Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
DETAILED ACTION
Amendments to the claims have been recorded.
Response to Arguments
Applicant’s arguments have been fully considered but they are not persuasive.
Applicant’s Arguments
Applicant argues are fully addressed with the new rejections made to the newly provided amendments and with the withdrawal of the 101 rejections.
Nonstatutory Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory obviousness-type double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the conflicting application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement.
Effective January 1, 1994, a registered attorney or agent of record may sign a terminal disclaimer. A terminal disclaimer signed by the assignee must fully comply with 37 CFR 3.73(b).
The claim of this instant application are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claim of co-pending Application. Although the conflicting claims are not identical, they are not patentably distinct from each other.
This is a provisional obviousness-type double patenting rejection because the conflicting claims have not in fact been patented.
Double Patenting Rejections will not be revisited and be held in abeyance until allowable subject matter is to be found.
Instant Application
US20250298381
Claims:
1. A system comprising: one or more subsystems of a vehicle, each of the one or more subsystems configured to perform an operation of the vehicle; and a central control unit of the vehicle, the central control unit comprising: a first processor configured to execute applications associated with the vehicle; and a second processor configured to maintain an operating state of the vehicle within a safe operating envelope of the vehicle, wherein the second processor receives requests from the applications executed by the first processor to perform operations and outputs commands to actuate the one or more subsystems of the vehicle to perform the operations based on the requests satisfying safety rules for the vehicle.
2. The system of claim 1, wherein the second processor prevents requests for operations that fail to satisfy the safety rules from being communicated to the one or more subsystems of the vehicle.
3. The system of claim 1, wherein the second processor provides an application programming interface for the applications which prevents access by the applications to the one or more subsystems unless the requests satisfy the safety rules.
4. The system of claim 1, wherein the first processor is partitioned from the second processor such that the second processor maintains safe operation of the vehicle when execution of the applications by the first processor causes a malfunction with the first processor.
5. The system of claim 1, wherein the central control unit further comprises a third processor configured to operate redundantly with the second processor to maintain the operating state of the vehicle within the safe operating envelope of the vehicle.
6. The system of claim 5, wherein: the third processor is configured to maintain the operating state of the vehicle within the safe operating envelope of the vehicle when a malfunction occurs with the second processor; and the second processor is configured to maintain the operating state of the vehicle within the safe operating envelope of the vehicle when a malfunction occurs with the third processor.
7. The system of claim 1, wherein satisfying the safety rules comprises satisfying Automotive Safety Integrity Level D (ASIL-D) operation of the vehicle.
8. An electronic control unit for controlling operation of a vehicle, the electronic control unit comprising: a first processor configured to execute applications associated with the vehicle; and a second processor communicably coupled to the first processor, the second processor configured to: actuate subsystems of the vehicle to operate the vehicle based on a safety standard; receive requests for the subsystems to perform operations from the first processor, the requests received in connection with executing the applications; and filter the requests by permitting the requests that satisfy the safety standard and actuating the subsystems to perform the operations of the permitted requests.
9. The electronic control unit of claim 8, wherein the second processor is further configured to filter the requests by denying the requests that fail to satisfy the safety standard.
10. The electronic control unit of claim 9, wherein the second processor does not actuate the subsystems to perform the operations of the denied requests.
11. The electronic control unit of claim 8, wherein the first processor is physically partitioned from the subsystems of the vehicle and the requests for the subsystems to perform the operations from the first processor are routed to the second processor via a communicative coupling.
12. The electronic control unit of claim 8, wherein the second processor is configured to actuate the subsystems of the vehicle to control motion of the vehicle based on the safety standard.
13. The electronic control unit of claim 8, further comprising a third processor communicably coupled to the first processor, the third processor configured, redundantly with the second processor, to: actuate the subsystems of the vehicle to operate the vehicle based on the safety standard; receive the requests for the subsystems to perform the operations from the first processor; and filter the requests by permitting the requests that satisfy the safety standard and actuating the subsystems to perform the operations of the permitted requests.
14. The electronic control unit of claim 13, wherein the first processor is physically partitioned from the subsystems of the vehicle and the requests for the subsystems to perform the operations from the first processor are routed to only the second processor and the third processor via communicative couplings.
15. The electronic control unit of claim 8, wherein the safety standard is Automotive Safety Integrity Level D (ASIL-D).
16. The electronic control unit of claim 8, wherein the first processor is partitioned from the second processor such that the applications are limited to being executed by the first processor.
