DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of the Claims
This Office Action is in response to the claims filed on May 23, 2022. 
Claims 1-20 are currently pending.
Claims 1-20 are currently rejected.

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on May 23, 2022 has been entered.
 
Response to Amendments
35 U.S.C. § 101
	The claims have been amended to overcome the 35 U.S.C. § 101 rejection. Accordingly, the rejection has been withdrawn.

Response to Arguments
35 U.S.C. § 103
Applicant's arguments filed on May 23, 2022 have been fully considered but they are not persuasive. The Applicant argues:
“Independent Claim 1 recites (inter alia) "a security companion subsystem of an automated driving system of a vehicle [comprising]... a safety monitor, executed by the first processor  device, to: access data generated at the compute subsystem, wherein the data corresponds to a determination by the compute subsystem associated with an automated driving task to be performed by the vehicle as directed by the automated driving system, wherein the determination is made by an automated driving application executed by a different, second processor device on the compute subsystem; detect a fault in the compute subsystem based on the data; and trigger an action, based on the fault, to cause the automated driving task to be safely performed.” Applicant asserts that the Ditty reference fails to at least teach or suggest these features.”

	The Examiner has considered the Applicant’s arguments and respectfully traverses. Ditty discloses a Safety Cluster Engine (security companion subsystem) that performs safety management for automotive applications (see Ditty in at least [0243]) and an actuation controller (compute subsystem) for allowing control of throttle, brake, steering, and shifting (see Ditty in at least 0123]). These systems are coupled over a CAN bus interface (see Ditty in at least [0122] and Fig. 16). Ditty [0425] further teaches detection of a fault in the compute subsystem, and triggering an action based on a fault for an automated driving task to be performed (see Ditty [0025]). Ditty [0011] further discloses that in a condition that the car can no longer drive automatically, the car will pull over safely. For these reasons, the Examiner maintains the previous 35 U.S.C. § 102 rejection. The citations of Ditty have been reorganized to provide additional clarity.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claim 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Ditty et al. (U.S. Patent Application Publication No. 20190258251 and hereinafter, “Ditty”).

Regarding claim 1, Ditty teaches the apparatus comprising: a security companion subsystem of an automated driving system of a vehicle, the security companion subsystem comprising:
a first processor device
Ditty [0024] discloses “Typical FCW ADAS systems use front-facing camera or RADAR sensors, coupled to a dedicated processor, DSP, FPGA, or ASIC that is electrically coupled to driver feedback, such as a display, speaker, or vibrating component.”
first memory
Ditty [0198] discloses “Furthermore, [streaming multiprocessors] SMs (301) preferably include a combined L1 data cache and shared memory unit, significantly improves performance while also simplifying programming.”
one or more interfaces to couple the security companion subsystem to a compute subsystem of the automated driving system
Ditty [0122] discloses “Actuation is performed by methods known to persons of ordinary skill in the art, with signals typically sent via the Controller Area Network data interface (“CAN bus”)—a network inside modern cars used to control brakes, acceleration, steering, windshield wipers, etc.”
Ditty [0243] discloses “The SoC preferably includes a Safety Cluster Engine (“SCE”) (704), a dedicated processor subsystem to handle safety management for automotive applications. In a preferred embodiment, SCE (704) consists of two or more processor cores with a tightly coupled RAM, support peripherals (e.g., timers, an interrupt controller), and routing logic.”
Ditty Figure 16 (annotated and provided below) depicts the SoC architecture for controlling an autonomous vehicle, which illustrates how the SoC (100) is communicatively coupled with the network bus interface (322).

