DETAILED ACTION
Claims 1-20 (filed 08/12/2022) have been considered in this action.  Claims 1, 8 and 15 have been amended.  Claims 2-7, 9-14 and 16-20 have been presented in the same format as previously presented.

Response to Arguments
Applicant’s arguments, see page 7 paragraph 2, filed 08/12/2022, with respect to rejection of claims 1-7 under 35 U.S.C. 112(a) have been fully considered and are persuasive.  The rejection of claims 1-7 under 35 U.S.C. 112(a) has been withdrawn. 

Applicant's arguments, see page 8 paragraph 4, filed 08/12/2022, with respect to rejection of claims 1-20 under 35 U.S.C. 112(b) have been fully considered but they are not persuasive.  Applicant has argued that “[page 10] The Applicant's specification at least at para. [0041] indicates that the primary controller maintains a secondary controller while creating a new, alternate secondary controller for load balancing or equipment update so that the current secondary can be shut down without any loss of availability, or disruption to synchronization. This approach allows for multiple concurrent secondaries as well, so that there are more than one active, viable backup nodes” however the use of the alternate (i.e. second concurrent secondary controller) is not linked in any way to the act of moving the first concurrent secondary controller because moving occurs to any node among the plurality of nodes, not a node which has already been synchronized such as the second concurrent secondary.  It would therefore appear that the stated benefit of having multiple secondaries is not achieved at the instant the first concurrent secondary is moved because the “another node among the plurality of nodes” has not been claimed as having been previously synchronized or receiving a backup.  The unclear nature of this limitation is further illuminated by the fact that “the disruption to the synchronization” does not have proper antecedent basis for a previous synchronization process.  Applicant has stated that the “moving” process involves having secondary functionality (i.e. taking over the control functions from the primary when the primary fails) reestablished, however this presupposes the fact that the another node already has the I/O and control functions running in synchronization, or else the another node would lack the ability to act as a secondary because it would not have the information necessary for it to act as a secondary by being updated/synchronized with the most recent information.  The mere act of “moving” does not adequately describe how “prevent loss or disruption to the synchronization of the primary controller” is achieved because if the another node has not previously been synchronized (as is not claimed) then “moving” the secondary inherently contains some period where synchronization occurs from the primary controller to the another node, thus failing the claimed functionality because during this time period while synchronization occurs, it cannot adequately take over as primary.  In other words, the claim is still unclear because “moving” does not adequately describe the steps required for another node to become a first concurrent secondary that “prevent loss during shutdown or disruption to the synchronization of the primary controller”.  The backup exists on the “at least one node” but not on the “another node”, therefore it is unclear how the data required to become a secondary for the primary is achieved by the claim language alone based upon the applicant’s arguments that present the “moving” to be taking over secondary controller responsibilities as able to changeover and become the primary.  

Applicant’s arguments, see page 10 paragraph 3, filed 08/12/2022, with respect to rejection of claims 1-7 under 35 U.S.C. 112(b) have been fully considered and are persuasive.  The rejection of claims 1-7 under 35 U.S.C. 112(b) has been withdrawn. 
 
Applicant’s arguments with respect to rejection of claims 1-20 under 35 U.S.C. 103 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.  Examiner has provided new references, which teach the concept of triple redundant systems that have two concurrent secondary controllers, and teach the concept of trickle synchronization methods for synchronizing primary controllers with secondary controllers.  See below for a more detailed explanation.
In terms of the arguments presented regarding the lack of Ong teaching the “moving” of a secondary controller from one node to another, the examiner does not find this line of reasoning convincing.  Ong teaches that for each time interval a load balancing algorithm determines where control modules and redundancy modules will be executed, wherein a redundancy module emulates the actions of the control module so it can take over in case of failure (Fig. 3, [0035]-[0045], [0051]-[0065]).  Therefore, if in a current time interval, a current secondary controller is found to have excess loading, its redundancy module that is the backup of the primary controller will be moved to another node which does not have excess loading in order to balance the load in the next time interval.  Therefore, Ong teaches that moving the first concurrent secondary controller to another node occurs “for load balancing” and reads on all aspects of the claim as the functions provided by this redistribution of resources can be considered “moving” the secondary to another node.  

Examiner’s comments
In order to assist the applicant, the examiner would like to note that the inventive concept as argued by their applicant in the response filed 08/12/2022 appears to be the implementation of a “M:N redundancy” through the operation of a control hive where controller responsibilities can float among different compute nodes.  The examiner recommends amending these features and the capabilities surrounding these features into the claim to help distinguish it over the prior art.  As it currently stands, there is no mention of M:N redundancy nor any particular feature that realizes this improvement.  It is recommended that if the applicant claims the “M:N” redundancy that the terms of M and N be clearly defined in the claims to prevent broad interpretation.   The examiner further recommends claiming that redundancy greater than triple redundancy (i.e. two secondaries) is achieved.  These statements are being provided to assist the applicant, and in no way should be interpreted as being indicative of allowable material, as further search and consideration would be required.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1-20 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 8 and 15 contain a form of the limitation “and moving the first concurrent secondary controller to another node among the plurality of nodes different than the at least one node among the plurality of nodes for load balancing or an equipment update to prevent loss during a shut down or a disruption to the synchronization of the at least one primary controller in the automation control system”.  This statement is unclear because it appears to be absent some steps that a person having ordinary skill in the art would understand as being required by the claim.  Applicant’s arguments filed 08/12/2022 (see page [0010]) establish that the “moving” establishes a node as a secondary controller, meaning that it contains all data necessary for it to operate as a secondary or to “reestablish secondary capability”.  However, the claim fails to link how the “another node” is first synchronized or downloaded with backup or information of the primary controller in order for it to operate as a fully functioning secondary that can “to prevent loss during shut down or disruption to the synchronization of the at least one primary controller in the automation control system”.  In other words, the act of merely making or moving another node as a secondary controller would fail to be able to prevent loss during shut down or disruption of synchronization to the primary controller because no previous steps in the claim perform any action on the another node that synchronize or backup the primary controller to the another node.  It is therefore unclear how this intended results comes about because without the backup or synchronized information from the primary controller, the mere establishment of an arbitrary node as a secondary controller would fail to take over the primary controller responsibilities.
It is further noted that there is a lack of antecedent basis for “the synchronization of the at least one primary controller” because there is no previously established synchronization, only the claiming of a “trickle sync” mechanism, thus it is unclear whether “the synchronization” is referring to the trickle sync mechanism or some other synchronization performed but not claimed.  For the sake of compact prosecution, the examiner shall consider “the synchronization” to refer to any synchronization performed by the system in order to create a secondary controller on a node.
Claims 2-7, 9-14 and 16-20 are rejected under 35 U.S.C. 112(b) for being dependent upon claims 1, 8 and 15.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Ong et al. (US 20190056719, hereinafter Ong) in view of Hefeeda et al. (US 20150378356, hereinafter Hefeeda) and McLaughlin et al. (US 6170044, hereinafter McLaughlin).

