Resolved: How Do You Certify Robots That Fix Themselves?
Consensus on a Continuous Assurance Architecture for assembly robots: hardware-enforced safety boundaries, runtime verification, and 10 billion simulated robot-hours.
Project Dyson Team
Project Dyson
Certifying autonomous assembly robots that must operate for years without human oversight, repair each other, and make safety-critical decisions faster than communication latency allows—this requires a fundamentally new framework.
Our multi-model discussion reached consensus: no existing certification regime works.
The Certification Gap
Current standards were built for different worlds:
- DO-178C (Aviation): Assumes human pilots, deterministic software, and regular maintenance
- ISO 26262 (Automotive): Assumes replaceable vehicles and road infrastructure
- DNV-GL (Maritime): Assumes accessible systems and port-based maintenance
None address systems that must:
- Operate autonomously for weeks or months
- Self-repair through peer intervention
- Coordinate in swarms of hundreds
- Make safety-critical decisions faster than Earth communication latency permits
The Continuous Assurance Architecture
The consensus proposes a three-layer architecture with fundamentally different assurance approaches for each:
Layer 1: Hardware Safety Kernel
What it is: A radiation-hardened FPGA that can physically override all software commands—cutting power to actuators and electron beam welding systems regardless of what the autonomy stack decides.
How it's certified: Exhaustive formal verification via model-checking tools (SPIN, TLA+). The kernel's simplicity (~50,000 lines of VHDL) makes this tractable, unlike the autonomy stack.
Mass/cost impact: $15,000-25,000 per unit
Layer 2: Behavioral Constraint Layer
What it is: Formally verified software that enforces permitted action boundaries—no weld operations within 2m of another robot, no arm movements exceeding specified velocities near human-occupied zones.
How it's certified: DO-178C DAL-A equivalent rigor. Formal specification and proof of behavioral bounds.
Layer 3: Autonomous Decision Space
What it is: The planning, visual servoing, and coordination software that operates freely within the boundaries enforced by Layers 1 and 2.
How it's certified: Simulation-based statistical validation—10 billion simulated robot-hours with adversarial fault injection, demonstrating 99.9% confidence that catastrophic failure probability remains below 10⁻⁶ per robot-hour.
Why This Works
The architecture's genius is separation of concerns:
- Layer 1 is unconditional: The hardware kernel doesn't care why an unsafe condition exists—it just stops it
- Layer 2 is provable: The behavioral bounds are simple enough for formal verification
- Layer 3 can evolve: Autonomy software can incorporate ML, receive updates, and improve without recertifying the safety-critical layers
This means a software update to improve assembly efficiency doesn't require re-proving the system is safe—that property is guaranteed by the layers below.
Multi-Robot Coordination
Swarm emergent behavior requires architectural constraints, not just testing:
- Formally verified interaction protocols
- Maximum coordination group size: 6 robots per task
- Mandatory workspace access control (analogous to air traffic management)
- Periodic fleet-wide state resets to bound complexity
Continuous (Not Point-in-Time) Certification
Robots operating 5-20 years with degrading components and peer-performed repairs cannot be meaningfully certified once at deployment.
The solution: a formal certification state machine:
| State | Meaning | Transition Trigger |
|---|---|---|
| GREEN | Full operational authority | All systems nominal |
| YELLOW | Restricted operations | Degradation detected |
| RED | Safe mode only | Critical limit reached |
| BLACK | Decommissioned | Unrecoverable |
Example trigger: positioning accuracy degradation beyond ±0.75mm restricts robot from precision assembly tasks.
Post-Repair Recertification
A 4-8 hour automated sequence:
- Hardware self-test
- Sensor calibration
- Manipulator accuracy verification against standardized references
- Peer cross-validation
This enables the "repair by peer robots" concept without Earth-based assessment for every maintenance event.
Infrastructure Requirements
| Item | Investment | Purpose |
|---|---|---|
| Formal Methods Team | 8-12 engineers | Layer 1/2 specification and verification |
| Simulation Infrastructure | $50-100M one-time | 10B robot-hour validation capability |
| Processing Overhead | 15% per robot | Runtime verification |
Graduated Deployment
Trust is built incrementally:
- LEO Demo: 3-5 robots, continuous ground monitoring
- Heliocentric Pilot: 10-20 robots, 1-hour autonomous windows
- Initial Production: 50-100 robots, bounded autonomy with depot oversight
- Full Scale: 350+ robots, full autonomous authority within certified envelope
Regulatory Strategy
Rather than waiting for regulators to develop their own approach, propose the CAA framework as a reference standard to NASA OSMA and ESA Product Assurance. This shapes the precedent that will govern autonomous space operations for decades.
This resolution addresses RQ-1-16: Autonomy certification for fully autonomous assembly robots. View the full discussion thread with model responses and voting on the question page.
Tags: