Autonomous Aviation Execution Under Governed Actuation

1. Regulatory and Domain Context

Aviation has, for nearly a century, decomposed flight into discrete phases: preflight, taxi, takeoff, climb, cruise, descent, approach, landing, and rollout. Each phase carries its own admissibility envelope under the relevant aviation-authority framework. Preflight admissibility derives from airworthiness directives, weight-and-balance computations, and operator dispatch release. Cruise admissibility derives from filed flight plans, ATC clearances, and the operator's continued ability to maintain assigned altitude and route. Approach admissibility derives from instrument procedure validity, runway-environment conditions, and the crew's continued situational picture. Governed actuation supports phase-by-phase autonomy operating against the same composite admissibility - operator authority, regulatory authority, and air-traffic authority composed at each transition - that human crews already navigate.

Stage-gated commitment maps cleanly to flight-phase progression. Each phase transition admits through composite admissibility evaluation: the autopilot does not simply advance, it evaluates whether the conditions that were declared admissible for the next phase are in fact present. Emergency phases - go-around, emergency descent, forced-landing site selection - gain elevated admissibility under emergency authority, mirroring the way FAR 91.3 already grants pilot-in-command authority to deviate from any rule in an in-flight emergency. The architecture supports the structurally distinct decisions that aviation already practices, and gives drone operators, eVTOL builders, and certified-autopilot vendors a common vocabulary for describing them.

2. Architectural Requirement

Current autonomous-aviation development faces what is essentially a binary certification problem. Full autonomy certification - the ability to operate a transport-category aircraft with no pilot on board, or a delivery drone over populated areas without a remote pilot in command - is genuinely distant; the FAA's Part 108 NPRM proposes a framework, but the underlying detect-and-avoid (DAA) certification basis under RTCA DO-365 and the broader sense-and-avoid certification environment are still maturing. Pilot-monitored automation, the C-level autopilot mode flying most commercial cruise segments today, is the operational state of the art. Between these two poles, structured intermediate autonomy - the kind that would let an eVTOL self-position on final, or a BVLOS inspection drone autonomously divert around weather - is architecturally underspecified.

The JARUS SORA process is the closest the industry has come to a structured intermediate, but it is fundamentally a pre-flight risk assessment, not an in-flight architectural primitive. Operators emerge from a SORA with an assigned Specific Assurance and Integrity Level (SAIL), but the runtime architecture that should enforce that SAIL during the flight is left to each operator and each manufacturer. Governed actuation produces the missing structural intermediate. Cruise-phase autonomy proceeds under operator-declared admissibility consistent with the SAIL; takeoff, landing, and any phase that crosses controlled airspace boundaries retain elevated authority and require ATC composition; emergency operations gain structurally supported escalation that mirrors the pilot-in-command escalation regulators already recognize. The architecture supports the gradual autonomy that Part 108, EASA Easy Access Rules, and ICAO Annex 2 RPAS amendments all converge toward.

3. Why Procedural Compliance Fails

Aviation has historically managed autonomy growth through procedural layering: a new automation capability is certified by demonstrating that the existing crew procedures, dispatch procedures, and air-traffic-control procedures still close the loop. The layering worked when automation supplemented a human pilot in command. It begins to break when automation is asked to be the pilot in command, because the closing procedures presuppose a human whose authority composes with regulatory and air-traffic authority in real time. Procedural compliance posture for autonomous aviation rests on three assumptions that fail under operational examination.

The first assumption is that an operator's flight-operations manual, validated against FAR Part 121 / Part 135 / Part 91 and certified by the relevant authority, can be transcribed into autopilot logic by adding ever-richer mode logic. The assumption fails because the manual encodes pilot judgment - "in conditions X, the pilot will Y" - and judgment is not a mode. Transcribing it as a mode either over-generalizes (Y in conditions adjacent to X, where the pilot would have done something else) or under-generalizes (no Y in conditions slightly outside X, where the pilot would still have done Y). The certification basis grows brittle in a way the procedural review does not surface, because the review consults the manual rather than the runtime.

