Prosecution Insights
Browse Companies Examiners Firms Draft Your Response
Office ActionsKodiak Robotics Inc. › 18228101
Last updated: April 19, 2026
Application No. 18/228,101

SYSTEMS AND METHODS FOR CONTROLLING A VEHICLE USING A REDUNDANT ACTUATOR CONTROL ENGINE SYSTEM

Non-Final OA §103§DP
Filed
Jul 31, 2023
Examiner
CULLEN, TANNER L
Art Unit
3656
Tech Center
3600 — Transportation & Electronic Commerce
Assignee
Kodiak Robotics Inc.
OA Round
3 (Non-Final)
71%
Grant Probability
Favorable
3-4
OA Rounds
3y 0m
To Grant
87%
With Interview

Interview Optional

+16.6% interview lift. This examiner has a relatively high allow rate; a written response may suffice.
Based on 161 resolved cases, 2023–2026

Examiner Intelligence

CULLEN, TANNER L View full profile →
Grants 71% — above average
71%
Career Allow Rate
114 granted / 161 resolved
+18.8% vs TC avg
Strong +17% interview lift
Without
With
+16.6%
Interview Lift
resolved cases with interview
Typical timeline
3y 0m
Avg Prosecution
35 currently pending
Career history
196
Total Applications
across all art units

Statute-Specific Performance

§101
8.5%
-31.5% vs TC avg
§103
57.2%
+17.2% vs TC avg
§102
19.3%
-20.7% vs TC avg
§112
11.7%
-28.3% vs TC avg
Black line = Tech Center average estimate • Based on career data from 161 resolved cases

