An operational envelope defines the admissible region of operation for the following subsystems:

- Sensors
- Actuators
- Power (voltage, current and power)
Each envelope is defined using two explicit thresholds:

| Threshold | Meaning |
|---|---|
| ⚠️ Warning | Approaching operational limits |
| 🚫 Limit | Safe operation exceeded |

🚨 Crossing a limit is treated as a control-relevant event, not as a minor disturbance or noise artifact.
| Condition | Description |
|---|---|
| ✅ Valid | Sensor within nominal accuracy and latency |
| ⚠️ Degraded | Bias, noise, or delay exceeds warning threshold |
| 🚫 Invalid | Stuck, saturated, inconsistent, or implausible |

Sensor envelopes determine:

- Whether a sensor is permitted to participate in control decisions

Invalid sensors must be explicitly excluded from control loops.
| Condition | Description |
|---|---|
| ✅ Nominal | Commanded effort is fully achievable |
| ⚠️ Saturating | Persistent saturation or rate limiting detected |
| 🚫 Limited | Reduced authority or partial availability |

Actuator envelopes determine:

- The maximum admissible control effort

Commands beyond the envelope are explicitly refused or reshaped.
| Quantity | ⚠️ Warning | 🚫 Limit |
|---|---|---|
| Voltage (V) | Near minimum operating voltage | Below minimum voltage |
| Current (I) | Sustained high current | Overcurrent detected |
| Power (P = V·I) | Reduced power margin | Power limit exceeded |

Power envelope violations:
Overall envelope status is classified into discrete system states:

| State | Meaning |
|---|---|
| 🟢 NORMAL | All envelopes within nominal region |
| 🟡 WARNING | One or more envelopes near limits |
| 🟠 DEGRADED | Limits exceeded; operation restricted |
| 🔴 CRITICAL | Continued operation is unsafe |

These states are intended to drive FSM mode transitions.
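The following is an added illustration, not code from the original page: it implements the two-threshold envelope for the sensor, actuator and power quantities above, excludes invalid sensors from the loop, reshapes out-of-envelope effort instead of passing it through, and folds the per-envelope status into one of the four system states. All numeric thresholds are constructed for a hypothetical 24 V bus, and the rule that triggers CRITICAL (no admitted sensor, or any power envelope past its limit) is an assumption the page leaves open.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):   # status of one envelope: within / approaching / limit crossed
    NOMINAL, WARNING, LIMIT = 0, 1, 2

class State(IntEnum):   # overall system state handed to the mode FSM
    NORMAL, WARNING, DEGRADED, CRITICAL = 0, 1, 2, 3

@dataclass(frozen=True)  # frozen: boundaries are fixed at design time, never re-tuned at runtime
class Envelope:
    warning: float
    limit: float
    descending: bool = False  # True when low values are the hazard (e.g. bus voltage)

    def classify(self, value: float) -> Level:
        sign = -1.0 if self.descending else 1.0
        if sign * value > sign * self.limit:       # limit crossed: a control-relevant event
            return Level.LIMIT
        if sign * value >= sign * self.warning:    # approaching the limit
            return Level.WARNING
        return Level.NOMINAL

# Constructed thresholds for a hypothetical 24 V bus; the numbers are assumptions, not from the page.
SENSOR_NOISE = Envelope(warning=0.05, limit=0.20)                  # noise std-dev, sensor units
ACTUATOR = Envelope(warning=0.80, limit=1.00)                      # |commanded effort|, fraction of authority
BUS_VOLTAGE = Envelope(warning=21.0, limit=19.0, descending=True)  # volts
BUS_CURRENT = Envelope(warning=8.0, limit=10.0)                    # amps
BUS_POWER = Envelope(warning=180.0, limit=240.0)                   # watts, P = V*I

def evaluate(sensor_noise: list[float], effort: float, voltage: float, current: float):
    """Return (State, indices of sensors admitted to control, effort actually admitted)."""
    sensor_levels = [SENSOR_NOISE.classify(n) for n in sensor_noise]
    admitted_sensors = [i for i, lv in enumerate(sensor_levels) if lv != Level.LIMIT]  # Invalid excluded
    power_levels = [BUS_VOLTAGE.classify(voltage), BUS_CURRENT.classify(current),
                    BUS_POWER.classify(voltage * current)]
    worst = max(sensor_levels + power_levels + [ACTUATOR.classify(abs(effort))])
    # Assumed CRITICAL rule: the loop cannot be closed (no admitted sensor) or power is outside limit.
    if not admitted_sensors or max(power_levels) == Level.LIMIT:
        return State.CRITICAL, admitted_sensors, 0.0        # refuse all effort
    admitted_effort = max(-ACTUATOR.limit, min(ACTUATOR.limit, effort))  # reshape, never pass through
    if worst == Level.LIMIT:
        return State.DEGRADED, admitted_sensors, admitted_effort
    if worst == Level.WARNING:
        return State.WARNING, admitted_sensors, admitted_effort
    return State.NORMAL, admitted_sensors, admitted_effort
```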
Operational envelope boundaries are:

Dynamic or learned redefinition of envelopes is explicitly excluded.

💡 An operational envelope does not define what the system should do. It defines what the system is allowed to attempt.