The second assumption is that detect-and-avoid certification under RTCA DO-365 and the parallel EUROCAE WG-105 deliverables can be obtained as a system property and then trusted as a black box by the autopilot above it. The assumption fails because DAA certification is conditional - certified envelope, certified false-alarm rate, certified weather susceptibility - and the autopilot above does not, in current architectures, structurally consult the conditions of the certification at each decision. The DAA system issues an advisory and the autopilot acts; the autopilot does not check whether the advisory was issued inside or outside the conditions under which the advisory carries certification weight. The runtime gap is procedurally invisible until an incident exposes it.

The third assumption is that incident reconstruction can be performed adequately from flight-data-recorder traces and best-effort vendor narratives. NTSB and AAIB investigators have been explicit, in reports on autonomy-adjacent incidents over the past decade, that the assumption fails: traces show what the actuators did, vendor narratives explain what the logic was supposed to have done, and the gap between them - what the logic actually did, against what authority basis, with what confidence in the contributing observations - is reconstructed by inference rather than by reading the architecture's own record. As the autonomy share of any flight grows, the inferential reconstruction grows correspondingly weaker, until the investigation cannot resolve the question of authority composition that determines fault, liability, and the regulatory response.

4. What the AQ Governed-Actuation Primitive Provides (USPTO 64/049,409)

Each flight-control actuation - from a one-degree heading bug change to a full autoland engagement - admits through composite admissibility evaluation. Reversibility classification determines the autonomy posture: autopilot setting changes are fully reversible and admit under operator authority alone; control surface deflections are reversible within the flight envelope and admit under operator plus airworthiness authority; configuration changes such as gear and flap deployment are partially reversible and admit only when both the operational and the airworthiness envelope are simultaneously satisfied. Cross-system observations - inertial reference units, GPS receivers, radio altimeters, air-data computers, and increasingly LIDAR-based and camera-based DAA systems - support state confidence as a first-class architectural input rather than an opaque sensor-fusion output.

Sense-and-avoid certification gains a natural home in this structure. The DAA system is not a black box that issues advisories; it is a credentialed observer whose declared admissibility profile (range, false-alarm rate, response latency, weather susceptibility) composes with the operator profile and the regulatory profile at every avoidance decision. When the DAA system's declared admissibility cannot support an autonomous avoidance maneuver - say, in conditions outside its certified envelope - the architecture cleanly degrades the actuation authority rather than silently operating outside the certification basis.

Incident reconstruction gains structural support of the kind that accident investigators have wanted for decades. Post-incident audit traverses the same chain that the architecture maintains in flight: control inputs, admissibility evaluations at the moment of each input, the observation basis that supported each evaluation, and the outcome verification that closed each loop. NTSB and AAIB investigators no longer reconstruct an autonomy decision from flight-data-recorder traces and best-effort vendor narratives; they read it directly from architecturally supported records that map one-to-one onto the regulatory framework that authorized the operation in the first place.

Air traffic integration composes through the same primitive. ATC clearances, NOTAM-derived restrictions, dynamic Temporary Flight Restrictions, and the U-space service deliveries that EASA's UAS regulation contemplates each enter the architecture as credentialed authority declarations, scoped in space, time, and operational class. A clearance to climb to FL350 is not a free-text instruction; it is an authority declaration that composes with operator and airworthiness authorities to admit the climb actuation. When the clearance is amended, modified, or revoked, the composition rebalances at the next admissibility evaluation rather than requiring the autopilot to be disengaged and re-engaged. The same composition logic supports the Remote ID broadcast obligation that 14 CFR Part 89 already imposes on small UAS operators: the broadcast is itself a credentialed declaration that composes with the operator's authority to operate at the declared location, and any deviation surfaces as a structural inconsistency rather than a downstream enforcement question.