Office Action

§103 §DP
DETAILED CORRESPONDENCE This non-final office action is in response to the Amendments filed on 17 December 2025, regarding application number 18/228,101. Continued Examination Under 37 CFR 1.114 A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection. Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114. Applicant's submission filed on 02 February 2026 has been entered. Notice of Pre-AIA or AIA Status The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA . In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status. Response to Amendment Claims 1, 3-11 and 13-20 remain pending in the application, while claims 2 and 12 were previously cancelled. Claims 1, 3, 11 and 13 were amended in the Amendments to the Claims on 17 December 2025. Response to Arguments Applicant’s arguments, see Pages 7-8, filed 17 December 2025, with respect to the rejections of claims 1, 3-11 and 13-20 on the ground of nonstatutory double patenting have been fully considered and are persuasive due to the approved Terminal Disclaimer on file. Therefore, the rejections have been withdrawn. Applicant’s arguments, see Page 8, with respect to the claim interpretation under 35 U.S.C. 112(f) have been fully considered but they are not persuasive because the claim limitations meet the three-prong test as discussed in the prior office action and below. Applicant made the following remark, “While not necessarily agreeing with the interpretation set forth in the Office Action and solely to expedite prosecution of the present application, Applicant acknowledges the Examiner's position.”. Accordingly, the claim interpretation under 35 U.S.C. 112(f) has been maintained. Applicant’s arguments, see Page 8, with respect to the rejections of claims 3-9 and 13-19 under 35 U.S.C. 112(b) have been fully considered and are persuasive. Therefore, the rejections have been withdrawn. Applicant’s arguments, see Pages 8-9, with respect to the rejections of claims 1, 3-11 and 13-20 under 35 U.S.C. 103 have been fully considered and are persuasive. Therefore, the rejections have been withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of newly cited references Vaccaro (US 20150261704 A1) and Ueda (US 20080229320 A1). See full details below. Claim Interpretation The following is a quotation of 35 U.S.C. 112(f): (f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph: An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof. The claims in this application are given their broadest reasonable interpretation using the plain meaning of the claim language in light of the specification as it would be understood by one of ordinary skill in the art. The broadest reasonable interpretation of a claim element (also commonly referred to as a claim limitation) is limited by the description in the specification when 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is invoked. As explained in MPEP § 2181, subsection I, claim limitations that meet the following three-prong test will be interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph: (A) the claim limitation uses the term “means” or “step” or a term used as a substitute for “means” that is a generic placeholder (also called a nonce term or a non-structural term having no specific structural meaning) for performing the claimed function; (B) the term “means” or “step” or the generic placeholder is modified by functional language, typically, but not always linked by the transition word “for” (e.g., “means for”) or another linking word or phrase, such as “configured to” or “so that”; and (C) the term “means” or “step” or the generic placeholder is not modified by sufficient structure, material, or acts for performing the claimed function. Use of the word “means” (or “step”) in a claim with functional language creates a rebuttable presumption that the claim limitation is to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites sufficient structure, material, or acts to entirely perform the recited function. Absence of the word “means” (or “step”) in a claim creates a rebuttable presumption that the claim limitation is not to be treated in accordance with 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. The presumption that the claim limitation is not interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, is rebutted when the claim limitation recites function without reciting sufficient structure, material or acts to entirely perform the recited function. Claim limitations in this application that use the word “means” (or “step”) are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. Conversely, claim limitations in this application that do not use the word “means” (or “step”) are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, except as otherwise indicated in an Office action. This application includes one or more claim limitations that do not use the word “means,” but are nonetheless being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, because the claim limitations use a generic placeholder that is coupled with functional language without reciting sufficient structure to perform the recited function and the generic placeholder is not preceded by a structural modifier. Such claim limitations are: a. “main computing system” in claims 11 and 20 b. “redundant ACE system” in claims 11 and 15-20 Because these claim limitations are being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, they are being interpreted to cover the corresponding structure described in the specification as performing the claimed function, and equivalents thereof. Regarding the limitations reciting the “main computing system”, the specification discloses a computer in Figure 2 and paragraph [0040] and an algorithm for performing the claimed functions in Figures 3-4, in the specification filed on 31 July 2023. Regarding the limitations reciting “redundant ACE system”, the specification discloses a computer in Figures 2 and 6 and paragraph [0040] and an algorithm for performing the claimed functions in Figures 3-4. If applicant does not intend to have these limitations interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitations to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph (e.g., by reciting sufficient structure to perform the claimed function); or (2) present a sufficient showing that the claim limitations recite sufficient structure to perform the claimed function so as to avoid them being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph. Claim Rejections - 35 USC § 103 The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows: 1. Determining the scope and contents of the prior art. 2. Ascertaining the differences between the prior art and the claims at issue. 3. Resolving the level of ordinary skill in the pertinent art. 4. Considering objective evidence present in the application indicating obviousness or nonobviousness. This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary. Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention. Claims 1, 3-5, 10-11, 13-15 and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Barton-Sweeney et al. (US 20170199523 A1 and Barton-Sweeney hereinafter), in view of Samii et al. (US 20170277607 A1 and Samii hereinafter), Vaccaro et al. (US 20150261704 A1 and Vaccaro hereinafter) and Ueda (US 20080229320 A1 and Ueda hereinafter). Regarding Claim 1 Barton-Sweeney teaches a method of controlling an autonomous vehicle in response to an abnormal condition (see all Figs.; [0003], [0020] and [0026]-[0030]), comprising: generating, by a main computing system, a nominal motion plan and a fallback motion plan for each predetermined interval from a location of the vehicle based on data received by the main computing system about environment of the vehicle (see Fig. 1, primary computing system 110 corresponds to the main computing system; s. 9-10, all; [0003], [0074]-[0075], [0078] and [0081]), wherein the fallback motion plan is generated to safely stop the vehicle; sending, by the main computing system, the nominal motion plan and the fallback motion plan for the each predetermined interval to a redundant actuator control engine (ACE) system comprising a first ACE and a second ACE (see Fig. 1, secondary computing system 210 and processors 220 corresponds to the redundant actuator control engine (ACE) system; [0003], [0026], [0036], [0072]-[0074] and [0081], especially [0003 "The nominal trajectory and the fall back trajectory are identical between the location and a divergent point and where the nominal trajectory and the fall back trajectory diverge after the divergent point. The method also includes sending, by the primary computing system, the fall back trajectory to a secondary computing system; receiving, by the secondary computing system, the fall back trajectory..."], [0026 "For example, where the primary computing system may send trajectories to the secondary computing system at some predetermined interval, the nominal and fall back trajectories should correspond for at least this predetermined interval or even double this predetermined interval. By doing so, the secondary computing system may control the vehicle according to the nominal trajectory until at least some amount of time has passed where the secondary computing system would expect to receive an updated trajectory from the primary computing system."], [0036 "Alternatively, the one or more processors may be a dedicated device such as an ASIC or other hardware-based processor. Although FIG. 1 functionally illustrates the processor, memory, and other elements of computing device 112 (and computing device 212) as being within the same block, the processor, computing device, or memory may actually include multiple processors, computing devices, or memories that may or may not be stored within the same physical housing"], [0074 "For example, where the computing system 110 may send trajectories to the computing system 210 approximately 10 times per second (or every 0.1 seconds), the nominal and fall back trajectories should correspond for at least this long or even double this amount of time. By doing so, the computing system 210 may control the vehicle according to the nominal trajectory and corresponding instructions until at least some amount of time has passed where the computing system 210 would expect to receive an updated trajectory from the computing system 110."]); updating an existing nominal motion plan and an existing fallback motion plan in the first ACE and the second ACE, by the redundant ACE system, with the nominal motion plan and the fallback motion plan, respectively, for the each predetermined interval (see [0003], [0026], [0074] and [0081]); controlling the vehicle, by one of the first ACE and the second ACE to control, according to the nominal motion plan (see [0003], [0026], [0074] and [0081]); detecting, by the redundant ACE system, an abnormal condition of the vehicle (see [0020], [0027]-[0030], [0075] and [0078]-[0079]); and in response to the abnormal condition, control the vehicle and perform a predetermined vehicle action comprising navigating the vehicle to a safe stop based on an output actuator command generated by the primary ACE according to the fallback motion plan that is received before detection of the abnormal condition (see Figs. 9-10, fall back trajectory 910; [0003], [0075], [0078] and [0081]). Barton-Sweeney additionally teaches the redundant actuator control engine (ACE) system comprising a first ACE (ACE) and a second ACE (ACE), as discussed above, for example in [0036 "Alternatively, the one or more processors may be a dedicated device such as an ASIC or other hardware-based processor. Although FIG. 1 functionally illustrates the processor, memory, and other elements of computing device 112 (and computing device 212) as being within the same block, the processor, computing device, or memory may actually include multiple processors, computing devices, or memories that may or may not be stored within the same physical housing"]. Barton-Sweeney; however, is silent regarding assigning by a redundancy arbitration logic one of the first ACE and the second ACE as a primary ACE, wherein the redundancy arbitration logic is separate and isolated from other control system application components, and wherein the redundancy arbitration logic comprises an arbitration interface between arbitration logic components on the first ACE and the second ACE, a role interface between an arbitration logic component and local application components, and an interface to a local application environment. Samii teaches a method of controlling an autonomous vehicle in response to an abnormal condition (see all Figs, especially Fig. 3; [0005]-[0007] and [0020]-[0021]), comprising: generating, by a main computing system, a nominal motion plan based on data received by the main computing system about environment of the vehicle (see the first controller 12 in Figs. 1-5; [0007], [0023] and [0026]); sending, the nominal motion plan to a redundant actuator control engine (ACE) system comprising a first ACE and a second ACE (see the second controller 14 and third controller 15 in Figs. 1-5; [0006]-[0007], [0023] and [0028]); updating an existing nominal motion plan the first ACE and the second ACE, by the redundant ACE system, with the nominal motion plan (see [0006]-[0007] and [0028]); controlling the vehicle, by one of the first ACE and the second ACE to control, according to the nominal motion plan (see Figs. 3-4, all; [0006]-[0008], [0023], [0026] and [0030]-[0031]); detecting, by the redundant ACE system, an abnormal condition of the vehicle (see Figs. 3-4, all; [0006]-[0008], [0026] and [0030]-[0031]); and in response to the abnormal condition, assigning by a redundancy arbitration logic one of the first ACE and the second ACE as a primary ACE to control the vehicle and perform a predetermined vehicle action (see [0006]-[0007], [0030]-[0031], [0045 "In the decentralized approach, each controller implements logic to detect failure of any other controller in the system and reconfigure to primary or hot standby status if necessary. In the centralized approach, a master controller detects failures of all other controllers in the system, and determines which controller should reconfigure to primary status and which controller should reconfigure to hot standby status. When this determination is made, the master controller notifies the respective controller to reconfigure and change their operating status to primary and hot standby, respectively."] and [0055]-[0126]), wherein the redundancy arbitration logic is separate and isolated from other control system application components (see Figs. 7-8, all; [0023 "The first controller 12 is designated as the primary controller and includes a dual-core processor that utilizes a first core 16 and a second core 18 for executing primary controls. The second controller 14 is a backup controller includes a dual-core processor that utilizes a first core 19 and a second core 20 that executes redundant functions as the first controller 12. The third controller 15 is also a backup controller that includes a dual-core processor that utilizes a first core 21 and a second core 22 that executes redundant functions as the first controller 12 ... However, certain devices in the architecture may utilize different devices such as different power supplies so that if an error occurs with a controller as a result of a power supply, it does not affect the other controller."], [0045 "In the decentralized approach, each controller implements logic to detect failure of any other controller in the system and reconfigure to primary or hot standby status if necessary. In the centralized approach, a master controller detects failures of all other controllers in the system, and determines which controller should reconfigure to primary status and which controller should reconfigure to hot standby status. When this determination is made, the master controller notifies the respective controller to reconfigure and change their operating status to primary and hot standby, respectively."], [0055]-[0064] and [0121]-[0126]). Vaccaro teaches a method of controlling an autonomous vehicle in response to an abnormal condition (see all Figs., especially Fig. 1 and 3; [0009]), comprising: controlling the vehicle, by one of a first ACE and a second ACE to control (see Fig. 1, controllers 120; [0009 "The controllers 120 may, for example, be responsible for controlling a safety system, such as an airbag or stability control system."], [0011] and [0023 "If, for example, multiple controllers 120 are coupled to the device which are designed to retrieve the identical data, the external interface 130 coupled to the controller designated as the primary controller (rather than