In regards to Claim 1, Ong discloses “A method of synchronizing controllers in an automation control system, the method comprising: arranging a plurality of redundancy elements in the automation control system comprising a plurality of nodes, wherein the plurality of redundancy elements include at least one primary controller and a plurality of concurrent secondary controllers” (Fig. 2 and [0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a executing the control module. The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; [0030] In some scenarios, the controllers are in a centralized controller farm and are located within the same area (e.g., a temperature controlled room). In other scenarios, the controllers are in a distributed controller farm and are located in several areas (e.g., several temperature controlled rooms); [0032] Turning now to FIG. 1B, the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11) “and wherein a back-up to the at least one primary controller exists on at least one node among the plurality of nodes;” (Fig. 2 and 3 and [0039] the controller farm 160 includes a control manager 152 that assigns control modules, redundancy modules, big data modules, and any other suitable operations to the controllers 150a-n; [0041] the control manager 152 automatically generates a redundancy module upon obtaining a corresponding control module. Referring now to FIG. 2, the control manager 152 communicates with several controllers 150a-n in the controller farm 160. Each of the controllers 150a-n and the control manager 152 may be physical machines (e.g., hardware) or virtual machines (e.g., software); [0043] the redundancy manager 206 generates a redundancy module for each control module 208 obtained by the control manager 152. The redundancy module may cause the controller 150a-n executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a-n executing the control module without executing the control loops or functions included in the control module. In some embodiments, the control executive 200 provides each of the obtained control modules 208 to the redundancy manager 206 for the redundancy manager to generate a corresponding redundancy module; [0065] At block 312, the assigned modules are downloaded to the respective controllers 150a-n for execution during the particular time interval. Each controller 150a-n executes its assigned modules by providing control signals and otherwise communicating with the field devices 15-22, 40-46 associated with each assigned module.) “backing-up the at least one primary controller by a first concurrent secondary controller among the plurality of concurrent secondary controllers” (Fig. 3 and [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc.; [0051] the control executive 200 then provides the assigned modules to the corresponding controllers 150a-n, so that each controller 150a-n may execute the assigned modules. In some embodiments, the control executive 200 analyzes the assignments and may adjust some of the assignments to ensure that multiple controllers 150a-n are not providing control signals to the same field device and/or for the same parameter within the same time interval) “and moving the at first concurrent secondary controller to another node among the plurality of nodes different than the at least one node among the plurality of nodes for load balancing or an equipment update to prevent loss during a shut down or a disruption to the synchronization of the at least one primary controller in the automation control system” (Fig. 3 and [0045] The control executive 200 may communicate with the load balancer 202 to determine which controller 150a-n should execute which control modules 208, redundancy modules, and big data modules during a particular time interval. In some embodiments, the load balancer 202 receives an availability metric for each of the controllers 150a-n in the controller farm 160 and a list of control modules, redundancy modules, and big data modules to be executed within a particular time interval (e.g., 30 minutes, an hour, two days, a day, etc.) which may include respective priority levels for each of the modules. The load balancer 202 then assigns a controller 150a-n in the controller farm 160 to execute each of the modules. In some scenarios, a single controller 150a-n may execute several modules within the same time interval depending on the parallel processing capabilities and memory density of the controller 150a-n. In another example scenario, the load balancer 202 identifies two different controllers 150a-n to execute a control module and a redundancy module, so that the controller 150a-n executing the redundancy module can take over for the controller 150a-n executing the control module in the event of a failure at the controller; [0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n. In some embodiments, the control manager 152 uses a load balancing algorithm to assign modules to the controllers 150a-n. For example, the load balancing algorithm may be a reversing round robin mechanism, where the control manager 152 assigns the highest ranked module to the highest ranked controller 150a-n, then assigns the second highest ranked module to the second highest ranked controller 150a-n and continues in descending order until each controller 150a-n has been assigned a module. Then the control manager 152 assigns the remaining control modules in ascending order for the controllers 150a-n until each controller 150a-n has been assigned two modules; wherein when a redundancy module is assigned to a first controller in a first time interval, and then is assigned to a different controller in a second time interval due to load balancing, it can be considered a moving for load balancing; [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails; wherein redundancy modules offer the ability to “move” controllers and the load balancing algorithm is capable of moving functions from one node to another, including redundancy modules, based on load balancing).
Ong fails to teach “creating using a trickle sync mechanism, a second concurrent secondary controller for the at least one primary controller, wherein the second concurrent secondary controller is maintained as a new and as an alternative secondary controller to the first concurrent secondary controller;...or an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system”.
Hefeeda teaches “creating ... a second concurrent secondary controller for the at least one primary controller, wherein the second concurrent secondary controller is maintained as a new and as an alternative secondary controller to the first concurrent secondary controller;” ([0154] In most practical systems, controller failures are handled by double redundancy, or at most triple redundancy for mission-critical processes; [0155] To achieve reliability in the proposed feedback control cloud service, one embodiment of the invention incorporates a distributed fault tolerance algorithm that is run asynchronously by all redundant controllers. The algorithm is known as Reliable Cloud Control (RCC). RCC supports double or higher redundancy and provides the following guarantees: [0156] G1: If the primary controller fails, the secondary controller is automatically hot-swapped in. This guarantee is generalizable to higher redundancy. For example, in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in; [0175] Although the tertiary controller will also detect the failure of the primary, its engagement threshold is higher than that of the secondary controller. Before the value of lastActionAge (1) crosses the tertiary controller's engagement threshold, the secondary controller would have already acted. Thus, when the tertiary polls the state on the following sampling period, the time counter lastActionAge (2) would have incremented to δ, such that 0≦δ≦T.sub.s which is less than the tertiary's engagement threshold, forcing iAmEngaged flag for the tertiary controller to become FALSE. [0176] The tertiary controller will get engaged if and only if both the primary and secondary controllers become unavailable; wherein because there must have been a point in time when the tertiary controller was initially created or synchronized, it is considered new) “for ... an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system” ([0155] To achieve reliability in the proposed feedback control cloud service, one embodiment of the invention incorporates a distributed fault tolerance algorithm that is run asynchronously by all redundant controllers. The algorithm is known as Reliable Cloud Control (RCC). RCC supports double or higher redundancy and provides the following guarantees: [0156] G1: If the primary controller fails, the secondary controller is automatically hot-swapped in. This guarantee is generalizable to higher redundancy. For example, in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in; [0160] At any given time, RCC makes a single controller engaged in controlling the process, while it makes the other controllers standby (or backup). A standby controller is still reading the process output and preparing, but withholding, its own next action; [0175] Without loss of generality, we now focus on the triple redundancy case to illustrate the interaction among 3 controllers under RCC... The tertiary controller will get engaged if and only if both the primary and secondary controllers become unavailable. This addresses guarantee G1 If the primary controller recovers from failure, it will gain control over the process since it always operates in the engaged mode, forcing the secondary controller into the standby mode; [0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers. [0186] Cloud controllers can be used to temporarily manage systems while their physical controllers are being upgraded or replaced due to failures; wherein an upgrade or replacement is considered an equipment update).
It would have been obvious to a person having ordinary skill in the art before the effective file date of the claimed invention to have modified the cloud-based redundant control system that offers a control module (primary) and plurality of redundancy modules (secondaries) of Ong, with the use of a triply redundant cloud-based automation control system wherein a backup of a primary controller is performed by a cloud controller acting as a secondary or tertiary controller such that when upgrades occur a secondary controller takes over as primary and a tertiary controller acts as a backup/secondary because both inventions are in the related field of offering automation control system controllers via a cloud-based platform.  By implementing the features of Hefeeda in Ong, one would expect to gain the same benefits, namely a cost saving noted by Hefeeda “[0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers.”.  Furthermore, by offering a triply redundant system as opposed to only a double redundant system, a person having ordinary skill would expect the system to achieve improved reliability, as instead of having two points of failure for a complete system failure the triply redundant system would require three points of failure and thus offer an additional component that must fail before complete system failure (“[0156] in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in”).  
The combination of Ong and Hefeeda fail to teach “creating using a trickle sync mechanism, a second concurrent secondary controller for the at least one primary controller”.
McLaughlin teaches “creating using a trickle sync mechanism, a second concurrent secondary controller for the at least one primary controller” ([col 11 line 50] FIG. 5 is a flow diagram 500 illustrating the operation of the primary control processor module 200 during one base control cycle execution in the synchronization maintenance phase of operation according to one embodiment of the present invention. At the start of the base control cycle, the primary control processor module 200 sends any track data that accumulated in data buffer 225 during the previous base control cycle to the secondary control processor module 250, thereby ensuring at least one transfer of track data per base control cycle. The primary control processor module 200 also sends a clean point signal (process step 501). [col 12 line 12] The above-described embodiment of the present invention provides a "trickle" method of synchronizing primary control processor module 200 and secondary control processor module 250. Rather than intermittently halting the foreground tasks executed by primary control processor module 200 while a large block of track data is transferred to secondary control processor module 250, the present invention provides a stream of much smaller blocks of updated track data synchronous with each base control cycle execution).
It would have been obvious to a person having ordinary skill in the art before the effective file date of the claimed invention to have modified the system that maintains two secondary controllers for a primary controller to act as redundant controllers for being able to take on control functions when the primary controller fails and that moves secondary controllers between different nodes for a load balancing as taught by Ong and Hefeeda with the use of a trickle synchronization method for creating the second concurrent secondary as taught by McLaughlin because it would gain the stated benefit of McLaughlin, notably that “[col 12 line 21] By making data buffer 225 and FIFO 215 sufficiently small, the time required to transfer a block of sync and/or track data to the secondary control processor module 250 may be kept sufficiently short so that the transfer or one of more sync/track data blocks may be completed within a single base control cycle execution. This provides a more seamless synchronization between the redundant controllers, thereby acquiring a synchronized secondary control processor module 250 without impacting the normal operations of the primary control processor module 200”.  In other words, by using the trickle sync method of McLaughlin, the inherent benefit of providing better synchronization occurs and disruption of the primary controller is avoided by having to process large blocks, especially when a new secondary controller is created when large amounts of data would be required to be sent.  By combining these elements, it can be considered taking the known plurality of automation nodes that include redundancy modules for having two concurrent secondary controllers on other nodes different from the primary controller node, and improving it by using a trickle sync method to synchronize the second secondary controller in a known way to achieve predictable results.

