In the first part of this series, we established the foundational axioms and reference architecture for a resilient hybrid intelligence system. We defined a blueprint composed of a Verifiable Safety Supervisor, Adaptive Edge Learners, an Operator-Facing Evidence Bus, and a Resource Governor. This architecture provides the what, a conceptual framework for building trustworthy AI. The critical next step is to define the how, the specific, well-established engineering design patterns that bring this architecture to life. The engineering discipline of applying proven implementation patterns is what forges a conceptual blueprint into a functioning, reliable system.

Consider a rover on Mars, tasked with autonomously navigating a field of treacherous sand dunes to reach a high-value scientific target. The high-level architecture is in place. It has a safety supervisor to prevent it from tipping over, an adaptive learner for visual navigation, an evidence bus to record its journey, and a resource governor to manage its power. But how does it handle a sudden increase in radiation that causes single-event upsets, leading to timekeeping errors and intermittent faults in its navigation sensors? How does it adapt its navigation model when it encounters a new type of soil with different traction properties? And how does it package the story of its complex decisions into a compact data stream for the human operators back on Earth?

These questions of detailed, practical design are answered by a set of core design patterns that address the temporal, adaptive, and evidentiary challenges of building resilient systems. This article deconstructs three of these essential patterns: temporal defenses for managing the flow of time, controlled adaptation for safe in-field learning, and operator-facing evidence for generating auditable proof of behavior.

1. Temporal Defenses

In high-stakes autonomous systems, time is a critical resource and a potential vector of failure. A computation that is correct but late can be just as catastrophic as one that is incorrect. A resilient system must be architected with a deep, intrinsic understanding of time and must possess robust defenses against temporal failures. A verifiable approach to temporal safety is the key.

Time-Base Supervision
The foundation of temporal defense is a trusted time-base. Many catastrophic autonomy failures are the result of correct logic operating on incorrect time. The architecture must therefore include a pattern for time-base supervision, which involves redundant clocks, monotonic time sources, and drift detection mechanisms. Critically, it requires secure time and ordering through monotonic counters and authenticated time synchronization where available. The Verifiable Safety Supervisor must perform time sanity checks on all critical inputs, ensuring that data is fresh and that the system’s internal sense of time has not been corrupted by a fault or an attack.

Guaranteed Execution and Scheduling
The system’s most critical functions, especially the Verifiable Safety Supervisor, must be guaranteed to execute when needed. The architecture must prevent priority inversion and resource starvation. This is achieved by running the supervisor in a protected partition with enforced computational budgets, ensuring that the workload from adaptive learners or I/O bursts cannot preempt its execution.

Mixed-Criticality Budgeting as a Contract
To formalize this, the architecture uses a pattern of mixed-criticality budgeting. Each software component has a defined contract specifying its period, deadline, worst-case execution time (WCET), budget, and criticality level. The supervisor’s tasks have non-negotiable, high-criticality budgets. The learners’ tasks are explicitly designated as pre-emptible and can be shed by the Resource Governor if the system’s power or timing slack diminishes. This contractual approach to resource management is a core tenet of building predictable real-time systems.

Fault Detection and Staged Recovery
The system must be able to detect when a process is behaving incorrectly in the time domain and recover gracefully.

• Deadline Monitoring. Every critical process is assigned a deadline derived from a formal schedulability analysis. A deadline miss is a fault signal that triggers a defined response, such as shedding low-priority tasks, degrading a mode of operation, or initiating a switch to the baseline controller.

• Watchdog Timers. A sophisticated watchdog, such as a windowed watchdog, can detect not only if a task has frozen but also if it is running out of sequence. These timers primarily catch hard hangs and schedule collapse; they do not validate algorithmic correctness. When a fault is detected, the system should initiate a staged recovery: a task restart, followed by a partition reset, and then a switch to the verified baseline controller, with a full hardware reset as the last resort.

Example in a Critical System
Consider an autonomous surgical robot. Its high-performance AI is calculating the optimal path for an incision. The Resource Governor assigns this task a deadline derived from WCET analysis. The Verifiable Safety Supervisor’s task runs at the highest priority within its protected partition. If the AI’s calculation is late, the deadline monitor flags a temporal fault. The Supervisor, instead of acting on the stale command, can then trigger a transition to a predefined safe state for that procedure, such as retracting the instrument or handing control to the human surgeon, as defined by the system’s hazard analysis.