a backup controller) may be assigned a higher priority."]); and assigning by a redundancy arbitration logic one of the first ACE and the second ACE as a primary ACE to control the vehicle and perform a predetermined vehicle action (see Figs. 1 and 3, device 110, especially arbitrator 330; [0002], [0011] and [0023 "In one embodiment, for example, the arbitrator 330 may assign bus priority based upon a ranking ... If, for example, multiple controllers 120 are coupled to the device which are designed to retrieve the identical data, the external interface 130 coupled to the controller designated as the primary controller (rather than a backup controller) may be assigned a higher priority."]), wherein the redundancy arbitration logic is separate and isolated from other control system application components (see Figs. 1 and 3, all; [0009]-[0011 "As discussed in further detail below, each external interface 130 of the device 110 may independently and simultaneously receive a data access request from one of the controllers 120. Likewise, the external interfaces 130 can simultaneously transmit data to the respective controllers 120."] and [0014]-[0015]), and wherein the redundancy arbitration logic comprises an arbitration interface between arbitration logic components on the first ACE and the second ACE (see Figs. 1 and 3, external interface 130; [0011 "Each external interface 130 is configured to connect to an interface 140 of a controller 120. As discussed in further detail below, each external interface 130 of the device 110 may independently and simultaneously receive a data access request from one of the controllers 120. Likewise, the external interfaces 130 can simultaneously transmit data to the respective controllers 120. In some instances the controllers 120 may request identical data (e.g., data stored within one particular register). Accordingly, by allowing both controllers 120 to simultaneously send data access requests and simultaneously receive data from the device 110, the controllers 120 can independently verify the data, adding a redundancy check, and respond to the data with minimal delay."]-[0013], [0015]-[0023] and [0025 "According to an embodiment, a data access request may be a read request or a write request. A read request essentially is a request from a controller 120 to read data (e.g., sensor measurement data) from a register 320, and a write request is a request from a controller 120 to write data (e.g., sensor trim data) to a register 320."]), a role interface between an arbitration logic component and local application components (see Fig. 3, interface bus 300; [0008], [0015 "In other words, the arbitrator 330 has control over the time at which an external interface 130 or other internal or external interface has access to the interface bus 300 to perform a function, such as a read request to a data register 320, a write request to a data register 320, or any other bus command. For example, other internal or test interfaces 340 or an error detection system 350 such as a cyclic redundancy checker (CRC) may also be coupled to the arbitrated interface bus 300 through the arbitrator 330. A CRC checker may, for example, periodically or occasionally perform CRC checks on trim data stored in registers 320 to ensure that the trim data is correct."], [0027] and [0030]), and an interface to a local application environment (see Fig. 3, internal/test interface 340; [0015]-[0016], [0019]-[0021 "The test interface 340 may be used to test the device 110 while the device 110 is operating. A tester, such as another controller 120 in the system or a separate tester (not illustrated), may couple to a test interface 340 of the device 110. The tester may request the same data as the other controllers 120 in a safety system to monitor the data coming from the device 110. As discussed in further detail below, the test interface 340 may be assigned a lower priority than the external interfaces 130. As such, the tester can monitor the data coming from the device 110 without adding any delay into the system."] and [0027]). Vaccaro teaches a role interface between an arbitration logic component and local application components, as discussed above. For the purpose of compact prosecution and for the possible argument that "Vaccaro is silent regarding a role interface between an arbitration logic component and local application components", Ueda teaches the claim limitation. That is, Ueda teaches a method (see Fig. 9, all; [0002]) comprising: a redundancy arbitration logic is separate and isolated from other control system application components (see Fig. 9, arbitrator ARB; [0115 "In addition, the arbitrator ARB is a module of the resource brokering subsystem 902. The arbitrator ARB receives a request to add or release resource nodes 103 from the life cycle manager LM and then allocates the resource nodes 103 to each service. Moreover, the arbitrator ARB performs accommodation on the basis of the priority levels of services and concentrates the computational power of the grid on the services having higher priority levels."]-[0117], [0126]-[0127] and [0133]-[0149]), and wherein the redundancy arbitration logic comprises a role interface between an arbitration logic component and local application components (see Fig. 9, resource role switcher RRS; [0117 "In addition, a resource role switcher RRS is a module of the resource brokering subsystem 902. The resource role switcher RRS executes switching of services (applications) executed by the resource nodes 103."]-[0118] and [0127]). It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the process of Barton-Sweeney to further include a step of assigning by a redundancy arbitration logic one of the first ACE and the second ACE as a primary ACE, wherein the redundancy arbitration logic is separate and isolated from other control system application components and comprises an arbitration interface between arbitration logic components on the first ACE and the second ACE and an interface to a local application environment, as taught by Samii and Vaccaro, in order to allow a safety system to introduce redundancy while minimizing latency in the system. It further would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the redundancy arbitration logic of the process of Barton-Sweeney to include a role interface between an arbitration logic component and local application components, as taught by Ueda, in order to switch the services executed by the local application components. Regarding Claim 11 Barton-Sweeney teaches a system of controlling an autonomous vehicle in response to an abnormal condition (see all Figs.; [0005], [0020] and [0026]-[0030]), comprising a main computing system (see Fig. 1, primary computing system 110; [0032]), a redundant actuator control engine (ACE) system comprising a first ACE and a second ACE (see Fig. 1, secondary computing system 210 and processors 220; [0032] and [0036], especially [0036 "Alternatively, the one or more processors may be a dedicated device such as an ASIC or other hardware-based processor. Although FIG. 1 functionally illustrates the processor, memory, and other elements of computing device 112 (and computing device 212) as being within the same block, the processor, computing device, or memory may actually include multiple processors, computing devices, or memories that may or may not be stored within the same physical housing"]), wherein the main computing system is configured to: generate a nominal motion plan and a fallback motion plan for each predetermined interval from a location of the vehicle based on data received by the main computing system about environment of the vehicle, wherein the fallback motion plan is generated to safely stop the vehicle (see Figs. 9-10, all; [0003], [0074]-[0075], [0078] and [0081]); and send the nominal motion plan and the fallback motion plan for the each predetermined interval to the first ACE and the second ACE of the redundant ACE system (see Fig. 1, secondary computing system 210 and processors 220 corresponds to the redundant actuator control engine (ACE) system; [0003], [0026], [0036], [0072]-[0074] and [0081], especially [0003 "The nominal trajectory and the fall back trajectory are identical between the location and a divergent point and where the nominal trajectory and the fall back trajectory diverge after the divergent point. The