17. The electronic control unit of claim 8, wherein the second processor includes one or more I/O ports for at least one of communicative couplings with the subsystems of the vehicle, control signals with the subsystems of the vehicle, or I/O signals with the subsystems of the vehicle.
18. The electronic control unit of claim 8, wherein the first processor includes a memory, the second processor includes a memory, the memory of the first processor is isolated from the memory of the second processor, and the first processor is further configured to execute the applications using only the memory of the first processor.
19. The electronic control unit of claim 18, wherein the applications are prevented from using at least one of the memory of the second processor or peripheral signal I/O of the second processor.
20. A method implemented by an electronic control unit for controlling operation of a vehicle, the method comprising: actuating, by a first processor of an electronic control unit, subsystems of a vehicle to operate the vehicle based on a safety standard; receiving, by the first processor, requests for the subsystems to perform operations, the requests received from a second processor of the electronic control unit in connection with the second processor executing applications associated with the vehicle; and filtering, by the first processor, the requests by permitting the requests that satisfy the safety standard and actuating the subsystems to perform the operations of the permitted requests.
1. A system comprising: one or more subsystems of a vehicle, each of the one or more subsystems configured to perform an operation of the vehicle; a first processor configured to execute applications associated with the vehicle; a safety and control interface configured to: receive a request for a service from an application executed by the first processor; determine whether the application has an application permission to access the service; and determine whether executing the service would maintain a safety goal established for the vehicle; and a second processor configured to execute the service requested by the application based on the safety and control interface determining that the application has the application permission to access the service and that executing the service responsive to the request would maintain the safety goal established for the vehicle.
2. The system of claim 1, wherein the second processor, in being configured to execute the service, is configured to cause actuation of at least one of the one or more subsystems of the vehicle.
5. The system of claim 1, wherein the safety and control interface is further configured to receive the safety goal as part of a commissioning process.
6. The system of claim 5, wherein the safety goal is defined by a manufacturer of the vehicle during the commissioning process.
7. The system of claim 1, wherein the application permission is implemented to satisfy, at least in part, a safety rule applied to the vehicle.
8. The system of claim 7, wherein the safety rule is implemented to satisfy Automotive Safety Integrity Level D (ASIL-D) operation of the vehicle.
9. The system of claim 1, wherein the safety and control interface is configured to intercept the request sent from a connection between the first processor and the second processor.
10. The system of claim 1, wherein the safety and control interface is configured as part of a connection between the first processor and the second processor.
11. The system of claim 1, wherein the safety and control interface includes one or more application programming interfaces and exposes the one or more application programming interfaces to the application.
12. An electronic control unit for controlling operation of a vehicle, the electronic control unit comprising: a first processor configured to execute applications associated with the vehicle; a safety and control interface configured to: receive a request for a service from an application executed by the first processor; and perform a safety check to determine whether the application is allowed to utilize the service; and a second processor configured to execute the service or deny the service based on the safety check.
13. The electronic control unit of claim 12, wherein, in being configured to perform the safety check, the safety and control interface is configured to determine whether the application has an application permission required to access the service.
14. The electronic control unit of claim 13, wherein, in being configured to perform the safety check, the safety and control interface is configured to, responsive to determining that the application does not have the application permission required to access the service, discard the request and instruct the second processor to deny the service.
15. The electronic control unit of claim 13, wherein, in being configured to perform the safety check, the safety and control interface is configured to, responsive to determining that the application does have the application permission required to access the service, determine whether the service is associated with one or more safety goals.
16. The electronic control unit of claim 15, wherein, in being configured to perform the safety check, the safety and control interface is configured to, responsive to determining that the service is not associated with the one or more safety goals, instruct the second processor to execute the service.
17. The electronic control unit of claim 15, wherein, in being configured to perform the safety check, the safety and control interface is configured to, responsive to determining that the service is associated with the one or more safety goals, instruct the second processor to determine whether the one or more safety goals would be maintained if the service is executed.
18. The electronic control unit of claim 17, wherein, in being configured to perform the safety check, the safety and control interface is configured to, responsive to determining that the one or more safety goals would be maintained if the service is executed, instruct the second processor to execute the service.
19. The electronic control unit of claim 17, wherein, in being configured to perform the safety check, the safety and control interface is configured to, responsive to determining that the one or more safety goals would not be maintained if the service is executed, discard the request and instruct the second processor not to execute the service.
