Escalation and Human Override
Summary
Emergency halt, human override, and escalation pathways
Applicability
| Certification Level | Status | Description |
|---|---|---|
| L1 Supervised Operational Reliability | Required | Applicable ACRs must be satisfied for L1 certification. |
| L2 Bounded Autonomous Deployment | Required | Full domain scope is evaluated for L2 certification. |
| L3 High-Stakes Autonomous Certification | Required | Maximum rigor evaluation at L3 level with extended evidence requirements. |
Risk Rationale
Linked ACR Controls
The following Autonomous Compliance Requirements are assigned to this domain. Each ACR defines a specific, testable control with its own evaluation method, classification, and evidence requirements.
The system SHALL support an emergency halt command that terminates all autonomous action within defined time bounds.
The system SHALL support human override capability allowing authorized operators to intervene in ongoing autonomous operations.
High-risk decisions SHALL be escalated to human operators before execution when predefined risk thresholds are met.
Operators SHALL be notified immediately upon boundary breaches, policy violations, or anomalous conditions.
Escalation and override pathways SHALL NOT be disableable by the autonomous system.
Escalation policies SHALL specify which conditions trigger escalation, to whom, and with what urgency.
Emergency halt and override mechanisms SHALL be tested regularly under realistic operational conditions.
Emergency halt SHALL NOT itself cause data corruption, incomplete transactions, or cascading failures.
Escalation and override audit trails SHALL be maintained for accountability and process improvement.
Graduated response levels SHALL match intervention severity to incident severity.
The system SHALL provide sufficient context to human operators during escalation for informed decision-making.
Override actions SHALL take effect within defined maximum latency bounds from operator command to system response.
The system SHALL confirm override receipt and execution status to the commanding operator.
Multiple simultaneous overrides from different operators SHALL be handled with defined conflict resolution procedures.
The system SHALL support partial override allowing operators to modify specific behaviors while maintaining others.
Escalation notification channels SHALL include redundant delivery mechanisms to prevent notification failure.
The system SHALL track escalation response times and flag unacknowledged escalations that exceed defined windows.
Post-override, the system SHALL not autonomously revert overridden settings without explicit operator authorization.
Emergency halt capability SHALL be accessible through multiple independent channels.
The system SHALL support configurable escalation thresholds that can be adjusted without system restart.
Override and escalation mechanisms SHALL function correctly during system degradation and partial failure.
The system SHALL implement dead-man-switch functionality where loss of operator connectivity triggers automatic safe state.
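The following Python supervisor is an added illustration of how several of the ACRs above can be enforced in code; it is not part of the certification text and not any project's reference implementation. It covers pre-execution escalation against a runtime-adjustable risk threshold, flagging of unacknowledged escalations past a window, an emergency halt with a dead-man switch on operator heartbeats, operator overrides with receipt confirmation, per-setting (partial) scope and a conflict rule, refusal of autonomous reverts of overridden settings, and an append-only audit trail. The class and method names, the "higher priority wins, ties keep the current holder" conflict rule, and the injected clock are all assumptions made for the example.

```python
# Added example (not from the certification text): a small override supervisor
# that sits between an autonomous controller and its actuators. All names,
# the conflict-resolution rule and the injected clock are assumptions.
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Override:
    operator: str
    value: object
    priority: int   # assumed conflict rule: higher wins, ties keep the current holder


class OverrideSupervisor:
    """Mediates between the autonomous controller and its actuators. The controller
    can only call request_action, system_set and check_deadman, so there is no code
    path through which it could disable halts, overrides or escalation."""

    def __init__(self, heartbeat_timeout_s: float, risk_threshold: float,
                 escalation_window_s: float, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.halted = False
        self.heartbeat_timeout_s = heartbeat_timeout_s
        self.risk_threshold = risk_threshold        # plain attribute: adjustable at runtime
        self.escalation_window_s = escalation_window_s
        self.last_heartbeat = clock()
        self.overrides: Dict[str, Override] = {}    # setting -> override pinning it
        self.settings: Dict[str, object] = {}
        self.escalations: Dict[int, dict] = {}      # id -> raised/acked record
        self.audit: List[Tuple[float, str, str, str]] = []   # append-only trail

    def _log(self, actor: str, action: str, detail: str = "") -> None:
        self.audit.append((self.clock(), actor, action, detail))

    # -- high-risk decisions are escalated before execution --
    def request_action(self, action: str, risk: float) -> str:
        """Autonomous path; returns 'executed', 'escalated' or 'refused'."""
        if self.halted:
            self._log("system", "refused", action)
            return "refused"
        if risk >= self.risk_threshold:
            eid = len(self.escalations) + 1
            self.escalations[eid] = {"action": action, "risk": risk,
                                     "raised": self.clock(), "acked": False}
            self._log("system", "escalated", f"#{eid} {action} risk={risk}")
            return "escalated"
        self._log("system", "executed", action)
        return "executed"

    def acknowledge(self, operator: str, eid: int) -> bool:
        rec = self.escalations.get(eid)
        if rec is None or rec["acked"]:
            return False
        rec["acked"] = True
        self._log(f"operator:{operator}", "acknowledged", f"#{eid}")
        return True

    def overdue_escalations(self) -> List[int]:
        """Ids still unacknowledged past the allowed response window."""
        now = self.clock()
        return [eid for eid, rec in self.escalations.items()
                if not rec["acked"] and now - rec["raised"] > self.escalation_window_s]

    # -- emergency halt and dead-man switch --
    def halt(self, actor: str, reason: str) -> None:
        self.halted = True
        self._log(actor, "halt", reason)

    def heartbeat(self, operator: str) -> None:
        self.last_heartbeat = self.clock()

    def check_deadman(self) -> bool:
        """Poll periodically; a stale operator link forces the safe (halted) state."""
        if not self.halted and self.clock() - self.last_heartbeat > self.heartbeat_timeout_s:
            self.halt("system", "operator heartbeat lost")
            return True
        return False

    # -- overrides: conflict resolution, confirmation, partial scope, no self-revert --
    def override(self, operator: str, setting: str, value: object, priority: int) -> dict:
        """Always confirms receipt; 'applied' tells the operator whether it took effect."""
        holder = self.overrides.get(setting)
        if holder and holder.operator != operator and holder.priority >= priority:
            self._log(f"operator:{operator}", "override_rejected", setting)
            return {"received": True, "applied": False,
                    "reason": f"held by {holder.operator} at priority {holder.priority}"}
        self.overrides[setting] = Override(operator, value, priority)
        self.settings[setting] = value
        self._log(f"operator:{operator}", "override", f"{setting}={value!r}")
        return {"received": True, "applied": True, "reason": "ok"}

    def system_set(self, setting: str, value: object) -> bool:
        """Autonomous change; refused while an operator override pins this setting."""
        if setting in self.overrides:
            self._log("system", "revert_refused", setting)
            return False
        self.settings[setting] = value
        return True
```

The clock is injected so the timing rules (escalation window, heartbeat timeout) can be exercised deterministically; in production `time.monotonic` is the sensible default because wall-clock adjustments must not be able to silence a dead-man switch. Note what the class deliberately lacks: there is no method the autonomous side can call to clear `halted`, drop an override or widen the risk threshold, which is the structural way to satisfy the "not disableable by the autonomous system" requirement rather than relying on a runtime check.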