5. Compliance Mapping

FAR Part 121 commercial transport operations admit through composition of operator authority (the certificated air carrier), airworthiness authority (the type-certificate holder and the airworthiness directive corpus), and air-traffic authority (the controlling ATC facility), with each authority contributing credentialed observations and admissibility profiles into runtime decisions. Part 135 on-demand and commuter operations admit through the same composition with the appropriate authority subset. Part 91 general operations, including the in-development Part 91 frameworks for advanced air mobility, admit through the same primitive with the operator authority shifted to the pilot in command and the operator certificate where applicable.

FAA Part 108 BVLOS operations, when the rule reaches final form, admit through composition of the BVLOS operator authority, the UAS service supplier authority, and the relevant ATC or UTM authority for the operating volume. EASA Easy Access Rules for UAS admit through the SORA-derived SAIL composing with the U-space service provider authority and the competent authority. ICAO Annex 2 RPAS amendments, as they progress through the panel cycle, admit through the same primitive with state-of-registry, state-of-the-operator, and ANSP authorities composing at the relevant boundaries. The composition logic is the same primitive across the regulatory regimes; only the authority sets and admissibility profiles differ.

Incident-investigation regimes - the NTSB under 49 CFR Part 831, the AAIB under the UK Civil Aviation Act, BFU under German regulation, BEA under French regulation, JTSB under Japanese regulation - all admit the same lineage record as their primary investigative artifact. The record carries control inputs, admissibility evaluations at each input, the observation basis supporting each evaluation, the authority composition at each transition, and the outcome verification closing each loop. Investigators read the architecture's own record rather than reconstructing it from inference, and the regulatory response - airworthiness directive, operational directive, certificate action - composes back into the same chain that authorized the operation in the first place. The record is structurally cross-jurisdiction, so an operation that crossed multiple states' airspace produces a single coherent record admissible to each state's investigator under that state's authority recognition rules.

6. Adoption Pathway

Aviation autonomy gains a structurally coherent path between current automation and full autonomy - not a marketing roadmap, but an architectural one. Aviation regulators gain a framework that maps to the gradual-certification reality already embedded in Part 108, EASA Easy Access Rules, and the ICAO Annex 2 RPAS panel work. Urban air mobility, which has been forced to invent its own autonomy frameworks in the absence of a structured intermediate, gains a primitive that lets vertiport operators, eVTOL OEMs, and ATC service providers compose their authorities without bilateral integration agreements.

The architecture also supports aviation evolution on the timescales that aviation actually moves at. As autonomous-aviation certification frameworks mature - as Part 108 progresses from NPRM to final rule, as EASA's U-space regulation extends from urban environments to mixed airspace, as the ICAO RPAS panel publishes successive amendments - the architecture admits the changes through declared admissibility evolution rather than rip-and-replace re-engineering. As drone-airspace integration progresses past the current Remote ID baseline into full UTM participation, and as new aviation classes (high-altitude pseudo-satellites, supersonic civil transport, hydrogen-powered regional aircraft) emerge with their own authority compositions, the same primitive applies.

Operators that build against governed actuation today position themselves for the authority compositions that are still in regulatory drafting. The ASTM F38 committee work on UAS detect-and-avoid, the RTCA SC-228 minimum operational performance standards, and the parallel EUROCAE WG-105 deliverables converge on architectural requirements - declared performance envelopes, credentialed observation chains, composable authority transitions - that match the primitive directly. SORA 2.5 and the eventual SORA 3.0 will extend the same composition logic from pre-flight assessment into runtime enforcement. Governed actuation does not predict aviation's future; it gives aviation's future a place to land.

For the patent and standards record, the structurally novel claim is that the same primitive supports certified commercial autopilot operating under FAR Part 121, BVLOS drone operation operating under the eventual Part 108 final rule, urban air mobility operating under the in-development Part 135 / Part 91 hybrids that the FAA has begun to articulate, and emerging high-altitude operations operating under ICAO Annex 2 amendments still in draft. No prior architecture composes across that range without sector-specific re-engineering, and the composition is what gives operators, regulators, and air-traffic services a shared substrate to build the next decade of aviation autonomy on.