In regards to Claim 2, Ong, Hefeeda and McLaughlin teach the method of operating an automation control system as incorporated by claim 1 above.  Ong further teaches “The method of claim 1, wherein the redundancy elements comprise compute nodes that support a workload of the at least one primary controller or the at least one secondary controller” ([0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11;  [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n; wherein balancing a load across controllers/blades is considered supporting a workload).

In regards to Claim 3, Ong, Hefeeda and McLaughlin teach the method of operating an automation control system as incorporated by claim 1 above.  Ong further teaches “The method of claim 1, wherein the automation control system comprises an automation control hive” ([0008] A process control system within one or several process plants includes a centralized or distributed controller farm having several controllers similar to a server farm. The controller farm may include blade servers or rack servers, where each of the controllers in the controller farm is configured to control each of the field devices in a process plant or in several process plants to control the operation of the process plants... A single controller within the controller farm may simultaneously control field devices in several portions of the process plant or in different process plants. Additionally, the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants. Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; wherein a controller farm is considered an automation control hive).

In regards to Claim 4, Ong, Hefeeda and McLaughlin teach the method of operating an automation control system as incorporated by claim 3 above.  Ong further teaches “The method of claim 3, wherein the automation control hive comprises control applications and an environment not bound to dedicated hardware, but which float across any hardware within the automation control hive” ([0002] The process controllers, which are also typically located within the plant environment, receive signals indicative of process measurements made by the field devices and/or other information pertaining to the field devices and execute a controller application that runs, for example, different control modules which make process control decisions, generate control signals based on the received information and coordinate with the control modules or blocks being performed in the field devices; [0008] the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants.  Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; [0018] a processor within a controller 150a-n of the controller farm 160 may be selected to implement or oversee one or more process control routines (stored in a memory), which may include control loops. The selected processor may communicate with the field devices 15-22 and 40-46 and with other nodes that are communicatively connected to the backbone 105; [0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11; [0035] The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module. Similar to the control modules, the redundancy modules may be software, firmware, hardware, etc. Redundancy modules may be implemented in any desired software format, such as using object oriented programming, ladder logic, sequential function charts, function block diagrams, or using any other software programming language or design paradigm).

In regards to Claim 5 Ong, Hefeeda and McLaughlin teach the method of operating an automation control system as incorporated by claim 1 above.  Ong further teaches “The method of claim 1 wherein the at least one primary controller and each concurrent secondary controller among the plurality of concurrent secondary controllers comprise a process controller” ([0030] Also as used herein, a "controller farm" or a "centralized or distributed controller farm" may include several controllers each communicatively connected to each of the field devices 15-22, 40-46 in the process plant 10 and/or field devices in other process plants within the process control system 100. [0028] Although FIG. 1A illustrates a controller farm 160 having a particular number of controllers 150a-n, any number of controllers 150a-n may be included in the controller farm 160 including tens of controllers, hundreds of controllers, thousands of controllers, etc. [0001] The present disclosure relates generally to process plants and process control systems, and more particularly, to a centralized or distributed controller farm that controls several field devices distributed across one or several process plants).

