DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
	The IDS of 08/24/21 has been considered.

Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. 

The following is a quotation of pre-AIA  35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.

The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art.  The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is invoked. 
As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph:
(A)	the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; 
(B)	the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and 
(C)	the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. 
Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. 
Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. 
Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action.
This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, because the claim limitation(s) uses a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier.  Such claim limitation(s) is/are: a first providing unit; a second providing unit; a linking unit; a testing unit; and an analyzing unit in claim 14.
Because this/these claim limitation(s) is/are being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, it/they is/are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof.
If applicant does not intend to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph, applicant may:  (1) amend the claim limitation(s) to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitation(s) recite(s) sufficient structure to perform the claimed function so as to avoid it/them being interpreted under 35 U.S.C. 112(f) or pre-AIA  35 U.S.C. 112, sixth paragraph.

Drawings
The drawings are objected to because:
figure 1 does not show the details of the various boxes S1-S6
Corrected drawing sheets in compliance with 37 CFR 1.121(d) are required in reply to the Office action to avoid abandonment of the application. Any amended replacement drawing sheet should include all of the figures appearing on the immediate prior version of the sheet, even if only one figure is being amended. The figure or figure number of an amended drawing should not be labeled as “amended.” If a drawing figure is to be canceled, the appropriate figure must be removed from the replacement sheet, and where necessary, the remaining figures must be renumbered and appropriate changes made to the brief description of the several views of the drawings for consistency. Additional replacement sheets may be necessary to show the renumbering of the remaining figures. Each drawing sheet submitted after the filing date of an application must be labeled in the top margin as either “Replacement Sheet” or “New Sheet” pursuant to 37 CFR 1.121(d). If the changes are not accepted by the examiner, the applicant will be notified and informed of any required corrective action in the next Office action. The objection to the drawings will not be held in abeyance.

Examiner’s Note - 35 USC § 101
Claims 1-15 qualify as eligible subject matter under 35 U.S.C. 101. With respect to step 2A, prong one, the claims do not recite an abstract idea, law of nature, or natural phenomenon. Although the claims do mention “models,” which are often associated with mathematical concepts, there are no specific mathematical relationships, formulas, equations, or calculations claimed or specifically disclosed in the specification. For argument’s sake, even if the claims did recite an abstract idea under step 2A, prong one, the claims also recite additional elements that integrate the judicial exception into a practical application under step 2A, prong two. The limitations of “linking elements of the safety model with elements of the test model for enabling a tracing between the test cases of the test model and the safety-relevant functionality of the safety model” and “analyzing the testing for providing coverage criteria for the safety-relevant functionality” improve the functioning of the claimed technical system by providing for suitable coverage criteria for the safety-relevant functionality of the technical system, such that a quantitative measure is available to determine how well the safety-relevant functionality is covered by the test cases or tests of the test model, in particular by already executed test cases (see page 3, lines 16-20 of the applicant’s specification).
As such, claims 1-15 are not directed to a judicial exception. They qualify as eligible subject matter under 35 U.S.C. 101.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file provisions of the AIA  as explained in MPEP § 2159. See MPEP § 2146 et seq. for applications not subject to examination under the first inventor to file provisions of the AIA . A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b). 
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA /25, or PTO/AIA /26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.

Claims 1-5 and 10-15 are provisionally rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1, 4-10, and 13-15 of copending Application No. 17/410256 in view of Philip et al NPL (Philip, Gracy; Dsouza, Meenakshi; and V P Abidha – “Model Based Safety Analysis: Automatic Generation of Safety Validation Test Cases”; ©2017 IEEE). All other claims are also rejected as a result of their dependency on rejected claims.
This is a provisional nonstatutory double patenting rejection.