20. A method comprising: receiving, by a safety and control interface of an electronic control unit of a vehicle, a request for a service from an application; determining, by the safety and control interface, whether the application has a permission to access the service; responsive to determining that the application has the permission to access the service, determining, by the safety and control interface, whether the service is associated with a safety goal; responsive to determining that the service is associated with the safety goal, determining, by the safety and control interface, whether the safety goal would be maintained if the service is executed; and responsive to determining that the safety goal would be maintained if the service is executed, instructing, by the safety and control interface, a processor of the electronic control unit, to execute the service, at least in part, by actuating one or more subsystems of the vehicle.
A patentee or applicant may disclaim or dedicated to the public the entire term, or any terminal part of the term of a patent. 35 U.S.C. 253. The statue does not provide for a terminal disclaimer of only a specified claim or claims. The terminal disclaimer must operate with respect to all claims in the patent. MPEP 804.02.
Also, WO 2025/193998 Claims 1-15.
Claim Interpretation
The following is a quotation of 35 U.S.C. 112(f):
(f) Element in Claim for a Combination. – An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
The following is a quotation of pre-AIA 35 U.S.C. 112, sixth paragraph:
An element in a claim for a combination may be expressed as a means or step for performing a specified function without the recital of structure, material, or acts in support thereof, and such claim shall be construed to cover the corresponding structure, material, or acts described in the specification and equivalents thereof.
This application includes one or more claim limitations that use the word “means” or “step” but are nonetheless not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph because the claim limitation(s) recite(s) sufficient structure, materials, or acts to entirely perform the recited function. Such claim limitation(s) is/are: “electronic control unit for controlling operation of a vehicle” in claims 8 and 20.
Because this/these claim limitation(s) is/are not being interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, it/they is/are not being interpreted to cover only the corresponding structure, material, or acts described in the specification as performing the claimed function, and equivalents thereof.
If applicant intends to have this/these limitation(s) interpreted under 35 U.S.C. 112(f) or pre-AIA 35 U.S.C. 112, sixth paragraph, applicant may: (1) amend the claim limitation(s) to remove the structure, materials, or acts that performs the claimed function; or (2) present a sufficient showing that the claim limitation(s) does/do not recite sufficient structure, materials, or acts to perform the claimed function.
The limitation of “electronic control unit for controlling operation of a vehicle” has been interpreted as “a device” and as such does not invoke 112(f).
Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale or otherwise available to the public before the effective filing date of the claimed invention.
Claims 1-20 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Yousuf US 20220080992.
1. A system comprising:
one or more subsystems of a vehicle, each of the one or more subsystems configured to perform an operation of the vehicle; Fig.1 GPS, navigation
a central control unit of the vehicle, the central control unit comprising: Fig.1 controller
a first processor configured to execute applications associated with the vehicle Fig.7A GPU A
and
that outputs request to perform operations using the one or more subsystems; Fig.6 request from GPU is outputted to subsystems 64 from 206.
a second processor configured to maintain an operating state of the vehicle within a safe operating envelope of the vehicle, wherein the second processor receives the requests from the applications executed by the first processor to perform the operations and Fig.7A GPU B; e.g. parking (safe operating envelope, collation avoidance and maneuver into a spot) Also para 118; processing subsystems 302 include two parallel-processing cores 306
outputs commands to the one or more subsystems of the vehicle to perform the operations based on the requests satisfying safety rules for the vehicle, Fig.7A GPU B output to 206
and
the second processor Fig.6 202 is communicatively disposed between the first processor 206 and the one or more subsystems 84, 64, 86…
such that the requests are prevented from being transmitted to the one or more subsystems without passing through the second processor;33; When one of the processors detects that another processor has failed, the detecting processor sends out a message indicating the failure which allows the overall system to adapt to the failure, 199; An alert is sent to the driver; if the system does not have confidence to continue autonomous operation, it may execute a chauffeur to safe stop or request the driver to take over [automatous control is prevented]. Also to replace the corresponding functions lost when processor 202 failed. [if replaced requests are prevented from being transmitted without passing through the second processor]
It is also noted that 202 can be the first processor and 206 be the second processor in Fig.6 As such para 201 Also applies; to compensate for the failure of processor 206 and direct the outputs of this blocks to the external interfaces instead of providing them for/through now-failed processor 206. The driver receives a warning and as above, if the system does not have confidence to continue autonomous operation,
and
a vehicle subsystem actuator of a subsystem of the one or more subsystems configured to actuate responsive to receiving at least one of the commands to cause the subsystem to perform at least one of the operations. Fig. 6 #80 Brake actuators
2. The system of claim 1, wherein the second processor prevents requests for operations that fail to satisfy the safety rules from being communicated to the one or more subsystems of the vehicle. Para 176; If the driver does not take control within the specified time, the system should conclude the trip safely and as quickly as possible.
