Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

DETAILED ACTION
The instant application having Application No. 17/491,210 filed on 09/30/2021 is presented for examination by the examiner.

Examiner Notes
Examiner cites particular columns and line numbers in the references as applied to the claims below for the convenience of the applicant. Although the specified citations are representative of the teachings in the art and are applied to the specific limitations within the individual claim, other passages and figures may apply as well. It is respectfully requested that, in preparing responses, the applicant fully consider the references in entirety as potentially teaching all or part of the claimed invention, as well as the context of the passage as taught by the prior art or disclosed by the examiner.

Priority
As required by M.P.E.P. 201.14(c), acknowledgement is made of applicant’s claim for priority based on applications filed on 06/10/2019.
Receipt is acknowledged of papers submitted under 35 U.S.C. 119(a)-(d), which papers have been placed of record in the file. 

Drawings

The applicant’s drawings submitted are acceptable for examination purposes.

Information Disclosure Statement
As required by M.P.E.P. 609, the applicant’s submissions of the Information Disclosure Statement dated 09/30/3021 is acknowledged by the examiner and the cited references have been considered in the examination of the claims now pending.

Specification Objections
The disclosure is objected to because of the following informalities: under ”Cross-reference to related Applications” section, the status of U.S Patent Application No. 15/931998 now is patented need to be updated.
Appropriate correction is required.

Double Patenting

The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.   A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and  In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. 
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
Initially, it should be noted that the present application and Application No. 12/427,090, have the same inventive entity.  The assignee for both applications is Fisher-rosemount system, inc.  
Claims 1 are provisionally rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1 and 9 of US patent #11249464.  Although the conflicting claims are not identical, they are not patentably distinct from each other.  Claims 1 is compared to claim 1 and 9 of US patent #11249464 in the following table:
Claim 1 is compared to claims 1 and 9 of US patent #11249464 in the following table:
Instant Application
US patent #11249464
1. A system of an industrial process plant, the system comprising: 
a process control system including:





a field device disposed in a physical environment of the industrial process plant, the field device performing a physical function;
an I/O switch communicatively disposed between the field device and a virtual node, the I/O switch being a subscriber to first data that is generated by the field device and that has been published, and the I/O switch being a publisher of second data indicative of the first data generated by the field device;

the virtual node, the virtual node being a subscriber to the second data corresponding to the field device and published by the I/O switch, the virtual node including a component behavior module that operates on the second data corresponding to the field device to thereby generate a control signal to modify a behavior of another node of the process control system, the virtual node disposed in a virtual environment of the industrial process plant, and 
the field device, the virtual node, and the another node operating in conjunction during run-time operations of the industrial process plant to control an industrial process; and















an edge gateway system communicatively connected to one or more applications, each of the one or more applications being a respective consumer of a respective at least a portion of one or more types of data published by the I/O switch, the edge gateway system being a subscriber to the one or more types of data published by the I/O switch, and the edge gateway system including one or more security mechanisms utilized in delivering the one or more types of the data between the I/O switch and the one or more applications.
1. A system of an industrial process plant, the system comprising:
a process control system including: 
a plurality of control loops operating to control an industrial process during run-time operations of the industrial process plant; 
a field device disposed in a physical environment of the industrial process plant, the field device performing a physical function; 
an I/O switch communicatively disposed between the field device and a virtual node, the I/O switch being a subscriber to first data that is generated by the field device and that has been published, and the I/O switch being a publisher of second data indicative of the first data generated by the field device; and 
the virtual node, the virtual node being a subscriber to the second data corresponding to the field device and published by the I/O switch, the virtual node including a component behavior module that operates on the second data corresponding to the field device to thereby generate a control signal to modify a behavior of another node of the process control system, and the virtual node disposed in a virtual environment of the industrial process plant, 
the field device, the virtual node, and the another node operating in conjunction during the run-time operations of the industrial process plant, 
the plurality of control loops including one or more control loops, each of which includes a respective field device disposed in the physical environment of the industrial process plant and a respective at least one other process control device disposed in the virtual environment of the industrial process plant; 
each control loop of the one or more control loops utilizing the I/O switch in lieu of any physical I/O device; and a first control loop of the one or more control loops includes the field device and the virtual node.
9. The system of claim 1, further comprising an edge gateway system communicatively connected to one or more applications, each of the one or more applications being a respective consumer of a respective at least a portion of one or more types of data published by the I/O switch, the edge gateway system being a subscriber to the one or more types of data published by the I/O switch, and the edge gateway system including one or more security mechanisms utilized in delivering the one or more types of the data between the I/O switch and the one or more applications. 