In regards to Claim 6, Ong, Hefeeda and McLaughlin teach the method of operating an automation control system as incorporated by claim 1 above.  Ong further teaches “The method of claim 1 wherein the equipment update comprises at least one of: a controller firmware or a software migration” ([0018] It should be noted that any control routines or modules (including quality prediction and fault detection modules or function blocks) described herein may have parts thereof implemented or executed by different controllers or other devices if so desired. Likewise, the control routines or modules described herein which are to be implemented within the process control system 100 may take any form, including software, firmware, hardware, etc. ;[0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; wherein because the modules executed during a second time interval are different for the same controller, it can be considered that the modules (software) has migrated).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.).

In regards to Claim 7, Ong, Hefeeda and McLaughlin teach the method of operating an automation control system as incorporated by claim 1 above.  Ong further teaches “The method of claim 1 wherein the equipment update comprises a controller hardware migration” ([0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails...The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; wherein the changing from primary controller 150a to redundant controller 150b is considered a hardware migration because the hardware executing the control module has changed and been implemented by different hardware).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.)

In regards to Claim 8, Ong discloses “A system for synchronizing controllers for automation control, the system comprising: a plurality of redundancy elements in the automation control system comprising a plurality of nodes, wherein the plurality of redundancy elements include at least one primary controller and a plurality of concurrent secondary controllers” (Fig. 2 and [0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a executing the control module. The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; [0030] In some scenarios, the controllers are in a centralized controller farm and are located within the same area (e.g., a temperature controlled room). In other scenarios, the controllers are in a distributed controller farm and are located in several areas (e.g., several temperature controlled rooms); [0032] Turning now to FIG. 1B, the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11) “and wherein a back-up to the at least one primary controller exists on at least one node among the plurality of nodes;” (Fig. 2 and 3 and [0039] the controller farm 160 includes a control manager 152 that assigns control modules, redundancy modules, big data modules, and any other suitable operations to the controllers 150a-n; [0041] the control manager 152 automatically generates a redundancy module upon obtaining a corresponding control module. Referring now to FIG. 2, the control manager 152 communicates with several controllers 150a-n in the controller farm 160. Each of the controllers 150a-n and the control manager 152 may be physical machines (e.g., hardware) or virtual machines (e.g., software); [0043] the redundancy manager 206 generates a redundancy module for each control module 208 obtained by the control manager 152. The redundancy module may cause the controller 150a-n executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a-n executing the control module without executing the control loops or functions included in the control module. In some embodiments, the control executive 200 provides each of the obtained control modules 208 to the redundancy manager 206 for the redundancy manager to generate a corresponding redundancy module; [0065] At block 312, the assigned modules are downloaded to the respective controllers 150a-n for execution during the particular time interval. Each controller 150a-n executes its assigned modules by providing control signals and otherwise communicating with the field devices 15-22, 40-46 associated with each assigned module.) “the back-up of the at least one primary controller by a first concurrent secondary controller among the plurality of concurrent secondary controllers” (Fig. 3 and [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc.; [0051] the control executive 200 then provides the assigned modules to the corresponding controllers 150a-n, so that each controller 150a-n may execute the assigned modules. In some embodiments, the control executive 200 analyzes the assignments and may adjust some of the assignments to ensure that multiple controllers 150a-n are not providing control signals to the same field device and/or for the same parameter within the same time interval) “wherein the system is configured to move the first concurrent secondary controller to another node among the plurality of nodes different than the at least one node among the plurality of nodes for load balancing or an equipment update to facilitate prevention of a loss during a shut down or a disruption to the synchronization of the at least one primary controller in the automation control system” (Fig. 3 and [0045] The control executive 200 may communicate with the load balancer 202 to determine which controller 150a-n should execute which control modules 208, redundancy modules, and big data modules during a particular time interval. In some embodiments, the load balancer 202 receives an availability metric for each of the controllers 150a-n in the controller farm 160 and a list of control modules, redundancy modules, and big data modules to be executed within a particular time interval (e.g., 30 minutes, an hour, two days, a day, etc.) which may include respective priority levels for each of the modules. The load balancer 202 then assigns a controller 150a-n in the controller farm 160 to execute each of the modules. In some scenarios, a single controller 150a-n may execute several modules within the same time interval depending on the parallel processing capabilities and memory density of the controller 150a-n. In another example scenario, the load balancer 202 identifies two different controllers 150a-n to execute a control module and a redundancy module, so that the controller 150a-n executing the redundancy module can take over for the controller 150a-n executing the control module in the event of a failure at the controller; [0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n. In some embodiments, the control manager 152 uses a load balancing algorithm to assign modules to the controllers 150a-n. For example, the load balancing algorithm may be a reversing round robin mechanism, where the control manager 152 assigns the highest ranked module to the highest ranked controller 150a-n, then assigns the second highest ranked module to the second highest ranked controller 150a-n and continues in descending order until each controller 150a-n has been assigned a module. Then the control manager 152 assigns the remaining control modules in ascending order for the controllers 150a-n until each controller 150a-n has been assigned two modules; wherein when a redundancy module is assigned to a first controller in a first time interval, and then is assigned to a different controller in a second time interval due to load balancing, it can be considered a moving for load balancing; [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails).
Ong fails to teach “and a second concurrent secondary controller as a new and as an alternate secondary controller to the first concurrent secondary controller, wherein the second concurrent secondary controller is created using a trickle synch mechanism; ...or an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system”.
Hefeeda teaches “and a second concurrent secondary controller as a new and as an alternate secondary controller to the first concurrent secondary controller, wherein the second concurrent secondary controller is created using a trickle synch mechanism” ([0154] In most practical systems, controller failures are handled by double redundancy, or at most triple redundancy for mission-critical processes; [0155] To achieve reliability in the proposed feedback control cloud service, one embodiment of the invention incorporates a distributed fault tolerance algorithm that is run asynchronously by all redundant controllers. The algorithm is known as Reliable Cloud Control (RCC). RCC supports double or higher redundancy and provides the following guarantees: [0156] G1: If the primary controller fails, the secondary controller is automatically hot-swapped in. This guarantee is generalizable to higher redundancy. For example, in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in; [0175] Although the tertiary controller will also detect the failure of the primary, its engagement threshold is higher than that of the secondary controller. Before the value of lastActionAge (1) crosses the tertiary controller's engagement threshold, the secondary controller would have already acted. Thus, when the tertiary polls the state on the following sampling period, the time counter lastActionAge (2) would have incremented to δ, such that 0≦δ≦T.sub.s which is less than the tertiary's engagement threshold, forcing iAmEngaged flag for the tertiary controller to become FALSE. [0176] The tertiary controller will get engaged if and only if both the primary and secondary controllers become unavailable; wherein because there must have been a point in time when the tertiary controller was initially created or synchronized, it is considered new) “for ... an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system” ([0155] To achieve reliability in the proposed feedback control cloud service, one embodiment of the invention incorporates a distributed fault tolerance algorithm that is run asynchronously by all redundant controllers. The algorithm is known as Reliable Cloud Control (RCC). RCC supports double or higher redundancy and provides the following guarantees: [0156] G1: If the primary controller fails, the secondary controller is automatically hot-swapped in. This guarantee is generalizable to higher redundancy. For example, in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in; [0160] At any given time, RCC makes a single controller engaged in controlling the process, while it makes the other controllers standby (or backup). A standby controller is still reading the process output and preparing, but withholding, its own next action; [0175] Without loss of generality, we now focus on the triple redundancy case to illustrate the interaction among 3 controllers under RCC... The tertiary controller will get engaged if and only if both the primary and secondary controllers become unavailable. This addresses guarantee G1 If the primary controller recovers from failure, it will gain control over the process since it always operates in the engaged mode, forcing the secondary controller into the standby mode; [0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers. [0186] Cloud controllers can be used to temporarily manage systems while their physical controllers are being upgraded or replaced due to failures; wherein an upgrade or replacement is considered an equipment update).
It would have been obvious to a person having ordinary skill in the art before the effective file date of the claimed invention to have modified the cloud-based redundant control system that offers a control module (primary) and plurality of redundancy modules (secondaries) of Ong, with the use of a triply redundant cloud-based automation control system wherein a backup of a primary controller is performed by a cloud controller acting as a secondary or tertiary controller such that when upgrades occur a secondary controller takes over as primary and a tertiary controller acts as a backup/secondary because both inventions are in the related field of offering automation control system controllers via a cloud-based platform.  By implementing the features of Hefeeda in Ong, one would expect to gain the same benefits, namely a cost saving noted by Hefeeda “[0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers.”.  Furthermore, by offering a triply redundant system as opposed to only a double redundant system, a person having ordinary skill would expect the system to achieve improved reliability, as instead of having two points of failure for a complete system failure the triply redundant system would require three points of failure and thus offer an additional component that must fail before complete system failure (“[0156] in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in”).  
The combination of Ong and Hefeeda fail to teach “wherein the second concurrent secondary controller is created using a trickle synch mechanism;”.
McLaughlin teaches “wherein the second concurrent secondary controller is created using a trickle synch mechanism;” ([col 11 line 50] FIG. 5 is a flow diagram 500 illustrating the operation of the primary control processor module 200 during one base control cycle execution in the synchronization maintenance phase of operation according to one embodiment of the present invention. At the start of the base control cycle, the primary control processor module 200 sends any track data that accumulated in data buffer 225 during the previous base control cycle to the secondary control processor module 250, thereby ensuring at least one transfer of track data per base control cycle. The primary control processor module 200 also sends a clean point signal (process step 501). [col 12 line 12] The above-described embodiment of the present invention provides a "trickle" method of synchronizing primary control processor module 200 and secondary control processor module 250. Rather than intermittently halting the foreground tasks executed by primary control processor module 200 while a large block of track data is transferred to secondary control processor module 250, the present invention provides a stream of much smaller blocks of updated track data synchronous with each base control cycle execution).
It would have been obvious to a person having ordinary skill in the art before the effective file date of the claimed invention to have modified the system that maintains two secondary controllers for a primary controller to act as redundant controllers for being able to take on control functions when the primary controller fails and that moves secondary controllers between different nodes for a load balancing as taught by Ong and Hefeeda with the use of a trickle synchronization method for creating the second concurrent secondary as taught by McLaughlin because it would gain the stated benefit of McLaughlin, notably that “[col 12 line 21] By making data buffer 225 and FIFO 215 sufficiently small, the time required to transfer a block of sync and/or track data to the secondary control processor module 250 may be kept sufficiently short so that the transfer or one of more sync/track data blocks may be completed within a single base control cycle execution. This provides a more seamless synchronization between the redundant controllers, thereby acquiring a synchronized secondary control processor module 250 without impacting the normal operations of the primary control processor module 200”.  In other words, by using the trickle sync method of McLaughlin, the inherent benefit of providing better synchronization occurs and disruption of the primary controller is avoided by having to process large blocks, especially when a new secondary controller is created when large amounts of data would be required to be sent.  By combining these elements, it can be considered taking the known plurality of automation nodes that include redundancy modules for having two concurrent secondary controllers on other nodes different from the primary controller node, and improving it by using a trickle sync method to synchronize the second secondary controller in a known way to achieve predictable results.

