What You Are Building

You are building a decision layer that sits between an autonomous vehicle's perception and planning stack and its actuators, and answers one question on every cycle: given how much the system currently trusts its own picture of the world, is it allowed to keep driving the way it is driving?

The failure this addresses is familiar to anyone who has watched a self-driving stack in an edge case. Confidence in the environment drops (rain fouls a sensor, a prediction about another road user stops matching the evidence, localization drifts), and the safety fallback is a single hard rule: stop now. An abrupt stop is sometimes correct, but making it the only response turns every moment of uncertainty into a hazard of its own. What you want instead is a system that treats degradation as a spectrum, matches its response to how bad things actually are, and leaves an auditable trail of why it did what it did.

This guide describes that decision layer as an architecture disclosed in United States Patent Application 19/647,395. You will implement it yourself; there is no package to install.

Why the Obvious Approaches Fall Short

The two common approaches each leave a structural gap.

The first is the binary fallback: define a "minimal risk maneuver" and trigger it when a monitor trips. This is real and widely used, and an emergency stop is a legitimate minimal risk maneuver. The gap is granularity. A binary monitor has one output, so a mild, recoverable degradation and a catastrophic one produce the same response. You cannot express "reduce speed and widen following distance" as a distinct action from "pull over" or "stop now" if the only lever is a single boolean.

The second is advisory confidence scoring: compute a confidence number, surface it, and let the planner weigh it as one input among many. The gap here is that advice can be overridden. If the confidence signal is just another term the planner balances against schedule or comfort, then under pressure the planner can rationalize proceeding on a picture of the world it does not actually trust. Nothing structurally prevents action when confidence is insufficient.

The architecture below closes both gaps: it makes the response graduated rather than binary, and it makes the gate a hard structural constraint rather than advice the planner may discount.

The Architecture

The center of the design is a confidence governor: a subsystem that continuously evaluates whether the vehicle should proceed with, modify, or suspend driving operations. Per the disclosure, it is a hard gate, not a priority hint. When it withdraws execution authorization, the execution pathway is structurally prohibited from committing actions or producing externally observable effects; the prohibition is implemented as a decoupling of the execution subsystem's output pathway, not as a flag the execution subsystem may choose to respect. There is no alternate route to action that bypasses the gate.

Confidence is computed from structured, domain-specific inputs. In the vehicle domain the disclosure names four: perception confidence (how consistent and complete the environment model is), prediction confidence (how well trajectory predictions for other road users are supported by consistent behavioral evidence), planning confidence (how well the planned trajectory holds safety margins under predicted environmental evolution), and localization confidence (how accurate the position estimate is within tolerance). These are inputs to the governor, not a single opaque score.

The response is graduated across defined thresholds. This is what replaces the binary stop. The disclosure describes response protocols that escalate as confidence falls:

  • First threshold: the vehicle increases following distances, reduces speed, and expands sensor integration windows. It keeps driving, more conservatively.
  • Second threshold: the vehicle initiates a controlled transition to a minimal-risk condition, reducing speed further, activating hazard indicators, and beginning to seek a safe stopping location.
  • Third threshold: the vehicle executes an emergency stop using the safest available trajectory.

The abrupt stop still exists. It is now the last rung of a ladder rather than the whole response.

Suspension is not cognitive shutdown. The disclosure separates execution from cognition at the substrate level. Authorization gating operates in three states: authorized, suspended (execution prohibited but reasoning, forecasting, and planning continue), and locked (reserved for severe integrity or resource failures pending external review). A suspended vehicle keeps evaluating the world and re-assessing; it has simply lost, for now, its authority to act. Recovery of authorization requires confidence to exceed the threshold by a configurable hysteresis margin, so the system does not oscillate at the boundary.

Two mechanisms feed the governor and matter directly for degradation. The capability envelope is a continuously recomputed model of what the vehicle can physically do right now, from sensor coverage, actuator status (steering, braking, propulsion), environmental conditions, and energy. A sensor degraded by rain spray produces a narrower envelope, and the narrower envelope reduces authorized speed and maneuver repertoire through a capability-to-confidence pathway. Separately, the forecasting engine generates multiple speculative trajectory branches, including emergency trajectories that provide immediate safe-state options, and each branch is evaluated through the governor and integrity checks before it can be promoted to motor execution. Speculative trajectories are structurally separated from committed motor commands; the vehicle does not begin executing a trajectory until it has passed the full gate.