With respect to claim 1, application ‘256 discloses:
A computer-implemented method for testing a technical system having a plurality of technical components (claim 1)
a) providing a safety model modeling a safety relevant functionality of the technical system (claim 1)
b) providing a test model describing test cases for testing the technical system (claim 1)
c) linking elements of the safety model with elements of the test model for enabling a tracing between the test cases of the test model and the safety-relevant functionality of the safety model (claim 1)
With respect to claim 1, application ‘256 differs from the claimed invention in that it does not explicitly disclose: 
d) testing the technical system using at least one of the test cases generated based on the test model linked with the safety model
e) analyzing the testing for providing coverage criteria for the safety-relevant functionality
With respect to claim 1, Philip et al NPL discloses:
d) testing the technical system using at least one of the test cases generated based on the test model linked with the safety model (Page 8, column 2, paragraph 1 states, “The process is continued for all other system instances in the model and test cases are generated for each of the state. They are used for testing at hardware software integration test set-up …” Please also note the various teachings of risk-based testing throughout the disclosure of Philip et al NPL. (See, for example, teachings on page 1, column 2.)
e) analyzing the testing for providing coverage criteria for the safety-relevant functionality (obvious in view of teachings of Philip et al; Page 9, column 1, second to last paragraph (last paragraph of section VI.) states, “extended model is analysed to capture un-handled faults.” Philip et al NPL does not explicitly use the phrase “coverage criteria,” but such coverage criteria is obvious in view of Philip et al’s total teachings. For example, page 8, column 2, first paragraph (last paragraph of section V.) states, “These test cases are found to be more effective than traditionally generated test cases as it could uncover three additional safety critical faults …” The additional uncovering of additional safety faults provides coverage criteria.)
With respect to claim 1, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Philip et al NPL into the invention of copending application 17/410256. The motivation for the skilled artisan in doing so is to gain the benefit of greater effectiveness at uncovering potential safety faults.

With respect to claim 2, application ‘256, as modified, discloses:
wherein, in step a), the safety model is provided as a tree of logic, such that it includes a top event associated to a violation of the safety-relevant functionality (claim 4)

With respect to claim 3, application ‘256, as modified, discloses:
wherein, in step a), the safety model is provided such that it includes, for each of the technical components having an input port and/or an output port (claim 5)
an output failure mode for modeling a certain failure visible at the output port of the technical component (claim 5)
an output failure mode for modeling a certain failure visible at the output port of the technical component and an input failure mode for modeling how a certain failure propagates from the input port to the output port (claim 5)

With respect to claim 4, application ‘256, as modified, discloses:
wherein in step a), the safety model is provided such that it includes, for each of the technical components having an input port and/or an output port (claim 6)
an input failure mode for modeling how a certain failure propagates from the input port to the output port (claim 6)
an output failure mode for modeling a certain failure visible at the output port of the technical component, and/or (claim 6)
a number of basic events, each of the basic events modeling an internal component failure of the technical component (claim 6)

With respect to claim 5, application ‘256, as modified, discloses:
wherein the safety model includes a number of cut-sets, each of the cut-sets combining a number of basic events and adapted to cause the top event (claim 7)

With respect to claim 10, application ‘256, as modified, discloses:
wherein, in step c), the top event of the safety model is linked with those elements of the test model capturing a functionality that is configured to influence an occurrence of the top event (claim 8)

With respect to claim 11, application ‘256, as modified, discloses:
wherein in step c), the safety model and the test model are linked such that a certain input failure mode of the safety model is linked with a certain input interface of the test model (claim 9)
a certain output failure mode of the safety model is linked with a certain output interface of the test model (claim 9)
a certain basic event of the safety model is linked with an internal component state of the test model (claim 9) 
the top event of the safety model is linked with a certain test case of the test cases of the test model (claim 9)

With respect to claim 12, application ‘256, as modified, discloses:
providing a system model modeling a functional behavior of the technical system, wherein in step c), the safety model and the test model are linked via the system model (claim 10)
wherein a certain input failure mode of the safety model is linked with a certain input interface of the test model via a certain input port of the system model (claim 10)
a certain output failure mode of the safety model is linked with a certain output interface of the test model via an output port of the system model
a certain basic event of the safety model is linked with a certain internal component state of the test model via an internal component failure of the system model (claim 10)
the top event of the safety model is linked with a test case of the test model via a system function of the system model (claim 10)

With respect to claim 13, application ‘256, as modified, discloses:
A computer program product, comprising a computer readable hardware storage device having computer readable program code stored therein, said program code executable by a processor of a computer system to implement a method comprising a program code for executing the method of claim 1 for testing a technical system having a plurality of technical components when run on at least one computer (claim 13)

With respect to claim 14, application ‘256 discloses:
A computerized device for testing a technical system having a plurality of technical components, the computerized device comprising: (claim 14)
a first providing unit for providing a safety model modeling a safety relevant functionality of the technical system (claim 14)
a second providing unit for providing a test model describing test cases for testing the technical system (claim 14)
a linking unit for linking elements of the safety model with elements of the test model for enabling a tracing between the test cases of the test model and the safety-relevant functionality of the safety model (claim 14)
With respect to claim 14, application ‘256 differs from the claimed invention in that it does not explicitly disclose:
a testing unit for testing the technical system using at least one of the test cases generated based on the test model linked with the safety model
an analyzing unit for analyzing the testing for providing coverage criteria for the safety-relevant functionality
With respect to claim 14, Philip et al NPL discloses:
a testing unit for testing the technical system using at least one of the test cases generated based on the test model linked with the safety model (Page 8, column 2, paragraph 1 states, “The process is continued for all other system instances in the model and test cases are generated for each of the state. They are used for testing at hardware software integration test set-up …” Please also note the various teachings of risk-based testing throughout the disclosure of Philip et al NPL. (See, for example, teachings on page 1, column 2.)
an analyzing unit for analyzing the testing for providing coverage criteria for the safety-relevant functionality (obvious in view of teachings of Philip et al; Page 9, column 1, second to last paragraph (last paragraph of section VI.) states, “extended model is analysed to capture un-handled faults.” Philip et al NPL does not explicitly use the phrase “coverage criteria,” but such coverage criteria is obvious in view of Philip et al’s total teachings. For example, page 8, column 2, first paragraph (last paragraph of section V.) states, “These test cases are found to be more effective than traditionally generated test cases as it could uncover three additional safety critical faults …” The additional uncovering of additional safety faults provides coverage criteria.)
With respect to claim 14, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Philip et al NPL into the invention of copending application 17/410256. The motivation for the skilled artisan in doing so is to gain the benefit of greater effectiveness at uncovering potential safety faults.

With respect to claim 15, application ‘256, as modified, discloses:
An arrangement comprising a technical system having a plurality of technical components and a computerized device for testing the technical system according to claim 14 (claim 15)

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 3-4, 9, and 11-12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.

The claims use the phrase “and/or” which renders the claims indefinite. The words “and” and “or” represent different scopes of claim interpretation. For the purposes of examination, the examiner will interpret that the claims should state “or” in each case that “and/or” is used. 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim(s) 1-15 is/are rejected under 35 U.S.C. 103 as being unpatentable over Philip et al NPL (Philip, Gracy; Dsouza, Meenakshi; and V P Abidha – “Model Based Safety Analysis: Automatic Generation of Safety Validation Test Cases”; ©2017 IEEE).

