure safety functions): “The computational module selector 2052 identifies the computational modules, particularly software applications, currently available within the local area network of the vehicle, the identification including” “capabilities and requirements (e.g., operating system, processing,” “and other requirements)” “The selector 2052 can select not only, for duplicated computational modules, a most current version of the duplicated module to execute and a computational platform (e.g., first, second, . . . processing module or external computational device 1532) for the execution.” (¶160)… “In step 2304, the computational module selector 2052, in step 2308, determines duplicated computational modules and the host processing platform(s) therefor. Host processing platforms can include a processing module, expansion module, and/or external computational device(s) 1532.” (¶240)];
	“the second user program being diversitary with respect to the first user program;” [See the first and second programs are diversified (e.g.; duplicate programs): “The computational module selector 2052 identifies the computational modules, particularly software applications, currently available within the local area network of the vehicle, the identification including” “capabilities and requirements (e.g., operating system, processing,” “and other requirements)” “The selector 2052 can select not only, for duplicated computational modules, a most current version of the duplicated module to execute and a computational platform (e.g., first, second, . . . processing module or external computational device 1532) for the execution.” (¶160)… “In step 2304, the computational module selector 2052, in step 2308, determines duplicated computational modules and the host processing platform(s) therefor. Host processing platforms can include a processing module, expansion module, and/or external computational device(s) 1532.” (¶240)];
	Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the user programs including first and second user programs that implement a safety function, where the first and second user programs are diversified, taught by Ricci with the method taught by Hartung as discussed above. A person of ordinary skill in the safety control system field would have been motivated to make such combination in order to have the ability to perform emergency safety actions easily and conveniently [Ricci: “this implementation may be useful in cases where there is an emergency that is within the vicinity of the vehicle (i.e., emergency road closure) that requires a third party such as the police to disable passing vehicles for safety reasons.” (¶212)].

Claim(s) 3 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hartung and Ricci as described above, and further in view of Kishita et al. (US20100287563A1) [hereinafter Kishita].
Claim 3:
	Regarding claim 3, Hartung and Ricci disclose all the elements of claim 1, but they do not explicitly disclose, “wherein the second user program is configured to process data inverse to the first user program.”
	However, Kishita discloses, “wherein the second user program is configured to process data inverse to the first user program.” [See second program is capable of processing data inverse to the first program: “in the present invention, the control information processing section in the second processing section performs information processing on the basis of the abstracted information, and generates abstracted information as a result of the information processing; then, when the information processing result is supplied from the second processing section to the first processing section, the conversion section converts the abstracted information, resulting from the information processing, into an information format suitable for the first processing section (i.e., a process inverse to abstraction is performed), and the converted information is supplied to the first processing section.” (¶27)];
	Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the second program that is capable of processing data inverse to the first program taught by Kishita with the system taught by Hartung and Ricci as discussed above. A person of ordinary skill in the safety control system field would have been motivated to make such combination in order to increase reliability of the device control apparatus and that of a device operation [Kishita: “invalid information access to the first processing section from the second processing section can be prevented, thereby making it possible to increase reliability of the device control apparatus and that of a device operation.” (¶31)].

Claim(s) 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hartung and Ricci as described above and further in view of McRae (US20150190074A1) [hereinafter McRae].
Claim 6:
	Regarding claim 6, Hartung and Ricci disclose all the elements of claim 1, but they do not explicitly disclose, “provide timers as a safe resource and to execute tests to verify the timers.”
	However, McRae discloses, “provide timers as a safe resource and to execute tests to verify the timers.” [See the tests are performed to verify the functionality of the timers: “Functional test modules can include: [0143] 1. Timer Test—checks timer function by verifying timer is incrementing.” (¶142)];
	Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the capability of performing tests on timers to verify the timers taught by McRae with the system taught by Hartung and Ricci as discussed above. A person of ordinary skill in the safety control system field would have been motivated to make such combination in order to verify that timers are performing properly [McRae: “checks timer function by verifying timer is incrementing” (¶142)].

Claim(s) 7, 9, and 12 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hartung and Ricci as described above and further in view of Galera et al. (US20160070991A1) [hereinafter Galera].
Claim 7:
	Regarding claim 7, Hartung and Ricci disclose all the elements of claim 1, but they do not explicitly disclose, “the safe runtime environment is couplable to an external safety device.”
	However, Galera discloses, “the safe runtime environment is couplable to an external safety device.” [See the safe runtime environment can be coupled to external safety controller 1112 (e.g.; fig. 11, safety controller external to HMI 1106, industrial controller 1104 and robot controller 1110): “safety controller 1112 may interface directly with one or both of the industrial controller 1104 or the robot controller 1110 via the controllers I/O.” (¶84)];
	Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the capability of coupling the runtime environment to an external safety controller taught by Galera with the system taught by Hartung and Ricci as discussed above. A person of ordinary skill in the safety control system field would have been motivated to make such combination in order to have the advantage of remotely monitoring the safety and avoid hazardous incidents [Galera: “industrial safety monitoring applications must be able to reliably detect the presence of human beings within a potentially hazardous area, and to respond with appropriate safety control outputs (e.g., commands to stop or slow a running machine, to remove power from hazardous machinery, etc.) with minimal delay to prevent injury.” (¶38)].

Claim 9:
	Regarding claim 9, Hartung and Ricci disclose all the elements of claims 1 and 8, but they do not explicitly disclose, “the manipulators are triggerable by an external safety device.”
	However, Galera discloses, “the manipulators are triggerable by an external safety device.” [See the external safety controller 1112 triggers manipulators (e.g.; fig. 11 triggers control of the programs or resources): “safety controller 1112 may interface directly with one or both of the industrial controller 1104 or the robot controller 1110 via the controllers I/O.” (¶84)… “safety controller 1112 to generate a control output placing the robot 1102 in a safe mode. This may comprise, for example, sending a control output to industrial controller 1104 instructing the controller to disable the robot 1102 and any other sub-systems (e.g., conveyors) associated with the robot 1102.” (¶87)];
	Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the above described teachings of Galera with the system taught by Hartung and Ricci as discussed above. A person of ordinary skill in the safety control system field would have been motivated to make such combination for the same reasons as described above in claim 7.

Claim 12:
	Regarding claim 12, Hartung and Ricci disclose all the elements of claims 1 and 11, but they do not explicitly disclose, “only the hardware- nonspecific component is couplable to an external safety device.”
	However, Galera discloses, “only the hardware- nonspecific component is couplable to an external safety device.” [See hardware- nonspecific component is couplable to an external safety device 1112 (e.g.; fig. 11; HMI 1106 is not specific to 1112 but can be connected to 1112): “HMI 1106” “and safety controller 1112 may all reside on a plant network or safety network; e.g., via one or more network switches 1108.” (¶84)];
	Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the above described teachings of Galera with the system taught by Hartung and Ricci as discussed above. A person of ordinary skill in the safety control system field would have been motivated to make such combination for the same reasons as described above in claim 7.

Claim(s) 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Hartung and Ricci as described above, and further in view of Pavlik et al. (US20030125824A1) [hereinafter Pavlik].
Claim 10:
	Regarding claim 10, Hartung and Ricci disclose all the elements of claims 1 and 8, but they do not explicitly disclose, “the manipulators are configured to desensitize the safe runtime environment against errors.”
	However, Pavlik further discloses, “the manipulators are configured to desensitize the safe runtime environment against errors.” [See the system desensitizes the safe runtime environment against errors: “Respective sensor signals S1, S2 are inputted into the two processing units P1, P2 and provide in view of the configuration same information through two channels. In the event of an error, i.e., when, for example, the sensor signal S1 does not coincide with the sensor signal S2, the machine is transferred into a safe machine state by means of the secure functional modules SF1, SF2.” (¶23)].
	Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the claimed invention to have combined the capability of desensitizing runtime environment against errors taught by Pavlik with the system taught by Hartung and Ricci as discussed above. A person of ordinary skill in the safety control system field would have been motivated to make such combination in order to have an improved method of generating and/or executing a diversified program flow [Pavlik: “improved method of generating and/or executing a diversified program flow” (¶6)].
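To make concrete the mechanisms discussed for claims 3, 6 and 10 (a second user program processing data inverse to the first, a timer verified by a self-test, and two channels compared so that any disagreement forces a safe state), the following is an added illustration written for this page, not code from the office action or from any cited reference. The 16-bit one's-complement coding of the inverse channel, the toy threshold safety function and the `SafeTimer` class are assumptions made for the example.

```python
"""Added example: a toy safety function built from two diversitary user
programs and a self-tested timer resource (constructed for illustration)."""
from dataclasses import dataclass

INV_MASK = 0xFFFF  # assumed: inverse channel carries 16-bit one's-complement data


def inv(value: int) -> int:
    """Inverse coding of a 16-bit value (bitwise complement)."""
    return (value & INV_MASK) ^ INV_MASK


def program_a(sensor: int, limit: int) -> bool:
    """First user program: plain-coded data; trips when sensor exceeds limit."""
    return sensor > limit


def program_b(sensor_inv: int, limit_inv: int) -> bool:
    """Second user program: operates on inverse-coded data only, so the
    comparison direction is reversed. A single data fault that fools one
    channel is unlikely to yield the same answer in the other."""
    return sensor_inv < limit_inv


@dataclass
class SafeTimer:
    """Stand-in for a timer provided as a safe resource."""
    ticks: int = 0

    def tick(self) -> None:
        self.ticks += 1


def timer_self_test(timer: SafeTimer) -> bool:
    """Verify the timer is actually incrementing before relying on it."""
    before = timer.ticks
    timer.tick()
    return timer.ticks == before + 1


def safety_function(s1: int, s2_inv: int, limit: int, timer: SafeTimer) -> str:
    """Two-channel safety function. s1 is the plain sensor value, s2_inv the
    inverse-coded value from the second channel. Returns 'run' only when the
    timer passes its test and both diverse programs agree that no trip is
    needed; any disagreement or failed resource test yields 'safe_state'."""
    if not timer_self_test(timer):
        return "safe_state"          # unreliable resource: fail safe
    trip_a = program_a(s1, limit)
    trip_b = program_b(s2_inv, inv(limit))
    if trip_a != trip_b:
        return "safe_state"          # channels disagree: error detected
    return "safe_state" if trip_a else "run"
```

A stuck timer or a sensor fault that affects only one channel both end in the safe state, which is the point of the diverse arrangement.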
Conclusion
	The prior art made of record and not relied upon is considered pertinent to applicant's disclosure and is listed in the PTO-892 Notice of References Cited document.
US20040064205A1 - Method and device for programming a failsafe control system:
	Selected program module is uniquely assigned to a defined functional group, a first functional group containing program modules which pick up input signals of the failsafe control system and, in dependence on them, provide first interim variables, a second functional group containing program modules which logically interconnect the first interim variables to one another and, in dependence on them, provide second interim variables, and a third functional group containing program modules which assign the second interim variables to the output signals of the failsafe control system (¶14).

US20090240347A1 - Operating method for a control device of a safety-oriented automation device for checking the reliability of an automation system:
	For determining the reliability information I′, I″ over at least two channels, it is possible that the control device 4 processes diversified software 10, 10′ according to FIG. 4. In this context, the control device 4 determines in each case once per unit of the diversified software 10, 10′ one of the reliability information items I′, I″. Furthermore, it receives the results of the other determinations per unit and carries out the abovementioned comparison (¶34).
	Any inquiry concerning this communication or earlier communications from the examiner should be directed to MOHAMMED SHAFAYET whose telephone number is (571)272-8239. The examiner can normally be reached M-F 8:30 AM-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kenneth M Lo can be reached on (571)272-9774. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/M.S./
Examiner
Art Unit 2116


/KENNETH M LO/Supervisory Patent Examiner, Art Unit 2116