In regards to Claim 9 Ong, Hefeeda and McLaughlin teach the system for operating an automation control synchronization as incorporated by claim 8 above.  Ong further teaches “The system of claim 8, wherein the redundancy elements comprise compute nodes that support a workload of the at least one primary controller or the at least one secondary controller” ([0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11;  [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n; wherein balancing a load across controllers/blades is considered supporting a workload).

In regards to Claim 10, Ong, Hefeeda and McLaughlin teach the system for operating an automation control synchronization as incorporated by claim 8 above.  Ong further teaches “The system of claim 8, wherein the automation control system comprises an automation control hive” ([0008] A process control system within one or several process plants includes a centralized or distributed controller farm having several controllers similar to a server farm. The controller farm may include blade servers or rack servers, where each of the controllers in the controller farm is configured to control each of the field devices in a process plant or in several process plants to control the operation of the process plants... A single controller within the controller farm may simultaneously control field devices in several portions of the process plant or in different process plants. Additionally, the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants. Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; wherein a controller farm is considered an automation control hive).

In regards to Claim 11, Ong, Hefeeda and McLaughlin teach the system for operating an automation control synchronization as incorporated by claim 10 above.  Ong further teaches “The system of claim 10, wherein the automation control hive comprises control applications and an environment not bound to dedicated hardware, but which float across any hardware within the automation control hive” ([0002] The process controllers, which are also typically located within the plant environment, receive signals indicative of process measurements made by the field devices and/or other information pertaining to the field devices and execute a controller application that runs, for example, different control modules which make process control decisions, generate control signals based on the received information and coordinate with the control modules or blocks being performed in the field devices; [0008] the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants.  Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; [0018] a processor within a controller 150a-n of the controller farm 160 may be selected to implement or oversee one or more process control routines (stored in a memory), which may include control loops. The selected processor may communicate with the field devices 15-22 and 40-46 and with other nodes that are communicatively connected to the backbone 105; [0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11; [0035] The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module. Similar to the control modules, the redundancy modules may be software, firmware, hardware, etc. Redundancy modules may be implemented in any desired software format, such as using object oriented programming, ladder logic, sequential function charts, function block diagrams, or using any other software programming language or design paradigm).

