Reversibility Classifier

by Nick Clark | Published April 25, 2026

Actuator commands are not interchangeable in the consequences of their commitment. Some commands can be reversed instantly at negligible cost; some can be reversed within a bounded window at bounded cost; some can be reversed only at substantial cost; and some cannot be reversed at all. The reversibility classifier is a pre-action gate that classifies each candidate command into one of these tiers, identifies the moment in the command's execution at which reversibility ends, and routes the command into a commit pathway whose evidentiary and authority requirements are matched to its tier.


Mechanism

The reversibility classifier sits between the policy layer that contemplates an action and the actuator layer that effects it. When the policy proposes a candidate command, the classifier consumes the command together with the actuator descriptor and the current operating context, and emits two outputs: a tier label drawn from a small enumerated lattice (instant, bounded, costly, irreversible), and a commitment-point descriptor that identifies, in the command's own execution timeline, the moment after which the tier no longer holds. The two outputs together specify the gate that the command must pass before execution.

Tier assignment is not heuristic. Each actuator type, in each operating context, carries a credentialed classification record signed by an authority appropriate to the actuator class. Vehicle actuators are classified under records signed by the relevant transport-regulatory authority; surgical actuators under records signed by the relevant surgical-procedure authority; energy-distribution actuators under records signed by the relevant grid authority; defense actuators under records signed by the relevant command authority. The classifier does not invent classifications; it consumes them and applies them. New actuator types acquire classifications by the same credentialed-governance flow that maintains every other policy artefact in the system.

The commitment-point descriptor is the structural innovation. Many commands appear monolithic at the policy level but are in fact decomposable into a sequence of sub-commitments. A surgical incision is contemplable, then planned, then approached, then breached — and only at the breach is the tissue irreversibly opened. A weapon engagement is contemplable, then targeted, then armed, then released — and only at release is the kinetic chain irreversibly initiated. A grid switch closure is contemplable, then aligned, then enabled, then closed — and only at closure is the circuit irreversibly energised. The commitment-point descriptor identifies the breach moment, the release moment, the closure moment in each case, and forces the gate to sit immediately before that moment rather than at the start of the contemplation.

Once the tier and commitment-point are known, the gate enforces tier-matched requirements. An instant-tier command passes through with the same admissibility check that applies to any nominal action. A bounded-tier command requires that an undo or compensation pathway be enrolled and ready before the commit. A costly-tier command requires that the policy and the operator (where present) jointly ratify the commit and that the evidentiary record carry enough state to support post-hoc review. An irreversible-tier command additionally requires that a higher authority credential — one that the contemplating policy does not itself hold — be presented at the commitment-point, and that an independent evidence channel corroborate the conditions under which the commit is being made. The classifier does not authorise the irreversible action; it forces the system to assemble the authority and evidence needed for the irreversible action to be authorised by some other component.
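The tier-matched gate described above, sketched as an added example (not code from the disclosure). The field names and the integer authority scale are assumptions, and the undo pathway is required only at the bounded tier, which is one literal reading of the paragraph.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):  # lattice from the text; higher value = more restrictive
    INSTANT = 0
    BOUNDED = 1
    COSTLY = 2
    IRREVERSIBLE = 3


@dataclass(frozen=True)
class CommitRequest:
    """State assembled at the commitment-point (field names are assumptions)."""
    tier: Tier
    admissible: bool                      # nominal admissibility check
    undo_enrolled: bool = False           # undo/compensation pathway ready
    policy_ratified: bool = False
    operator_present: bool = False
    operator_ratified: bool = False
    review_state_recorded: bool = False   # evidence for post-hoc review
    policy_authority: int = 0             # level the contemplating policy holds
    presented_authority: int = 0          # credential shown at the commitment-point
    corroborated: bool = False            # independent evidence channel agrees


def gate(req: CommitRequest) -> tuple[bool, list[str]]:
    """Return (admit, unmet requirements) for the request's tier."""
    unmet = []
    if not req.admissible:
        unmet.append("admissibility")
    if req.tier == Tier.BOUNDED and not req.undo_enrolled:
        unmet.append("undo_pathway")
    if req.tier >= Tier.COSTLY:
        # Joint ratification: the operator's consent counts only where one is present.
        if not req.policy_ratified or (req.operator_present and not req.operator_ratified):
            unmet.append("joint_ratification")
        if not req.review_state_recorded:
            unmet.append("review_state")
    if req.tier == Tier.IRREVERSIBLE:
        # Strictly greater: the contemplating policy cannot clear its own gate.
        if req.presented_authority <= req.policy_authority:
            unmet.append("higher_authority")
        if not req.corroborated:
            unmet.append("independent_corroboration")
    return (not unmet, unmet)
```

The function only reports which requirements are unmet; assembling the missing authority and evidence is left to other components, as the paragraph requires.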

Operating Parameters

The classifier's operating envelope is defined by the credentialed classification records and by a small set of system-level parameters. Latency from candidate-command receipt to gate decision is bounded; in practice this bound is on the order of milliseconds for instant-tier commands and may extend to seconds for irreversible-tier commands where the higher-authority credential must be solicited synchronously. The classifier never silently defers a decision: a candidate command for which the tier cannot be established within the latency bound is rejected as unclassifiable, and the policy must either re-pose the command with sufficient context or accept the rejection.

Tier promotion is asymmetric. The classifier may promote a command to a higher tier (more restrictive) when contextual factors warrant — for example, classifying an ordinarily-bounded grid switch closure as costly when the downstream substation is in maintenance — but it may not demote a command to a lower tier than the credentialed classification specifies. Demotion requires a credentialed override carrying authority equal to or greater than the authority that signed the classification record, and the override is itself recorded in the evidentiary trail.
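The asymmetric promotion rule, as an added example that is not part of the original disclosure. The record and override types, the integer authority scale, and the choice to apply contextual promotion after any override are assumptions; signature verification of the record is taken as already done.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):  # lattice from the text; higher value = more restrictive
    INSTANT = 0
    BOUNDED = 1
    COSTLY = 2
    IRREVERSIBLE = 3


@dataclass(frozen=True)
class ClassificationRecord:
    actuator: str
    tier: Tier
    signer_authority: int  # assumed integer authority scale


@dataclass(frozen=True)
class Override:
    target_tier: Tier
    authority: int


def effective_tier(record, context_tier: Optional[Tier] = None,
                   override: Optional[Override] = None, trail=None) -> Tier:
    """Resolve the tier to gate on; every promotion or override is logged."""
    trail = [] if trail is None else trail
    tier = record.tier
    if override is not None and override.target_tier < tier:
        # Demotion needs authority equal to or greater than the record's signer.
        granted = override.authority >= record.signer_authority
        trail.append(("override" if granted else "override_refused",
                      record.actuator, tier.name, override.target_tier.name))
        if granted:
            tier = override.target_tier
    if context_tier is not None and context_tier > tier:
        # Context may only raise the tier; a lower suggestion is ignored.
        trail.append(("promote", record.actuator, tier.name, context_tier.name))
        tier = context_tier
    return tier
```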

The commitment-point is parameterised by actuator dynamics. For a fast actuator (a solenoid release, a pyrotechnic deployment) the commitment-point is essentially the command instant and the gate must be cleared synchronously. For a slow actuator (a surgical instrument advance, a mechanical valve transit) the commitment-point lies in the future relative to the command instant, and the gate may admit the command into a staged advance with a hold immediately before the commitment-point. The staged-advance embodiment converts a single irreversible command into a sequence of bounded-tier sub-commands terminating at a final irreversible step, and this conversion is itself the principal cost-reduction lever of the classifier.
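A staged advance with a hold immediately before the commitment-point, as an added example rather than code from the disclosure. The class, its method names, and the stage names are assumptions, and the final stage is taken to be the irreversible step.

```python
from dataclasses import dataclass, field


@dataclass
class StagedAdvance:
    """Stages of one command; the last stage is the commitment-point."""
    stages: list                                  # e.g. ["align", "enable", "close"]
    done: list = field(default_factory=list)      # stages already executed
    log: list = field(default_factory=list)       # constructed evidentiary trail

    @property
    def committed(self) -> bool:
        return len(self.done) == len(self.stages)

    def advance(self, gate_cleared: bool = False) -> str:
        """Run pending stages; hold immediately before the final one unless
        the tier-matched gate has been cleared."""
        if self.committed:
            return "committed"
        for stage in self.stages[len(self.done):-1]:
            self.done.append(stage)
            self.log.append(("stage", stage))
        if not gate_cleared:
            self.log.append(("hold", self.stages[-1]))
            return "held"
        self.done.append(self.stages[-1])
        self.log.append(("commit", self.stages[-1]))
        return "committed"

    def abort(self) -> list:
        """Back out the reversible stages in reverse order; refused after commit."""
        if self.committed:
            raise RuntimeError("past the commitment-point: nothing to undo")
        undone = self.done[::-1]
        self.done.clear()
        self.log.append(("abort", tuple(undone)))
        return undone
```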

Alternative Embodiments

The classifier admits several embodiments differing in where the classification record is held, how the commitment-point is specified, and how the higher-authority requirement is satisfied. In a fully on-vehicle embodiment, classification records are pre-provisioned and travel with the vehicle; the classifier consults a local store and the higher-authority credential is held by the human operator when present and by a remote-supervisor link when not. In a fleet-supervised embodiment, classification records live in a fleet-side authority and are streamed to the vehicle as actuator inventories change; the higher-authority credential is held by a fleet supervisor and is solicited synchronously for irreversible-tier commands. In a fully cloud-anchored embodiment the classification records and higher-authority credential both reside in the cloud; this embodiment is appropriate where connectivity is reliable and where the additional latency is acceptable.

The commitment-point descriptor itself admits two principal embodiments. In the explicit embodiment the descriptor is a named instant in the command's execution timeline and the gate is implemented as a hold-and-release on that instant. In the implicit embodiment the descriptor is a function of the actuator state and the gate is implemented as a state-conditioned interlock that releases when the actuator's pre-commitment conditions are satisfied and rejects otherwise. The two embodiments are interchangeable from the policy's perspective; the choice is governed by the controllability of the underlying actuator.

The higher-authority requirement for irreversible-tier commands admits embodiments ranging from a local two-key interlock (where the second key is held by a co-located human operator) through a remote-supervisor sign-off (where the second key is a remote credential) to a multi-party threshold credential (where the second key is constructed only when several distributed authorities concur). The classifier is agnostic to which embodiment is used; it requires only that the credential presented at the commitment-point carry authority strictly greater than the credential under which the policy is operating.

Composition

The classifier composes upward with the policy layer and downward with the actuator layer, and its value is realised only when both compositions are present. Upward, the classifier exposes a contemplation interface: the policy may pose a candidate command and receive the tier and commitment-point without committing to execution. This permits the policy to consider the cost of a contemplated action — particularly an irreversible one — before assembling the authority and evidence needed to commit it, and it permits the policy to substitute a lower-tier alternative when one exists. A policy that is offered an irreversible-tier classification for one candidate may, on receiving that classification, search for a bounded-tier alternative that achieves substantially the same effect and re-pose the command in that alternative.

Downward, the classifier composes with the actuator's own staging machinery. Where the actuator supports staged advance, the classifier issues sub-commands that map to the actuator's stages and holds the actuator at the stage immediately before the commitment-point until the gate is cleared. Where the actuator does not support staged advance, the classifier holds the command at the policy interface and releases it only when the gate is cleared. The composition preserves the actuator's own safety envelope: the classifier never bypasses an actuator-level interlock and never commits a command that the actuator itself would reject.

Laterally, the classifier composes with the evidentiary record. Every gate decision — admit, reject, promote, override — is recorded with the credentialed classification record that supported it, the contextual factors that drove any promotion, and the credentials under which the gate was cleared. The evidentiary record is the substrate of post-hoc review and the means by which credentialed governance updates the classification records themselves over time.

Cross-Domain Application

The classifier is intended to operate uniformly across domains in which actuator commands carry differential reversibility, with only the credentialed classification records and the higher-authority credentials varying by domain. In aviation autonomous flight the lattice maps cleanly onto the descent-flare-touchdown phase structure: descent input is bounded, flare is costly, touchdown is irreversible, and the commitment-point at flare initiation is the natural site of the higher-authority gate. In autonomous surgery the lattice maps onto the retraction-dissection-resection-closure phase structure: retraction is instant, dissection is bounded, resection is costly, and the irreversible-tier sites are the specific incisions that breach tissue planes. In autonomous grid operation the lattice maps onto the alignment-enable-close-energise phase structure: alignment is instant, enable is bounded, close is costly, and energisation onto a sealed substation is irreversible.

In each domain the structural mechanism is invariant. The classifier consumes a credentialed classification record, identifies the commitment-point, gates the command behind the tier-matched authority requirement, and records the gate decision in the evidentiary trail. The domain-specific component is the classification record itself, which is signed by the authority appropriate to the domain and which encodes the domain's own understanding of where reversibility ends. This separation of invariant mechanism from domain-specific record is the principal reuse lever of the disclosure: a deployment in a new domain acquires the classifier without re-engineering the gating discipline, and it imports its domain-specific reversibility classification through the same credentialed-governance flow that maintains every other policy artefact.

Prior-Art Distinction

Conventional autonomous-actuator architectures treat actuator commands as a uniform stream and apply a single admissibility check to all of them. The check is appropriate for reversible commands and is the source of the well-known failure mode in which an irreversible command is committed under the same architectural assumptions that govern a reversible one. The literature has addressed this failure mode by case-by-case engineering — a special interlock here, a two-key procedure there — but the case-by-case approach does not generalise across actuators or across operating contexts.

The classifier described here generalises by abstracting the structure of the failure mode. The tier lattice is small and enumerated; the commitment-point is explicit and credentialed; the higher-authority requirement at the irreversible tier is structural rather than ad-hoc. The combination — credentialed classification, explicit commitment-point, tier-matched gating, asymmetric promotion, and evidentiary recording — is not present in the conventional architectures and is not present in the case-by-case literature.

Disclosure Scope

The disclosure covers the classifier as a pre-action gate operating on a tiered reversibility lattice, the credentialed-classification discipline by which tier assignment is sourced, the explicit commitment-point descriptor by which gating moments are located, and the asymmetric-promotion and higher-authority disciplines by which irreversible commits are constrained. It covers the embodiments above and any embodiment that preserves these disciplines together. It does not cover any embodiment that treats actuator commands uniformly across reversibility classes, that allows tier demotion without credentialed override, or that commits irreversible-tier commands under the same authority that contemplated them.

Invented by Nick Clark
Founding Investors: Anonymous, Devin Wilkie