With respect to claim 1, Philip et al NPL discloses:
A computer-implemented method for testing a technical system having a plurality of technical components (abstract states, “Model based software engineering, can bring in visibility to safety assurance process by basing analysis on a single comprehensive model. AADL is one such architecture modelling language suitable for modelling avionics systems. It can be used for systematic modelling of safety critical systems.”)
a) providing a safety model modeling a safety relevant functionality of the technical system (abstract states, “Both categories of safety requirements can be modelled in AADL. The model then can be analysed to generate fault trees representing functional hazards.”)
b) providing a test model describing test cases for testing the technical system (abstract states, “Test cases for validation of mitigation of hazards can be generated automatically from the model.”; Page 1, column 2, last two paragraphs state, “Here we propose a framework for automatic generation of safety validation test cases, from the extended model. Here we combine the benefits of architecture modelling, fault modelling, automatic analysis of the model, with risk based testing to generate test cases at system level for safety validation … Minimal cut set generated from fault trees are augmented with information from the instantiated and declarative model to generate test cases to demonstrate mitigation of hazards.”; Page 4, column 2, last paragraph states, “Once a systematic model is realized and analysed the same can be used by system development team to realise the safety critical embedded system, either manually or automatically.”)
c) linking elements of the safety model with elements of the test model for enabling a tracing between the test cases of the test model and the safety-relevant functionality of the safety model (page 1, column 2, second to last paragraph states, “Here we combine the benefits of architecture modelling, fault modelling, automatic analysis of the model, with risk based testing to generate test cases at system level for safety validation.”; page 4, column 2, last two paragraphs (Sections B. and C.) state, “As a first step, the model is analysed using fault analysis provision provided by OSATE … Once a systematic model is realized and analysed the same can be used by system development team to realise the safety critical embedded system, either manually or automatically. Safety engineer can use it for automatic generation of test cases.”; Page 5, column 1, second to last paragraph (first paragraph of section IV.) states, “Input to our framework is an AADL extended model. The framework outputs a set of test cases that ca be used for safety validation of the embedded system. Safety validation test cases are automatically generated from AADL model as per the methods suggested in the previous section.” Here, it is clear that Philip et al NPL integrates aspects of its system, safety, and test models, which anticipates the claimed “linking elements.”)
d) testing the technical system using at least one of the test cases generated based on the test model linked with the safety model (Page 8, column 2, paragraph 1 states, “The process is continued for all other system instances in the model and test cases are generated for each of the state. They are used for testing at hardware software integration test set-up …” Please also note the various teachings of risk-based testing throughout the disclosure of Philip et al NPL. (See, for example, teachings on page 1, column 2.)
With respect to claim 1, Philip et al NPL differs from the claimed invention in that it does not explicitly disclose: 
e) analyzing the testing for providing coverage criteria for the safety-relevant functionality
With respect to claim 1, the following limitation(s) is/are obvious in view of what Philip et al NPL, as a whole, discloses:
e) analyzing the testing for providing coverage criteria for the safety-relevant functionality (Page 9, column 1, second to last paragraph (last paragraph of section VI.) states, “extended model is analysed to capture un-handled faults.” Philip et al NPL does not explicitly use the phrase “coverage criteria,” but such coverage criteria is obvious in view of Philip et al’s total teachings. For example, page 8, column 2, first paragraph (last paragraph of section V.) states, “These test cases are found to be more effective than traditionally generated test cases as it could uncover three additional safety critical faults …” The additional uncovering of additional safety faults provides coverage criteria.)
With respect to claim 1, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Philip et al NPL. The motivation for the skilled artisan in doing so is to gain the benefit of greater effectiveness at uncovering potential safety faults.

With respect to claim 2, Philip et al NPL, as modified, discloses:
wherein, in step a), the safety model is provided as a tree of logic, such that it includes a top event associated to a violation of the safety-relevant functionality (abstract states, “The model then can be analysed to generate fault trees representing functional hazards.”; see further fault tree teachings throughout disclosure of Philip et al NPL.)

With respect to claim 3, Philip et al NPL, as modified, discloses:
wherein, in step a), the safety model is provided such that it includes, for each of the technical components having an input port or an output port, an output failure mode for modeling a certain failure visible at the output port of the technical component, or an output failure mode for modeling a certain failure visible at the output port of the technical component, and an input failure mode for modeling how a certain failure propagates from the input port to the output port (page 5, column 1, paragraphs 2-4 (section on Validation of safety properties) states, “In AADL, properties can be associated with each component and with each port. In addition, properties also talk about flow of data across the model. These properties represent generic safety requirements, performance and timing assumptions … Generic safety requirements modelled as properties of AADL components … are to be validated to ensure safety. All these safety properties are to be validated in normal and fault scenario. System has to be validated for safe behavior in the presence of single or multiple failures.” The claimed output failure mode is obvious in view of such disclosure. Please note that the presence of “or” language significantly broadens the BRI of the claim.)