method also includes sending, by the primary computing system, the fall back trajectory to a secondary computing system; receiving, by the secondary computing system, the fall back trajectory..."], [0026 "For example, where the primary computing system may send trajectories to the secondary computing system at some predetermined interval, the nominal and fall back trajectories should correspond for at least this predetermined interval or even double this predetermined interval. By doing so, the secondary computing system may control the vehicle according to the nominal trajectory until at least some amount of time has passed where the secondary computing system would expect to receive an updated trajectory from the primary computing system."], [0074 "For example, where the computing system 110 may send trajectories to the computing system 210 approximately 10 times per second (or every 0.1 seconds), the nominal and fall back trajectories should correspond for at least this long or even double this amount of time. By doing so, the computing system 210 may control the vehicle according to the nominal trajectory and corresponding instructions until at least some amount of time has passed where the computing system 210 would expect to receive an updated trajectory from the computing system 110."]); and wherein the redundant ACE system is configured to: update an existing nominal motion plan and an existing fallback motion plan in the first ACE and the second ACE with the nominal motion plan and the fallback motion plan, respectively, for the each predetermined interval (see [0003], [0026], [0074] and [0081]); control the vehicle according to the nominal motion plan (see [0003], [0026], [0074] and [0081]); detect an abnormal condition of the vehicle (see [0020], [0027]-[0030], [0075] and [0078]-[0079]); and in response to the abnormal condition, control the vehicle to perform a predetermined vehicle action comprising navigating the vehicle to a safe stop based on an output actuator command generated by the primary ACE according to the fallback motion plan that is received before detection of the abnormal condition (see Figs. 9-10, fall back trajectory 910; [0003], [0075], [0078] and [0081]). Barton-Sweeney additionally teaches the redundant actuator control engine (ACE) system comprising a first actuator control engine (ACE) and a second actuator control engine (ACE), as discussed above, for example in [0036 "Alternatively, the one or more processors may be a dedicated device such as an ASIC or other hardware-based processor. Although FIG. 1 functionally illustrates the processor, memory, and other elements of computing device 112 (and computing device 212) as being within the same block, the processor, computing device, or memory may actually include multiple processors, computing devices, or memories that may or may not be stored within the same physical housing"]. Barton-Sweeney; however, is silent regarding a redundancy arbitration logic, and cause the redundancy arbitration logic to assign one of the first ACE and the second ACE as a primary ACE, wherein the redundancy arbitration logic is separate and isolated from other control system application components, wherein the redundancy arbitration logic comprises an arbitration interface between arbitration logic components on the first ACE and the second ACE, a role interface between an arbitration logic component and local application components, and an interface to a local application environment. Samii teaches a system of controlling an autonomous vehicle in response to an abnormal condition (see all Figs, especially Fig. 3; [0005]-[0007] and [0020]-[0021]), comprising a main computing system (see the first controller 12 in Figs. 1-5; [0023]), a redundant actuator control engine (ACE) system comprising a first ACE and a second ACE (see the second controller 14 and third controller 15 in Figs. 1-5; [0023]), and a redundancy arbitration logic (see [0030]-[0031], [0045] and [0055]-[0064]), wherein the main computing system is configured to: generate a nominal motion plan based on data received by the main computing system about environment of the vehicle (see [0007], [0023] and [0026]); and send the nominal motion plan to the first ACE and the second ACE of the redundant ACE system (see [0006]-[0007], [0023] and [0028]); and wherein the redundant ACE system is configured to: update an existing nominal motion plan in the first ACE and the second ACE with the nominal motion plan (see [0006]-[0007] and [0028]); control the vehicle according to the nominal motion plan (see Figs. 3-4, all; [0006]-[0008], [0023], [0026] and [0030]-[0031]); detect an abnormal condition of the vehicle (see Figs. 3-4, all; [0006]-[0008], [0026] and [0030]-[0031]); and in response to the abnormal condition, cause the redundancy arbitration logic to assign one of the first ACE and the second ACE as a primary ACE to control the vehicle to perform a predetermined vehicle action (see [0006]-[0007], [0030]-[0031], [0045 "In the decentralized approach, each controller implements logic to detect failure of any other controller in the system and reconfigure to primary or hot standby status if necessary. In the centralized approach, a master controller detects failures of all other controllers in the system, and determines which controller should reconfigure to primary status and which controller should reconfigure to hot standby status. When this determination is made, the master controller notifies the respective controller to reconfigure and change their operating status to primary and hot standby, respectively."] and [0055]-[0126]), wherein the redundancy arbitration logic is separate and isolated from other control system application components (see Figs. 7-8, all; [0023 "The first controller 12 is designated as the primary controller and includes a dual-core processor that utilizes a first core 16 and a second core 18 for executing primary controls. The second controller 14 is a backup controller includes a dual-core processor that utilizes a first core 19 and a second core 20 that executes redundant functions as the first controller 12. The third controller 15 is also a backup controller that includes a dual-core processor that utilizes a first core 21 and a second core 22 that executes redundant functions as the first controller 12 ... However, certain devices in the architecture may utilize different devices such as different power supplies so that if an error occurs with a controller as a result of a power supply, it does not affect the other controller."], [0045 "In the decentralized approach, each controller implements logic to detect failure of any other controller in the system and reconfigure to primary or hot standby status if necessary. In the centralized approach, a master controller detects failures of all other controllers in the system, and determines which controller should reconfigure to primary status and which controller should reconfigure to hot standby status. When this determination is made, the master controller notifies the respective controller to reconfigure and change their operating status to primary and hot standby, respectively."], [0055]-[0064] and [0121]-[0126]). Vaccaro teaches a system of controlling an autonomous vehicle in response to an abnormal condition (see all Figs., especially Fig. 1 and 3; [0009]), comprising a redundant actuator control engine (ACE) system comprising a first actuator control engine (ACE) and a second actuator control engine (ACE), and a redundancy arbitration logic (see Figs. 1 and 3, device 110, especially arbitrator 330, and controllers 120; [0002], [0011] and [0023 "In one embodiment, for example, the arbitrator 330 may assign bus priority based upon a ranking ... If, for example, multiple controllers 120 are coupled to the device which are designed to retrieve the identical data, the external interface 130 coupled to the controller designated as the primary controller (rather than a backup controller) may be assigned a higher priority."]), wherein the redundant ACE system is configured to: cause the redundancy arbitration logic to assign one of the first ACE and the second ACE as a primary ACE to control the vehicle to perform a predetermined vehicle action (see Figs. 1 and 3, device 110, especially arbitrator 330; [0002], [0011] and [0023 "In one embodiment, for example, the arbitrator 