    PNG
    media_image1.png
    496
    839
    media_image1.png
    Greyscale

Ditty Fig. 16 (annotated)
a safety monitor, executed by the first processor device, to: access data generated at the compute subsystem
Ditty [0122] discloses “The bus can be read to find steering wheel angle, ground speed, engine RPM, button positions, and other vehicle status indicators. The functional safety level for a CAN bus interface is typically ASIL B.”
The Examiner notes that the vehicle status indicators provided by Ditty encompasses data generated at the compute subsystem, which is defined in [0047] of the instant specification as configured to perform automated driving tasks. The Examiner further notes that reading data involves accessing it.
Ditty [0243] discloses “The SoC preferably includes a Safety Cluster Engine (“SCE”) (704), a dedicated processor subsystem to handle safety management for automotive applications…In safety mode, the two cores operate in lockstep mode and function as a single core with comparison logic to detect any differences between their operations.”
Ditty [0245] discloses “As illustrated in FIG. 8, the Advanced SoC preferably includes a High-Dynamic Range Image Signal Processor (“HDR ISP”) 403. The Advanced SoC further preferably includes Image Signal Processor (712), a hardware engine that is part of the camera processing pipeline.”
wherein the data corresponds to a determination by the compute subsystem associated with an automated driving task to be performed by the vehicle as directed by the automated driving system
Ditty [0123] discloses “For embodiments using vehicle models, an actuation controller may be obtained with dedicated hardware and software, allowing control of throttle, brake, steering, and shifting. The hardware provides a bridge between the vehicle's CAN bus and the controller (100), forwarding vehicle data to controller (100) including the turn signal, wheel speed, acceleration, pitch, roll, yaw, Global Positioning System (“GPS”) data, tire pressure, fuel level, sonar, brake torque, and others.”
Ditty [0124] discloses “Controller (100) provides autonomous driving outputs in response to an array of sensor inputs including, for example: … one or more stereo cameras (74) (in preferred embodiments, at least one such stereo camera faces forward to provide depth-perception for object detection and object recognition in the vehicle path), one or more infrared cameras (75), GPS unit (76) that provides location coordinates, a steering sensor (78) that detects the steering angle, speed sensors (80) (one for each of the wheels (54))”
wherein the determination is made by an automated driving application executed by a different, second processor device on the compute subsystem
Ditty [0020] discloses “Rule-based longitudinal [automatic cruise control] ACC approaches use if-then rules, which may be executed on any processor, including an FPGA, CPU, or ASIC.”
The Examiner notes that these processors are different from the aforementioned image signal processor.
detect a fault in the compute subsystem based on the data; and
Ditty [0425] discloses “As an example, the safety watchdog monitor 5010 might perform a sensor data integrity check in the case of application processes 5002 that are processing sensor data from cameras, RADAR, LIDAR, etc. If the safety watchdog monitor 5010 detects an error or fault”
trigger an action, based on the fault, to cause the automated driving task to be safely performed
Ditty [0011] discloses “Level 4 functionality allows the driver to go to sleep, and if any condition such that the car can no longer drive automatically, and the driver does not take over, the car will pull over safely.”
Ditty [0025] discloses “Automatic emergency braking (“AEB”) ADAS systems detect an impending forward collision with another vehicle or other object, and may automatically apply the brakes if the driver does not take corrective action within a specified time or distance parameter.”
wherein the security companion subsystem is configured to realize a higher safety integrity level than the compute subsystem based on characteristics of hardware of the security companion subsystem.  
Ditty [0122] discloses “Controller (100) sends command signals to operate vehicle brakes (60) via one or more braking actuators (61), operate steering mechanism (58) via a steering actuator (62), and operate propulsion unit (56) which also receives an accelerator/throttle actuation signal (64)…The functional safety level for a CAN bus interface is typically ASIL B.”
Ditty [0190] discloses “The SoC preferably is designed to be meet critical automotive standards, such as the ISO 26262 functional safety specification. In a preferred embodiment, the Advanced SoC has at least an ASIL C functional safety level.”
The Examiner notes that ASIL C is a higher level of functional safety than the ASIL B level of the actuation controller.