With respect to claim 4, Philip et al NPL, as modified, discloses:
wherein, in step a), the safety model is provided such that it includes, for each of the technical components having an input port or an output port, an input failure mode for modeling how a certain failure propagates from the input port to the output port, an output failure mode for modeling a certain failure visible at the output port of the technical component, or a number of basic events, each of the basic events modeling an internal component failure of the technical component (page 5, column 1, paragraphs 2-4 (section on Validation of safety properties) states, “In AADL, properties can be associated with each component and with each port. In addition, properties also talk about flow of data across the model. These properties represent generic safety requirements, performance and timing assumptions … Generic safety requirements modelled as properties of AADL components … are to be validated to ensure safety. All these safety properties are to be validated in normal and fault scenario. System has to be validated for safe behavior in the presence of single or multiple failures.” The claimed output failure mode is obvious in view of such disclosure. Please note that the presence of “or” language significantly broadens the BRI of the claim.)

With respect to claim 5, Philip et al NPL, as modified, discloses:
wherein the safety model includes a number of cut-sets, each of the cut-sets combining a number of basic events and adapted to cause the top event (page 1, column 2, last paragraph states, “Minimal cut set generated from fault trees are augments with information …”; see also figure 3; page 5, column 1, paragraph 1; page 5, column 2, paragraphs 2-3; and page 6, column 1, paragraph 2 (section E.) for more cut set teachings.)

With respect to claim 6, Philips et al NPL, as modified, discloses:
wherein, in step e), the coverage criteria are provided such that they include probabilistic criteria for each respective test case of the test cases used in step d), the probabilistic criteria indicating a probability of occurrence during operation of the technical system, wherein the probability of occurrence is derived by a probability of the cut-set corresponding to the respective test case via the linking of the test model and the safety model (obvious in view of the total teachings of Philip et al NPL. Probabilistic criteria is obvious to the fault trees taught in Philip et al, as the mathematical nature of fault trees is associated with statistical probabilities. As discussed above, Philip et al also teaches coverage criteria, linking between test model and safety model, and cut sets.)

With respect to claim 7, Philip et al NPL, as modified, discloses:
wherein, in step e), the coverage criteria are provided such that they include qualitative criteria for each respective test case of the test cases used in step d), the qualitative criteria being derived from the number of basic events of the cut-set corresponding to the respective test case via the linking of the test model and the safety model (page 6, column 1, last paragraph states, “For safety validation test case the same is guided by minimal cut se paths from the fault tree analysis and properties in the path containing minimal cut sets are to be validated against the expected value. Expected values are extracted from the property table based on the system states. Then for each event in the minimal cut sets details like id, description are obtained from database. Depending on number of events in the minimal cut sets, combinations are taken.”)

With respect to claim 8, Philip et al NPL, as modified, discloses:
wherein that, as part of the qualitative criteria, a plurality N of different classes for the test cases used in step d) are provided, each of the N different classes being defined by a different number M of basic events configured to cause the top event in combination, with M є[1,…,N] (obvious in view of Philip et al NPL teachings on page 6, column 1, last paragraph; Philip et al teaches different expected values for different properties and events, which each have different details.)

With respect to claim 9, Philip et al NPL, as modified, discloses:
wherein, in step e), the coverage criteria are provided such that they include criteria of occurrence or of probability of occurrence for minimal cut-sets corresponding to the test cases used in step d) (obvious for reasons discussed above; as stated above, although Philips et al NPL does not explicitly use the phrase “coverage criteria,” it discusses uncovering safety faults that imply the claimed criteria of occurrence. Philip et al NPL also teaches cut-set, as discussed above.)