In regards to Claim 12, Ong, Hefeeda and McLaughlin teach the system for operating an automation control synchronization as incorporated by claim 8 above.  Ong further teaches “The system of claim 8, wherein the at least one primary controller and each concurrent secondary controller among the plurality of concurrent secondary controllers comprise a process controller” ([0030] Also as used herein, a "controller farm" or a "centralized or distributed controller farm" may include several controllers each communicatively connected to each of the field devices 15-22, 40-46 in the process plant 10 and/or field devices in other process plants within the process control system 100. [0028] Although FIG. 1A illustrates a controller farm 160 having a particular number of controllers 150a-n, any number of controllers 150a-n may be included in the controller farm 160 including tens of controllers, hundreds of controllers, thousands of controllers, etc. [0001] The present disclosure relates generally to process plants and process control systems, and more particularly, to a centralized or distributed controller farm that controls several field devices distributed across one or several process plants).

In regards to Claim 13, Ong, Hefeeda and McLaughlin teach the system for operating an automation control synchronization as incorporated by claim 8 above.  Ong further teaches “The system of claim 8, wherein the equipment update comprises at least one of: a controller firmware or a software migration” ([0018] It should be noted that any control routines or modules (including quality prediction and fault detection modules or function blocks) described herein may have parts thereof implemented or executed by different controllers or other devices if so desired. Likewise, the control routines or modules described herein which are to be implemented within the process control system 100 may take any form, including software, firmware, hardware, etc. ;[0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; wherein because the modules executed during a second time interval are different for the same controller, it can be considered that the modules (software) has migrated).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.).

In regards to Claim 14, Ong, Hefeeda and McLaughlin teach the system for operating an automation control synchronization as incorporated by claim 8 above.  Ong further teaches “The system of claim 8 wherein the equipment update comprises a controller hardware migration” ([0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails...The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; wherein the changing from primary controller 150a to redundant controller 150b is considered a hardware migration because the hardware executing the control module has changed and been implemented by different hardware).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.)