Regarding claim 2, Ditty teaches the apparatus of Claim 1, wherein:
the safety monitor is further to trigger an action to comprises autonomous control of the automated driving task based on a safety determination by the safety monitor that the determination is unsafe.  
Ditty [0025] discloses “Automatic emergency braking (“AEB”) ADAS systems detect an impending forward collision with another vehicle or other object, and may automatically apply the brakes if the driver does not take corrective action within a specified time or distance parameter.”
Ditty [0420] discloses “a safety framework that continually monitors the operation of software and/or hardware functions that control driving and other system or mission critical tasks. The safety framework collects information on how the driving control functions are operating, can run diagnostic processes to ensure system components are operating properly, and reports exceptions to separate safety dedicated hardware (e.g., one or more safety microcontroller(s))”

Regarding claim 3, Ditty teaches the apparatus of Claim 2, wherein:
the action replaces the automated driving task with a different automated driving task, and the security companion subsystem is to send a signal to one or more actuators of the vehicle to cause the different automated driving task to be performed based on the safety determination.  
Ditty [0122] discloses “Controller (100) sends command signals to operate vehicle brakes (60) via one or more braking actuators (61)”
Ditty [0491] discloses “A traffic light rule insists that the ego-vehicle stop and wait at a certain point until a certain condition becomes true (i.e., the traffic light turns green).”
The Examiner notes that the triggered action of braking as described in [0025] is replaced with instructing the vehicle to stop and wait, which is a different automated driving task than the previous forward-moving conditions.
Ditty [0531] describes “In non-limiting embodiments, green means the wait condition is not present or active, red means that the wait condition forbids motion from the ego-vehicle through its interval at higher than the recommended speed (which could be zero), while yellow means the ego-vehicle should lower the speed before the onset of the interval but only if it is possible to do so comfortably and safely.”

Regarding claim 4, Ditty teaches the apparatus of Claim 2, wherein:
the action comprises passing control of automated driving tasks from the compute subsystem to different automated driving functionality on the automated driving system
Ditty [0009] discloses “Many vehicles today include Advanced Driver Assistance Systems (“ADAS”), such as automatic lane keeping systems and smart cruise control systems. These systems rely on a human driver to take control of the vehicle in the event of a significant mechanical failures, such as tire blow-outs, brake malfunctions, or unexpected behavior by other drivers.”
The Examiner notes that manual takeover is a different automated driving functionality.
wherein the different automated driving functionality is to be executed to bring the vehicle to a safe physical state.  
Ditty [0014] discloses “Basic ADAS systems (Level 1 or 2) can be easily designed to meet automotive industry functional safety standards, including the ISO 26262 standard, because they rely on the human driver to take over and assert control over the vehicle. For example, if an ADAS system fails, resulting in a dangerous condition, the driver may take command of the vehicle and override that software function and recover to a safe state.”
The Examiner notes that the driver-only autonomous driving level is a different automated driving functionality compared to fully-autonomous.

Regarding claim 5, Ditty teaches the apparatus of Claim 4, wherein:
the safety companion subsystem comprises the different automated driving functionality and the different automated driving functionality is executed by the first processor device.  
Ditty [0012] discloses “Very large amounts of data from cameras, RADAR, LIDAR, and HD-Maps must be processed to generate commands to control the car safely and comfortably in real-time.”
The Examiner notes that processing data from cameras involves the previously cited first processor device (image signal processor).

Regarding claim 6, Ditty teaches the apparatus of Claim 4, wherein:
the different automated driving functionality is provided on a failover automated driving subsystem separate from the security companion subsystem and compute subsystem of the automated driving system.  
Ditty [0009] discloses “Many vehicles today include Advanced Driver Assistance Systems (“ADAS”), such as automatic lane keeping systems and smart cruise control systems. These systems rely on a human driver to take control of the vehicle in the event of a significant mechanical failures, such as tire blow-outs, brake malfunctions, or unexpected behavior by other drivers.”
Ditty [0011] discloses “A human driver is required to be in the control loop for automation levels 0-2 but is not required for automation levels 3-5. The ADAS system must provide for a human driver to take control within about one second for levels 1 and 2”
The Examiner notes that the ADAS system is coupled to a dedicated processor; therefore, the human driver is integrated in the processed system.

