Post-Actuation Verification Through Discrepancy Classification

Mechanism

The verification stage is invoked at the conclusion of every actuator commit, including commits in full, partial, stage-gated, and emergency-overridden modes. Two inputs are gathered. The first is the sensed effect, drawn from the available readback channels: encoder or position feedback at the actuator itself, downstream sensor response from systems that observe the actuator's environment, and indirect telemetry from cooperating units that observed the action's downstream consequences. The second is the expected effect, drawn from the planning and control trajectory that produced the command, expressed as a time-indexed envelope rather than a single scalar so that the comparison can accommodate normal physical settling times.

The comparison produces a residual: the difference between sensed and expected, evaluated point-by-point across the readback window. The residual is passed to the discrepancy classifier, which assigns it to one of five structural categories. Nominal means the residual stays within the expected envelope across the entire window. Expected-noise means the residual exceeds the envelope but stays within the sensor and environmental noise floors documented for the readback channels. Anomaly means the residual exceeds noise but matches no known fault or adversarial pattern. Fault means the residual matches a signature in the fault library — a stuck actuator, a saturated control loop, a degraded sensor, a calibration drift. Adversarial-interference means the residual matches a signature in the disruption-modeling library — a spoofed sensor, a jammed channel, an injected command, a coordinated displacement of multiple readbacks.

The classifier is not a single black-box estimator; it is a structured pipeline. The first stage is a noise-floor test that admits expected-noise classifications quickly and cheaply. The second stage is a fault-signature match against the fault library, which is maintained as a versioned, lineage-recorded artifact rather than as opaque model weights. The third stage is an adversarial-signature match against the disruption-modeling library, with the same versioning and lineage requirements. The fourth stage is the residual category — anomaly — which is reserved for residuals that pass through the prior stages without matching a known pattern. The structure ensures that every classification is explainable, auditable, and tied to a specific library version.

Each classification is itself a credentialed observation. The verifying agent signs the classification with the credentials that authorized it to operate the actuator, attaches the sensed and expected values that supported the classification, and records the entry in the actuation lineage. The classification then propagates through the structural mesh, where neighboring units, infrastructure agents, and regulatory observers consume it as a first-class observation rather than as a log entry to be reconstructed later. A remediation policy keyed to the classification selects the next response: nominal and expected-noise classifications produce no action; anomaly classifications reduce the unit's contribution weight in subsequent admissibility computations; fault classifications trigger the mode-specific fault-handling subsystem; adversarial-interference classifications broadcast a structural alert across the mesh and may revoke the unit's actuation credential pending review.

The credentialed-observation framing is what allows the classification to cross trust boundaries without losing its meaning. A regulator that reads a verification entry recorded by a vehicle's on-board agent does not need to trust the vehicle's internal logging convention; it verifies the credential, confirms that the credential was authorized to operate the actuator at the time of the commit, and inspects the supporting sensed and expected values directly. A peer vehicle that consumes an adversarial-interference broadcast through the mesh does not need to interpret an opaque alert code; it inspects the classification, the residual signature that matched the adversarial library, and the library version that was active at the time, and decides whether to act on the broadcast based on its own policy. The verification entry is self-contained evidence rather than a pointer to evidence held elsewhere, which is what makes it usable for cross-system coordination and after-the-fact incident reconstruction at scale.

The five classification categories are deliberately ordered by remediation severity rather than by detection difficulty, so that the policy layer can be expressed as a monotone mapping from category to response. Nominal and expected-noise classifications converge on no-action because the system is operating within its modeled tolerances. Anomaly classifications produce a soft response — confidence reweighting — because the residual is unexplained but not yet attributable to a known failure mode; reweighting is reversible once subsequent classifications return to nominal. Fault classifications produce a structured response — invocation of the mode-specific fault handler — because the residual matches a known mechanical or computational failure and the appropriate recovery is part of the system's designed behavior. Adversarial-interference classifications produce the strongest response — credential review and mesh-wide alerting — because the residual matches a pattern of deliberate disruption and the appropriate response includes both protecting the affected unit and warning peers that may be similarly targeted.

Operating Parameters

The readback window length determines how much post-commit time is observed before the verification stage produces a classification. A short window produces a fast classification but may miss settling-related residuals; a long window captures settling fully but delays the next admissibility cycle. The window is configured per actuator class and reflects the physical time constants of the system — short for direct-drive electrical actuators, longer for hydraulic or thermal actuators where the effect emerges over seconds.

The expected-effect envelope width is parameterized by the planning model's confidence at the time the command was issued. A high-confidence plan produces a narrow envelope, so even small residuals raise their classification level; a low-confidence plan produces a wider envelope and tolerates larger residuals before escalating. The noise-floor configuration is per readback channel and is calibrated against the sensor's documented characteristics, the environmental conditions at the time of the commit, and any known degradation history recorded in the channel's lineage.