330 may assign bus priority based upon a ranking ... If, for example, multiple controllers 120 are coupled to the device which are designed to retrieve the identical data, the external interface 130 coupled to the controller designated as the primary controller (rather than a backup controller) may be assigned a higher priority."]), wherein the redundancy arbitration logic is separate and isolated from other control system application components (see Figs. 1 and 3, all; [0009]-[0011 "As discussed in further detail below, each external interface 130 of the device 110 may independently and simultaneously receive a data access request from one of the controllers 120. Likewise, the external interfaces 130 can simultaneously transmit data to the respective controllers 120."] and [0014]-[0015]), and wherein the redundancy arbitration logic comprises an arbitration interface between arbitration logic components on the first ACE and the second ACE (see Figs. 1 and 3, external interface 130; [0011 "Each external interface 130 is configured to connect to an interface 140 of a controller 120. As discussed in further detail below, each external interface 130 of the device 110 may independently and simultaneously receive a data access request from one of the controllers 120. Likewise, the external interfaces 130 can simultaneously transmit data to the respective controllers 120. In some instances the controllers 120 may request identical data (e.g., data stored within one particular register). Accordingly, by allowing both controllers 120 to simultaneously send data access requests and simultaneously receive data from the device 110, the controllers 120 can independently verify the data, adding a redundancy check, and respond to the data with minimal delay."]-[0013], [0015]-[0023] and [0025 "According to an embodiment, a data access request may be a read request or a write request. A read request essentially is a request from a controller 120 to read data (e.g., sensor measurement data) from a register 320, and a write request is a request from a controller 120 to write data (e.g., sensor trim data) to a register 320."]), a role interface between an arbitration logic component and local application components (see Fig. 3, interface bus 300; [0008], [0015 "In other words, the arbitrator 330 has control over the time at which an external interface 130 or other internal or external interface has access to the interface bus 300 to perform a function, such as a read request to a data register 320, a write request to a data register 320, or any other bus command. For example, other internal or test interfaces 340 or an error detection system 350 such as a cyclic redundancy checker (CRC) may also be coupled to the arbitrated interface bus 300 through the arbitrator 330. A CRC checker may, for example, periodically or occasionally perform CRC checks on trim data stored in registers 320 to ensure that the trim data is correct."], [0027] and [0030]), and an interface to a local application environment (see Fig. 3, internal/test interface 340; [0015]-[0016], [0019]-[0021 "The test interface 340 may be used to test the device 110 while the device 110 is operating. A tester, such as another controller 120 in the system or a separate tester (not illustrated), may couple to a test interface 340 of the device 110. The tester may request the same data as the other controllers 120 in a safety system to monitor the data coming from the device 110. As discussed in further detail below, the test interface 340 may be assigned a lower priority than the external interfaces 130. As such, the tester can monitor the data coming from the device 110 without adding any delay into the system."] and [0027]). Vaccaro teaches a role interface between an arbitration logic component and local application components, as discussed above. For the purpose of compact prosecution and for the possible argument that "Vaccaro is silent regarding a role interface between an arbitration logic component and local application components", Ueda teaches the claim limitation. That is, Ueda teaches a system (see Fig. 9, all; [0002]) comprising: a redundancy arbitration logic, wherein the redundancy arbitration logic is separate and isolated from other control system application components (see Fig. 9, arbitrator ARB; [0115 "In addition, the arbitrator ARB is a module of the resource brokering subsystem 902. The arbitrator ARB receives a request to add or release resource nodes 103 from the life cycle manager LM and then allocates the resource nodes 103 to each service. Moreover, the arbitrator ARB performs accommodation on the basis of the priority levels of services and concentrates the computational power of the grid on the services having higher priority levels."]-[0117], [0126]-[0127] and [0133]-[0149]), and wherein the redundancy arbitration logic comprises a role interface between an arbitration logic component and local application components (see Fig. 9, resource role switcher RRS; [0117 "In addition, a resource role switcher RRS is a module of the resource brokering subsystem 902. The resource role switcher RRS executes switching of services (applications) executed by the resource nodes 103."]-[0118] and [0127]). It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the system of Barton-Sweeney to further include a redundancy arbitration logic that is separate and isolated from other control system application components and includes an arbitration interface between arbitration logic components on the first ACE and the second ACE and an interface to a local application environment and in response to the abnormal condition, cause the redundancy arbitration logic to assign one of the first ACE and the second ACE as a primary ACE, as taught by Samii and Vaccaro, in order to allow a safety system to introduce redundancy while minimizing latency in the system. It further would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to modify the redundancy arbitration logic of the system of Barton-Sweeney to include a role interface between an arbitration logic component and local application components, as taught by Ueda, in order to switch the services executed by the local application components. Regarding Claims 3 and 13 Modified Barton-Sweeney teaches the method of claim 1 and the system of claim 11 (as discussed above in claims 1 and 11), Barton-Sweeney is silent regarding wherein the redundancy arbitration logic determines roles of the other control system application components. Samii teaches wherein the redundancy arbitration logic determines roles of the other control system application components (see Figs. 7-8, all; [0045] and [0055]-[0064]). Vaccaro additionally teaches wherein the redundancy arbitration logic determines roles of the other control system application components (see [0015 "The arbitrator 330 controls which external interface 130 or other bus communicator has control of the arbitrated interface bus 300. In other words, the arbitrator 330 has control over the time at which an external interface 130 or other internal or external interface has access to the interface bus 300 to perform a function, such as a read request to a data register 320, a write request to a data register 320, or any other bus command. For example, other internal or test interfaces 340 or an error detection system 350 such as a cyclic redundancy checker (CRC) may also be coupled to the arbitrated interface bus 300 through the arbitrator 330."]