Eleven Graduated Execution Modes

by Nick Clark | Published April 25, 2026

The pre-action governance gate disclosed here replaces binary permit/suppress logic with a graduated mode set whose membership is a deterministic function of governance state, threat level, and confidence. The gate operates in four broad regimes — permissive, standard, restrictive, and lockout — each of which decomposes into a set of categorically distinct execution modes (simulated, advisory, consultative, shadowed, partial, constrained, stage-gated, deferred, full, emergency-accelerated, emergency-overridden) selected per action under a composite admissibility evaluation. Mode selection is captured in lineage with the governance state, threat estimate, and confidence descriptor that produced it, so every commit decision is reconstructable from recorded inputs.


Mechanism

The gate sits between the action-proposing layer of an autonomous system and the actuator surface. A proposed action is presented to the gate as a tuple comprising the action class, the requested authority envelope, the confidence descriptor under which the proposal was generated, and the credential of the proposing component. The gate evaluates this tuple against three live inputs: the prevailing governance state (the policy currently bound to the operating jurisdiction and vehicle class), the current threat estimate (a structured descriptor of hazards in the operating environment), and a confidence floor derived from the proposing component's recent calibration record. The evaluation produces a regime classification — permissive, standard, restrictive, or lockout — which in turn selects a mode within that regime.

In the permissive regime, full and emergency-accelerated modes are admissible; the gate commits proposed actions at the requested authority and may elevate priority under credentialed preemption. In the standard regime, full, partial, stage-gated, and shadowed modes are admissible; the gate commits at requested authority where confidence and threat permit, reduces authority where they do not, and runs shadowed verification where reversibility considerations require it. In the restrictive regime, partial, constrained, consultative, deferred, advisory, and simulated modes are admissible; the gate either commits a fraction of requested authority within a tightened envelope, requires operator ratification, holds the action pending additional evidence, or computes the action without committing it. In the lockout regime, only simulated and emergency-overridden modes are admissible; ordinary actions are computed but not committed, and only credentialed override traffic reaches the actuator.

Mode selection within a regime is deterministic. The gate applies a fixed selection function to the proposal tuple and the live inputs; the same inputs produce the same mode at every evaluation. Determinism is a structural property of the gate, not a statistical observation; the selection function is configured at credential install time and is not subject to runtime drift. Every selection, including selections that result in suppression, emits a lineage record capturing the inputs, the selected regime, the selected mode, and the resulting commit token (if any).
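A sketch of deterministic selection with lineage capture, added here as an illustration and not taken from the disclosure itself. The regime thresholds, the within-regime selection rules, the set of modes that yield no commit token, and the boolean `preempt` and `override` fields (standing in for credential checks) are all assumptions; only the regime-to-mode admissibility table comes from the text.

```python
import hashlib
import json

# Admissible modes per regime, as enumerated in the text above.
ADMISSIBLE = {
    "permissive": {"full", "emergency-accelerated"},
    "standard": {"full", "partial", "stage-gated", "shadowed"},
    "restrictive": {"partial", "constrained", "consultative",
                    "deferred", "advisory", "simulated"},
    "lockout": {"simulated", "emergency-overridden"},
}
NO_TOKEN = {"simulated", "advisory", "consultative", "deferred"}  # assumed

def classify_regime(threat, conf, floor):
    """Piecewise-constant regime map; thresholds are assumed policy values."""
    if threat >= 0.9:
        return "lockout"
    if conf < floor or threat >= 0.6:
        return "restrictive"
    return "standard" if threat >= 0.2 else "permissive"

def select(proposal, threat, floor):
    """Pure function of its inputs: no clock, randomness, or hidden state."""
    # Discount the point estimate by recent calibration agreement (0..1).
    conf = proposal["confidence"] * proposal["calibration"]
    regime, margin = classify_regime(threat, conf, floor), conf - floor
    if regime == "permissive":
        mode = "emergency-accelerated" if proposal["preempt"] else "full"
    elif regime == "standard":
        mode = ("shadowed" if not proposal["reversible"]
                else "full" if margin >= 0.2 else "partial")
    elif regime == "restrictive":
        mode = ("constrained" if margin >= 0
                else "consultative" if margin >= -0.2 else "simulated")
    else:
        mode = "emergency-overridden" if proposal["override"] else "simulated"
    if mode not in ADMISSIBLE[regime]:
        raise RuntimeError("selection function violates regime admissibility")
    body = {"inputs": {"proposal": proposal, "threat": threat, "floor": floor},
            "regime": regime, "mode": mode}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    token = None if mode in NO_TOKEN else "tok-" + digest[:16]
    return {**body, "commit_token": token, "digest": digest}

def replay(record):
    """Re-run selection from recorded inputs; True only if the record matches."""
    i = record["inputs"]
    return select(i["proposal"], i["threat"], i["floor"]) == record
```

Because `select` reads nothing but its arguments, `replay` doubles as an audit check: a lineage record whose mode or token was altered after the fact no longer matches the recomputed selection.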

Operating Parameters

The governance state is loaded into the gate as a credentialed policy descriptor expressing, per action class, the regime mapping as a function of threat and confidence. Representative deployments specify regime boundaries as piecewise-constant functions over a low-dimensional threat-confidence space; more elaborate deployments admit policy-defined predicates whose decidability is verified at install time. Threat estimates are produced by an upstream threat-assessment component and are presented to the gate as a structured descriptor; the gate does not estimate threat itself.

Confidence floors are configured per action class and per credential. An action class with high reversibility may carry a low floor, admitting commit under modest confidence; an action class with low reversibility carries a high floor, forcing the gate into restrictive or lockout regimes when confidence is inadequate. Confidence descriptors include both a point estimate and a calibration record indicating recent agreement between predicted and observed outcomes; the gate consults the calibration record to discount overconfident proposing components.

Per-mode envelope parameters specify the authority bounds that apply within each mode. Full mode commits at requested authority bounded only by the credentialed maximum. Partial mode commits at a configured fraction of the requested authority. Constrained mode applies a tightened envelope on speed, lane, headway, and turn discipline. Stage-gated mode decomposes the action into a configured sequence of bounded sub-actions, each of which is committed only after the prior sub-action's outcome has been observed. Deferred mode holds the action for a configured maximum duration during which additional evidence may resolve the deferral. Simulated mode runs the action through the actuator model without commanding the physical actuator.

Emergency modes carry their own parameters. Emergency-accelerated commits draw from a credentialed preemption budget whose depletion forces the gate back to ordinary modes; the budget refills under a configured policy. Emergency-overridden requires a credentialed override whose validity window, action class scope, and lineage requirements are specified at credential issuance.

Alternative Embodiments

The gate may be realized as a dedicated component in the actuation pipeline, as a library linked into the proposing component, or as a distributed evaluation in which different facets of the selection function execute on different nodes. The distributed embodiment is appropriate for deployments where governance evaluation, threat assessment, and confidence estimation are performed by separate certified subsystems; the gate aggregates their outputs and applies the selection function locally to preserve determinism.

The mode set itself admits variation. Embodiments deployed in low-reversibility domains (medical actuation, industrial-control actuation) may extend the mode set with additional stage-gated variants reflecting domain-specific staging discipline. Embodiments deployed in high-reversibility domains (display advisories, simulation environments) may collapse the restrictive-regime modes into a smaller set. The architecture does not prescribe a fixed cardinality; it prescribes a structural decomposition over commit authority, verification requirement, reversibility envelope, and operator involvement, and admits any mode set obtained by enumerating combinations of these axes that the deployment requires.

Threat estimation may be embedded within the gate or sourced externally. In embedded embodiments the gate consumes raw perception outputs and produces its own threat descriptor under a certified estimator; in external embodiments the threat descriptor is supplied by a fleet-level safety service. The two embodiments are interchangeable at the gate's input boundary because the threat descriptor format is fixed by the policy schema.

Operator involvement modes (advisory, consultative) may be realized through onboard human-machine interfaces in driver-supervised deployments, through teleoperation links in remotely supervised deployments, or through asynchronous review queues in supervisory-fleet deployments. The gate treats these as variations in the latency and credentialing of the ratification path; the mode semantics are identical.

Composition

The gate composes with existing functional-safety logic as an additive layer. Functional-safety standards (ISO 26262, IEC 61508, IEC 61511, IEC 62304) specify hazard analyses, integrity levels, and bounded-fault behaviors that constitute an unconditional floor: actions violating the floor are suppressed regardless of governance regime. The gate operates above this floor. Where the certified safety logic permits an action, the gate selects a mode under which the action is committed; where the certified safety logic forbids an action, the gate has no admissible mode and the action does not reach the actuator. Existing safety certification is preserved because the gate does not relax any safety constraint; it only further constrains commit authority above the certified floor.

The gate composes with the upstream perception and planning layers through the proposal interface. Proposing components produce action proposals at their native cadence; the gate evaluates each proposal at the gate's epoch, which may differ from the proposing cadence. Proposals that arrive faster than the gate epoch are coalesced; proposals that arrive slower are evaluated against the most recent live inputs. The proposing component does not participate in mode selection beyond producing the confidence descriptor that accompanies its proposal.

The gate composes with downstream actuators through the commit-token interface. A commit token carries the selected mode, the bounded authority envelope, and a validity window; the actuator commits the action only within the envelope and only during the window. Tokens for stage-gated mode carry the staging schedule; tokens for partial mode carry the authority fraction; tokens for shadowed mode are consumed by a verification consumer rather than the primary actuator. Actuators do not re-evaluate governance; the gate is the sole governance authority in the actuation path.
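The actuator side of the commit-token interface, as an added example that is not part of the disclosure. The token layout, the shared HMAC key used to authenticate tokens, and the function names are assumptions; the behaviours shown (envelope clamp, validity window, partial-mode fraction, shadowed routing) follow the paragraph above.

```python
import hashlib
import hmac
import json

GATE_KEY = b"constructed-demo-key"  # assumption: gate and actuator share a MAC key

def _mac(claims):
    payload = json.dumps(claims, sort_keys=True).encode()
    return hmac.new(GATE_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(mode, max_authority, not_before, not_after, fraction=None):
    """Gate side: bind mode, envelope and validity window under one MAC."""
    claims = {"mode": mode, "max_authority": max_authority,
              "not_before": not_before, "not_after": not_after,
              "fraction": fraction}
    return {"claims": claims, "mac": _mac(claims)}

def actuate(token, requested, now):
    """Actuator side: returns (sink, authority). Policy is never re-evaluated;
    the actuator only checks that the token is authentic, current and bounded."""
    if not hmac.compare_digest(_mac(token["claims"]), token["mac"]):
        return ("rejected", 0.0)          # altered or forged token
    c = token["claims"]
    if not (c["not_before"] <= now <= c["not_after"]):
        return ("rejected", 0.0)          # outside the validity window
    commanded = requested
    if c["mode"] == "partial":
        commanded = requested * c["fraction"]   # configured authority fraction
    commanded = min(commanded, c["max_authority"])
    if c["mode"] == "shadowed":
        return ("verifier", commanded)    # verification consumer, not the actuator
    return ("actuator", commanded)
```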

The gate composes with cross-jurisdictional fleet operation through governance-credentialed policy swaps. As the vehicle crosses a jurisdictional boundary, a new policy descriptor is loaded under the appropriate credential; the gate's selection function is reconfigured at the swap epoch and all subsequent proposals are evaluated under the new policy. Pending stage-gated commitments either complete under the prior policy or are cancelled and re-proposed under the new policy, depending on the swap discipline configured for the action class.

Prior-Art Distinction

Prior art in autonomous-system safety treats commit authority as binary at the actuator boundary: an action either is or is not commanded. Graduated commit semantics, where they appear, are realized inside the planning or control layer rather than at a governance gate, and are coupled to a specific planner or controller architecture. The architecture disclosed here separates governance from planning: the gate evaluates governance independent of how the proposed action was generated, and produces graduated outcomes that any planner-controller stack can consume through the commit-token interface.

Functional-safety standards specify integrity levels and fault-handling regimes but do not specify graduated operational outcomes under varying governance state, threat, and confidence. The standards are silent on operator-collaborative modes (shadowed, advisory, consultative) and on staging disciplines (stage-gated, deferred). The gate fills this gap without altering the certified safety logic; it composes additively, providing graduated outcomes the standards cannot specify alone.

Policy-driven access control systems (RBAC, ABAC, capability systems) provide binary admissibility decisions over discrete operations. The gate generalizes this pattern to continuous-authority physical actuation by introducing the regime-mode decomposition; an action that would be a binary permit/deny under access-control semantics becomes a graduated commit under gate semantics, and the gate's selection function is the formal extension of an access-control predicate to a graduated codomain.

Risk-graded autonomy frameworks proposed in the research literature contemplate graduated authority but typically prescribe ad hoc mode sets without structural decomposition, without deterministic selection, and without lineage discipline. The gate prescribes all three: a structural decomposition over named axes, a deterministic selection function, and a lineage record sufficient to reconstruct the commit decision from recorded inputs.

Disclosure Scope

The disclosure encompasses the graduated mode-set gate independent of vehicle class, actuator technology, jurisdiction, and proposing-component architecture. The inventive contribution lies in the regime-mode decomposition driven by composite admissibility over governance state, threat, and confidence; in the deterministic selection function with full lineage capture; in the additive composition with certified functional-safety logic; and in the credentialed swap discipline that admits cross-jurisdictional operation without re-engineering. Embodiments described herein are illustrative; variations in mode cardinality, regime boundaries, threat-descriptor schema, confidence-floor configuration, and commit-token format fall within the scope of the disclosure provided they preserve the graduated-mode and deterministic-selection properties.

Invented by Nick Clark
Founding Investors: Anonymous, Devin Wilkie