Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Status of Claims
Claims 1, 2, 4, 5, and 8-20 are currently amended.
Claim 6 is original.
Claims 3 and 7 are previously presented.
Objections to claims 18-20 are withdrawn based on applicant’s amendments.
Claims 1-20 are pending.
This action is made NON-FINAL.
Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
Claim(s) 1, 2, 4, 7-11, 13, 16-18, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Ben-Ezra (U.S. Patent Publication No. 20210253116) in view of Egnor (U.S. Patent No. 9195232).
Regarding claim 1:
Ben-Ezra teaches:
A computer-implemented method of handling malfunctions in an autonomous driving vehicle (ADV), comprising: receiving, at a redundant system running on a first electronic control unit (ECU), a real-time value of each of one or more parameters of each of a plurality of components in the ADV, (“Information from all sensor modules 200, 204, 208 may be provided to global estimator 232. Global estimator 232 may combine the partial hostility levels as provided by the sensor modules into a general hostility level. The combination may be a defined as a sum of the separate hostility levels, a weighted sum, or the like, for example:” [0045]; here it shows a global estimator, shown on a separate piece of hardware 232 in figure 2, that receives real-time parameters from the 3 sensor modules 200, 204, and 208.)
wherein the ADV is driving in an autonomous driving mode using a primary autonomous driving system (ADS) that runs on a second ECU, wherein the redundant system includes a backup ADS; (“FIG. 1 shows a car 100 driven, for example autonomously,…” [0026]; here it shows that a car 100 is driven autonomously. “Additionally or alternatively, data management system 236 or global estimator 232 may send one or more commands to vehicle network and control module 268 configured to adapt the behavior of the vehicle,” [0057]; here it shows two ADS systems, the data management system and the global estimator. Each runs on its own hardware as shown in figure 2.)
determining, by the redundant system, that a malfunction has occurred in at least one of the plurality of components based on a comparison between the real-time value of the parameter and an expected value of the parameter of each of the plurality of components; (“The integrity level may be evaluated, for example, by comparing information received from one or more sensors, such as sensors measuring the same size or factor and associated with different cars, sensors associated with one or more cars vs. fixed sensors, using external information such as weather report to verify indications, or the like.” [0021]; here it shows that real-time sensor data is compared to expected data to determine if the real-time data is not faulty data. For example, real-time sensed weather data can be compared to external information such as a weather report to verify indications.)
determining a level of failure risk for the malfunction based on a predetermined algorithm; (“The overall hostility level as computed by global estimator 232 may be provided to data management system 236 and examined there. For example, it may be determined whether the hostility level is acceptable, e.g. exceeds a predetermined threshold, in which case one or more actions need to be taken.” [0048]; here it shows that when a failure risk is determined it can be assigned a hostility level and it can be determined whether or not the risk is above or below a predetermined threshold)
and driving, by the redundant system, the ADV using the backup ADS, including issuing one or more driving commands directly to a controller area network (CAN bus) in the ADV to control the ADV in response to the level of failure risk of the malfunction. (“Data management system 236 or global estimator 232 may determine, optionally using any of the computing devices detailed above, upon the hostility level and the integrity levels associated with different sensors, one or more commands to be provided to different components in the system, in order to change their behavior. For example, one or more commands may be provided to configurator 216 of sensor 1 module 200 (or the other sensor modules) to change the operational parameters of sensor 212, the sensor behavior, or the like. Additionally or alternatively, data management system 236 or global estimator 232 may change the algorithm or the parameters of computing the hostility levels, the hostility threshold, the algorithm or the parameters of determining the integrity level, for example determining to ignore certain sensors or sensor types. Additionally or alternatively, data management system 236 or global estimator 232 may send one or more commands to vehicle network and control module 268 configured to adapt the behavior of the vehicle, for example instruct the relevant vehicle systems to reduce speed, increase speed, stop, change lane, blow the horn, start the wipers, or take any other action. The instructions may also be logged, together with indications from the vehicle systems or from sensors in logging system 256.” [0057]; here it shows that the global estimator or the data management system may send one or more commands to a vehicle network and control module to change the vehicle behavior such as changing speed and steering angles to change lanes based on the sensor data and its reliability. 
Paragraphs [0085] and [0086] show a communication network for sending and receiving information in the vehicle that could include a CAN bus.)
Ben-Ezra does not explicitly teach that the first ADS is a primary ADS and second ADS is a backup ADS or that both are fully redundant in that they can both plan trajectories, however,
Egnor teaches:
wherein each of the primary ADS and the backup ADS includes a plurality of autonomous driving modules for operating the ADV, including planning trajectories for the ADV, (“For example, a variety of functions may be executed by the primary controller, such as functions pertaining to the control of operations of the vehicle including vehicle propulsion, braking and steering. In order to execute the functions, a primary controller or other microprocessors of a vehicle may execute sets of logic to control the functions, which may vary within other examples.” [Column 3 lines 27-34]; here it shows a primary controller with a plurality of driving modules to control propulsion, braking, and steering trajectories of an autonomous vehicle.)
wherein the backup ADS is configured to monitor one or more output parameters of each of the plurality of autonomous driving modules in the primary ADS: (“the system of the vehicle may also include additional microprocessors, such as a secondary controller configured in a redundant configuration as the primary controller. In some examples, the primary controller and the secondary controller may be configured to perform cross-checks of each other. The primary controller and secondary controller may also be configured to reset based on detecting a fault or other error at one of the primary controller and the secondary controller. For example, the controllers may be configured to reset based on detecting the primary controller and/or secondary controller outputting an error. The system may include additional controllers configured to check the operation of the primary controller or secondary controller. Additionally, the different microprocessors (e.g., controllers) may be configured to perform self-checks, which may include determining whether or not the microprocessor is functioning properly internally. The microprocessors may output an error signal or reset based on internal self-checks as well as during any executed cross-checks performed with the assistance of at least one other microprocessor.” [Column 3 lines 36-56]; here it shows the secondary controller is configured in a redundant configuration as the primary and therefore also has the ability to plan propulsion, braking, and steering trajectories for a vehicle. Here it also shows that the secondary controller can monitor operations of the primary controller for faults.)
Ben-Ezra and Egnor are analogous art because they are in the same field of art, redundant systems for vehicle controls. It would have been obvious to one of ordinary skill in the art, at the time of filing, to modify the method of Ben-Ezra to include the functionality of Egnor in order for the backup system to also be an ADS that can plan trajectories and monitor the primary system. The teaching suggestion/motivation to combine is that this would greatly increase the safety and reliability of the autonomous control of the vehicle. 

