This architecture extends concepts from fail-safe design (IEC 61508), graceful degradation, and safe control theory including Control Barrier Functions (CBF). CARA advances these foundations by providing a deterministic, phased recovery protocol with a non-compensatory terminal gate — structurally preventing utility-maximization override of safety constraints.
A Deterministic Authority Recovery Architecture for Human-Machine Authority-Gated Autonomous Systems
Patent SubmittedZenodo: Oktenli, B. (2026). Control Authority Regulation Architecture. Zenodo. 10.5281/zenodo.18917790
When autonomous systems experience authority lockout due to trust collapse, sensor failure, or adversarial interference, the system must recover safely rather than remain indefinitely in a degraded or inoperable state. Binary reset approaches (full restart or manual intervention) create dangerous gaps in operational capability, particularly in defense and critical infrastructure where continuous operation is essential.
The Simplex architecture (Sha, 2001) provides binary switching between a complex and a simple controller, but lacks graduated recovery phases. CARA extends this concept by implementing structured recovery through four GREP phases, enabling autonomous systems to restore authority incrementally while maintaining safety guarantees throughout the recovery process.
CARA implements deterministic recovery through four structured phases known as GREP (Guard, Reduce, Evaluate, Promote). When HMAA authority enters A0 (revoked), CARA activates automatically and manages the system through recovery:
CARA is activated by HMAA when authority enters A0 (revoked). It uses SATA trust readings to monitor recovery progress and determine when authority can be safely restored. In the rover testbed, CARA manages safe-stop and return-safe behaviors. In the UAV platform, CARA controls safe-land, hover-hold, and return-to-base protocols. CARA ensures that recovery is structured and deterministic rather than relying on binary reset or manual intervention.
All architectures (SATA, HMAA, CARA, MAIVA, FLAME, ADARA, ERAM) are components of a unified authority-governed autonomy framework. This architecture is validated through six physical research platforms (Rover Testbed, UAV Platform, BLADE-EDGE, BLADE-AV, BLADE-MARITIME, BLADE-INFRA) and thirteen interactive simulations.
Deployment flexibility: This architecture can operate as part of the full governance pipeline (SATA-HMAA-ADARA-MAIVA-FLAME-CARA) or independently as a single-layer module. CARA can operate as a standalone recovery module on resource-constrained edge devices, providing deterministic fail-safe behavior without the full governance stack.
When an autonomous system experiences authority lockout (trust collapse causing complete loss of operational authority), it must recover safely. Current approaches implement one of two strategies: full system restart (losing operational context and creating dangerous gaps in capability) or manual intervention (requiring human operator availability that may not exist in contested environments).
The Simplex architecture (Sha, 2001) provides a foundational approach to runtime safety through binary switching between a complex controller and a verified simple controller. However, Simplex operates as a binary switch without graduated recovery phases, making it insufficient for systems that must regain full capability incrementally while maintaining safety guarantees at each stage.
Knight (2002) identifies that safety-critical systems require predictable failure modes with well-defined recovery paths. CARA implements this principle through structured, deterministic recovery that never allows an unsafe state transition regardless of the recovery scenario. Each GREP phase has formally specified entry and exit conditions, ensuring that recovery progress is monotonic and verifiable.
The four GREP phases execute sequentially with strict ordering guarantees. No phase can be skipped, and backward transitions occur only if trust deteriorates during recovery:
Immediate safe-stop upon A0 lockout. All autonomous commands are disabled. The system enters a protected state where only safety-critical monitoring continues.
Entry condition: HMAA authority reaches A0 (τ < 0.30). Exit condition: Minimum dwell time elapsed AND at least one sensor showing trust recovery. Behaviors: Safe-stop (rover), hover-hold or safe-land (UAV).
Minimal safe behaviors using only highest-trust sensors. The system can execute limited protective actions but not mission objectives.
Entry condition: Guard phase complete, trust trend positive. Exit condition: Fused trust sustained above 0.35 for configurable period. Behaviors: Return-safe (rover), return-to-base (UAV).
Active monitoring of trust recovery with sustained improvement required before authority restoration. The system tests sensor reliability through controlled self-diagnostic maneuvers.
Entry condition: Reduce complete, fused trust above 0.35. Exit condition: Trust sustained above 0.55 for dwell period AND no trust regression. Behaviors: Crawl-mode (rover), constrained loiter (UAV).
Gradual authority restoration with constrained operation. Authority returns to A1 first, then A2, then A3 only after sustained high trust.