Regarding claim 7, Ditty teaches the apparatus of claim 1, wherein:
the determination comprises at least one of an object detection determination, an object classification determination, a path planning determination, a vehicle state determination, a localization determination, or a motion planning determination made by the automated driving application
Ditty [0025] “Automatic emergency braking (“AEB”) ADAS systems detect an impending forward collision with another vehicle or other object, and may automatically apply the brakes if the driver does not take corrective action within a specified time or distance parameter.”
wherein the automated driving task is based on the determination.  
Ditty [0025] “Automatic emergency braking (“AEB”) ADAS systems detect an impending forward collision with another vehicle or other object, and may automatically apply the brakes if the driver does not take corrective action within a specified time or distance parameter.”

Regarding claim 8, Ditty teaches the apparatus of Claim 1, wherein:
the safety monitor is further to: receive hardware monitoring data, wherein the hardware monitoring data identifies events detected on hardware of the compute subsystem associated with automated driving tasks to be determined by the compute subsystem
Ditty [0009] discloses “These systems rely on a human driver to take control of the vehicle in the event of a significant mechanical failures, such as tire blow-outs, brake malfunctions”
The Examiner notes that the brakes are a hardware component of the compute subsystem associated with automated driving tasks.
detect the fault in the hardware of the compute subsystem based on the hardware monitoring data
Ditty [0275] discloses “vehicle (50) typically includes additional processors, ASICs, and SoCs controlling other essential and desired functions (e.g., brake actuation, electronic ignition, climate control, infotainment system, GPS, RADAR and LIDAR processing, etc.). The vehicle's functional safety may be enhanced by using a monitor/actuator architecture and redundancy. A monitor/actuator architecture would perform the primary function using one module (the actuator) monitor that actuator with an independent monitoring module. If the actuator malfunctions, the monitor module enters a fail-safe mode, overriding the actuator.”
perform an action to control effects associated with the failure.  
Ditty [0009] “These systems rely on a human driver to take control of the vehicle in the event of a significant mechanical failures, such as tire blow-outs, brake malfunctions”

Regarding claim 9, Ditty teaches the apparatus of Claim 8, wherein:
the safety companion subsystem further comprises a safety companion hardware monitor to monitor operation of hardware of the safety companion subsystem comprising the first processor device
Ditty [0420] discloses “a safety framework that continually monitors the operation of software and/or hardware functions that control driving and other system or mission critical tasks. The safety framework collects information on how the driving control functions are operating, can run diagnostic processes to ensure system components are operating properly, and reports exceptions to separate safety dedicated hardware (e.g., one or more safety microcontroller(s))”
wherein the safety companion hardware monitor is to generate second hardware monitoring data to describe attributes of the hardware of the safety companion subsystem
Ditty [0298] discloses “SOCs 2002 communicate and interact with one or more microcontroller units (MCUs) 2003…Microcontroller units 2003 in the example architecture may be used for particular purpose(s) such as e.g., fault monitoring, communications, etc.”
the safety monitor is further to: detect faults of the hardware of the safety companion subsystem based on the second hardware monitoring data
Ditty [0421] discloses “multiple hardware-independent levels of watching/monitoring, the multilevel/multilayered safety framework structure distributes monitoring functions throughout multiple layers and multiple hardware processors so failure of some part(s) of the safety framework itself does not disable the overall safety framework from operating”
The Examiner notes that multilevel safety monitoring involves at least two levels of safety monitoring.
disable at least a portion of the automated driving system based on a detected fault of the hardware of the safety companion subsystem.  
Ditty [0452] discloses “the safety system is designed so that if a failed process or component cannot be successfully recovered within a certain safety time interval (e.g., 100 ms), the failed process or component is taken offline and disconnected from the vehicle bus so it cannot cause an unsafe condition.”

Regarding claim 10, Ditty teaches the apparatus of Claim 1, wherein:
the safety monitor is further to detect faults associated with interfaces used to communicate signals associated with automated driving tasks determined by the compute subsystem.  
Ditty [0452] discloses “If L2SS safety supervisor 5014(2) does not respond to the request from L3SS safety supervisor 5014(3), L3SS safety supervisor will consider that L2SS safety supervisor has failed and will take corrective action.”