With respect to claim 10, Philip et al NPL, as modified, discloses:
wherein, in step c), the top event of the safety model is linked with those elements of the test model capturing a functionality that is configured to influence an occurrence of the top event (obvious in view of teachings of the fault tree teachings in Philip et al NPL; see figure 9; Page 8, column 1, last paragraph states, “As per Figure 9 the component AP … can be in the state degraded mode on the occurrence of any of the sixteen primary events under the logic depicted in the fault tree.” The claimed “top event” is obvious in view of the primary events of the fault tree.)

With respect to claim 11, Philip et al NPL, as modified, discloses:
wherein, in step c), the safety model and the test model are linked such that a certain input failure mode of the safety model is linked with a certain input interface of the test model, a certain output failure mode of the safety model is linked with a certain output interface of the test model, a certain basic event of the safety model is linked with an internal component state of the test model, or the top event of the safety model is linked with a certain test case of the test cases of the test model (obvious in view of teachings of Philip et al NPL; see page 4, column 1, paragraphs bolded with “Identification of all inputs of the system and modelling” through “Identifiation of subcomponents or sub-systems.”; the “or” broadens the claims such that only one of the claimed conditions needs to be anticipated.)

With respect to claim 12, Philip et al NPL, as modified, discloses:
wherein providing a system model modeling a functional behavior of the technical system, wherein in step c), the safety model and the test model are linked via the system model (page 1, column 2, last 2 paragraphs – page 2, column 1, first paragraph), wherein a certain input failure mode of the safety model is linked with a certain input interface of the test model via a certain input port of the system model, a certain output failure mode of the safety model is linked with a certain output interface of the test model via an output port of the system model, a certain basic event of the safety model is linked with a certain internal component state of the test model via an internal component failure of the system model, or the top event of the safety model is linked with a test case of the test model via a system function of the system model (obvious in view of what Philips et al NPL teaches; see bullet points on page 4, column 1, from “Identification of all inputs of the system and modelling” through “Identification of subcomponents or sub-systems.” Also, the “top event of the safety model being linked with a test case of the test model via a system function of the system model is obvious in view of the fault tree teachings of Philips et al NPL.) 

With respect to claim 13, Philip et al NPL, as modified, discloses:
A computer program product, comprising a computer readable hardware storage device having computer readable program code stored therein, said program code executable by a processor of a computer system to implement a method comprising a program code for executing the method of claim 1 for testing a technical system having a plurality of technical components when run on at least one computer (suggested by teachings of hardware software integration testing on page 1, paragraph 1)

With respect to claim 14, Philip et al NPL discloses:
A computerized device for testing a technical system having a plurality of technical components (abstract; page 1, column 1 discloses hardware software integration testing)
a first providing unit for providing a safety model modeling a safety relevant functionality of the technical system (This element is interpreted under 35 U.S.C. 112(f) as the circuitry or the software needed to perform the claimed function; page 1, column 1, paragraph 1 teaches hardware software integration; claimed function described in rejection of claim 1 above)
a second providing unit for providing a test model describing test cases for testing the technical system (This element is interpreted under 35 U.S.C. 112(f) as the circuitry or the software needed to perform the claimed function; page 1, column 1, paragraph 1 teaches hardware software integration; claimed function described in rejection of claim 1 above)
a linking unit for linking elements of the safety model with elements of the test model for enabling a tracing between the test cases of the test model and the safety-relevant functionality of the safety model (This element is interpreted under 35 U.S.C. 112(f) as the circuitry or the software needed to perform the claimed function; page 1, column 1, paragraph 1 teaches hardware software integration; claimed function described in rejection of claim 1 above)
a testing unit for testing the technical system using at least one of the test cases generated based on the test model linked with the safety model (This element is interpreted under 35 U.S.C. 112(f) as the circuitry or the software needed to perform the claimed function; page 1, column 1, paragraph 1 teaches hardware software integration; claimed function described in rejection of claim 1 above)
With respect to claim 14, Philip et al NPL differs from the claimed invention in that it does not explicitly disclose: 
an analyzing unit for analyzing the testing for providing coverage criteria for the safety-relevant functionality
With respect to claim 14, the following limitation(s) is/are obvious in view of what Philip et al NPL, as a whole, discloses:
an analyzing unit for analyzing the testing for providing coverage criteria for the safety-relevant functionality (This element is interpreted under 35 U.S.C. 112(f) as the circuitry or the software needed to perform the claimed function; page 1, column 1, paragraph 1 teaches hardware software integration; claimed function described in rejection of claim 1 above)
With respect to claim 14, it would have been obvious to one having ordinary skill in the art before the effective filing date of the invention to incorporate the teachings of Philip et al NPL. The motivation for the skilled artisan in doing so is to gain the benefit of greater effectiveness at uncovering potential safety faults.