The fault and adversarial libraries are versioned and carry per-signature confidence thresholds. A high threshold reduces false positives at the cost of missing weakly matching signatures; a low threshold increases sensitivity at the cost of misclassification. The remediation policy is keyed to the classification and to the operational context: a unit operating in safety-critical mode escalates more aggressively on anomaly classifications than the same unit operating in maintenance mode. The cooling interval prevents repeated remediation actions from compounding when a unit produces a sequence of similar classifications during a single transient event.

Alternative Embodiments

In the on-board embodiment, the verification stage runs entirely on the actuating unit, producing classifications without external coordination. This embodiment is suitable for vehicles and robots that must verify their own actuations even when disconnected from the mesh. In the cooperative embodiment, the verification stage incorporates readback contributions from neighboring units, allowing a vehicle to verify the effect of its lane change against observations from following vehicles. The cooperative embodiment improves classification accuracy in ambiguous cases but requires the mesh to be available at verification time.

In the centralized-library embodiment, the fault and adversarial signature libraries are held by a coordinating authority and are queried by units at verification time. This embodiment simplifies library maintenance but introduces a dependency on the authority's availability. In the distributed-library embodiment, each unit caches a recent version of the libraries and synchronizes asynchronously with peers; this embodiment tolerates connectivity loss at the cost of running occasionally on stale signatures.

In the synchronous-remediation embodiment, the remediation policy is applied before the next admissibility cycle proceeds, so that the unit cannot issue a new command until the verification of the previous command has completed. In the asynchronous-remediation embodiment, the next admissibility cycle proceeds in parallel with verification and the remediation, when triggered, applies to subsequent admissibility decisions. The synchronous form is preferred in safety-critical applications where the next command depends on the success of the previous one; the asynchronous form is preferred in throughput-critical applications where the unit must continue operating while verification completes.

Composition With Mode Selection And Confidence Governance

Verification composes with the mode-selection subsystem by running after every commit regardless of mode. In full mode, verification confirms the action proceeded as predicted across the entire commit. In partial mode, verification confirms the partial commit produced the proportional partial effect. In stage-gated mode, verification at each stage is the structural gate that admits progression to the next stage; a non-nominal classification at a stage halts progression and triggers the stage-specific remediation. In emergency-overridden mode, verification still runs and produces audit lineage of the override's actual effect, so that the override's consequences are observable to subsequent review even though they were not subject to admission.

Verification composes with the confidence-governance subsystem by feeding classifications into the unit's running confidence estimate. A unit that produces a sequence of nominal classifications gains confidence and contributes more strongly to composite admissibility. A unit that produces anomalies loses confidence proportionally; a unit that produces fault classifications loses confidence sharply and may be quarantined; a unit that produces adversarial-interference classifications has its credentials reviewed and may be revoked. The composite admissibility computation downstream of the unit weights the unit's contributions by the current confidence, so the structural effect of misbehavior propagates immediately through the mesh without requiring out-of-band intervention.

Prior-Art Distinction

Conventional control systems implement closed-loop feedback in which the next command is computed from the current sensor reading; the feedback is structural, but the verification of the previous command is implicit and does not produce an observable, classified, lineage-recorded record of how the previous command performed. Conventional fault-detection systems compare sensor readings against expected ranges and raise alarms; they do not classify the source of the deviation, do not bind the classification to a specific actuator commit, and do not propagate the classification as a credentialed observation through a structured mesh.

Conventional intrusion-detection systems classify network or sensor anomalies but operate at the system level rather than at the actuation level; they cannot tie a detected anomaly to a specific commit, cannot key remediation to the commit's mode, and do not produce a lineage entry that downstream coordination can consume structurally. The mechanism described here differs by binding verification to the specific actuator commit, classifying deviation by source against versioned libraries, recording the classification as a credentialed lineage event, propagating it through the mesh as a first-class observation, and keying remediation to both the classification and the commit's mode. The combination is the structural contribution.

Disclosure Scope

The disclosure, as supported by Provisional Application 64/049,409, covers the post-commit verification stage, the structured discrepancy classifier and its five categories, the credentialed-observation framing of each classification, the propagation of classifications through the structural mesh, and the remediation policy keyed to classification and commit mode. It covers the parameter surface that governs readback windows, envelope widths, library confidence thresholds, and remediation cooling at the unit and class level, and it covers the alternative embodiments in which verification runs on-board or cooperatively, libraries are centralized or distributed, and remediation is synchronous or asynchronous.

The disclosure does not depend on a specific actuator class, a specific sensor modality, or a specific signature-matching algorithm. Any actuator whose effect can be observed through one or more readback channels with bounded latency, any sensor modality that provides readings with documented noise characteristics, and any signature-matching algorithm that produces explainable classifications against a versioned library may be substituted without departing from the disclosed mechanism. The structural contribution is the binding of verification to the specific commit, the classification of deviation by source, the credentialed propagation of the classification through the mesh, and the policy-keyed remediation that closes the loop — not the choice of components within the verification machinery.