Regarding claim 11, Ditty teaches the apparatus of Claim 1, wherein:
the compute subsystem is responsible for consuming sensor data from the vehicle to determine automated driving tasks for the vehicle and the safety companion subsystem is responsible for maintaining safety of the automated driving system by detecting faults of the compute subsystem.  
Ditty [0025] discloses “Automatic emergency braking (“AEB”) ADAS systems detect an impending forward collision with another vehicle or other object, and may automatically apply the brakes if the driver does not take corrective action within a specified time or distance parameter.”
Ditty [0275] discloses “The vehicle's functional safety may be enhanced by using a monitor/actuator architecture and redundancy. A monitor/actuator architecture would perform the primary function using one module (the actuator) monitor that actuator with an independent monitoring module. If the actuator malfunctions, the monitor module enters a fail-safe mode, overriding the actuator.”

Regarding claim 12, Ditty teaches the apparatus of Claim 1, wherein:
the higher safety integrity level comprises an automotive safety integrity level (ASIL).  
Ditty [0190] discloses “The SoC preferably is designed to be meet critical automotive standards, such as the ISO 26262 functional safety specification. In a preferred embodiment, the Advanced SoC has at least an ASIL C functional safety level.”

Regarding claim 13, Ditty teaches the apparatus of Claim 1, wherein:
the safety companion subsystem further comprises a safety proxy to: receive safety event data from the compute subsystem, wherein the data comprises safety event data
Ditty [0327] discloses “As an example, when vehicle cameras indicate that a vehicle ahead is slowing down so that braking needs to be applied, two independent computers (100), (200) and/or processes independently processing the incoming sensor data may each determine that braking should be applied”
Ditty [0425] discloses “As an example, the safety watchdog monitor 5010 might perform a sensor data integrity check in the case of application processes 5002 that are processing sensor data from cameras, RADAR, LIDAR, etc. If the safety watchdog monitor 5010 detects an error or fault”
determine integrity of the safety event data
Ditty [0425] discloses “As an example, the safety watchdog monitor 5010 might perform a sensor data integrity check in the case of application processes 5002 that are processing sensor data from cameras, RADAR, LIDAR, etc. If the safety watchdog monitor 5010 detects an error or fault, it may propagate an error notification up to a higher level in the safety framework”
provide a subset of the safety event data on demand to the safety monitor in association with consumption of the subset of the safety event data by the safety monitor to determine malfunctions of the compute subsystem.  
Ditty [0421] discloses “the multilevel/multilayered safety framework structure distributes monitoring functions throughout multiple layers and multiple hardware processors so failure of some part(s) of the safety framework itself does not disable the overall safety framework from operating”
Ditty [0422] discloses “the multilevel safety framework is capable of providing high levels of resiliency and redundancy while also providing processing capabilities to timely and effectively monitor many complicated high-performance real-time drive control (and other) control functions through a complicated system without becoming overwhelmed.”

Regarding claim 14, Ditty teaches the apparatus of Claim 1, wherein:
the first processor device comprises a first automotive microcontroller and the second processor device comprises a separate, second automotive microcontroller.  
Ditty [0298] discloses “SOCs 2002 communicate and interact with one or more microcontroller units (MCUs) 2003. In non-limiting examples, MCUs 2003 may comprise processors and associated memories that store instructions those processors execute.”
The Examiner notes that plural “microcontrollers” indicates at least a first and second microcontroller, with their associated processors.