Regarding claim 2:
Ben-Ezra in view of Egnor teaches all of the limitations of claim 1. 
Ben-Ezra further teaches:
The method of claim 1, wherein the parameter is one of an output data channel frequency, central process unit (CPU) utilization, memory utilization, disk space, a data processing delay, or a total link delay timeout. (“the partial hostility estimation and sensor adaptation may repeat constantly, at a predetermined frequency. In addition, possibly at a lower frequency, the general hostility level may be determined, and the sensors behavior or data analysis may be changed accordingly.” [0080]; here it shows that the real-time parameter sensor data adaptation can occur at a specific predetermined output data channel frequency.)

Regarding claim 4:
Ben-Ezra in view of Egnor teaches all of the limitations of claim 1.
Ben-Ezra further teaches:
The method of claim 1, wherein when the level of failure risk of the malfunction is high, the one or more driving commands cause the ADV to perform an emergency braking. (“Data management system 236 or global estimator 232 may determine, optionally using any of the computing devices detailed above, upon the hostility level and the integrity levels associated with different sensors, one or more commands to be provided to different components in the system, in order to change their behavior. For example, one or more commands may be provided to configurator 216 of sensor 1 module 200 (or the other sensor modules) to change the operational parameters of sensor 212, the sensor behavior, or the like. Additionally or alternatively, data management system 236 or global estimator 232 may change the algorithm or the parameters of computing the hostility levels, the hostility threshold, the algorithm or the parameters of determining the integrity level, for example determining to ignore certain sensors or sensor types. Additionally or alternatively, data management system 236 or global estimator 232 may send one or more commands to vehicle network and control module 268 configured to adapt the behavior of the vehicle, for example instruct the relevant vehicle systems to reduce speed, increase speed, stop, change lane, blow the horn, start the wipers, or take any other action. The instructions may also be logged, together with indications from the vehicle systems or from sensors in logging system 256.” [0057]; here it shows that when a hostility or integrity level exceeds a certain threshold (high risk level), the car can be controlled to reduce speed or stop.)