3. The system of claim 1, wherein the second processor provides an application programming interface for the applications which prevents access by the applications to the one or more subsystems unless the requests satisfy the safety rules. Para 176; If the driver does not take control within the specified time, the system should conclude the trip safely and as quickly as possible.
4. The system of claim 1, wherein the first processor is partitioned from the second processor such that the second processor maintains safe operation of the vehicle when execution of the applications by the first processor causes a malfunction with the first processor. para 118; processing subsystems 302 include two parallel-processing cores 306. Also 182; The FIG. 10 fault analysis shows that the system is redundant and each major element of the system is individually and physically separated from other elements.
5. The system of claim 1, wherein the central control unit further comprises a third processor configured to operate redundantly with the second processor to maintain the operating state of the vehicle within the safe operating envelope of the vehicle. Also 182; The FIG. 10 fault analysis shows that the system is redundant and each major element of the system is individually and physically separated from other elements. Also, para 108; a lower safety standard (ASIL-B/D) whereas the processes performed by the third processor 206 provide compliance with a higher safety standard (ASIL-D).
6. The system of claim 5, wherein: the third processor is configured to maintain the operating state of the vehicle within the safe operating envelope of the vehicle when a malfunction occurs with the second processor; and para 108; a lower safety standard (ASIL-B/D) whereas the processes performed by the third processor 206 provide compliance with a higher safety standard (ASIL-D).
the second processor is configured to maintain the operating state of the vehicle within the safe operating envelope of the vehicle when a malfunction occurs with the third processor. Also 182; The FIG. 10 fault analysis shows that the system is redundant and each major element of the system is individually and physically separated from other elements.
7. The system of claim 1, wherein satisfying the safety rules comprises satisfying Automotive Safety Integrity Level D (ASIL-D) operation of the vehicle. para 108; a lower safety standard (ASIL-B/D)
8. and 20 are rejected using the same rejections as made to claim 1.
9. are rejected using the same rejections as made to claim 2.
10. are rejected using the same rejections as made to claim 3.
11. are rejected using the same rejections as made to claim 4.
13. are rejected using the same rejections as made to claim 5.
14. are rejected using the same rejections as made to claim 6.
15. are rejected using the same rejections as made to claim 7.
12. The electronic control unit of claim 8, wherein the second processor is configured to actuate the subsystems of the vehicle to control motion of the vehicle based on the safety standard. Fig. 7B GPU B parking.
16. The electronic control unit of claim 8, wherein the first processor is partitioned from the second processor such that the applications are limited to being executed by the first processor. Fig. 7A GPU partitioned from GPU B, process ASIL is limited in 202 and not in ASIL 204.
17. The electronic control unit of claim 8, wherein the second processor includes one or more I/O ports for at least one of communicative couplings with the subsystems of the vehicle, control signals with the subsystems of the vehicle,
or
I/O signals with the subsystems of the vehicle. Fig. 7A I/O port from 210 to 204
18. The electronic control unit of claim 8, wherein the first processor includes a memory, Fig. 7A 312(A) the second processor includes a memory Fig. 7A 312(B), the memory of the first processor is isolated from the memory of the second processor, 202 vs 204 and the first processor is further configured to execute the applications using only the memory of the first processor. ASIL in 202
19. The electronic control unit of claim 18, wherein the applications are prevented from using at least one of the memory of the second processor or peripheral signal I/O of the second processor. Fig. 7A applications from 202 are prevented from using memory of 204
Conclusion
THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any nonprovisional extension fee (37 CFR 1.17(a)) pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SIHAR A KARWAN whose telephone number is (571)272-2747. The examiner can normally be reached on M-F 11am.-7pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ramon Mercado can be reached on 571-270-5744. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
/SIHAR A KARWAN/Examiner, Art Unit 3664