With respect to claim 15, Philip et al NPL, as modified, discloses:
An arrangement comprising a technical system having a plurality of technical components and a computerized device for testing the technical system (abstract)

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Zeller (US PgPub 20200225652) discloses a method for modelling technical systems.
Hoefig et al (US PgPub 20160170868) discloses a method and apparatus for the automated testing of a subsystem of a safety critical system.
Hofig (US PgPub 20160246661) discloses analyzing the availability of a system.
Klar et al NPL (Klar, Dennis; Huhn, Michaela; and Gruhser, Jochen – “Symptom Propagation and Transformation Analysis: A Pragmatic Model for System-level Diagnosis of Large Automation Systems”; This paper was presented as part of the main technical program at IEEE ETFA ‘2011.)
Gannous et al NPL (Gannous, Aiman; Andrews, Anneliese; and Gallina, Barbara – “Toward a Systematic and Safety Evidence Productive Verification Approach for Safety-Critical Systems”; 2018 IEEE International Symposium on Software Reliability Engineering Workshops.)
Ammann et al NPL (Ammann, Paul; Ding, Wei; and Xu, Daling – “Using a Model Checker to Test Safety Properties”; ©2001 IEEE.)
Huang et al NPL (Huang, Ling; Li, Chenling; Li, KaiCheng; Tang, Tao; and LV, JiDong -  “Model-Based Generation of Safety Test-Cases for Onboard Systems; ©2013 IEEE.)
Lahtinen NPL (Lahtinen, Jussi – “Hardware failure modelling methodology for model checking”; Research Report VTT-R-00213-14; This report was prepared as part of the research project Safety Evaluation and Reliability Analysis of Nuclear Automation (SARANA), which is part of the Finnish Research Programme on Nuclear Power Plant Safety 2011-2014 (SAFIR2014); 02/26/14.)
Abdulkhaleq et al NPL (Abdulkhaleq, Asim; Wagner, Stefan; and Leveson, Nancy – “A comprehensive safety engineering approach for software-intensive systems based on STPA”; 3rd European STAMP Workshop, STAMP EU 2015.)
Lyu NPL (Lyu, Michael R. – “An integrated Approach to Achieving High Software Reliability”; ©1998 IEEE.)
Kloos et al NPL (Kloos, Johannes; Hussain, Tanvir; and Eschbach, Robert – “Risk-based Testing of Safety-Critical Embedded Systems Driven by Fault Tree Analysis”; 2011 Fourth International Conference on Software Testing, Verification and Validation Workshops.)
Wu et al NPL (Wu, Li-Jin; Xu, Zhao-Wei; Liu, Bo-Jiang; Han, Xin-Yu; and Tang, Long-Li; “Software Safety Test Requirements Analysis Technology Based on Failure Modes”; 2019 International Conference on Quality, Reliability, Risk, Maintenance, and Safety Engineering (QR2MSE 2019) August 6-9, 2019, Zhangjiajle, Hunan, China.)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to LEONARD S LIANG whose telephone number is (571)272-2148. The examiner can normally be reached M-F 10:00 AM - 7 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ARLEEN VAZQUEZ can be reached on (571)272-2619. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/LEONARD S LIANG/Examiner, Art Unit 2862                                                                                                                                                                                                        08/18/22


/ARLEEN M VAZQUEZ/Supervisory Patent Examiner, Art Unit 2865
08/25/2022