Regarding claim 15, Ditty teaches the at least one non-transitory, machine readable storage medium with instructions stored thereon wherein:
the instructions are executable by a machine to cause the machine to: access event data at a safety companion subsystem of an automated driving system
Ditty [0285] discloses “In some example non-limiting implementations, both Advanced SoCs receive the same inputs or at least have access to the same inputs… a first Advanced SoC may make decisions based on RADAR input only, whereas another Advanced SoC may make similar decisions based on a fusion of both RADAR and LIDAR, or based on input from a stereo camera. In another possible implementation, the Advanced SoCs may each receive RADAR and LIDAR information.”
wherein the event data is generated at a compute subsystem of the automated driving system, and the event data indicates a determination by the compute subsystem associated to be used to autonomously perform an automated driving task
Ditty [0025] discloses “Automatic emergency braking (“AEB”) ADAS systems detect an impending forward collision with another vehicle or other object, and may automatically apply the brakes if the driver does not take corrective action within a specified time or distance parameter.”
access, at the safety companion subsystem, first hardware monitoring data captured at the compute subsystem to indicate attributes of hardware of the compute subsystem
Ditty [0171] discloses “The deep-learning infrastructure is capable of fast, real-time inferencing, and may use that capability to evaluate and verify the health of the processors, software, and associated hardware in Vehicle (50).”
Ditty [0452] discloses “the safety system is designed so that if a failed process or component cannot be successfully recovered within a certain safety time interval (e.g., 100 ms), the failed process or component is taken offline and disconnected from the vehicle bus so it cannot cause an unsafe condition.”
access second hardware monitoring data captured at the safety companion subsystem to indicate attributes of hardware of the safety companion subsystem, wherein the hardware of the safety companion subsystem is distinct from the hardware of the compute subsystem
Ditty [0243] discloses “The SoC preferably includes a Safety Cluster Engine (“SCE”) (704), a dedicated processor subsystem to handle safety management for automotive applications.”
determine, at the safety companion subsystem, one or more malfunctions of the compute subsystem capable of affecting safety of automated driving tasks of the automated driving system , wherein the malfunctions are determined based on one or more of the event data, first hardware monitoring data, or second hardware monitoring data
Ditty [0025] discloses “Automatic emergency braking (“AEB”) ADAS systems detect an impending forward collision with another vehicle or other object, and may automatically apply the brakes if the driver does not take corrective action within a specified time or distance parameter.”
Ditty [0275] discloses “The vehicle's functional safety may be enhanced by using a monitor/actuator architecture and redundancy. A monitor/actuator architecture would perform the primary function using one module (the actuator) monitor that actuator with an independent monitoring module. If the actuator malfunctions, the monitor module enters a fail-safe mode, overriding the actuator.”
Ditty [0452] discloses “the safety system is designed so that if a failed process or component cannot be successfully recovered within a certain safety time interval (e.g., 100 ms), the failed process or component is taken offline and disconnected from the vehicle bus so it cannot cause an unsafe condition.”
trigger an action to cause the automated driving task to be safely performed based on detection of the one or more malfunctions 
Ditty [0011] discloses “Level 4 functionality allows the driver to go to sleep, and if any condition such that the car can no longer drive automatically, and the driver does not take over, the car will pull over safely.”
Ditty [0275] discloses “vehicle (50) typically includes additional processors, ASICs, and SoCs controlling other essential and desired functions (e.g., brake actuation, electronic ignition, climate control, infotainment system, GPS, RADAR and LIDAR processing, etc.). The vehicle's functional safety may be enhanced by using a monitor/actuator architecture and redundancy. A monitor/actuator architecture would perform the primary function using one module (the actuator) monitor that actuator with an independent monitoring module. If the actuator malfunctions, the monitor module enters a fail-safe mode, overriding the actuator.”

Regarding claim 16, Ditty teaches the storage medium of Claim 15, wherein:
the compute subsystem determines the automated driving tasks
Ditty [0121] discloses “Each controller is essentially one or more onboard supercomputers that can operate in real-time to process sensor signals, and output autonomous operation commands to self-drive vehicle (50) and/or assist the human vehicle driver in driving. Each vehicle may have any number of distinct controllers for functional safety and additional features.”
the action to control the malfunction comprises handing control of automated driving tasks to another computing system of the automated driving system.  
Ditty [0275] discloses “vehicle (50) typically includes additional processors, ASICs, and SoCs controlling other essential and desired functions (e.g., brake actuation, electronic ignition, climate control, infotainment system, GPS, RADAR and LIDAR processing, etc.). The vehicle's functional safety may be enhanced by using a monitor/actuator architecture and redundancy. A monitor/actuator architecture would perform the primary function using one module (the actuator) monitor that actuator with an independent monitoring module. If the actuator malfunctions, the monitor module enters a fail-safe mode, overriding the actuator.”