In regards to Claim 15, Ong discloses “A system for synchronizing controllers for automation control, comprising: a non-transitory computer-usable medium embodying computer program code, the computer-usable medium capable of communicating with at least one processor, the computer program code comprising instructions executable by the at least one processor and configured for:” ([0014] The distributed controller 11 may include a processor 30, a memory 32, and one or more control routines 38. Additionally, each of the controllers 150a-n within the controller farm 160 may include one or more processors, a memory, and one or more control routines, as described in more detail below; [0032] Turning now to FIG. 1B, the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11... the memory within each of the blades 150a-n, 152 may include high density memory storage technology, for example, solid state drive memory, semiconductor memory, optical memory, molecular memory, biological memory, or any other suitable high density memory technology; [0041] Each of the controllers 1-N (ref. nos. 150a-n) includes a processor 210a-n, such as a multi-core processor or another type of parallel processor and a memory 212a-n which may be a high density memory. Each of the memories 212a-n may store various routines assigned to the respective controller 150a-n, including control modules 214a-n, big data modules 216a-n, and redundancy modules 218a-n; [0056] FIG. 3 depicts a flow diagram representing an exemplary method 300 for load balancing between controllers in a process control system 100. The method 300 may be executed on the control manager 152 within the controller farm 160 or any other computing device, blade server, etc. within the controller farm 160 or in communication with the controller farm 160. In some embodiments, the method may be implemented in a set of instructions stored on a non-transitory computer-readable memory and executable by one or more processors of the control manager 152) “arranging a plurality of redundancy elements in the automation control system comprising a plurality of nodes, wherein the plurality of redundancy elements include at least one primary controller and a plurality of concurrent secondary controllers” (Fig. 2 and [0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a executing the control module. The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; [0030] In some scenarios, the controllers are in a centralized controller farm and are located within the same area (e.g., a temperature controlled room). In other scenarios, the controllers are in a distributed controller farm and are located in several areas (e.g., several temperature controlled rooms); [0032] Turning now to FIG. 1B, the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11) “and wherein a back-up to the at least one primary controller exists on at least one node among the plurality of nodes;” (Fig. 2 and 3 and [0039] the controller farm 160 includes a control manager 152 that assigns control modules, redundancy modules, big data modules, and any other suitable operations to the controllers 150a-n; [0041] the control manager 152 automatically generates a redundancy module upon obtaining a corresponding control module. Referring now to FIG. 2, the control manager 152 communicates with several controllers 150a-n in the controller farm 160. Each of the controllers 150a-n and the control manager 152 may be physical machines (e.g., hardware) or virtual machines (e.g., software); [0043] the redundancy manager 206 generates a redundancy module for each control module 208 obtained by the control manager 152. The redundancy module may cause the controller 150a-n executing the redundancy module to receive the same inputs, outputs, setpoints, etc. being received and provided by the controller 150a-n executing the control module without executing the control loops or functions included in the control module. In some embodiments, the control executive 200 provides each of the obtained control modules 208 to the redundancy manager 206 for the redundancy manager to generate a corresponding redundancy module; [0065] At block 312, the assigned modules are downloaded to the respective controllers 150a-n for execution during the particular time interval. Each controller 150a-n executes its assigned modules by providing control signals and otherwise communicating with the field devices 15-22, 40-46 associated with each assigned module.) “backing-up the at least one primary controller by a first concurrent secondary controller among the plurality of concurrent secondary controllers” (Fig. 3 and [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails. To stay in sync with the controller 150a executing the control module, the redundancy module may cause the controller 150b executing the redundancy module to receive the same inputs, outputs, setpoints, etc.; [0051] the control executive 200 then provides the assigned modules to the corresponding controllers 150a-n, so that each controller 150a-n may execute the assigned modules. In some embodiments, the control executive 200 analyzes the assignments and may adjust some of the assignments to ensure that multiple controllers 150a-n are not providing control signals to the same field device and/or for the same parameter within the same time interval) “and moving the at least one secondary controller to another node among the plurality of nodes different than the at least one node among the plurality of nodes for load balancing or an equipment update to facilitate prevention of a loss during a shut down or a disruption to the synchronization of the at least one primary controller in the automation control system” (Fig. 3 and [0045] The control executive 200 may communicate with the load balancer 202 to determine which controller 150a-n should execute which control modules 208, redundancy modules, and big data modules during a particular time interval. In some embodiments, the load balancer 202 receives an availability metric for each of the controllers 150a-n in the controller farm 160 and a list of control modules, redundancy modules, and big data modules to be executed within a particular time interval (e.g., 30 minutes, an hour, two days, a day, etc.) which may include respective priority levels for each of the modules. The load balancer 202 then assigns a controller 150a-n in the controller farm 160 to execute each of the modules. In some scenarios, a single controller 150a-n may execute several modules within the same time interval depending on the parallel processing capabilities and memory density of the controller 150a-n. In another example scenario, the load balancer 202 identifies two different controllers 150a-n to execute a control module and a redundancy module, so that the controller 150a-n executing the redundancy module can take over for the controller 150a-n executing the control module in the event of a failure at the controller; [0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n. In some embodiments, the control manager 152 uses a load balancing algorithm to assign modules to the controllers 150a-n. For example, the load balancing algorithm may be a reversing round robin mechanism, where the control manager 152 assigns the highest ranked module to the highest ranked controller 150a-n, then assigns the second highest ranked module to the second highest ranked controller 150a-n and continues in descending order until each controller 150a-n has been assigned a module. Then the control manager 152 assigns the remaining control modules in ascending order for the controllers 150a-n until each controller 150a-n has been assigned two modules; wherein when a redundancy module is assigned to a first controller in a first time interval, and then is assigned to a different controller in a second time interval due to load balancing, it can be considered a moving for load balancing; [0035] The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails).
Ong fails to teach “creating using a trickle synch mechanism, a second concurrent secondary controller for the at least one primary controller, wherein the second concurrent secondary controller is maintained as a new and as an alternate secondary controller to the first concurrent secondary controller;...or an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system”.
Hefeeda teaches “creating using a trickle synch mechanism, a second concurrent secondary controller for the at least one primary controller, wherein the second concurrent secondary controller is maintained as a new and as an alternate secondary controller to the first concurrent secondary controller;” ([0154] In most practical systems, controller failures are handled by double redundancy, or at most triple redundancy for mission-critical processes; [0155] To achieve reliability in the proposed feedback control cloud service, one embodiment of the invention incorporates a distributed fault tolerance algorithm that is run asynchronously by all redundant controllers. The algorithm is known as Reliable Cloud Control (RCC). RCC supports double or higher redundancy and provides the following guarantees: [0156] G1: If the primary controller fails, the secondary controller is automatically hot-swapped in. This guarantee is generalizable to higher redundancy. For example, in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in; [0175] Although the tertiary controller will also detect the failure of the primary, its engagement threshold is higher than that of the secondary controller. Before the value of lastActionAge (1) crosses the tertiary controller's engagement threshold, the secondary controller would have already acted. Thus, when the tertiary polls the state on the following sampling period, the time counter lastActionAge (2) would have incremented to δ, such that 0≦δ≦T.sub.s which is less than the tertiary's engagement threshold, forcing iAmEngaged flag for the tertiary controller to become FALSE. [0176] The tertiary controller will get engaged if and only if both the primary and secondary controllers become unavailable; wherein because there must have been a point in time when the tertiary controller was initially created or synchronized, it is considered new) “for ... an equipment update to facilitate prevention of a loss during a shut down or a disruption to a synchronization of the at least one primary controller in the automation control system” ([0155] To achieve reliability in the proposed feedback control cloud service, one embodiment of the invention incorporates a distributed fault tolerance algorithm that is run asynchronously by all redundant controllers. The algorithm is known as Reliable Cloud Control (RCC). RCC supports double or higher redundancy and provides the following guarantees: [0156] G1: If the primary controller fails, the secondary controller is automatically hot-swapped in. This guarantee is generalizable to higher redundancy. For example, in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in; [0160] At any given time, RCC makes a single controller engaged in controlling the process, while it makes the other controllers standby (or backup). A standby controller is still reading the process output and preparing, but withholding, its own next action; [0175] Without loss of generality, we now focus on the triple redundancy case to illustrate the interaction among 3 controllers under RCC... The tertiary controller will get engaged if and only if both the primary and secondary controllers become unavailable. This addresses guarantee G1 If the primary controller recovers from failure, it will gain control over the process since it always operates in the engaged mode, forcing the secondary controller into the standby mode; [0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers. [0186] Cloud controllers can be used to temporarily manage systems while their physical controllers are being upgraded or replaced due to failures; wherein an upgrade or replacement is considered an equipment update).
It would have been obvious to a person having ordinary skill in the art before the effective file date of the claimed invention to have modified the cloud-based redundant control system that offers a control module (primary) and plurality of redundancy modules (secondaries) of Ong, with the use of a triply redundant cloud-based automation control system wherein a backup of a primary controller is performed by a cloud controller acting as a secondary or tertiary controller such that when upgrades occur a secondary controller takes over as primary and a tertiary controller acts as a backup/secondary because both inventions are in the related field of offering automation control system controllers via a cloud-based platform.  By implementing the features of Hefeeda in Ong, one would expect to gain the same benefits, namely a cost saving noted by Hefeeda “[0185] Cloud controllers act as backups for physical controllers in systems requiring high reliability. This can achieve substantial cost savings compared to replicating all physical controllers.”.  Furthermore, by offering a triply redundant system as opposed to only a double redundant system, a person having ordinary skill would expect the system to achieve improved reliability, as instead of having two points of failure for a complete system failure the triply redundant system would require three points of failure and thus offer an additional component that must fail before complete system failure (“[0156] in the case of triple redundancy, if the primary and secondary controllers fail, the tertiary controller is hot-swapped in”).  
The combination of Ong and Hefeeda fail to teach “creating using a trickle sync mechanism, a second concurrent secondary controller for the at least one primary controller”.
McLaughlin teaches “creating using a trickle sync mechanism, a second concurrent secondary controller for the at least one primary controller” ([col 11 line 50] FIG. 5 is a flow diagram 500 illustrating the operation of the primary control processor module 200 during one base control cycle execution in the synchronization maintenance phase of operation according to one embodiment of the present invention. At the start of the base control cycle, the primary control processor module 200 sends any track data that accumulated in data buffer 225 during the previous base control cycle to the secondary control processor module 250, thereby ensuring at least one transfer of track data per base control cycle. The primary control processor module 200 also sends a clean point signal (process step 501). [col 12 line 12] The above-described embodiment of the present invention provides a "trickle" method of synchronizing primary control processor module 200 and secondary control processor module 250. Rather than intermittently halting the foreground tasks executed by primary control processor module 200 while a large block of track data is transferred to secondary control processor module 250, the present invention provides a stream of much smaller blocks of updated track data synchronous with each base control cycle execution).
It would have been obvious to a person having ordinary skill in the art before the effective file date of the claimed invention to have modified the system that maintains two secondary controllers for a primary controller to act as redundant controllers for being able to take on control functions when the primary controller fails and that moves secondary controllers between different nodes for a load balancing as taught by Ong and Hefeeda with the use of a trickle synchronization method for creating the second concurrent secondary as taught by McLaughlin because it would gain the stated benefit of McLaughlin, notably that “[col 12 line 21] By making data buffer 225 and FIFO 215 sufficiently small, the time required to transfer a block of sync and/or track data to the secondary control processor module 250 may be kept sufficiently short so that the transfer or one of more sync/track data blocks may be completed within a single base control cycle execution. This provides a more seamless synchronization between the redundant controllers, thereby acquiring a synchronized secondary control processor module 250 without impacting the normal operations of the primary control processor module 200”.  In other words, by using the trickle sync method of McLaughlin, the inherent benefit of providing better synchronization occurs and disruption of the primary controller is avoided by having to process large blocks, especially when a new secondary controller is created when large amounts of data would be required to be sent.  By combining these elements, it can be considered taking the known plurality of automation nodes that include redundancy modules for having two concurrent secondary controllers on other nodes different from the primary controller node, and improving it by using a trickle sync method to synchronize the second secondary controller in a known way to achieve predictable results.