Allowable Subject Matter
Claims 1-33 would be allowable if rewritten to overcome the rejection(s) under 101, set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.
Prior arts:
US 2018/0260251 to Beveridge
[0149] FIGS. 30A-B illustrate a first security issue related to nested hypervisors and an approach that addresses the first security issue. Any of a variety of data-encryption technologies can be used to secure data transmitted through networks from interception or unintentional exposure to parties unauthorized to access the data. Certain hypervisor implementations support message-data encryption and encrypted-message-data decryption in order to secure data transmitted through networks on behalf of virtual machines executing within the execution environment provided by the hypervisor. Hypervisor-implemented message-data encryption and encrypted-message-data decryption both offloads encryption/decryption tasks from virtual machines, guest operating systems, and applications running within virtual machines as well as secures and simplifies key storage and key management. In addition, encryption and decryption may be more efficient when carried out at the hypervisor level. FIGS. 30A-B use the same illustration conventions previously used in FIGS. 26-27 and assume the two different management domains discussed above with reference to FIG. 27. FIG. 30A illustrates hypervisor-level message-data encryption and encrypted-message-data decryption. In the example shown in FIG. 30A, a hardware edge gateway appliance 3002 receives encrypted data from remote devices and systems and transmits encrypted data to remote devices and systems. A virtualized gateway appliance 3004 corresponding to the physical edge gateway appliance within the hypervisor uses a symmetric key or private key to decrypt incoming encrypted data that is then forwarded to a virtual switch 3006 from which the decrypted data is distributed to the target virtual machines. In the case of first-level virtual machines that do not include nested hypervisors, such as first-level virtual machine 3008, the decrypted data is directed to the guest operating system 3010 within the virtual machine. By contrast, in the case of a first-level virtual machine that does include a nested hypervisor, such as virtual machine 3012, the decrypted data flows to the virtual edge gateway appliance 3014 within the nested hypervisor 3016 for distribution through a virtual switch 3018 to second-level virtual machines, such as second-level virtual machine 3020. As indicated in FIG. 30A, once the data leaves the virtual edge gateway appliance 3004, the data is decrypted and in clear form. Data and messages directed to a second-level virtual-machine targets running within the execution environment provided by the nested hypervisor is thus internally exposed within the base hypervisor. In this sense, the first management domain corresponding to the computer system 3000 and the second management domain corresponding to the nested-hypervisor-hosting virtual machine 3012 overlap, since the management server that manages the base hypervisor 3022 can employ various tools and utilities to access decrypted message data directed to virtual machines within the second management domain. One approach to fully separating the two management domains, with respect to message-data encryption, is to configure the nested hypervisor to encrypt and decrypt message data using a nested-hypervisor-controlled key or key pair different from the key or key pair employed by the base hypervisor. However, this approach would result in significant inefficiency due to double encryption of all network traffic transmitted between virtual machines in the second management domain and remote computational entities.

US 2013/0245843 to Bhageria
[0043] The published messages containing the greenhouse gas emissions real-time measurements can also be made available to third party applications and systems via a computing device 100 that publishes the messages in a secure manner to an external network 105, such as a wireless/wirelane network, e.g., the Internet, etc. The computing device 100 may include or be included in computing device 14 described with respect to FIG. 1, and may comprise an edge gateway or other device that provides a secure communication link between the integration middleware 97 and the external network 105.

US 2019/0173934 to Beattie
[0017] As illustrated in FIG. 1, network 100 includes a core network 110. In one example, core network 110 may combine core network components of a cellular network with components of a triple play or n-play service network; where triple play services include telephone services, Internet services and television services to subscribers, and n-play services may include any one or more of the triple play services plus additional services (e.g., such as security monitoring, health monitoring, geo fencing, and the like). For example, core network 110 may functionally comprise a fixed mobile convergence (FMC) network, e.g., an IP Multimedia Subsystem (IMS) network. In addition, core network 110 may functionally comprise a telephony network, e.g., an Internet Protocol/Multi-Protocol Label Switching (IP/MPLS) backbone network utilizing Session Initiation Protocol (SIP) for circuit-switched and Voice over Internet Protocol (VoIP) telephony services. Core network 110 may also further comprise a broadcast television network, e.g., a traditional cable provider network or an Internet Protocol Television (IPTV) network, as well as an Internet Service Provider (ISP) network. The network elements 111A-111D may serve as gateway servers or edge routers to interconnect the core network 110 with other networks 140, Internet 145, wireless access network 150, access network 120, and so forth. In one example, the network elements 111A-111D comprise repositories of codecs that can be selected by and downloaded to the mobile devices 157A, 157B, 167A and 167B, and devices such as personal computer (PC) 166, tablet computer 162, home phone 164. As shown in FIG. 1, core network 110 may also include a plurality of television (TV) servers 112, a plurality of content servers 113, a plurality of application servers 114, an advertising server (AS) 117, and a repository of connection parameters 115. For ease of illustration, various additional elements of core network 110 are omitted from FIG. 1.

