Confidence-Governed Actuation: Graduated Modes for Physical Systems

by Nick Clark | Published April 25, 2026

Functional safety architectures inherited from industrial control (ISO 26262, IEC 61508, ISO 13849, ARP4761) treat every actuator command as a binary decision: permit or suppress. That model captured the decision space of a 1990s industrial cell. It does not capture the decision space of a contemporary autonomous physical system, which routinely faces choices between full execution, advisory display, partial commitment, deferred action, harm-minimizing deviation, and emergency override of normal authority. This article specifies confidence-governed actuation: a unified execution primitive that produces a graduated mode set under composite admissibility evaluation, applies rate-limited and budget-bounded preemption, stages commitment to irreversible action under reversibility classification, and minimizes harm under a governance-policy-configurable entity-class ordering. Every actuation, in every mode, is broadcast through the governed mesh with cryptographic lineage that records the supporting computation, the gating authority, and the post-actuation verification result. The primitive is disclosed under USPTO provisional 64/049,409 and is the keystone execution step through which every other spatial primitive in the portfolio terminates before any physical actuator commits.


1. Problem and Architectural Premise

The dominant functional-safety lineage—ISO 26262 for road vehicles, IEC 61508 for industrial process control, ISO 13849 for machinery, DO-178C and ARP4761 for civil aviation, IEC 62304 for medical devices—shares one structural assumption: the output of a safety architecture is a binary. A command either passes the integrity-level checks for its target actuator and is committed, or it fails and is suppressed. The standards differ in process rigor, fault-tree depth, and probabilistic targets (FIT rates, PFH ranges, ASIL/SIL bands), but they agree on the shape of the output.

Binary permit/suppress is well-matched to the decision space of a fixed industrial cell, a flight control loop with a defined envelope, or an interlocked machine guard. It is not well-matched to the decision space of a Level 4 driverless vehicle approaching an unprotected pedestrian crossing, an autonomous mobile manipulator handing a workpiece to a human operator, a delivery robot at a loading-dock interface, or a port crane lifting a container with an uncertain spreader latch. In every one of these cases the architecture has more than two reasonable answers. It can commit fully. It can commit partially while signaling intent. It can stage commitment over a sequence of bounded reversible decisions. It can defer until a downstream observation arrives. It can refuse the commanded actuation and execute a harm-minimizing alternative. It can render the contemplated action visible to a remote operator without commanding the actuator at all.

When the architecture is forced to collapse this richer decision space into a single bit, two failure modes are observed in production fleets. The conservative collapse suppresses too aggressively: legitimate actuations get refused at decision boundaries because the architecture cannot express partial commitment, and the operating unit becomes brittle in exactly the long-tail conditions for which it most needs flexibility. The permissive collapse approves too readily: unsafe actuations are committed because the only alternative was a refusal that would itself be unsafe (a hard brake on an icy on-ramp, a refusal to merge into traffic when stopping is worse). Both collapses appear in current L4 fleet telemetry, in surgical robot incident reports, and in industrial mobile-manipulator near-miss logs.

The architectural premise of confidence-governed actuation is that the binary is the wrong shape. The output of a safety architecture for an autonomous physical system must be a graduated mode drawn from a structured set, selected deterministically from a composite admissibility computation, recorded in tamper-evident lineage, and broadcast to every governance-credentialed observer in the operating environment. Once the output shape is correct, the rest of the architecture—preemption, reversibility, harm minimization, post-actuation verification—becomes expressible as deterministic functions over the same admissibility computation rather than as ad-hoc layers bolted onto a binary core.

2. The Core Architectural Primitive: A Graduated Mode Set Under Composite Admissibility

Confidence-governed actuation produces, for every actuation request, a selection from a graduated mode set. The disclosed embodiment defines eleven canonical modes—simulated, advisory, consultative, shadowed, partial, constrained, stage-gated, deferred, full, emergency-accelerated, and emergency-overridden—but the primitive is defined by the structure of the set rather than by the specific count. The defining structural properties are that (a) the set is totally ordered with respect to authority committed to the physical actuator, (b) each mode is a structurally distinct outcome with its own lineage record and its own broadcast class, and (c) selection is a deterministic function of the admissibility computation against a signed governance policy.

Simulated mode runs the contemplated command against a forward model with no physical commit. Advisory mode renders the contemplated command to a human operator without commanding the actuator. Consultative mode requests explicit human or peer authority before commit. Shadowed mode logs the contemplated command and runs verification in parallel with continued fallback control. Partial mode commits a fraction of the requested authority—a portion of brake pressure, a portion of steering angle, a fraction of crane hoist—bounded by a policy-defined ratio. Constrained mode commits within a tightened envelope (lower velocity, narrower lateral excursion, reduced payload). Stage-gated mode commits in successive bounded stages with intermediate evaluations between stages. Deferred mode holds commitment pending arrival of a named downstream observation or peer attestation. Full mode commits as requested. Emergency-accelerated mode commits with reduced gating latency under an explicit time-criticality flag. Emergency-overridden mode commits despite a normal-mode refusal under a credentialed override authority and rate-limited budget.

The composite admissibility evaluator that selects among these modes is a deterministic computation over five named factors. Authority is the credential chain that originates the actuation request and the credentials of every relay along the chain. Evidential weighting is the aggregated confidence over the observations supporting the request, computed under a published weighting function that accounts for sensor class, attestation freshness, and corroboration depth. Capability assessment is the operating unit's instantaneous envelope—available friction, available torque, available payload, available compute budget for verification. Temporal scope is the time window over which the request is admissible and the time-to-commitment for any irreversible portion. Disposition is the governance policy's prior on the requested actuation class within the current jurisdiction, marker context, and operational design domain.

Selection is deterministic: the same five-tuple of inputs always produces the same mode selection. The selection, the input tuple, and the governance policy version under which the selection was computed are written together into the lineage record. Two operating units in identical states under the same policy will compute identical mode selections; this determinism is a verification surface for regulators and a compliance surface for operators.
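As an added illustration (not code from the disclosure or from the author), the following Python sketch shows the shape of the primitive: a mode set ordered by committed authority, a selector that is a pure function of the five factors, and a lineage record whose signature covers the inputs, the selection and the policy version. The reduction of each factor to a scalar or boolean field, the thresholds, the HMAC-based signing stand-in, and the placeholder key and policy identifiers are assumptions; the mode order assumes the sequence in which the modes are listed above.

```python
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from enum import IntEnum

POLICY_VERSION = "actuation-policy-EXAMPLE-v1"   # placeholder policy version
UNIT_KEY = b"unit-signing-key-EXAMPLE"           # placeholder; a fielded unit would hold this in hardware


class Mode(IntEnum):
    """Graduated mode set, ordered by authority committed to the actuator
    (assumed to follow the order in which the article lists the modes)."""
    SIMULATED = 0
    ADVISORY = 1
    CONSULTATIVE = 2
    SHADOWED = 3
    PARTIAL = 4
    CONSTRAINED = 5
    STAGE_GATED = 6
    DEFERRED = 7
    FULL = 8
    EMERGENCY_ACCELERATED = 9
    EMERGENCY_OVERRIDDEN = 10


@dataclass(frozen=True)
class Admissibility:
    """The five factors, reduced to illustrative scalar and boolean fields."""
    authority_verified: bool    # credential chain of requester and every relay checked out
    emergency_credential: bool  # requester holds an emergency-authority credential
    evidence: float             # aggregated confidence over supporting observations, 0..1
    capability: float           # fraction of the requested envelope the unit can deliver now, 0..1
    window_ms: int              # temporal scope: how long the request stays admissible
    time_critical: bool         # explicit time-criticality flag on the request
    disposition: str            # policy prior: "permitted", "restricted" or "prohibited"


def select_mode(a: Admissibility) -> Mode:
    """Deterministic selection: the same tuple always yields the same mode.
    Thresholds are illustrative assumptions, not values from the disclosure."""
    if not a.authority_verified or a.disposition == "prohibited":
        return Mode.ADVISORY                 # render to the operator, never command the actuator
    if a.time_critical and a.emergency_credential and a.evidence >= 0.8:
        return Mode.EMERGENCY_ACCELERATED    # reduced gating latency, still recorded in lineage
    if a.evidence < 0.4:
        return Mode.CONSULTATIVE             # too little evidence: ask a human or peer first
    if a.evidence < 0.6:
        # weak evidence: wait for a downstream observation if the window allows, else commit a fraction
        return Mode.DEFERRED if a.window_ms >= 500 else Mode.PARTIAL
    if a.capability < 0.5:
        return Mode.PARTIAL                  # commit only the portion the envelope supports
    if a.evidence < 0.9 or a.capability < 0.9 or a.disposition == "restricted":
        return Mode.CONSTRAINED              # commit inside a tightened envelope
    return Mode.FULL


def _canonical(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def lineage_record(a: Admissibility, mode: Mode) -> dict:
    """Inputs, selection and policy version are written together and signed by the unit."""
    body = {"inputs": asdict(a), "mode": mode.name, "policy_version": POLICY_VERSION}
    canonical = _canonical(body)
    body["record_hash"] = hashlib.sha256(canonical).hexdigest()
    body["signature"] = hmac.new(UNIT_KEY, canonical, hashlib.sha256).hexdigest()
    return body


def verify_lineage(record: dict) -> bool:
    """An auditor recomputes hash and signature; any edit to inputs, mode or version fails."""
    canonical = _canonical({k: record[k] for k in ("inputs", "mode", "policy_version")})
    hash_ok = hashlib.sha256(canonical).hexdigest() == record["record_hash"]
    sig_ok = hmac.compare_digest(
        hmac.new(UNIT_KEY, canonical, hashlib.sha256).hexdigest(), record["signature"])
    return hash_ok and sig_ok


if __name__ == "__main__":
    request = Admissibility(True, False, 0.95, 0.95, 200, False, "permitted")
    rec = lineage_record(request, select_mode(request))
    print(rec["mode"], rec["signature"][:16], verify_lineage(rec))
```

The point of the sketch is the determinism property: two units running `select_mode` on the same tuple under the same policy version produce byte-identical lineage records, so a regulator can replay a record and confirm that the recorded mode is the one the policy required, and any post-hoc edit to the record breaks its signature.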

3. Rate-Limited and Budget-Bounded Preemption

Emergency preemption authority—the capacity to override normal admissibility gating and commit despite a refusal mode—is itself rate-limited under a budget. A unit may invoke preemption no more than N times within a governance-policy-defined window W, and each invocation carries a bounded effective duration D after which it expires unless explicitly renewed by a fresh credentialed authority. The default disclosed envelope holds N in the range of 1 to 4 invocations per shift-equivalent window of 8 to 24 hours, with D in the range of 200 milliseconds to 30 seconds depending on actuator class; these bounds are policy-configurable rather than hardcoded.

Budget-bounded preemption solves a recurring failure mode in safety-critical systems: the gradual normalization of emergency overrides until they lose their structural meaning. Aviation has documented this in glass-cockpit envelope-protection overrides; medical robotics has documented it in surgeon-override telemetry; industrial safety has documented it in muting and bypass logs. Under a budget, every preemption invocation consumes a finite resource; consumption above a policy-defined threshold raises a governance-flagged event that propagates through the mesh in real time and is visible to the regulatory authority that issued the budget.

Budgets are stratified by authority class. A regulatory authority may grant a fleet operator a higher budget for safety-critical override than that operator may delegate to an individual unit. A peer authority (another operating unit in coordinated platoon, for example) may grant a still narrower budget bounded by both the peer's own remaining budget and the receiving unit's policy ceiling. Each invocation is recorded with the originating authority's signature, the consumed budget delta, the actuation class overridden, and the surviving budget; this produces tamper-evident audit of every override at the authority granularity rather than at the device granularity.

Budget exhaustion is itself an admissibility input. As remaining budget approaches zero, the evaluator shifts the operating unit toward more conservative modes (deferred, partial, constrained) for actuation classes that historically consumed budget under similar conditions. This is a structural rather than a heuristic shift: the budget state is a typed input to the deterministic selection function.
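The budget mechanics of this section can be made concrete in code. The following is an added example, not part of the disclosure: a sliding-window budget with N, W and D, delegation that is capped by the grantor's own surviving budget, a governance-flagged event once usage reaches a threshold, and the budget state fed back into mode selection as a typed input. The parameter values, authority names, and the conservative mode ladder are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PreemptionBudget:
    """Budget for emergency preemption: at most N invocations per sliding window W,
    each effective for D seconds. Parameter values are illustrative."""
    authority: str                  # who granted this budget (regulator, fleet operator, peer unit)
    max_invocations: int            # N
    window_s: float                 # W, in seconds
    duration_s: float               # D, effective duration of one invocation
    flag_threshold: int             # usage at or above this raises a governance-flagged event
    parent: Optional["PreemptionBudget"] = None   # grantor; a delegated budget never exceeds it
    _log: deque = field(default_factory=deque)     # (timestamp, actuation_class), oldest first

    def used(self, now: float) -> int:
        while self._log and self._log[0][0] <= now - self.window_s:
            self._log.popleft()             # drop invocations that aged out of the window
        return len(self._log)

    def remaining(self, now: float) -> int:
        own = self.max_invocations - self.used(now)
        return own if self.parent is None else min(own, self.parent.remaining(now))

    def invoke(self, now: float, actuation_class: str) -> dict:
        """One preemption attempt. The returned dict is what the lineage record would
        carry: grant or denial, expiry, consumed delta, surviving budget and flag state."""
        if self.remaining(now) <= 0:
            return {"granted": False, "authority": self.authority, "class": actuation_class,
                    "reason": "budget exhausted", "remaining": 0, "flagged": True}
        budget = self
        while budget is not None:           # consumption propagates up the authority chain
            budget._log.append((now, actuation_class))
            budget = budget.parent
        return {"granted": True, "authority": self.authority, "class": actuation_class,
                "consumed": 1, "expires_at": now + self.duration_s,
                "remaining": self.remaining(now),
                "flagged": self.used(now) >= self.flag_threshold}


# Budget exhaustion as a typed admissibility input: a conservative ladder over a subset
# of the mode set (constructed ordering, most conservative first).
MODE_LADDER = ["deferred", "partial", "constrained", "full"]


def budget_adjusted_mode(mode: str, remaining: int, class_consumed_before: bool) -> str:
    """With little budget left and a class that has drawn on budget under similar
    conditions before, shift the selection toward the conservative end of the ladder."""
    if not class_consumed_before or remaining > 1:
        return mode
    steps = 2 if remaining == 0 else 1
    return MODE_LADDER[max(0, MODE_LADDER.index(mode) - steps)]


if __name__ == "__main__":
    fleet = PreemptionBudget("fleet-operator-EXAMPLE", 3, 8 * 3600, 30.0, 3)
    unit = PreemptionBudget("unit-42-EXAMPLE", 2, 8 * 3600, 30.0, 2, parent=fleet)
    for t in (0.0, 10.0, 20.0):
        print(unit.invoke(t, "hard-brake-override"))
    print("fleet budget left:", fleet.remaining(20.0))
```

Two properties are worth noticing. A unit's `remaining` is the minimum of its own and its grantor's surviving budget, so a peer or operator can never delegate more authority than it still holds. And every grant is consumed at every level of the chain at once, which is what makes the audit trail authority-granular rather than device-granular.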

4. Reversibility-Aware Staged Commitment

Actuator commands differ in how much of their effect can be undone after commit. Steering angle is highly reversible within an envelope. Brake pressure is reversible up to the threshold at which kinetic energy is dissipated. Throttle commitment is reversible until tire-pavement slip exceeds recovery. Airbag deployment is irreversible. Pyrotechnic actuation, surgical incision, container release, and hazardous-material valve open are irreversible classes. The execution primitive evaluates a reversibility class for every contemplated commitment and structurally prefers reversible paths when feasible alternatives exist within the capability envelope.

Stage-gated mode is the architectural mechanism for committing irreversible authority safely. An irreversible commitment is decomposed into a sequence of bounded stages, each of which is reversible up to its own threshold, with a fresh admissibility evaluation between stages. A landing aircraft progresses through descent (reversible by go-around), approach (reversible until decision height), flare (reversible until late flare), and touchdown (committed). A surgical robot progresses through tool placement, contact, partial-depth incision, full-depth incision. A port crane progresses through approach, contact, partial lift, full lift, traverse. At each stage transition, the admissibility evaluator runs again with updated environmental observations, updated capability assessment, and updated peer attestations from the governed mesh; the unit may regress to a lower stage, hold at the current stage, or progress.

Reversibility classification is computed against a governance-policy-defined classification table per actuator type. The classification table is published, signed by the governing authority, and configurable; new actuator types receive classifications through governance-credentialed updates rather than through firmware revisions of the operating unit. This separates the actuator-physics question (how reversible is this command) from the operating-unit question (how should I behave given this classification), allowing regulators and standards bodies to update the physics-of-record without invalidating fielded firmware.

The disclosed envelope supports four reversibility classes: fully-reversible, bounded-reversible (with a named threshold), staged-reversible (with a named decomposition), and irreversible. Stage counts in the range of 2 to 8 are typical for staged-reversible commitments; inter-stage evaluation latencies in the range of 5 to 500 milliseconds are typical depending on actuator class and time-criticality.
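The following added example (not the disclosure's code) shows the two pieces of this section together: a classification table keyed by actuator type, consulted both to prefer the most reversible feasible path and to drive a stage-gated commit that re-evaluates before every stage and may progress, hold or regress. The table contents, the confidence thresholds in the constructed evaluator, and the crane decomposition used as sample input are assumptions; a fielded table would be signed by the governing authority.

```python
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed stand-in for a governance-published classification table. A fielded table
# is signed by the governing authority and changed through credentialed policy updates.
CLASSIFICATION_TABLE: Dict[str, dict] = {
    "steering":   {"class": "fully-reversible"},
    "brake":      {"class": "bounded-reversible", "threshold": "kinetic-energy-dissipated"},
    "throttle":   {"class": "bounded-reversible", "threshold": "tire-slip-beyond-recovery"},
    "crane-lift": {"class": "staged-reversible",
                   "stages": ["approach", "contact", "partial-lift", "full-lift", "traverse"]},
    "airbag":     {"class": "irreversible"},
}

REVERSIBILITY_RANK = {"fully-reversible": 0, "bounded-reversible": 1,
                      "staged-reversible": 2, "irreversible": 3}


def prefer_reversible(feasible: Iterable[str]) -> str:
    """Among feasible alternatives inside the envelope, pick the most reversible path."""
    return min(feasible, key=lambda a: REVERSIBILITY_RANK[CLASSIFICATION_TABLE[a]["class"]])


def stage_gated_commit(actuator: str, evaluate: Callable[[str], str],
                       max_evaluations: int = 32) -> Tuple[int, List[Tuple[str, str]]]:
    """Commit an irreversible action through its published decomposition.
    `evaluate(stage)` is the admissibility re-run with fresh observations before that
    stage and returns "progress", "hold" or "regress". Returns (stages committed, trace)."""
    entry = CLASSIFICATION_TABLE[actuator]
    if entry["class"] != "staged-reversible":
        raise ValueError(f"{actuator} is {entry['class']}: no named decomposition to stage")
    stages = entry["stages"]
    i = 0                                    # index of the next stage to commit
    trace: List[Tuple[str, str]] = []
    for _ in range(max_evaluations):
        decision = evaluate(stages[i])
        trace.append((stages[i], decision))
        if decision == "progress":
            i += 1
            if i == len(stages):
                return i, trace              # final stage committed
        elif decision == "regress":
            if i == 0:
                return 0, trace              # backed out before committing anything
            i -= 1                           # undo the previous, still reversible, stage
        elif decision != "hold":
            raise ValueError(f"unknown decision {decision!r}")
    return i, trace                          # evaluation budget exhausted while holding


def make_evaluator(latch_confidence: Iterable[float]) -> Callable[[str], str]:
    """Constructed evaluator: maps a fresh spreader-latch confidence reading, taken
    before each stage, to a decision. Thresholds are illustrative."""
    readings = iter(latch_confidence)

    def evaluate(stage: str) -> str:
        c = next(readings)
        return "progress" if c >= 0.8 else ("hold" if c >= 0.5 else "regress")
    return evaluate


if __name__ == "__main__":
    # Constructed reading sequence: latch confidence drops during partial lift, the crane
    # regresses to contact, then progresses once the reading recovers.
    committed, trace = stage_gated_commit(
        "crane-lift", make_evaluator([0.95, 0.9, 0.6, 0.4, 0.9, 0.9, 0.9, 0.9]))
    print(committed, trace)
```

The trace is exactly what the lineage record for a staged commit needs: every stage evaluation in order, including holds and regressions, so an auditor can see not only that the lift completed but that the unit backed off when the latch evidence weakened.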

5. Governance-Policy-Configurable Harm Ordering

When every available actuation in the capability envelope produces some harm, the primitive selects the actuation that minimizes harm under a governance-policy-configurable entity-class harm ordering. The ordering is a partial order over named entity classes—pedestrians, cyclists, motorcyclists, occupants of the operating unit, occupants of other vehicles, livestock, property, the operating unit itself, infrastructure—with weights that can be jurisdiction-specific, time-of-day-specific, or context-specific. The ordering is signed by the governing jurisdiction and propagated through the same governance-chain primitive that authenticates marker credentials.

Externalizing the harm ordering resolves a long-standing structural gap in autonomous-system ethics. Current production stacks either hardcode a harm ordering (which transfers the ethical authority from elected jurisdictional bodies to a private manufacturer) or refuse to articulate one (which leaves liability unallocated and produces inconsistent behavior across the fleet). The governed primitive externalizes the ordering: state DOTs, transportation authorities, and insurers configure it through their normal rule-making processes; the operating unit executes the configured ordering deterministically; and the lineage records every harm-minimization deviation together with the policy version under which it was evaluated. A litigant or regulator inspecting an incident sees not just what the unit did but which ordering it was operating under and which authority had signed that ordering at the moment of decision.

The same mechanism extends to non-vehicular contexts without architectural change. Industrial robotics with multiple object classes (worker, supervisor, untrained visitor, equipment, workpiece) carries an ordering signed by the facility safety authority. Medical autonomy with patient, staff, and bystander classes carries an ordering signed by the hospital ethics board and the regulatory body. Defense systems carry orderings signed by the relevant rules-of-engagement authority with classes for combatants, noncombatants, allied personnel, and protected sites. The mechanism is constant across these domains; only the entity classes, the weights, and the signing authority change.

Harm-minimization deviation is itself a mode selection within the graduated set—it is a partial or constrained commit to an alternative trajectory rather than a refusal. The deviation is recorded with the alternatives that were considered, the harm scores computed under the active ordering, and the threshold by which the selected alternative dominated.
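As an added example, not code from the disclosure, the following shows harm minimization under an externalized ordering: the unit loads only an ordering whose signature verifies, scores each feasible alternative as the weighted sum of expected harm per entity class, and emits the deviation record this section describes (alternatives considered, scores under the active ordering, the dominance margin, and the policy version and signature). The weights, entity outcomes, jurisdiction name and signing key are constructed placeholders; HMAC stands in for whatever signature scheme the governance chain uses.

```python
import hashlib
import hmac
import json

JURISDICTION_KEY = b"jurisdiction-signing-key-EXAMPLE"   # placeholder for the authority's key


def sign_ordering(ordering: dict) -> dict:
    """Issuing authority signs the ordering; the unit loads only signed orderings."""
    canonical = json.dumps(ordering, sort_keys=True).encode()
    return {"ordering": ordering,
            "signature": hmac.new(JURISDICTION_KEY, canonical, hashlib.sha256).hexdigest()}


def verify_ordering(signed: dict) -> bool:
    canonical = json.dumps(signed["ordering"], sort_keys=True).encode()
    expected = hmac.new(JURISDICTION_KEY, canonical, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["signature"])


# Constructed ordering; the weights are placeholders and belong to no real jurisdiction.
ACTIVE_ORDERING = sign_ordering({
    "policy_version": "harm-ordering-EXAMPLE-v3",
    "jurisdiction": "EXAMPLE-STATE-DOT",
    "weights": {"pedestrian": 100, "cyclist": 90, "motorcyclist": 80,
                "occupant-other": 60, "occupant-own": 60, "livestock": 10,
                "infrastructure": 5, "property": 3, "self": 2},
})


def harm_score(outcome: dict, weights: dict) -> float:
    """outcome maps entity class -> expected harm fraction (0..1); score is the weighted sum."""
    return sum(weights[cls] * p for cls, p in outcome.items())


def minimize_harm(alternatives: dict, signed_ordering: dict) -> dict:
    """Select the least-harm alternative and return the deviation record the lineage
    would carry: every alternative's score, the winner, the policy version, and the
    relative margin by which the winner dominated the runner-up."""
    if not verify_ordering(signed_ordering):
        raise PermissionError("harm ordering failed signature verification; refusing to rank")
    ordering = signed_ordering["ordering"]
    scores = {name: harm_score(o, ordering["weights"]) for name, o in alternatives.items()}
    ranked = sorted(scores.items(), key=lambda kv: (kv[1], kv[0]))   # deterministic tie-break
    best_name, best_score = ranked[0]
    margin = None
    if len(ranked) > 1:
        runner_score = ranked[1][1]
        margin = (runner_score - best_score) / runner_score if runner_score else 0.0
    return {"mode": "constrained",                 # a deviation is a commit, not a refusal
            "selected": best_name, "considered": scores, "dominance_margin": margin,
            "policy_version": ordering["policy_version"],
            "jurisdiction": ordering["jurisdiction"],
            "ordering_signature": signed_ordering["signature"]}


if __name__ == "__main__":
    # Constructed alternatives: entity class -> expected harm fraction under each trajectory.
    alternatives = {
        "hard-brake-straight":    {"pedestrian": 0.6, "occupant-own": 0.1},
        "swerve-left-parked-car": {"property": 0.9, "occupant-own": 0.2, "self": 0.8},
        "swerve-right-curb":      {"cyclist": 0.3, "infrastructure": 0.4},
    }
    print(json.dumps(minimize_harm(alternatives, ACTIVE_ORDERING), indent=2))
```

The record binds the decision to the ordering's signature, so a litigant or regulator can establish which authority's weights were in force; and because an ordering that fails verification is refused outright rather than silently replaced by a built-in default, the ethical authority stays with the signing body.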

6. Operating Parameters and Engineering Envelope

Composite admissibility evaluation runs at a per-actuation-request cadence with disclosed latency budgets in the range of 1 to 50 milliseconds for reflexive actuator classes (steering, brake, throttle, signaling), 10 to 200 milliseconds for deliberative classes (lane change, merge commit, intersection traversal), and 100 milliseconds to several seconds for staged irreversible classes (port-crane lift, surgical incision, deployment of pyrotechnic restraints).

Lineage records carry, at minimum, the input five-tuple (authority, evidence, capability, temporal scope, disposition), the selected mode, the policy version, the governance-chain root, the post-actuation verification result, and the cryptographic signature of the evaluating unit. Record sizes in the range of 256 to 8,192 bytes per record are typical depending on evidence depth; storage budgets in the range of 10 to 500 megabytes per operating shift accommodate full lineage retention without selective recording.

Mesh broadcast of actuation state runs over the governed-coordinates broadcast plane with broadcast classes ordered by criticality: emergency-accelerated and emergency-overridden propagate at the highest priority with hop budgets in the range of 4 to 16 mesh peers, full and stage-gated commits propagate at standard priority, and advisory or simulated modes propagate at low priority or are scoped to local observers only. Broadcast latency budgets target end-to-end sub-100-millisecond delivery to credentialed peers within a defined geographic envelope.

Preemption budgets, harm orderings, reversibility classifications, and broadcast class assignments are all governance-policy-configurable through signed updates that propagate through the governance-chain primitive. The operating unit applies updates atomically at named transition points (idle, parked, end-of-shift) rather than mid-actuation; updates carry effective-time fields and prior-version pointers so that lineage written under an older policy remains interpretable indefinitely.

7. Alternative Embodiments

The primitive is disclosed for road-vehicle actuators (steering, brake, throttle, transmission, signaling, lighting, restraint) but applies without architectural change to a broad class of physical systems. In aviation, the primitive gates flight-control surface commands, throttle, landing-gear deployment, flap and slat actuation, and emergency-parachute deployment in eVTOL and small unmanned platforms. In maritime systems, it gates rudder, propeller pitch, dynamic-positioning thruster commands, anchor release, and cargo-handling actuators. In industrial and warehouse robotics, it gates manipulator joints, gripper actuation, AMR drive commands, and conveyor interlocks. In medical robotics, it gates tool advance, electrosurgical activation, suture deployment, and stapler firing. In energy and process industries, it gates valve actuation for hazardous fluids, breaker operation in substations, and reactor control-rod drive.

The graduated mode set is configurable per deployment. A constrained embodiment for a low-speed campus shuttle may collapse to seven modes by omitting simulated, consultative, shadowed, and emergency-accelerated; a high-criticality embodiment for a cargo aircraft may extend to fifteen modes by decomposing stage-gated into named per-segment stages. The composite admissibility evaluator's input set is similarly configurable: a deployment without peer-attestation infrastructure may operate with a four-factor evaluator omitting peer evidence; a deployment in a heavily instrumented marker corridor may extend the input set to include marker-bound traversal admissibility as a sixth factor.

Reversibility classification embodiments include hardcoded per-actuator tables, jurisdictional-policy tables signed by transportation or industrial authorities, manufacturer-published tables registered with the governance-chain root, and learned classifications constrained by published bounds. Harm-ordering embodiments include single-jurisdiction static orderings, multi-jurisdiction orderings selected by current marker context, time-of-day variants (school-zone weighting during arrival and dismissal windows), and event-driven variants (emergency-vehicle-present weighting).

8. Composition with the Broader Spatial Architecture

Confidence-governed actuation is the terminal step of the five-property chain disclosed under the same provisional. Mesh-coordinates produce position; governance-chain produces authority over that position; marker-track produces route admissibility under that authority; observation-quorum produces evidential weighting over the observations supporting the contemplated commit; and confidence-governed actuation gates the commit. Every other primitive in the spatial portfolio terminates here before any physical actuator moves.

Cross-actuator composition is structural. Real autonomous systems coordinate multiple actuators under a single governance frame: a lane-change commit requires steering, throttle, brake, signaling, and attention-state actuators to commit consistently; a port-crane container-handling commit requires hoist, trolley, gantry, spreader, and twistlock actuators; a surgical commit requires tool advance, irrigation, suction, and electrosurgery. A single composite admissibility evaluation produces a vector of mode selections across the coupled actuator set with cross-actuator constraints (no brake commit without simultaneous signaling; no twistlock release without simultaneous hoist hold) enforced as structural admissibility predicates rather than as supervisory logic.

Cross-actuator constraints are themselves governance-policy-configurable. A regulatory authority can mandate that any lane-change actuation include simultaneous turn-signal actuation with a minimum lead time; a port authority can mandate that any container-handling actuation include simultaneous custody-transfer broadcast to the receiving carrier; a hospital authority can mandate that any electrosurgical activation include simultaneous suction. The constraint is signed by the issuing authority and propagated through the same governance-chain machinery that distributes credentials and harm orderings.
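The following added example (not the disclosure's code) expresses cross-actuator constraints as predicates over a mode vector, as the two paragraphs above describe: a lane-change that needs a turn-signal with a minimum lead time, a brake commit that needs simultaneous signaling, and a twistlock release that needs a simultaneous hoist hold. The vector layout, the 1000 ms lead value, the authority names, and the choice to demote the whole coupled set to advisory on any violation are assumptions.

```python
from typing import Callable, Dict, List, Tuple

# Modes that put authority on the actuator; anything else leaves it unmoved.
COMMITTING = {"partial", "constrained", "stage-gated", "full",
              "emergency-accelerated", "emergency-overridden"}

# A mode vector: actuator -> {"cmd": requested command, "mode": selected mode,
#                              "t_ms": planned commit time relative to the evaluation}
Vector = Dict[str, dict]
MIN_SIGNAL_LEAD_MS = 1000        # constructed policy parameter


def commits(v: Vector, actuator: str) -> bool:
    return actuator in v and v[actuator]["mode"] in COMMITTING


def leads_by(v: Vector, leader: str, follower: str, lead_ms: int) -> bool:
    """If `follower` commits, `leader` must also commit, at least lead_ms earlier."""
    if not commits(v, follower):
        return True
    return commits(v, leader) and v[leader]["t_ms"] + lead_ms <= v[follower]["t_ms"]


# Signed structural constraints: (issuing authority, description, predicate over the vector).
# Authorities and wording are constructed placeholders.
CONSTRAINTS: List[Tuple[str, str, Callable[[Vector], bool]]] = [
    ("EXAMPLE-state-DOT", "lane-change steering needs turn-signal with >= 1000 ms lead",
     lambda v: leads_by(v, "signaling", "steering", MIN_SIGNAL_LEAD_MS)),
    ("EXAMPLE-state-DOT", "no brake commit without simultaneous signaling",
     lambda v: not commits(v, "brake") or commits(v, "signaling")),
    ("EXAMPLE-port-authority", "no twistlock release without simultaneous hoist hold",
     lambda v: not (commits(v, "twistlock") and v["twistlock"]["cmd"] == "release")
               or (commits(v, "hoist") and v["hoist"]["cmd"] == "hold")),
]


def evaluate_coupled(requested: Vector, constraints=CONSTRAINTS) -> Tuple[Vector, list]:
    """Cross-actuator gating: every predicate must hold over the whole vector. On any
    violation the coupled set is demoted together to 'advisory' (nothing moves) and the
    blocking constraints, with their issuing authority, are returned for the lineage record."""
    violations = [(auth, desc) for auth, desc, pred in constraints if not pred(requested)]
    if violations:
        demoted = {a: dict(entry, mode="advisory") for a, entry in requested.items()}
        return demoted, violations
    return {a: dict(entry) for a, entry in requested.items()}, []


if __name__ == "__main__":
    # Constructed lane-change request: signal first, steer 1.5 s later.
    lane_change = {
        "signaling": {"cmd": "left", "mode": "full", "t_ms": 0},
        "steering":  {"cmd": "lane-left", "mode": "constrained", "t_ms": 1500},
        "throttle":  {"cmd": "hold", "mode": "full", "t_ms": 1500},
    }
    print(evaluate_coupled(lane_change))
```

Because the predicates are data (authority, description, function) rather than supervisory code paths, a new constraint from a port or hospital authority is a signed policy update to the list, not a firmware change, and the violation tuple that blocked a commit names the authority whose rule applied.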

Composition with marker-track transport produces refuse-route mode: when the marker sequence ahead carries credentials the operating unit's policy does not admit, or when the route manifest fails verification, the actuation primitive returns refuse-route as a structurally distinct mode rather than as a generic refusal, enabling the upstream planner to seek an admissible alternative.

9. Prior-Art Distinctions

This primitive is distinct from ISO 26262 and the broader functional-safety lineage. ISO 26262 specifies safety integrity levels (ASIL A through D) and process requirements for binary safe-or-unsafe gating of automotive actuators. The governed primitive consumes ISO 26262-classified actuators and operates within their integrity envelopes, but produces graduated modes that the standard does not specify, applies governance-credentialed policy that the standard does not contemplate, and broadcasts actuation state across a governed mesh that the standard does not address.

It is distinct from Mobileye RSS and analogous formal-safety models. RSS encodes formal safety-distance constraints between road agents and produces a binary safe/unsafe classification. The governed primitive can integrate RSS as one factor within its evidential weighting, but the output is mode-graduated rather than binary, the gating authority is governance-credentialed rather than implicit, and the constraint set is policy-configurable rather than fixed.

It is distinct from reinforcement-learning fail-safes and shielded RL. Those mechanisms wrap a learned controller with a runtime monitor that intervenes on unsafe action sequences. The governed primitive does not wrap a controller; it gates actuator commits regardless of the upstream planner's nature, applies deterministic admissibility rather than learned shielding, and produces lineage suitable for regulatory audit rather than statistical assurance.

It is distinct from hardware interlocks, light curtains, e-stops, and safety cages. Those mechanisms produce a binary cut-off at a physical layer. The governed primitive operates at the command-arbitration layer above any such interlock, can produce partial or staged commits that an interlock cannot represent, and survives composition across coupled actuators and across coordinated multi-unit operation in ways an interlock cannot.

It is distinct from Model Predictive Control. MPC computes optimal actuator trajectories within a constraint set. The governed primitive evaluates whether and how to commit to whatever trajectory is requested by upstream planning, including MPC; the two compose, with MPC producing a trajectory request and the governed primitive selecting the mode of commit.

10. Disclosure Scope

This primitive is disclosed under USPTO provisional 64/049,409 as the governed-actuation step of the five-property spatial chain. The disclosure encompasses the graduated mode set as a structural primitive, the composite admissibility evaluator as a deterministic five-factor function, rate-limited and budget-bounded preemption with stratified authority classes, reversibility-aware staged commitment with governance-published classification tables, governance-policy-configurable entity-class harm ordering, post-actuation verification with discrepancy classification, mesh broadcast of actuation state with stratified broadcast classes, and cross-actuator composition with signed structural constraints.

The disclosure is independent of actuator domain. Embodiments in road vehicles, aviation platforms, maritime systems, industrial robotics, medical robotics, and energy and process control are within scope. The disclosure is independent of sensor stack, planning architecture, and machine-learning content of upstream components; it gates whatever is presented at the actuator-commit boundary.

The disclosure composes with and depends on the other primitives of the same provisional: mesh-coordinates, governance-chain, marker-track transport, observation-quorum, and the broader five-property chain. Practitioners implementing only the actuation primitive without the supporting chain will obtain partial benefit; full benefit requires integrated implementation.

Invented by Nick Clark
Founding Investors: Anonymous, Devin Wilkie