-[0023]). It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to further modify the redundancy arbitration logic of the process/system of modified Barton-Sweeney to determine roles of the other control system application components, as taught by Samii, in order to have a centralized approach for detecting failures of other ACEs by a master ACE to assign them with a primary or standby status. Regarding Claims 4 and 14 Modified Barton-Sweeney teaches the method of claim 3 and the system of claim 13 (as discussed above in claims 3 and 13), Barton-Sweeney is silent regarding wherein the redundancy arbitration logic receives health scores from the other control system application components. Samii teaches wherein the redundancy arbitration logic receives health scores from the other control system application components (see [0008] and [0055]-[0064]). It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to further modify the redundancy arbitration logic of the process/system of modified Barton-Sweeney to receive health scores from the other control system application components, as taught by Samii, in order to assign backup ACEs with a priority ranking, with the healthy ACEs having a relatively higher priority ranking. Regarding Claims 5 and 15 Modified Barton-Sweeney teaches the method of claim 3 and the system of claim 13 (as discussed above in claims 3 and 13), Barton-Sweeney is silent regarding wherein the redundancy arbitration logic receives health scores from the first ACE and the second ACE. Samii teaches wherein the redundancy arbitration logic receives health scores from the first ACE and the second ACE (see [0008] and [0055]-[0064]). It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to further modify the redundancy arbitration logic of the process/system of modified Barton-Sweeney to receive health scores from the first ACE and the second ACE, as taught by Samii, in order to assign backup ACEs with a priority ranking, with the healthy ACEs having a relatively higher priority ranking. Regarding Claims 10 and 20 Modified Barton-Sweeney teaches the method of claim 1 and the system of claim 11 (as discussed above in claims 1 and 11), Barton-Sweeney further teaches wherein the redundant ACE system is configured to control the vehicle upon detection of the abnormal condition without further communicating with the main computing system (see [0003], [0075], [0078] and [0081]). Claims 6-9 and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Barton-Sweeney (as modified by Samii, Vaccaro and Ueda) as applied to claims 4-5 and 14-15 above, and further in view of Ruan et al. (US 20200406910 A1 and Ruan hereinafter). Regarding Claims 6 and 16 Modified Barton-Sweeney teaches the method of claim 4 and the system of claim 14 (as discussed above in claims 4 and 14), Barton-Sweeney is silent regarding wherein: a health score of 0-1 represents that an application component is malfunctioning or has failed; a health score of 2-7 represents that the application component is functioning but is not ready for use; a health score of 8-14 represents that the application component is functioning and producing output, but the output quality is degraded from nominal; and/or a health score of 15 represents that the application component is functioning normally. Ruan teaches a method of controlling an autonomous vehicle in response to an abnormal condition (see [0005] and [0015]), comprising: detecting, by a redundant ACE system, an abnormal condition of the vehicle (see [0005], [0015], [0042], [0056]); and wherein a redundancy arbitration logic receives health scores from the other control system application components (see [0006] and [0056]-[0058]), wherein: a health score of 0-1 represents that an application component is malfunctioning or has failed (see [0056]). It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to further modify the process/system of modified Barton-Sweeney to include a health score of 0-1 representing that an application component is malfunctioning or has failed, as taught by Ruan, in order to quantify the severity of the malfunctioning application component. Regarding Claims 7 and 17 Modified Barton-Sweeney teaches the method of claim 5 and the system of claim 15 (as discussed above in claims 5 and 15), Barton-Sweeney is silent regarding wherein: a health score of 0-1 represents that the first ACE or the second ACE is malfunctioning or has failed; a health score of 2-7 represents that the first ACE or the second ACE is functioning but is not ready for use; a health score of 8-14 represents that the first ACE or the second ACE is functioning and producing output, but the output quality is degraded from nominal; and/or a health score of 15 represents that the first ACE or the second ACE is functioning normally. Ruan teaches wherein the redundancy arbitration logic receives health scores from a first ACE and the second ACE (see [0006] and [0056]-[0058]), wherein: a health score of 0-1 represents that the first ACE or the second ACE is malfunctioning or has failed (see [0056]). It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to further modify the process/system of modified Barton-Sweeney to include a health score of 0-1 representing that an application component is malfunctioning or has failed, as taught by Ruan, in order to quantify the severity of the malfunctioning application component. Regarding Claims 8 and 18 Modified Barton-Sweeney teaches the method of claim 7 and the system of claim 17 (as discussed above in claims 7 and 17), Barton-Sweeney is silent regarding wherein the redundancy arbitration logic assigns one of the first ACE and the second ACE that has a higher health score is assigned as the primary ACE. Samii teaches wherein the redundancy arbitration logic assigns one of the first ACE and the second ACE that has a higher health score is assigned as the primary ACE (see "priority number" and/or "priority failure counter" in [0055]-[0064], for example, a priority number equal to 1 could correspond to a higher health score than a priority number equal to 2). It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to further modify the redundancy arbitration logic of the process/system of modified Barton-Sweeney to assign one of the first ACE and the second ACE that has a higher health score as the primary ACE, as taught by Samii, in order to assign the healthy ACEs as priority backup ACEs. Regarding Claims 9 and 19 Modified Barton-Sweeney teaches the method of claim 7 and the system of claim 17 (as discussed above in claims 7 and 17), Barton-Sweeney is silent regarding wherein the redundancy arbitration logic assigns one of the first ACE and the second ACE that has a lower health score is assigned as a backup ACE. Samii teaches wherein the redundancy arbitration logic assigns one of the first ACE and the second ACE that has a lower health score is assigned as a backup ACE (see "priority number" and/or "priority failure counter" in [0055]-[0064], for example, a priority number equal to 2 could correspond to a lower health score than a priority number equal to 1). It would have been obvious to a person having ordinary skill in the art before the effective filing date of the invention to further modify the redundancy arbitration logic of the process/system of modified Barton-Sweeney to assign one of the first ACE and the second ACE that has a lower health score as a backup ACE, as taught by Samii, in order to assign the healthy ACEs as priority backup ACEs. Conclusion The prior art made of record and not relied upon is considered pertinent to applicant's disclosure: Heutger et al. (US 20150018980 A1 and Heutger hereinafter). Heutger teaches at least a method of controlling an autonomous vehicle in response to an abnormal condition, comprising: assigning by a redundancy arbitration logic one of the first ACE and the second ACE as a primary ACE, wherein the redundancy arbitration logic is separate and isolated from other control system application components, and wherein the redundancy arbitration logic comprises an arbitration interface between arbitration logic components on the first ACE and the second ACE and an interface to a local application environment (see at least Fig. 1; [0031]-[0034], [0043 “In response to at least one of the read items of status information the arbitration logic 32 detects that the control device 40 is currently the main control device, whereas the control device 45 is currently the auxiliary control device is. On the basis of this knowledge the arbitration logic 32 of the OPC server 30 now only reads the status information of the auxiliary control device 45 cyclically and stores the status information for example in the memory 70.”] and [0048]). Any inquiry concerning this communication or earlier communications from the examiner should be directed to TANNER LUKE CULLEN whose telephone number is (303)297-4384. The examiner can normally be reached Monday-Friday 7:30-4:30 MT. Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Khoi Tran can be reached on (571)272-6919. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300. Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. /TANNER L CULLEN/Examiner, Art Unit 3656 /KHOI H TRAN/Supervisory Patent Examiner, Art Unit 3656
Read full office action