In regards to Claim 16, Ong, Hefeeda and McLaughlin teach the system for operating an automation control synchronization as incorporated by claim 15 above.  Ong further teaches “The system of claim 15, wherein the redundancy elements comprise compute nodes that support a workload of the at least one primary controller or the at least one secondary controller” ([0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11;  [0062] To balance the load amongst the controllers 150a-n within the controller farm 160, the control manager 152 may distribute the control modules, redundancy modules, and big data modules across each of the controllers 150a-n; wherein balancing a load across controllers/blades is considered supporting a workload).

In regards to Claim 17, Ong, Hefeeda and McLaughlin teach the system for operating an automation control synchronization as incorporated by claim 15 above.  Ong further teaches “The system of claim 15, wherein the automation control system comprises an automation control hive” ([0008] A process control system within one or several process plants includes a centralized or distributed controller farm having several controllers similar to a server farm. The controller farm may include blade servers or rack servers, where each of the controllers in the controller farm is configured to control each of the field devices in a process plant or in several process plants to control the operation of the process plants... A single controller within the controller farm may simultaneously control field devices in several portions of the process plant or in different process plants. Additionally, the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants. Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; wherein a controller farm is considered an automation control hive) “that comprises control applications and an environment not bound to dedicated hardware, but which float across any hardware within the automation control hive” ([0002] The process controllers, which are also typically located within the plant environment, receive signals indicative of process measurements made by the field devices and/or other information pertaining to the field devices and execute a controller application that runs, for example, different control modules which make process control decisions, generate control signals based on the received information and coordinate with the control modules or blocks being performed in the field devices; [0008] the same controller may control one set of field devices during a first time interval and another set of field devices in another portion of the process plant during a second time interval. This allows for increased flexibility in the process control system, such that any of the controllers in the controller farm may be utilized to execute control modules or other operations corresponding to any of the field devices in one or several process plants.  Control modules or other operations may be allocated amongst the controllers so that one controller is not performing several operations while others are inactive; [0018] a processor within a controller 150a-n of the controller farm 160 may be selected to implement or oversee one or more process control routines (stored in a memory), which may include control loops. The selected processor may communicate with the field devices 15-22 and 40-46 and with other nodes that are communicatively connected to the backbone 105; [0032] the controller farm 160 may include one or several blade servers each having several blades 150a-n, 152 that include controllers 150a-n and a control manager 152. Each of the blades 150a-n, 152 may be a thin electronic circuit board having one or more processors and a memory similar to the distributed controller 11; [0035] The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module. Similar to the control modules, the redundancy modules may be software, firmware, hardware, etc. Redundancy modules may be implemented in any desired software format, such as using object oriented programming, ladder logic, sequential function charts, function block diagrams, or using any other software programming language or design paradigm).

In regards to Claim 18, Ong, Hefeeda and McLaughlin teach the system for operating an automation control synchronization as incorporated by claim 15 above.  Ong further teaches “The system of claim 15, wherein the at least one primary controller and each concurrent secondary controller among the plurality of concurrent secondary controllers comprise a process controller” ([0030] Also as used herein, a "controller farm" or a "centralized or distributed controller farm" may include several controllers each communicatively connected to each of the field devices 15-22, 40-46 in the process plant 10 and/or field devices in other process plants within the process control system 100. [0028] Although FIG. 1A illustrates a controller farm 160 having a particular number of controllers 150a-n, any number of controllers 150a-n may be included in the controller farm 160 including tens of controllers, hundreds of controllers, thousands of controllers, etc. [0001] The present disclosure relates generally to process plants and process control systems, and more particularly, to a centralized or distributed controller farm that controls several field devices distributed across one or several process plants).

In regards to Claim 19, Ong, Hefeeda and McLaughlin teach the system for operating an automation control synchronization as incorporated by claim 15 above.  Ong further teaches “The system of claim 15, wherein the equipment update comprises at least one of: a controller firmware or a software migration” ([0018] It should be noted that any control routines or modules (including quality prediction and fault detection modules or function blocks) described herein may have parts thereof implemented or executed by different controllers or other devices if so desired. Likewise, the control routines or modules described herein which are to be implemented within the process control system 100 may take any form, including software, firmware, hardware, etc. ;[0052] during a first time interval a controller 150a may be assigned a first set of modules including control modules, big data modules, and redundancy modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the first time interval. Then during a second time interval, the controller 150a may be assigned a second set of modules different from the first set of modules. The control executive 200 may download the control modules 214a, big data modules 216a, and redundancy modules 218a to the controller 150a during the second time interval; wherein because the modules executed during a second time interval are different for the same controller, it can be considered that the modules (software) has migrated).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.).

In regards to Claim 20, Ong, Hefeeda and McLaughlin teach the system for operating an automation control synchronization as incorporated by claim 15 above.  Ong further teaches “The system of claim 15 wherein the equipment update comprises a controller hardware migration” ([0035] for each of the control routines or modules executed by the controllers 150a-n, one of the controllers 150a-n may include a redundancy module. The redundancy module may cause the controller 150b executing the redundancy module to stay in sync with the controller 150a executing the control module, so that the controller 150b executing the redundancy module is available to take over and execute the control module if the controller 150a currently executing the control module fails...The controller 150a executing the control module may be a different controller or blade than the controller or blade 150b executing the redundancy module; wherein the changing from primary controller 150a to redundant controller 150b is considered a hardware migration because the hardware executing the control module has changed and been implemented by different hardware).  In addition, Hefeeda teaches this limitation ([0133] An embodiment of the invention moves some or preferably the entire computing and communication infrastructure required by an automation system into the cloud. This makes it easier and less costly for users to deploy, maintain, and upgrade their automation systems. Moreover, an embodiment of the invention supports switching to different cloud automation providers since all virtual machines can be group-migrated to a different provider.)

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to JONATHAN M SKRZYCKI whose telephone number is (571)272-0933. The examiner can normally be reached M-F 7:30-5.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kenneth Lo can be reached on (571) 272-9774. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/JONATHAN MICHAEL SKRZYCKI/Examiner, Art Unit 2116                                                                                                                                                                                                        
/KENNETH M LO/Supervisory Patent Examiner, Art Unit 2116