Regarding claim 7:
Ben-Ezra in view of Egnor teaches all of the limitations of claim 1. 
Ben-Ezra further teaches:
The method of claim 1, wherein the predetermined algorithm includes of a plurality of factors associated with the malfunction, each factor having a weight. (“Information from all sensor modules 200, 204, 208 may be provided to global estimator 232. Global estimator 232 may combine the partial hostility levels as provided by the sensor modules into a general hostility level. The combination may be a defined as a sum of the separate hostility levels, a weighted sum, or the like,” [0045]; here it shows that method includes adding the partial hostility levels (plurality of factors) in a weighted sum to find the general hostility level associated with a specific malfunction.)

Regarding claim 8:
Ben-Ezra in view of Egnor teaches all of the limitations of claim 1.
Ben-Ezra further teaches:
The method of claim 1, wherein the plurality of components include one or more hardware sensors, the first ECU, the second ECU, and a plurality of autonomous driving modules in the first ADS. (Figure 2 shows 3 hardware sensors 200, 204, and 208, a vehicle network and control system 268 on a second piece of hardware (ECU), and a plurality of autonomous driving modules 240, 244, 248, and 252.)

Regarding claim 9:
Ben-Ezra teaches: 
A non-transitory machine-readable medium storing a redundant system program on a first electronic control unit (ECU) for handling malfunctions in an autonomous driving vehicle (ADV), wherein the redundant system program, when executed by the first ECU, cause the redundant system to perform operations, the operations comprising: receiving, a real-time value of each of one or more parameters of each of a plurality of components in the ADV, (“Information from all sensor modules 200, 204, 208 may be provided to global estimator 232. Global estimator 232 may combine the partial hostility levels as provided by the sensor modules into a general hostility level. The combination may be a defined as a sum of the separate hostility levels, a weighted sum, or the like, for example:” [0045]; here it shows a global estimator, shown on a separate piece of hardware 232 in figure 2, that receives real-time parameters from the 3 sensor modules 200, 204, and 208. Paragraph [0083]-[0088] teach a computer readable medium that can perform the method.)
wherein the ADV is driving in an autonomous driving mode using a primary autonomous driving system (ADS) that runs on a second ECU, wherein the redundant system program includes a backup ADS; (“FIG. 1 shows a car 100 driven, for example autonomously,…” [0026]; here it shows that a car 100 is driven autonomously. “Additionally or alternatively, data management system 236 or global estimator 232 may send one or more commands to vehicle network and control module 268 configured to adapt the behavior of the vehicle, for example instruct the relevant vehicle systems to reduce speed, increase speed, stop, change lane, blow the horn, start the wipers, or take any other action. The instructions may also be logged, together with indications from the vehicle systems or from sensors in logging system 256.” [0057]; here it shows two ADS systems, the data management system and the global estimator. Each runs on its own hardware as shown in figure 2. Each can send driving commands to a control unit.)
determining that a malfunction has occurred in at least one of the plurality of components based on a comparison between the real-time value of the parameter and an expected value of the parameter for each of the plurality of components; (“The integrity level may be evaluated, for example, by comparing information received from one or more sensors, such as sensors measuring the same size or factor and associated with different cars, sensors associated with one or more cars vs. fixed sensors, using external information such as weather report to verify indications, or the like.” [0021]; here it shows that real-time sensor data is compared to expected data to determine if the real-time data is not faulty data. For example, real-time sensed weather data can be compared to external information such as a weather report to verify indications.)
determining a level of failure risk for the malfunction based on a predetermined algorithm; (“The overall hostility level as computed by global estimator 232 may be provided to data management system 236 and examined there. For example, it may be determined whether the hostility level is acceptable, e.g. exceeds a predetermined threshold, in which case one or more actions need to be taken.” [0048]; here it shows that when a failure risk is determined it can be assigned a hostility level and it can be determined whether or not the risk is above or below a predetermined threshold)