Prosecution Timeline

Jul 31, 2023
Application Filed
Jul 01, 2025
Non-Final Rejection — §103, §DP
Oct 02, 2025
Response Filed
Oct 29, 2025
Final Rejection — §103, §DP
Nov 11, 2025
Interview Requested
Nov 19, 2025
Applicant Interview (Telephonic)
Nov 19, 2025
Examiner Interview Summary
Dec 17, 2025
Response after Non-Final Action
Feb 02, 2026
Request for Continued Examination
Feb 25, 2026
Response after Non-Final Action
Mar 09, 2026
Non-Final Rejection — §103, §DP (current)

Precedent Cases

Applications granted by this same examiner with similar technology

17/875,700
Patent 12594966
REFERENCE TRAJECTORY VALIDATING AND COLLISION CHECKING MANAGEMENT
2y 5m to grant Granted Apr 07, 2026
18/080,797
Patent 12570002
TELEOPERATION ASSIST DEVICE, TELEOPERATION ASSIST METHOD, AND STORAGE MEDIUM
2y 5m to grant Granted Mar 10, 2026
18/601,659
Patent 12568883
METHOD AND SYSTEM FOR COMPUTER-ASSISTED HARVESTING
2y 5m to grant Granted Mar 10, 2026
17/994,718
Patent 12564969
EVENT-DRIVEN SELF-PROGRAMMABLE ROBOTS IN SMART HOMES AND SMART COMMUNITIES
2y 5m to grant Granted Mar 03, 2026
18/099,066
Patent 12539607
ROBOT PROGRAMMING
2y 5m to grant Granted Feb 03, 2026
Study what changed to get past this examiner. Based on 5 most recent grants.

AI Strategy Recommendation

Get an AI-powered prosecution strategy using examiner precedents, rejection analysis, and claim mapping.
Powered by AI — typically takes 5-10 seconds

Prosecution Projections

3-4
Expected OA Rounds
71%
Grant Probability
87%
With Interview (+16.6%)
3y 0m
Median Time to Grant
High
PTA Risk
Based on 161 resolved cases by this examiner. Grant probability derived from career allow rate.

Ready to respond to this office action?

IP Author drafts your complete OA response — amendments, arguments, and claim strategy — in minutes, not days.

Start Drafting Your Response →

Data sourced from USPTO Patent File Wrapper (daily) and Office Action Archive (weekly). Analysis generated by IP Author.

Data: USPTO Patent File Wrapper (daily) • Office Action Archive (weekly) • 89M+ prosecution events

© 2026 IP Author — Browse Office ActionsExaminersCompaniesFirms

Sign in with your work email

Enter your email to receive a magic link. No password needed.

Personal email addresses (Gmail, Yahoo, etc.) are not accepted.

Free tier: 3 strategy analyses per month