Every transition is recorded in lineage. Each threshold crossing is written to the vehicle's lineage together with the confidence computation that triggered it, producing a deterministic record of every confidence-governed driving decision. Degradation is auditable after the fact, not a black box.

The disclosure also frames why an abrupt shutdown cannot be the universal answer: in embodied contexts an abrupt shutdown can itself be a safety hazard, so the system enters a governed degradation mode permitting the minimum operations necessary for safety rather than dropping dead.

How to Approach the Build

Work outward from the gate.

  1. Instrument confidence as separate signals. Do not start from one blended number. Produce perception, prediction, planning, and localization confidence as distinct, continuously updated values. Keeping them separate is what later lets you reason about which faculty degraded.

  2. Build the governor as a hard gate on the actuator pathway. The execution path to steering, braking, and propulsion must pass through the governor, and a withdrawal of authorization must physically prevent commands from reaching actuators, not merely advise against them. If a planner bug or an urgent goal could still push a command through, you have advice, not a gate. An illustrative interface sketch, faithful to the disclosed states (implement this yourself):

    # illustrative only, not a supplied library
    state = governor.evaluate(confidence, trajectory)   # -> AUTHORIZED | SUSPENDED | LOCKED
    if state != AUTHORIZED:
        execution.decouple()        # actuator commands cannot reach hardware
    
  3. Define your degradation ladder with explicit thresholds. Map the disclosed rungs to your platform: conservative-driving adjustments at the first threshold, controlled transition toward a minimal-risk condition at the second, emergency stop at the third. Pick concrete threshold values and safe behaviors per rung for your vehicle and operational design domain; the disclosure gives the structure, not your numbers.

  4. Add a capability envelope and wire it into confidence. Recompute, on each cycle, what the vehicle can do given sensor, actuator, environmental, and energy status, and let a narrowed envelope pull down authorized speed and maneuver set through the capability-to-confidence pathway. This is what makes a fouled sensor automatically shrink what the vehicle is allowed to attempt.

  5. Keep cognition alive under suspension. Ensure that entering the suspended state stops actuation but not perception, forecasting, and re-assessment, so the vehicle can recognize when conditions recover. Add hysteresis on the recovery transition to prevent chattering at the threshold.

  6. Record every transition to lineage. Log each threshold crossing with the confidence values that caused it. Treat this as load-bearing, not optional telemetry: it is what makes the degradation behavior reviewable and what supports post-incident forensics.

What This Does Not Give You

This is an architecture, not a drop-in library, and nothing here is benchmarked or productized. You implement every component yourself and are responsible for validating it in your own system.

The disclosure describes structure, not tuning. It does not give you the confidence-computation formulas, the threshold values, the safety margins, or the specific safe behaviors for each rung; those are yours to derive, test, and defend for your vehicle and its operational design domain. The disclosed graceful-degradation and confidence-governor design is distinct from an Operational Design Domain as used in autonomous vehicle standards, and it does not replace your obligations under whatever safety standards and regulations apply to you. It also does not certify sensors, verify actuators, or guarantee that any particular threshold produces a safe outcome in a given scenario. Graduated degradation only helps where a graduated response is physically available; a governor cannot manufacture a safe stopping location that does not exist, and in some situations an immediate stop remains the correct and only option.

Disclosure Scope

The confidence governor, the graduated threshold-based response protocol, the capability envelope, the execution-versus-cognition separation with authorized, suspended, and locked states, and the lineage recording of every transition are disclosed in United States Patent Application 19/647,395. This guide is educational: it explains an architectural approach so that a skilled engineer can build their own implementation. It is not a warranty, not a safety certification, and not an offer of software, and it does not grant any license. Claims here about how the approach works trace to that filing; the values, formulas, and safety validation required to field such a system are the implementer's responsibility.