and driving the ADV using the backup ADS, including issuing one or more driving commands directly to a controller area network (CAN bus) in the ADV to control the ADV in response to the level of failure risk of the malfunction. (“Data management system 236 or global estimator 232 may determine, optionally using any of the computing devices detailed above, upon the hostility level and the integrity levels associated with different sensors, one or more commands to be provided to different components in the system, in order to change their behavior. For example, one or more commands may be provided to configurator 216 of sensor 1 module 200 (or the other sensor modules) to change the operational parameters of sensor 212, the sensor behavior, or the like. Additionally or alternatively, data management system 236 or global estimator 232 may change the algorithm or the parameters of computing the hostility levels, the hostility threshold, the algorithm or the parameters of determining the integrity level, for example determining to ignore certain sensors or sensor types. Additionally or alternatively, data management system 236 or global estimator 232 may send one or more commands to vehicle network and control module 268 configured to adapt the behavior of the vehicle, for example instruct the relevant vehicle systems to reduce speed, increase speed, stop, change lane, blow the horn, start the wipers, or take any other action. The instructions may also be logged, together with indications from the vehicle systems or from sensors in logging system 256.” [0057]; here it shows that the global estimator or the data management system may send one or more commands to a vehicle network and control module to change the vehicle behavior such as changing speed and steering angles to change lanes based on the sensor data and its reliability. 
Paragraphs [0085] and [0086] show a communication network for sending and receiving information in the vehicle that could include a CAN bus.)
Ben-Ezra does not explicitly teach that the first ADS is a primary ADS and second ADS is a backup ADS or that both are fully redundant in that they can both plan trajectories, however,
Egnor teaches:
wherein each of the primary ADS and the backup ADS includes a plurality of autonomous driving modules for operating the ADV, including planning trajectories for the ADV, (“For example, a variety of functions may be executed by the primary controller, such as functions pertaining to the control of operations of the vehicle including vehicle propulsion, braking and steering. In order to execute the functions, a primary controller or other microprocessors of a vehicle may execute sets of logic to control the functions, which may vary within other examples.” [Column 3 lines 27-34]; here it shows a primary controller with a plurality of driving modules to control propulsion, braking, and steering trajectories of an autonomous vehicle.)
wherein the backup ADS is configured to monitor one or more output parameters of each of the plurality of autonomous driving modules in the primary ADS: (“the system of the vehicle may also include additional microprocessors, such as a secondary controller configured in a redundant configuration as the primary controller. In some examples, the primary controller and the secondary controller may be configured to perform cross-checks of each other. The primary controller and secondary controller may also be configured to reset based on detecting a fault or other error at one of the primary controller and the secondary controller. For example, the controllers may be configured to reset based on detecting the primary controller and/or secondary controller outputting an error. The system may include additional controllers configured to check the operation of the primary controller or secondary controller. Additionally, the different microprocessors (e.g., controllers) may be configured to perform self-checks, which may include determining whether or not the microprocessor is functioning properly internally. The microprocessors may output an error signal or reset based on internal self-checks as well as during any executed cross-checks performed with the assistance of at least one other microprocessor.” [Column 3 lines 36-56]; here it shows the secondary controller is configured in a redundant configuration as the primary and therefore also has the ability to plan propulsion, braking, and steering trajectories for a vehicle. Here it also shows that the secondary controller can monitor operations of the primary controller for faults.)
Ben-Ezra and Egnor are analogous art because they are in the same field of art, redundant systems for vehicle controls. It would have been obvious to one of ordinary skill in the art, at the time of filing, to modify the method of Ben-Ezra to include the functionality of Egnor in order for the backup system to also be an ADS that can plan trajectories and monitor the primary system. The teaching suggestion/motivation to combine is that this would greatly increase the safety and reliability of the autonomous control of the vehicle. 