Regarding claim 17, Ditty teaches the system comprising: a compute subsystem comprising:
a first microcontroller
Ditty [0281] discloses “The MCU (803) operates as a master controller for the system.”
first memory
Ditty [0198] discloses “Furthermore, [streaming multiprocessors] SMs (301) preferably include a combined L1 data cache and shared memory unit, significantly improves performance while also simplifying programming.”
an automation engine executable by the first microcontroller to: receive sensor data
Ditty [0240]-[0241] discloses “Always-On Sensor Processing Engine. The Advanced SoC preferably includes an Always-On Sensor Processing Engine (“AON”/“SPE”) (702).”
determine an automated task to be performed by a machine based on the sensor data
Ditty [0011] discloses “Level 4 functionality allows the driver to go to sleep, and if any condition such that the car can no longer drive automatically, and the driver does not take over, the car will pull over safely.”
Ditty [0025] discloses “Automatic emergency braking (“AEB”) ADAS systems detect an impending forward collision with another vehicle or other object, and may automatically apply the brakes if the driver does not take corrective action within a specified time or distance parameter.”
a safety companion subsystem comprising: a second microcontroller
Ditty [0298] discloses “SOCs 2002 communicate and interact with one or more microcontroller units (MCUs) 2003. In non-limiting examples, MCUs 2003 may comprise processors and associated memories that store instructions those processors execute.”
The Examiner notes that plural “microcontrollers” indicates at least a first and second microcontroller, with their associated processors.
second memory
Ditty [0229] discloses two memories, elements 500 and 600 shown in Figure 8 (provided below).

    PNG
    media_image2.png
    686
    950
    media_image2.png
    Greyscale

a safety monitor executable by the second microcontroller to: access event data to identify attributes of the compute subsystem associated with determination of the automated task
Ditty [0122] discloses “The bus can be read to find steering wheel angle, ground speed, engine RPM, button positions, and other vehicle status indicators. The functional safety level for a CAN bus interface is typically ASIL B.”
The Examiner notes that the vehicle status indicators provided by Ditty encompasses data generated at the compute subsystem, which is defined in [0047] of the instant specification as configured to perform automated driving tasks. The Examiner further notes that reading data involves accessing it.
determine a malfunction of the compute subsystem based on the event data
Ditty [0275] discloses “The vehicle's functional safety may be enhanced by using a monitor/actuator architecture and redundancy. A monitor/actuator architecture would perform the primary function using one module (the actuator) monitor that actuator with an independent monitoring module. If the actuator malfunctions, the monitor module enters a fail-safe mode, overriding the actuator.”
cause an action to be performed, based on the malfunction, to cause the automated task to be safely performed by the machine
Ditty [0011] discloses “Level 4 functionality allows the driver to go to sleep, and if any condition such that the car can no longer drive automatically, and the driver does not take over, the car will pull over safely.”
Ditty [0275] discloses “vehicle (50) typically includes additional processors, ASICs, and SoCs controlling other essential and desired functions (e.g., brake actuation, electronic ignition, climate control, infotainment system, GPS, RADAR and LIDAR processing, etc.). The vehicle's functional safety may be enhanced by using a monitor/actuator architecture and redundancy. A monitor/actuator architecture would perform the primary function using one module (the actuator) monitor that actuator with an independent monitoring module. If the actuator malfunctions, the monitor module enters a fail-safe mode, overriding the actuator.”
wherein the security companion subsystem implements a higher safety integrity level than the compute subsystem based on characteristics of hardware of the security companion subsystem.
Ditty [0122] discloses “Controller (100) sends command signals to operate vehicle brakes (60) via one or more braking actuators (61), operate steering mechanism (58) via a steering actuator (62), and operate propulsion unit (56) which also receives an accelerator/throttle actuation signal (64)…The functional safety level for a CAN bus interface is typically ASIL B.”
Ditty [0190] discloses “The SoC preferably is designed to be meet critical automotive standards, such as the ISO 26262 functional safety specification. In a preferred embodiment, the Advanced SoC has at least an ASIL C functional safety level.”
The Examiner notes that ASIL C is a higher level of functional safety as defined in Ditty [0266].