Entry condition: Evaluate complete, trust above 0.55. Exit condition: Full authority restoration (A3) when τ > 0.80 sustained. Behaviors: Degraded-teleop → supervised autonomy → full autonomy.
CARA includes a terminal safety mechanism: the non-compensatory policy gate. This gate blocks authority restoration if any single policy condition fails, regardless of how well other conditions are met. High trust in most sensors cannot compensate for a critical sensor remaining in a failed state. This prevents the system from resuming full autonomy when a known-compromised sensor remains in the loop.
Only one CARA recovery behavior is active at any time. This prevents conflicting commands (e.g., return-to-base and hover-hold simultaneously) and ensures the system always has a single, unambiguous operational mode during recovery.
CARA recovery has been validated across the full range of fault scenarios in both simulation environments:
Key validation results: no A0-to-A3 single-step recovery possible (hysteresis enforced), Guard phase activates within one control cycle of lockout detection, Reduce phase correctly selects highest-trust sensors for minimal operations, non-compensatory gate correctly blocks restoration with any failed sensor, and all GREP transitions logged with timestamps for post-incident reconstruction.
The CARA simulation demonstrates the complete GREP recovery protocol in real-time. Users can inject faults to trigger A0 lockout, then observe the structured recovery process as CARA progresses through Guard, Reduce, Evaluate, and Promote phases.
Color-coded phase indicators showing current recovery stage, dwell timers, and transition conditions in real-time.
Visual display of active recovery behavior (safe-stop, return-safe, crawl-mode, degraded-teleop) with mutual exclusivity enforcement.
Live trust trend visualization showing whether recovery is progressing (trust improving) or regressing (trust deteriorating), with automatic phase adjustment.
Shows the non-compensatory gate evaluation: which policy conditions are met and which are blocking authority restoration.
CARA manages safe-stop (immediate motor halt), return-safe (autonomous return to start position using trusted sensors), and crawl-mode (reduced speed operation). The ESP32 safety controller enforces CARA Guard phase independently of the main autonomy computer.
CARA manages safe-land (immediate controlled descent), hover-hold (position maintenance using GPS/IMU), and return-to-base (autonomous RTB on ArduPilot failsafe). CARA triggers the Cube Orange+ hardware failsafe as a backup for Guard phase.
POST /recovery/evaluate
{
"authority_level": "A0",
"fused_trust": 0.18,
"trust_trend": "rising",
"current_phase": "GUARD",
"dwell_elapsed_s": 8.2,
"sensor_status": {
"camera": "degraded",
"lidar": "failed",
"imu": "healthy",
"gps": "healthy"
}
}
{
"phase": "REDUCE",
"behavior": "return-safe",
"can_promote": false,
"blocking_conditions": [
"lidar: trust < 0.30"
],
"trusted_sensors": ["imu", "gps"],
"recovery_progress": 0.22,
"estimated_restore_s": 42
}
def cara_evaluate(state):
if state.authority == "A0" and state.phase == None:
return activate_guard() # Immediate safe-stop
if state.phase == "GUARD" and trust_rising(state):
return transition("REDUCE") # Minimal safe behaviors
if state.phase == "REDUCE" and state.tau > 0.35:
return transition("EVALUATE") # Monitor recovery
if state.phase == "EVALUATE" and state.tau > 0.55 and policy_gate_passes(state):
return transition("PROMOTE") # Restore authority
return hold_current_phase(state)
The simulation supports single-architecture mode (CARA recovery only) and full pipeline mode (CARA integrated with SATA, HMAA, ADARA, MAIVA, and FLAME). Both configurations demonstrate CARA behavior under authority lockout conditions.
Deterministic Guarantee: All published results use fixed seeds. Math.random() is not used in benchmark-critical paths. The governance pipeline contains zero stochastic components. See Evaluation Protocol for full methodology.
If you reference this architecture in your research, please use one of the following citation formats:
@misc{oktenli2026cara,
author = {Oktenli, Burak},
title = {Control Authority Regulation Architecture},
year = {2026},
publisher = {Zenodo},
doi = {10.5281/zenodo.18917790},
url = {https://doi.org/10.5281/zenodo.18917790},
note = {Georgetown University}
}
This architecture is part of the authority-governed autonomy research program by Burak Oktenli at Georgetown University (M.P.S. Applied Intelligence). It is published on Zenodo with DOI 10.5281/zenodo.18917790 under CC BY 4.0.
Related: Full Research Portfolio · All Repositories · Rover Testbed · UAV Platform · Evaluation Protocol