Regarding claim 10:
Ben-Ezra teaches:
A memory coupled to the first ECU and store program instructions of the backup ADS wherein the program instructions, when executed by the first ECU cause the backup ADS to perform operations, the operations comprising: receiving a real-time value of each of one or more parameters of each of a plurality of components in the ADV, wherein the ADV is driving in an autonomous driving mode using the primary ADS (“Information from all sensor modules 200, 204, 208 may be provided to global estimator 232. Global estimator 232 may combine the partial hostility levels as provided by the sensor modules into a general hostility level. The combination may be a defined as a sum of the separate hostility levels, a weighted sum, or the like, for example:” [0045]; here it shows a global estimator, shown on a separate piece of hardware 232 in figure 2, that receives real-time parameters from the 3 sensor modules 200, 204, and 208. Paragraph [0083]-[0088] teach a computer readable medium that can perform the method.)
determining that a malfunction has occurred in at least one of the plurality of components based on a comparison between the real-time value of the parameter and an expected value of the parameter for each of the plurality of components; (“The integrity level may be evaluated, for example, by comparing information received from one or more sensors, such as sensors measuring the same size or factor and associated with different cars, sensors associated with one or more cars vs. fixed sensors, using external information such as weather report to verify indications, or the like.” [0021]; here it shows that real-time sensor data is compared to expected data to determine if the real-time data is not faulty data. For example, real-time sensed weather data can be compared to external information such as a weather report to verify indications.)
determining a level of failure risk for the malfunction based on a predetermined algorithm; (“The overall hostility level as computed by global estimator 232 may be provided to data management system 236 and examined there. For example, it may be determined whether the hostility level is acceptable, e.g. exceeds a predetermined threshold, in which case one or more actions need to be taken.” [0048]; here it shows that when a failure risk is determined it can be assigned a hostility level and it can be determined whether or not the risk is above or below a predetermined threshold)
and driving the ADV using the backup ADS, including issuing one or more driving commands directly to a controller area network (CAN bus) in the ADV to control the ADV in response to the level of failure risk of the malfunction. (“Data management system 236 or global estimator 232 may determine, optionally using any of the computing devices detailed above, upon the hostility level and the integrity levels associated with different sensors, one or more commands to be provided to different components in the system, in order to change their behavior. For example, one or more commands may be provided to configurator 216 of sensor 1 module 200 (or the other sensor modules) to change the operational parameters of sensor 212, the sensor behavior, or the like. Additionally or alternatively, data management system 236 or global estimator 232 may change the algorithm or the parameters of computing the hostility levels, the hostility threshold, the algorithm or the parameters of determining the integrity level, for example determining to ignore certain sensors or sensor types. Additionally or alternatively, data management system 236 or global estimator 232 may send one or more commands to vehicle network and control module 268 configured to adapt the behavior of the vehicle, for example instruct the relevant vehicle systems to reduce speed, increase speed, stop, change lane, blow the horn, start the wipers, or take any other action. The instructions may also be logged, together with indications from the vehicle systems or from sensors in logging system 256.” [0057]; here it shows that the global estimator or the data management system may send one or more commands to a vehicle network and control module to change the vehicle behavior such as changing speed and steering angles to change lanes based on the sensor data and its reliability. 
Paragraphs [0085] and [0086] show a communication network for sending and receiving information in the vehicle that could include a CAN bus.)
Ben-Ezra does not explicitly teach that the first ADS is a primary ADS and second ADS is a backup ADS or that both are fully redundant in that they can both plan trajectories, however,
Egnor teaches:
A first electronic control unit (ECU) with a redundant system running thereon, wherein the redundant system includes a backup autonomous driving system (ADS) a second ECU with a primary ADS running thereon, wherein each of the primary ADS and the back up ADS includes a plurality of autonomous driving modules for operating the ADV, including planning trajectories for an autonomous driving vehicle (ADV), (“For example, a variety of functions may be executed by the primary controller, such as functions pertaining to the control of operations of the vehicle including vehicle propulsion, braking and steering. In order to execute the functions, a primary controller or other microprocessors of a vehicle may execute sets of logic to control the functions, which may vary within other examples.” [Column 3 lines 27-34]; here it shows a primary controller with a plurality of driving modules to control propulsion, braking, and steering trajectories of an autonomous vehicle.)
wherein the backup ADS is configured to monitor one or more output parameters of each of the plurality of autonomous driving modules in the primary ADS: (“the system of the vehicle may also include additional microprocessors, such as a secondary controller configured in a redundant configuration as the primary controller. In some examples, the primary controller and the secondary controller may be configured to perform cross-checks of each other. The primary controller and secondary controller may also be configured to reset based on detecting a fault or other error at one of the primary controller and the secondary controller. For example, the controllers may be configured to reset based on detecting the primary controller and/or secondary controller outputting an error. The system may include additional controllers configured to check the operation of the primary controller or secondary controller. Additionally, the different microprocessors (e.g., controllers) may be configured to perform self-checks, which may include determining whether or not the microprocessor is functioning properly internally. The microprocessors may output an error signal or reset based on internal self-checks as well as during any executed cross-checks performed with the assistance of at least one other microprocessor.” [Column 3 lines 36-56]; here it shows the secondary controller is configured in a redundant configuration as the primary and therefore also has the ability to plan propulsion, braking, and steering trajectories for a vehicle. Here it also shows that the secondary controller can monitor operations of the primary controller for faults.)
Ben-Ezra and Egnor are analogous art because they are in the same field of art, redundant systems for vehicle controls. It would have been obvious to one of ordinary skill in the art, at the time of filing, to modify the method of Ben-Ezra to include the functionality of Egnor in order for the backup system to also be an ADS that can plan trajectories and monitor the primary system. The teaching suggestion/motivation to combine is that this would greatly increase the safety and reliability of the autonomous control of the vehicle. 

