What You Are Building
You are building a governor: a stage that sits between your robot's planner and its actuators, so that no physical action reaches a motor, valve, brake, or manipulator without first being evaluated. When the evaluation says conditions are good, the action executes normally. When confidence is marginal, the action executes in a reduced form. When confidence is insufficient, the action does not execute at all and the robot holds a safe idle. Every one of those outcomes is written to a durable record.
This is the problem a searcher means by "how do I add a safety governor that pauses an autonomous robot's actions." The naive version of that request is an emergency stop. The version you actually want is a graduated decision that can pause, but can also permit at reduced magnitude, defer, or ask a human, and that leaves an auditable trail of why. That is what the disclosed architecture provides.
Who needs this: teams shipping mobile robots, manipulator arms, autonomous vehicles, dosing or dispensing devices, or any actuated effector where "just run the plan" is not safe when the world stops matching the plan's assumptions.
Why the Obvious Approaches Fall Short
The common approaches are real and useful, but each leaves a structural gap.
An emergency stop or hardware interlock is binary: the actuator either runs or is cut. That is correct for a guard door or a light curtain, but it has no middle. A robot that can only choose between full speed and dead stop cannot slow down, cannot finish a reversible sub-step, and cannot degrade gracefully when confidence is merely low rather than zero.
A confidence threshold bolted onto the planner also tends to be binary: above the line, act; below it, do not. It rarely accounts for the consequence of the specific action, whether that action is reversible, or whether the sensor evidence behind the decision was itself trustworthy. And when it fires, it usually leaves nothing behind to reconstruct the decision.
Functional-safety interlocks and e-stops, described accurately, provide the cut but offer no budget or expiration semantics for overrides, and only limited audit of what tripped and why. They are typically domain-specific to one machine class.
The structural gap common to all three: the decision to act is treated as a fixed algorithm over raw sensor readings, terminating at the actuator command, with no graduated response, no reversibility awareness, and no recorded provenance. The disclosed architecture closes that gap by making every actuation a governed decision with a spectrum of outcomes and a lineage record.
The Architecture
The disclosed approach, in the terms of the filing, is a confidence-governed execution primitive: every physical actuation of the environment by an autonomous, semi-autonomous, or operator-assisted unit is evaluated through a composite admissibility evaluator before execution, and the result selects among a graduated set of actuation modes rather than a binary permit-or-deny.
The core pieces:
An actuation chain, not a call. The filing structures execution as an ordered chain: consume the governed observations relevant to the action context; generate a proposed actuation (which specifies an actuator, a command, and parameters); evaluate that proposed actuation jointly with the surrounding evidence; select a mode; record the selected mode and the evaluation inputs to lineage before the actuator moves; command the actuator at the selected mode; observe the effect; verify the effect against what was expected; broadcast the executed action; and record the outcome. The action is a governed step, and every step is written down.
A composite admissibility evaluator gates the action. Rather than thresholding a single confidence number, the proposed actuation is evaluated jointly against consumed observations and further cognitive inputs described elsewhere in the filing (a dispositional field, forecasting observations, and a capability envelope). The point for your build is that admissibility is a composite of consequence, evidence quality, and capability, not a lone scalar.
A graduated actuation mode selector is where "pause" lives. The filing enumerates a plurality of modes and states that the mapping from admissibility to mode is continuous and bounded, not binary. The enumerated modes include, among others: a disabled mode where the actuator does not execute and the non-execution is recorded; a simulated (dry-run) mode; an advisory mode that records what would have been done without doing it; a consultative mode that asks a human or higher authority and waits; a partial mode at fractional magnitude, reduced rate, or reduced scope; a constrained mode subject to added limits; a stage-gated mode that executes in stages with re-evaluation between stages; a deferred mode; and a full mode at nominal execution. As admissibility rises the selector moves toward more autonomous modes; as it falls, toward less autonomous ones. Your "pause" is the disabled mode; your "slow down" is partial or constrained; your "ask first" is consultative.
A safe idle is the default when readiness is insufficient. The filing states that a harm-minimization path exceeding governance-defined risk thresholds proceeds in the disabled mode with the disabled decision recorded and the agent transitioned to a confidence-degraded operating mode. In the broader confidence-governor discussion, loss of governance-credentialed evidence reduces execution readiness, and the governor restores readiness only as corroborating observations accumulate. The design intent is: when the governor cannot justify motion, it does not move, and it says so in the record.
Reversibility shapes the decision. A reversibility-aware commitment-point evaluator classifies each proposed action (reversible, partially reversible, irreversible, time-bounded, and so on), identifies the commitment point beyond which the action can no longer be undone, elevates thresholds for irreversible actions, and prefers reversible paths and late commitment points among admissible candidates. Practically, this lets a staged action be interrupted before its irreversible stage when new evidence lowers admissibility.
Overrides are budgeted, not free. An emergency-preemption mechanism lets an authority-credentialed observation override ordinary thresholds and compel elevated execution, but subject to a preemption budget and an expiration. The filing distinguishes this from a bare interlock precisely because the override is credentialed, rate-limited, time-bounded, and recorded.
Verification closes the loop. After execution, a post-actuation verification mechanism compares observed effects against an expected-effect specification, classifies any discrepancy, and feeds the result back: repeated clean verifications can lower thresholds, repeated discrepant ones raise them or reduce the actuator's published capability.
Lineage is not optional. The filing records every actuation evaluation, mode selection, preemption event, commitment-point transit, harm-minimization selection, and verification outcome in a lineage field. That record is what makes each decision reconstructible after the fact.
How to Approach the Build
Implement this yourself, in this order.
Interpose a governor between planner and drivers. No actuator call should originate anywhere but the governor. Give every proposed action an explicit shape: { actuator, command, parameters }. This one refactor is what makes the rest possible.
Model the modes as an ordered enum, not a boolean. Start with a faithful subset: disabled, partial, constrained, consultative, full. The selector's job is to map an admissibility result onto one of these.
Build the admissibility check as a composite. Even a first version should combine more than one factor: the consequence class of the actuator, the quality or freshness of the evidence behind the action, and current capability. Return a determination, not just a pass or fail.
Set per-actuator thresholds by consequence. A high-consequence effector (a brake in traffic, a dosing pump, a life-safety actuator) should require elevated admissibility across multiple factors to reach full mode; a low-consequence effector (an indicator light) needs only baseline. The filing describes threshold sets defined per actuator class.
Make the safe idle the default outcome. When admissibility is below the lowest execution threshold, select disabled, hold the safe state, mark the unit confidence-degraded, and record the non-execution. Insufficient readiness must resolve to not moving, by construction, not by a caught exception.
Add reversibility as a modifier. Tag each actuator or command with a reversibility class. For irreversible actions, raise the threshold; for staged actions, define the commitment point and allow interruption before it.
An illustrative interface sketch (not shipping code; faithful to the chain above):
# ILLUSTRATIVE ONLY. You implement this.
def govern(proposed, evidence):
    a = admissibility(proposed, evidence)        # composite, not a scalar
    a = apply_reversibility(a, proposed)         # raise bar for irreversible
    mode = select_mode(a, thresholds[proposed.actuator])
    record_lineage(proposed, evidence, a, mode)  # BEFORE the actuator moves
    if mode == DISABLED:
        hold_safe_idle()
        return
    effect = drive(proposed, mode)               # partial/constrained/full
    verify(effect, expected(proposed), mode)     # feeds back into thresholds
Record before you move. Write the selected mode and the evaluation inputs to lineage prior to commanding the actuator, so a pause or an execution is reconstructible even if the actuator step fails.
Close the loop with verification. Predict the expected effect, observe the actual effect, and let sustained discrepancy raise thresholds or shrink the actuator's capability envelope.
Add budgeted preemption last. Only after the ordinary path is solid, add credentialed overrides with a rate budget and an expiration, and record every preemption.
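A compact Python realization of the chain from The Architecture and the build steps above, added here as an example; it is not code from the filing or from this guide's sketch. The two actuator classes, the threshold values, the 2 s staleness window, the irreversibility penalty and the capability reduction on failed verification are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
class Mode(IntEnum):  # ordered: a higher value is a more autonomous mode
    DISABLED = 0      # safe idle, nothing moves
    CONSULTATIVE = 1  # ask a human, hold until answered
    PARTIAL = 2       # fractional magnitude
    CONSTRAINED = 3   # near-nominal, with added limits
    FULL = 4          # nominal execution

@dataclass
class Proposed:  # the explicit shape every proposed action must have
    actuator: str
    command: str
    magnitude: float = 1.0

# Constructed sample configuration (assumed values, not from the filing)
ACTUATORS = {"indicator_led": ("low", True), "brake": ("high", False)}  # (consequence, reversible)
THRESHOLDS = {  # minimum admissibility to reach each mode, per consequence class
    "low":  {Mode.CONSULTATIVE: 0.2, Mode.PARTIAL: 0.3, Mode.CONSTRAINED: 0.4, Mode.FULL: 0.5},
    "high": {Mode.CONSULTATIVE: 0.4, Mode.PARTIAL: 0.6, Mode.CONSTRAINED: 0.75, Mode.FULL: 0.85},
}
SCALE = {Mode.CONSULTATIVE: 0.0, Mode.PARTIAL: 0.5, Mode.CONSTRAINED: 0.8, Mode.FULL: 1.0}
CAPABILITY = {"indicator_led": 1.0, "brake": 1.0}  # published capability, shrunk by failed verification
LINEAGE = []  # stand-in for the durable record; append-only

def admissibility(p, confidence, age_s):
    """Composite: evidence quality discounted by staleness, capped by capability."""
    freshness = max(0.0, 1.0 - age_s / 2.0)  # evidence older than 2 s counts for nothing
    a = min(confidence * freshness, CAPABILITY[p.actuator])
    if not ACTUATORS[p.actuator][1]:
        a = max(0.0, a - 0.15)  # irreversible action: the same evidence buys less admissibility
    return a

def select_mode(a, consequence):  # highest mode whose threshold the admissibility clears
    return max((m for m, t in THRESHOLDS[consequence].items() if a >= t), default=Mode.DISABLED)

def govern(p, confidence, age_s):
    """Returns (mode, commanded magnitude); lineage is written before any motion."""
    a = admissibility(p, confidence, age_s)
    mode = select_mode(a, ACTUATORS[p.actuator][0])
    LINEAGE.append({"actuator": p.actuator, "command": p.command, "a": round(a, 3), "mode": mode.name})
    return mode, (0.0 if mode == Mode.DISABLED else p.magnitude * SCALE[mode])

def verify(p, expected, observed, tol=0.05):
    """Post-actuation check; a discrepancy shrinks the actuator's published capability."""
    ok = abs(expected - observed) <= tol
    LINEAGE.append({"actuator": p.actuator, "verified": ok})
    if not ok:
        CAPABILITY[p.actuator] = max(0.0, CAPABILITY[p.actuator] - 0.3)
    return ok
```

With the same evidence the indicator light reaches full mode while the brake stops at partial, stale evidence drops the brake to disabled, and one failed verification pushes a later brake command down to consultative.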
What This Does Not Give You
This is an architecture, not a drop-in library. There is no package to install and nothing here "just works." You implement the evaluator, the mode selector, the thresholds, the lineage store, and the actuator drivers yourself, against your own hardware and your own safety case.
It is not benchmarked or productized here, and no performance or safety numbers are claimed; the filing describes the mechanisms, not measured outcomes. The admissibility evaluator, dispositional field, forecasting, and capability envelope are described in the filing at an architectural level, so quality depends entirely on how you realize them. The governor gates decisions; it does not replace the hardware interlocks, functional-safety measures, or certification your domain requires, and it does not by itself make an unsafe planner or unsafe sensors safe. If your effector is genuinely binary and single-purpose, a plain interlock may be the right tool and this layer may be more than you need.
Disclosure Scope
The confidence-governed actuation approach described here, including the graduated actuation modes, the composite admissibility gate, the safe-idle default under insufficient readiness, reversibility-aware commitment points, budgeted emergency preemption, post-actuation verification, and the lineage record of each decision, is disclosed in U.S. Provisional Application No. 64/049,409. This guide is educational: it explains an architecture you can build yourself. It is not a warranty, a safety certification, or an offer of software, and nothing here guarantees any particular safety outcome in your deployment.