Regarding claim 18, Ditty teaches the system of Claim 17, wherein:
the compute subsystem further comprises a first hardware monitor to monitor hardware of the compute subsystem to detect malfunctions of the hardware of the compute subsystem and generate first status data based on monitoring of the hardware of the compute subsystem
Ditty [0275] discloses “The vehicle's functional safety may be enhanced by using a monitor/actuator architecture and redundancy. A monitor/actuator architecture would perform the primary function using one module (the actuator) monitor that actuator with an independent monitoring module. If the actuator malfunctions, the monitor module enters a fail-safe mode, overriding the actuator.”
wherein the safety monitor is further to: access the first status data
Ditty [0122] discloses “The bus can be read to find steering wheel angle, ground speed, engine RPM, button positions, and other vehicle status indicators. The functional safety level for a CAN bus interface is typically ASIL B.”
The Examiner notes that the vehicle status indicators provided by Ditty encompasses data generated at the compute subsystem, which is defined in [0047] of the instant specification as configured to perform automated driving tasks. The Examiner further notes that reading data involves accessing it.
determine that a hardware malfunction of the hardware of the compute subsystem affects safety of the machine based on the first status data.  
Ditty [0452] discloses “the safety system is designed so that if a failed process or component cannot be successfully recovered within a certain safety time interval (e.g., 100 ms), the failed process or component is taken offline and disconnected from the vehicle bus so it cannot cause an unsafe condition.”

Regarding claim 19, Ditty teaches the system of Claim 18, wherein
the safety companion subsystem further comprises a second hardware monitor to monitor hardware of the safety companion subsystem to detect malfunctions of the hardware of the safety companion subsystem and generate second status data based on monitoring of the hardware of the safety companion subsystem
Ditty [0275] discloses “The vehicle's functional safety may be enhanced by using a monitor/actuator architecture and redundancy. A monitor/actuator architecture would perform the primary function using one module (the actuator) monitor that actuator with an independent monitoring module. If the actuator malfunctions, the monitor module enters a fail-safe mode, overriding the actuator.”
wherein the safety monitor is further to: access the second status data
Ditty [0294] discloses “In the example shown, each SOC 2002 has an associated memory system 2004. In the example shown, SOC 2002(1) accesses a respective memory system 2004(1), and SOC 2002(2) accesses a respective memory system 2004(2).”
determine that a hardware malfunction of the hardware of the safety companion subsystem affects safety of the machine based on the second status data.  
Ditty [0452] discloses “the safety system is designed so that if a failed process or component cannot be successfully recovered within a certain safety time interval (e.g., 100 ms), the failed process or component is taken offline and disconnected from the vehicle bus so it cannot cause an unsafe condition.”

Regarding claim 20, Ditty teaches the system of Claim 17, further comprising the machine, wherein:
the machine comprises one of a vehicle or a robot. 
Ditty [0120] discloses “Vehicle (50) includes a vehicle body (52) suspended on a chassis, in this example comprised of four wheels (54) and associated axles… One or more Controllers (100(1)-100(3)) provide autonomous self-driving capabilities in response to signals continuously provided in real-time from an array of sensors”

Conclusion
Yousuf et al. (U.S. Patent Application Publication No. 20180370540) discloses a controller architecture with multiple processors that become active based on a detection that another processor has failed. The resulting fault-tolerant/fail-operational system meets ISO26262 ASIL D specifications.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to STEPHANIE T SU whose telephone number is (571)272-5326.  The examiner can normally be reached on Monday to Friday, 8:30AM - 5:00PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, ANISS CHAD can be reached on (571)270-3832.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/S.T.S./Patent Examiner, Art Unit 3662         

/IG T AN/Primary Examiner, Art Unit 3662