Regarding claim 11:
Ben-Ezra in view of Egnor teaches all of the limitations of claim 10.
Ben-Ezra further teaches:
The data processing system of claim 10, wherein the real-time parameter is one of an output data channel frequency, central process unit (CPU) utilization, memory utilization, disk space, a data processing delay, or a total link delay timeout. (“the partial hostility estimation and sensor adaptation may repeat constantly, at a predetermined frequency. In addition, possibly at a lower frequency, the general hostility level may be determined, and the sensors behavior or data analysis may be changed accordingly.” [0080]; here it shows that the real-time parameter sensor data adaptation can occur at a specific predetermined output data channel frequency.)

Regarding claim 13:
Ben-Ezra in view of Egnor teaches all of the limitations of claim 10.
Ben-Ezra further teaches:
wherein when the level of failure risk of the malfunction is high, the one or more driving commands cause the ADV to perform an emergency braking. (“Data management system 236 or global estimator 232 may determine, optionally using any of the computing devices detailed above, upon the hostility level and the integrity levels associated with different sensors, one or more commands to be provided to different components in the system, in order to change their behavior. For example, one or more commands may be provided to configurator 216 of sensor 1 module 200 (or the other sensor modules) to change the operational parameters of sensor 212, the sensor behavior, or the like. Additionally or alternatively, data management system 236 or global estimator 232 may change the algorithm or the parameters of computing the hostility levels, the hostility threshold, the algorithm or the parameters of determining the integrity level, for example determining to ignore certain sensors or sensor types. Additionally or alternatively, data management system 236 or global estimator 232 may send one or more commands to vehicle network and control module 268 configured to adapt the behavior of the vehicle, for example instruct the relevant vehicle systems to reduce speed, increase speed, stop, change lane, blow the horn, start the wipers, or take any other action. The instructions may also be logged, together with indications from the vehicle systems or from sensors in logging system 256.” [0057]; here it shows that when a hostility or integrity level exceeds a certain threshold (high risk level), the car can be controlled to reduce speed or stop.)

Regarding claim 16:
Ben-Ezra in view of Egnor teaches all of the limitations of claim 10.
Ben-Ezra further teaches:
The data processing system of claim 10, wherein the predetermined algorithm includes of a plurality of factors associated with the malfunction, each factor having a weight. (“Information from all sensor modules 200, 204, 208 may be provided to global estimator 232. Global estimator 232 may combine the partial hostility levels as provided by the sensor modules into a general hostility level. The combination may be a defined as a sum of the separate hostility levels, a weighted sum, or the like,” [0045]; here it shows that the method includes adding the partial hostility levels (plurality of factors) in a weighted sum to find the general hostility level associated with a specific malfunction.)

Regarding claim 17:
Ben-Ezra in view of Egnor teaches all of the limitations of claim 10. 
Ben-Ezra further teaches:
The data processing system of claim 10, wherein the plurality of components include one or more hardware sensors, the first ECU and the second ECU, and a plurality of autonomous driving modules in the primary ADS. (Figure 2 shows 3 hardware sensors 200, 204, and 208, a vehicle network and control system 268 on a second piece of hardware, and a plurality of autonomous driving modules 240, 244, 248, and 252.)