US 2018/0112795 to Anderson
[0062] Generally speaking, the security architecture 200 provides end-to-end security from the field environment of the process plant 100 in which devices 202 are installed and operate, to the remote system 210 providing applications and/or services 208 that consume and operate on the data generated by the process plant 100. As such, data that is generated by the devices 202 and other components of the process plant 100 is able to be securely transported to the remote system 210 for use by the remote applications/services 208 while protecting the plant 100 from cyber-attacks, intrusions, and/or other malicious events. In particular, the security architecture 200 includes a field gateway 212, a data diode 215, and an edge gateway 218 disposed between the process plant 100 (e.g., between the wireless gateways 205A, 205B of the process plant 100) and the remote system 210. Typically, but not necessarily, the field gateway 212, the data diode 215, and the edge gateway 218 are included at Security Levels 2-5.

[0064] Accordingly, the data diode 215 includes at least one input port 220 that is communicatively connected to the field gateway 212 and at least one output port 222 that is communicatively connected to the edge gateway 218. The data diode 215 also includes a fiber optic or communication link of any other suitable technology that connects its input port 222 to its output port 222. To prevent data traffic from flowing to (e.g., ingressing into) the process control system 100, in an example implementation, the data diode 215 excludes or omits an input port to receive data from the edge gateway 218 (or other component at a higher security level), and/or excludes or omits an output port to transmit data to the field gateway 212 (or other component at a lower security level). In an additional or alternative implementation, the data diode 215 excludes, omits, and/or disables transceivers that otherwise would allow data to flow from the output port 222 to the input port 220, and/or excludes a physical communication path for data to flow from the output port 222 to the input port 220. Still additionally or alternatively, the data diode 215 may support only unidirectional data flow from the input port 220 to the output port 222 via software, e.g., by dropping or blocking any messages received at the output port 222 from the edge gateway 218 (or higher security level component), and/or by dropping or blocking any messages addressed to the field gateway 212 (or lower security level component).

US 2018/0115516 to Rotvold
[0088] Further, although the discussion of FIG. 5 above describes the message flow 400 occurring as if the sending gateway 402 is the field gateway 212 and the receiving device 405 is edge gateway 218, this is only one of many embodiments. For example, in other embodiments of the message flow 400, the sending device 402 may be a field gateway 212, a wireless gateway 205, a data source device 202, and/or any other component that provides data generated by one or more components or devices operating within the process plant 100, and the receiving device 405 may be an edge gateway 218, one or more of the devices comprising the remote system 210, and/or a client application that is a consumer of source data (e.g., one of the remote applications or services 208). For example, a first one of the client applications 208 may subscribe to data generated by a particular device 202 that is published across the data diode 215, and a second one of the client applications 28 may subscribe to data generated by another particular device 202. In this example, the edge gateway 218 may serve as a router to distribute received data to respective data subscribers. In another example, the edge gateway 218 publishes all data that it receives via the data diode 215, and various applications 208 subscribe to specific data published by the edge gateway 218. Other publisher/subscriber relationships are possible, and may be supported by any one or more of the secured communication techniques described herein.

The prior art of record (Beveridge in view of Bhageria, Beattie, Anderson and Rotvold) does not disclose and/or fairly suggest at least claimed limitations recited in such manners in independent claim 1 "... the virtual node, the virtual node being a subscriber to the second data corresponding to the field device and published by the I/O switch, the virtual node including a component behavior module that operates on the second data corresponding to the field device to thereby generate a control signal to modify a behavior of another node of the process control system, the virtual node disposed in a virtual environment of the industrial process plant, and the field device, the virtual node, and the another node operating in conjunction during run-time operations of the industrial process plant to control an industrial process; and an edge gateway system communicatively connected to one or more applications, each of the one or more applications being a respective consumer of a respective at least a portion of one or more types of data published by the I/O switch, the edge gateway system being a subscriber to the one or more types of data published by the I/O switch, and the edge gateway system including one or more security mechanisms utilized in delivering the one or more types of the data between the I/O switch and the one or more applications.” 

Conclusion
The following prior art made of record and not relied upon is cited to establish the level of skill in the applicant’s art and those arts considered reasonably pertinent to applicant’s disclosure. See MPEP 707.05(c).
Any inquiry concerning this communication should be directed to examiner Tuan Dao, whose telephone/fax numbers are (571) 270 3387 and (571) 270 4387, respectively. The examiner can normally be reached on every Monday-Thursday, and the second Friday of the bi-week from 7:30AM to 5:00PM.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Chat Do, can be reached at (571) 272 3721.
The fax phone number for the organization where this application or proceeding is assigned is (571) 273 8300.
Any inquiry of a general nature of relating to the status of this application or proceeding should be directed to the TC 2100 Group receptionist whose telephone number is (571) 272 2100.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).

/TUAN C DAO/            Primary Examiner, Art Unit 2193