Regarding claim 18:
Ben-Ezra in view of Egnor teaches all of the limitations of claim 9.
Ben-Ezra further teaches:
wherein the parameter is one of an output data channel frequency, central process unit (CPU) utilization, memory utilization, disk space, a data processing delay, or a total link delay timeout. (“the partial hostility estimation and sensor adaptation may repeat constantly, at a predetermined frequency. In addition, possibly at a lower frequency, the general hostility level may be determined, and the sensors behavior or data analysis may be changed accordingly.” [0080]; here it shows that the real-time parameter sensor data adaptation can occur at a specific predetermined output data channel frequency.)

Regarding claim 20:
Ben-Ezra in view of Egnor teaches all of the limitations of claim 9.
Ben-Ezra further teaches:
wherein when the level of failure risk of the malfunction is high, the one or more driving commands cause the ADV to perform an emergency braking. (“Data management system 236 or global estimator 232 may determine, optionally using any of the computing devices detailed above, upon the hostility level and the integrity levels associated with different sensors, one or more commands to be provided to different components in the system, in order to change their behavior. For example, one or more commands may be provided to configurator 216 of sensor 1 module 200 (or the other sensor modules) to change the operational parameters of sensor 212, the sensor behavior, or the like. Additionally or alternatively, data management system 236 or global estimator 232 may change the algorithm or the parameters of computing the hostility levels, the hostility threshold, the algorithm or the parameters of determining the integrity level, for example determining to ignore certain sensors or sensor types. Additionally or alternatively, data management system 236 or global estimator 232 may send one or more commands to vehicle network and control module 268 configured to adapt the behavior of the vehicle, for example instruct the relevant vehicle systems to reduce speed, increase speed, stop, change lane, blow the horn, start the wipers, or take any other action. The instructions may also be logged, together with indications from the vehicle systems or from sensors in logging system 256.” [0057]; here it shows that when a hostility or integrity level exceeds a certain threshold (high risk level), the car can be controlled to reduce speed or stop.)

Claims 3, 12, and 19 are rejected under 35 U.S.C. 103 as being unpatentable over Ben-Ezra (U.S. Patent Publication 20210253116) in view of Egnor (U.S. Patent No. 9195232) in view of Konrardy (U.S. Patent No. 10824145).
Regarding claims 3, 12, and 19:
Ben-Ezra in view of Egnor teaches all of the limitations of claims 1, 9, and 10.
Konrardy further teaches:
wherein the level of failure risk of the malfunction is one of high, medium, or low. (“the external computing device 186 (such as a server 140) may calculate one or more scores for autonomous or semi-autonomous operation associated with the road segment (i.e., suitability scores). This may include determining a score representing a risk level category (e.g., a score of 5 indicating high risk, a score of 4 indicating medium-high risk, a score of 1 indicating low risk, a score of 0 indicating that the road segment has not been analyzed, etc.) based upon a risk level determined as discussed above.” [Column 37 lines 35-43]; here it shows that a malfunction can be of a high, medium, or low risk.)
Ben-Ezra, Egnor, and Konrardy are analogous art because they are in the same field of art, autonomous vehicle component maintenance and repair. It would have been obvious to one of ordinary skill in the art, at the time of filing, to modify the method as taught by Ben-Ezra in view of Egnor to include the different levels of failure risk as taught by Konrardy in order for the risk levels to consist of high, medium, or low. The teaching suggestion/motivation to combine is that by having different risk levels, the amount of mitigation control applied to the vehicle’s behavior can be more accurately applied. 

Claims 5, 6, 14, and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Ben-Ezra (U.S. Patent Publication 20210253116) in view of Egnor (U.S. Patent No. 9195232) in view of Konrardy (U.S. Patent No. 10824145) in view of Lopez (U.S. Patent No. 11180156).
Regarding claims 5 and 14:
Ben-Ezra in view of Egnor teaches all of the limitations of claims 4 and 13.
Ben-Ezra teaches that a risk level can exceed a threshold (a high-level risk) or remain below it (a low-level risk) as shown in paragraph [0048]. Ben-Ezra does not explicitly teach that the risk-level can be at a medium level. However,
Konrardy teaches that a malfunction can have a risk level of high, medium, or low:
(“the external computing device 186 (such as a server 140) may calculate one or more scores for autonomous or semi-autonomous operation associated with the road segment (i.e., suitability scores). This may include determining a score representing a risk level category (e.g., a score of 5 indicating high risk, a score of 4 indicating medium-high risk, a score of 1 indicating low risk, a score of 0 indicating that the road segment has not been analyzed, etc.) based upon a risk level determined as discussed above.” [Column 37 lines 35-43]; here it shows that a malfunction can be of a high, medium, or low risk.)
Ben-Ezra, Egnor, and Konrardy are analogous art because they are in the same field of art, autonomous vehicle component maintenance and repair. It would have been obvious to one of ordinary skill in the art, at the time of filing, to modify the method as taught by Ben-Ezra in view of Egnor to include the different levels of failure risk as taught by Konrardy in order for the risk levels to consist of high, medium, or low. The teaching suggestion/motivation to combine is that by having different risk levels, the amount of mitigation control applied to the vehicle’s behavior can be more accurately applied. 
Ben-Ezra in view of Egnor in view of Konrardy doesn’t explicitly teach that the one or more commands to cause the ADV to perform a slow braking can consist of slow braking until a safe place to park is reached, however,
Lopez teaches:
The one or more commands causes the ADV to perform a slow braking, wherein performing the slow braking further includes driving the ADV to a closest safe place to park. (“The method of any of claims E-H, wherein the constraint comprises an alternate trajectory other than a nominal trajectory, the alternate trajectory comprising one or more of: a first trajectory that causes the vehicle to stop within a first time period; a second trajectory that causes the vehicle to stop within a second time period, the second time period being shorter than the first time period; or an emergency stop trajectory.” [Column 25 lines 33-40]; See also [Column 27 lines 20-23] and [Column 26 lines 61-65])
Ben-Ezra, Egnor, Konrardy, and Lopez are analogous art because they are in the same field of art, autonomous systems for fault monitoring and mitigation. It would have been obvious to one of ordinary skill in the art, at the time of filing, to modify the method taught by Ben-Ezra in view of Egnor in view of Konrardy to include the driving commands of slow braking and then parking as taught by Lopez in order for the ADV to perform a slow braking that further includes parking in a safe spot. The teaching suggestion/motivation to combine is that by parking the car under a malfunction, this can help prevent a collision or accident with an obstacle in the environment.
Regarding claims 6 and 15:
Ben-Ezra in view of Egnor in view of Konrardy in view of Lopez teaches all of the limitations of claims 5 and 14.
Lopez further teaches:
wherein the redundant system uses sensor data and map data to locate the closest safe place and generate a trajectory to the closest safe place. (“the localization component 520 can include functionality to receive data from the sensor system(s) 506 to determine a position and/or orientation of the vehicle 502 (e.g., one or more of an x-, y-, z-position, roll, pitch, or yaw). For example, the localization component 520 can include and/or request/receive a map of an environment and can continuously determine a location and/or orientation of the autonomous vehicle within the map. In some instances, the localization component 520 can utilize SLAM (simultaneous localization and mapping), CLAMS (calibration, localization and mapping, simultaneously), relative SLAM, bundle adjustment, non-linear least squares optimization, or the like to receive image data, lidar data, radar data, time of flight data, IMU data, GPS data, wheel encoder data, and the like to accurately determine a location of the autonomous vehicle. In some instances, the localization component 520 can provide data to various components of the vehicle 502 to determine an initial position of an autonomous vehicle for generating a trajectory, for determining to retrieve map data, and so forth, as discussed herein.” [Column 13 lines 32-52]; here it shows that sensor and map data can be continuously detected to generate trajectories for the vehicle)

Response to Arguments
Applicant’s arguments with respect to claim(s) 1-20 have been considered but are moot because the new ground of rejection does not rely on any reference applied in the prior rejection of record for any teaching or matter specifically challenged in the argument.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JAMAL A SHAH whose telephone number is (571)272-5782. The examiner can normally be reached M-F 8 am-5 pm EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeff Burke, can be reached on 4692959067. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/JAMAL A SHAH/Examiner, Art Unit 3664
/Nicholas Kiswanto/Primary Examiner, Art Unit 3664