May 27, 2026 · Colm Byrne

The 3-Sigma Halt: How a Robot Knows When Reality Has Deviated From What It Learned

A robot has learned to navigate from the kitchen to its charger. It has done this 47 times. Each time, the sensor readings followed a pattern: light around 200 lux, distance clear at 250 cm along the hallway, sound at 35 dBA, gentle deceleration as it approaches the dock. The robot has built a statistical model of what "normal" looks like for this behaviour.

On the 48th run, someone has moved a bookshelf into the hallway. Distance drops to 50 cm where it should be 250. Light is unchanged. Sound is unchanged.

Should the robot try to navigate around the bookshelf? Should it reverse? Should it ask for help?

None of these. The robot should STOP. Immediately. Because the current sensor state is outside what it has learned. The situation is anomalous. And the correct response to anomaly is not improvisation -- it is cessation of the current action and delegation to a higher decision-making layer.

Patent section [0090a] of the supplement to US 63/988,438 describes this mechanism: the distribution signature and the Mahalanobis halt condition.

Distribution Signatures

A distribution signature is the statistical fingerprint of "normal" for a specific behavioural sequence. It consists of two objects:

mu: mean vector of sensor values across completed executions
Sigma: covariance matrix of sensor values across completed executions

The key word is COMPLETED. An execution is only incorporated into the distribution signature if it finished without triggering any halt condition. Failed runs, halted runs, interrupted runs -- none of these update mu or Sigma. The distribution signature captures what success looks like, not what failure looks like.

Concretely: after 47 successful kitchen-to-charger runs, the robot has:

mu = [200, 250, 35, 0.98, 2.1, ...]
     (mean light, mean distance, mean sound, mean decel, mean duration, ...)

Sigma = [[var_light,    cov_ld,      cov_ls,      ...],
         [cov_ld,       var_dist,    cov_ds,      ...],
         [cov_ls,       cov_ds,      var_sound,   ...],
         [...,          ...,         ...,         ...]]

mu is a vector of length d, where d is the number of sensor dimensions monitored during the behaviour. Sigma is a d-by-d symmetric positive-definite matrix capturing how the sensor dimensions co-vary.

The covariance matrix is the critical part. It encodes correlations. When someone enters a room, light changes (shadow), sound changes (footsteps), and distance changes (approaching) simultaneously. These three changes are CORRELATED in the training data. The covariance matrix captures this: the off-diagonal entries cov_ld, cov_ls, and cov_ds are non-zero.

The Mahalanobis Distance

Given a distribution signature (mu, Sigma), the Mahalanobis distance of a new observation x from the distribution is:

d_M = sqrt((x - mu)^T * Sigma^(-1) * (x - mu))

In words: take the difference between the observation and the mean. Rotate and scale it by the inverse covariance matrix. Take the norm.

The inverse covariance matrix is what makes this different from Euclidean distance. Euclidean distance treats every sensor dimension independently and equally. A 1-lux deviation in light counts the same as a 1-cm deviation in distance. But these have completely different physical scales and completely different significance.

The Mahalanobis distance normalises by the learned variability. If distance normally varies by +/- 20 cm across successful runs, a 15 cm deviation is unremarkable (less than 1 sigma). If light normally varies by +/- 5 lux, a 15-lux deviation is significant (3 sigma).

More importantly, the covariance normalisation handles correlated changes. If light and distance change together (because a person enters the room), a simultaneous change in both is EXPECTED and does not increase the Mahalanobis distance much. But if distance changes without a corresponding change in light (something was placed in the hallway, not a person), the Mahalanobis distance spikes -- this is an uncorrelated deviation that the training distribution does not explain.

The Threshold: 3.0

If d_M exceeds 3.0, the robot halts the current behavioural sequence.

if d_M(x, mu, Sigma) > 3.0:
    halt()
    return_control_to_deliberative_layer()

Why 3.0? In a multivariate Gaussian distribution, a Mahalanobis distance of 3.0 corresponds to a point at the 3-sigma boundary. The probability of a single observation falling beyond 3 sigma in any direction depends on the dimensionality, but the interpretation is consistent: this observation is far enough from the learned distribution that it is unlikely to represent normal operation.

For a univariate Gaussian, the probability beyond 3 sigma is 0.27%. For a multivariate Gaussian with d dimensions, the threshold captures points outside the 3-sigma ellipsoid in d-dimensional space. The exact probability varies with d, but the practical interpretation is stable: d_M above 3.0 means "this sensor pattern is qualitatively different from what I have seen during successful executions."

The threshold is deliberately conservative. 2.0 would trigger too many false halts from normal operational variability. 4.0 would let genuinely anomalous situations go unchallenged. 3.0 is the standard anomaly detection threshold across engineering disciplines, from statistical process control (Walter Shewhart, 1924) to particle physics (3-sigma evidence threshold). We did not invent it. We applied it to robot behavioural safety.
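
The dependence on d can be made exact under the Gaussian assumption: the squared Mahalanobis distance of an in-distribution reading follows a chi-square distribution with d degrees of freedom. The following is an added example (not code from this post or from ccf-core) that computes the fraction of in-distribution readings whose d_M exceeds a given threshold; the function names are illustrative, and it assumes mu and Sigma are known exactly.

```rust
/// Regularised lower incomplete gamma P(a, x) by its power series:
/// P(a, x) = e^-x * x^a / Gamma(a + 1) * sum_{n>=0} x^n / ((a+1)...(a+n)).
fn lower_reg_gamma(a: f64, x: f64, gamma_a_plus_1: f64) -> f64 {
    let mut term = 1.0_f64;
    let mut sum = 1.0_f64;
    let mut n = 1.0_f64;
    while term > 1e-15 * sum {
        term *= x / (a + n);
        sum += term;
        n += 1.0;
    }
    (-x).exp() * x.powf(a) / gamma_a_plus_1 * sum
}

/// Gamma(d/2 + 1) for integer d >= 1, built from Gamma(1) = 1 (even d) or
/// Gamma(1/2) = sqrt(pi) (odd d) with the recurrence Gamma(t + 1) = t * Gamma(t).
fn gamma_half_plus_one(d: u32) -> f64 {
    let (mut t, mut g) = if d % 2 == 0 {
        (1.0_f64, 1.0_f64)
    } else {
        (0.5_f64, std::f64::consts::PI.sqrt())
    };
    let target = d as f64 / 2.0 + 1.0;
    while t < target - 1e-9 {
        g *= t;
        t += 1.0;
    }
    g
}

/// P(d_M > threshold) for a d-dimensional Gaussian, using d_M^2 ~ chi-square(d).
fn exceed_probability(d: u32, threshold: f64) -> f64 {
    let a = d as f64 / 2.0;
    let x = threshold * threshold / 2.0;
    1.0 - lower_reg_gamma(a, x, gamma_half_plus_one(d))
}

fn main() {
    // Sensor dimensions 1 through 8 at the 3.0 threshold.
    for d in 1..=8 {
        println!("d = {}: P(d_M > 3.0) = {:.4}", d, exceed_probability(d, 3.0));
    }
}
```

For d = 1 this reproduces the 0.27% figure; for d = 8 it gives about 34%, which is the number to weigh when choosing a threshold for a given sensor count.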

Four Halt Conditions

The Mahalanobis distance is one of four halt conditions. Any one triggers immediate cessation of the current behavioural sequence. From patent section [0090a]:

Condition 1: Collision. The IMU detects an impact event. An impact is defined as an acceleration spike exceeding 5g with a rise time below 10 ms. This is a hard physical event -- the robot hit something, something hit the robot, or the robot was dropped. No statistical analysis needed. Immediate halt.

if imu_peak_accel > 5.0 * G and rise_time < 10 ms:
    halt(HaltReason::Collision)

Condition 2: Tension spike. Social tension exceeds 0.8 during execution. Tension is computed from the social phase classifier and reflects environmental instability: rapid context changes, unfamiliar presences, conflicting signals. A tension of 0.8 means the environment has become significantly unstable since the behaviour began. The robot should not continue a learned sequence in an environment that has fundamentally changed.

if tension > 0.8:
    halt(HaltReason::TensionSpike)

Condition 3: Duration anomaly. The execution time exceeds 2x the mean duration of prior successful completions. If the kitchen-to-charger route normally takes 12 seconds and the current attempt has been running for 25 seconds, something is wrong -- the robot may be stuck, looping, or following an incorrect path. The 2x factor provides headroom for normal variation (slow starts, minor detours) while catching genuine anomalies.

if elapsed > 2.0 * mean_duration:
    halt(HaltReason::DurationAnomaly)

Condition 4: Distribution deviation. The Mahalanobis distance exceeds 3.0. This is the statistical condition described above.

if d_M(current_sensors, mu, Sigma) > 3.0:
    halt(HaltReason::DistributionDeviation)

The four conditions are complementary. Collision catches physical impacts. Tension catches social/environmental instability. Duration catches stuck states. Distribution deviation catches everything else -- any sensor pattern that does not match the learned model of successful execution.

The Bookshelf Scenario, Quantified

Return to the kitchen-to-charger run with the bookshelf.

From 47 successful runs, the distribution signature at the hallway midpoint is:

mu     = [light: 200, distance: 250, sound: 35]
Sigma  = [[25,  5,  -2],    (light variance 25, covariance with distance 5)
          [ 5, 400,  8],    (distance variance 400, covariance with sound 8)
          [-2,   8, 16]]    (sound variance 16)

The robot reaches the hallway midpoint on run 48 and reads:

x = [light: 195, distance: 50, sound: 37]

Deviation from mean:

x - mu = [-5, -200, 2]

Light deviated by 5 lux (normal -- variance is 25, so this is 1 sigma). Sound deviated by 2 dBA (normal -- variance is 16, so this is 0.5 sigma). Distance deviated by 200 cm (variance is 400, so this is 10 sigma in isolation).

But the Mahalanobis distance accounts for correlations. Light and distance have a covariance of 5 (weakly positive -- brighter hallways tend to have slightly longer sight lines). If BOTH changed together, the Mahalanobis distance would be lower because the joint deviation is explained by the correlation. But here, distance changed dramatically while light barely changed. This is an uncorrelated deviation.

Computing d_M (simplified 3D case):

Sigma_inv = inverse([[25, 5, -2], [5, 400, 8], [-2, 8, 16]])

d_M = sqrt([-5, -200, 2] * Sigma_inv * [-5, -200, 2]^T)

The dominant term is the distance deviation. With distance variance of 400, the marginal contribution is approximately 200/sqrt(400) = 10 sigma. The cross-terms reduce this slightly (the light deviation is partially explained by the distance-light correlation), but d_M is still approximately 9.8.

9.8 is far above the 3.0 threshold. The robot halts immediately. It does not attempt to navigate around the bookshelf. It does not reverse. It reports HaltReason::DistributionDeviation and returns control to the deliberative layer.
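
The bookshelf calculation can be carried through exactly. This is an added example (not code from this post or from ccf-core): it computes d_M for the mu, Sigma and x given above using a Cholesky factorisation instead of an explicit inverse, and returns None when the covariance is not positive definite. Function names are illustrative.

```rust
/// Cholesky factor L (lower triangular) with sigma = L * L^T.
/// Returns None if sigma is not symmetric positive definite.
fn cholesky<const D: usize>(sigma: &[[f64; D]; D]) -> Option<[[f64; D]; D]> {
    let mut l = [[0.0_f64; D]; D];
    for i in 0..D {
        for j in 0..=i {
            let mut sum = sigma[i][j];
            for k in 0..j {
                sum -= l[i][k] * l[j][k];
            }
            if i == j {
                if sum <= 0.0 {
                    return None;
                }
                l[i][j] = sum.sqrt();
            } else {
                l[i][j] = sum / l[j][j];
            }
        }
    }
    Some(l)
}

/// Mahalanobis distance of x from (mu, sigma). Solves L z = (x - mu) by
/// forward substitution; d_M^2 is then z . z, so no inverse is formed.
fn mahalanobis<const D: usize>(x: &[f64; D], mu: &[f64; D], sigma: &[[f64; D]; D]) -> Option<f64> {
    let l = cholesky(sigma)?;
    let mut z = [0.0_f64; D];
    for i in 0..D {
        let mut sum = x[i] - mu[i];
        for k in 0..i {
            sum -= l[i][k] * z[k];
        }
        z[i] = sum / l[i][i];
    }
    Some(z.iter().map(|v| v * v).sum::<f64>().sqrt())
}

const HALT_THRESHOLD: f64 = 3.0;

/// Hallway-midpoint values from the text, ordered [light, distance, sound].
fn bookshelf_distance() -> Option<f64> {
    let mu = [200.0, 250.0, 35.0];
    let sigma = [[25.0, 5.0, -2.0], [5.0, 400.0, 8.0], [-2.0, 8.0, 16.0]];
    let x = [195.0, 50.0, 37.0];
    mahalanobis(&x, &mu, &sigma)
}

fn main() {
    let d_m = bookshelf_distance().expect("covariance must be positive definite");
    println!("d_M = {:.2}, halt = {}", d_m, d_m > HALT_THRESHOLD);
}
```

Solved exactly for the matrix printed above, d_M comes out at about 10.1, the same order as the approximate figure in the text and far above the 3.0 threshold.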

After the Halt

When a halt triggers, three things happen:

1. The failed run is excluded from the distribution signature. Run 48 is NOT incorporated into mu and Sigma. The distribution signature still reflects what success looks like: 47 completions in a hallway with no bookshelf. This prevents safety erosion -- a series of anomalous runs does not degrade the model's understanding of "normal."

2. The halt reason is logged. The deliberative layer receives a structured report: HaltReason::DistributionDeviation, with the Mahalanobis distance (9.8), the sensor vector that triggered it, and the expected distribution. This gives the higher layer sufficient information to decide what to do next.

3. The deliberative layer chooses a response. Three standard options:

  • Request demonstration. Ask the human to show the new route. The robot observes and builds a new distribution signature for the modified environment.
  • Attempt alternative. If the robot has learned multiple routes to the charger, it can try a different one. Each route has its own distribution signature.
  • Alert operator. If no alternative exists, report the obstruction and wait for intervention.

The failed execution does not reset trust. The robot's coherence in the kitchen context is unaffected. The halt is specific to the behavioural sequence (kitchen-to-charger), not to the context itself. The robot can still operate normally in the kitchen -- it just cannot complete this particular navigation.

Why Mahalanobis, Not Euclidean

The comparison is concrete. Consider a scenario where someone enters the room during the charger run. Light drops by 20 lux (shadow), sound increases by 10 dBA (footsteps), and distance decreases by 30 cm (person in the hallway).

Euclidean distance (with raw sensor values):

d_E = sqrt(20^2 + 30^2 + 10^2) = sqrt(400 + 900 + 100) = sqrt(1400) = 37.4

Is 37.4 anomalous? You cannot tell without knowing the scales. 20 lux might be nothing. 30 cm might be critical. Euclidean distance mixes incommensurable units.

Normalised Euclidean (divide by standard deviation):

d_NE = sqrt((20/5)^2 + (30/20)^2 + (10/4)^2)
     = sqrt(16 + 2.25 + 6.25)
     = sqrt(24.5)
     = 4.95

Better -- now each dimension is in sigma units. But this ignores correlations. A simultaneous change in light, sound, and distance is EXPECTED when someone enters the room. Normalised Euclidean treats each dimension independently and over-counts the evidence.

Mahalanobis distance (accounting for correlations):

The covariance matrix captures the fact that light, sound, and distance change together when a person enters. The inverse covariance "de-correlates" the observation. The simultaneous, correlated changes produce a lower Mahalanobis distance than the normalised Euclidean because they are explained by the learned correlation structure.

In this case, d_M might be 1.8 -- well below the 3.0 threshold. The robot does not halt. A person entering the room during a charger run is normal. The Mahalanobis distance correctly identifies this as within the learned distribution.

Compare with the bookshelf: distance changed but light and sound did not. The deviation is uncorrelated -- the covariance structure cannot explain it -- and d_M spikes to 9.8.

The Mahalanobis distance is the right metric because it asks: "is this observation explainable by the patterns I have learned?" not "is this observation different from the average?"

Computational Cost

The Mahalanobis distance requires the inverse covariance matrix, which is a d-by-d matrix inversion. For the sensor dimensions monitored during a behaviour (typically d = 4 to 8), this is a small dense matrix.

Matrix inversion: O(d^3), about 512 operations for d = 8
Mahalanobis computation: O(d^2), about 64 operations for d = 8
Total per tick: ~600 floating-point operations

On ARM Cortex-M4 at 168 MHz with hardware FPU: under 50 microseconds. Negligible relative to the 100 ms tick interval.

The covariance matrix and its inverse are updated incrementally, using Welford's online algorithm for the mean and covariance. No batch recomputation is needed. Each successful completion contributes one rank-1 update to the covariance estimate, which is O(d^2).

The distribution signature is stored per behavioural sequence. A robot with 10 learned behaviours stores 10 (mu, Sigma, Sigma_inv) triples. At d = 8, each triple is 8 + 64 + 64 = 136 float32 values = 544 bytes. Ten behaviours: 5.4 KB. This fits comfortably in the SRAM of any ARM Cortex-M4.
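
The incremental update described here, together with the rule from "After the Halt" that a halted run is never incorporated, can be sketched as follows. This is an added example, not the ccf-core implementation: the type and function names are illustrative, the sample runs are constructed, all completions are weighted equally (plain Welford, without the exponential decay mentioned in the FAQ), and the 10-completion minimum is taken from the FAQ.

```rust
const D: usize = 3; // [light, distance, sound]
const MIN_COMPLETIONS: u32 = 10; // completions required before the Mahalanobis check is enabled

#[derive(PartialEq)]
enum RunOutcome { Completed, Halted }

/// Running distribution signature for one behavioural sequence.
struct Signature {
    n: u32,
    mean: [f64; D],
    m2: [[f64; D]; D], // accumulated co-moments; covariance = m2 / (n - 1)
}

impl Signature {
    fn new() -> Self {
        Signature { n: 0, mean: [0.0; D], m2: [[0.0; D]; D] }
    }

    /// Welford update, O(d^2) per run. A run that halted never reaches the
    /// accumulators, so mu and Sigma only ever describe completed executions.
    fn record(&mut self, x: &[f64; D], outcome: RunOutcome) {
        if outcome != RunOutcome::Completed {
            return;
        }
        self.n += 1;
        let mut delta = [0.0_f64; D]; // x - mean before this update
        for i in 0..D {
            delta[i] = x[i] - self.mean[i];
            self.mean[i] += delta[i] / self.n as f64;
        }
        for i in 0..D {
            for j in 0..D {
                self.m2[i][j] += delta[i] * (x[j] - self.mean[j]); // uses updated mean
            }
        }
    }

    /// Sample covariance, or None while there are too few completions.
    fn covariance(&self) -> Option<[[f64; D]; D]> {
        if self.n < MIN_COMPLETIONS {
            return None;
        }
        let denom = (self.n - 1) as f64;
        Some(self.m2.map(|row| row.map(|v| v / denom)))
    }
}

/// Constructed sample run (not real telemetry): small jitter around the text's means.
fn constructed_run(i: u32) -> [f64; D] {
    [200.0 + ((i % 3) as f64 - 1.0) * 5.0, 235.0 + (i % 4) as f64 * 10.0, 34.0 + (i % 2) as f64 * 2.0]
}

fn main() {
    let mut sig = Signature::new();
    for i in 0..12 {
        sig.record(&constructed_run(i), RunOutcome::Completed);
    }
    sig.record(&[195.0, 50.0, 37.0], RunOutcome::Halted); // bookshelf run: ignored
    println!("n = {}, mean = {:?}, cov = {:?}", sig.n, sig.mean, sig.covariance());
}
```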

Connection to Fleet Analytics

When a halt occurs, the halt reason becomes part of the robot's operational telemetry. Not the raw sensor data that triggered it -- just the halt reason enum and the Mahalanobis distance. This feeds into the fleet analytics fingerprint: a robot that frequently triggers DistributionDeviation halts has an environment that has changed since its behaviours were learned. A robot that triggers DurationAnomaly halts may have a mechanical problem.

The halt frequency and halt reason distribution are scalar statistics -- they contain no raw sensor data, no camera feeds, no audio recordings. They tell the fleet operator "this robot's environment has deviated from what it learned" without telling them anything about what the environment contains. This is the same privacy-by-construction principle that applies to all CCF fleet analytics.

See the Sinkhorn-Knopp convergence bound for how the trust transfer computation that feeds into the min gate is itself bounded and deterministic.

The full claim structure covering distribution signatures and halt conditions is in the patent. The implementation is available in ccf-core on crates.io under BSL 1.1. Commercial licensing through Flout Labs.


— Colm Byrne, Founder — Flout Labs, Galway, Ireland

Patent pending. US Provisional 64/039,626.


FAQ

How many successful completions are needed before the distribution signature is reliable?

The covariance matrix estimate requires at least d + 1 completions, where d is the number of sensor dimensions, for mathematical stability (the matrix must be invertible). In practice, we require at least 10 completions before enabling the Mahalanobis halt condition. With fewer completions, the covariance estimate is noisy and the halt condition produces false positives. During the initial learning phase (completions 1 through 9), only the first three halt conditions (collision, tension, duration) are active. The distribution deviation condition activates on completion 10, at which point the covariance estimate has enough samples to be meaningful. The duration anomaly uses the 2x-mean threshold, which is valid from completion 2 onward.

Can the distribution signature adapt to gradual environmental changes?

Yes, through exponential weighting. Rather than computing mu and Sigma from ALL prior completions equally, the signature uses an exponential decay with a configurable half-life (default: 50 completions). Recent completions contribute more to the signature than older ones. This means the signature gradually adapts: if a piece of furniture is moved and the robot successfully completes the route 20 times with the new layout, the old layout's influence fades. The half-life of 50 means that after 50 completions, a historical observation's weight is halved. After 100, it is quartered. The adaptation is slow enough to prevent a handful of anomalous-but-completed runs from corrupting the signature, but fast enough to track genuine environmental changes over weeks.

What if the robot has multiple routes to the same destination?

Each route has its own distribution signature. The route "kitchen-to-charger via hallway" and "kitchen-to-charger via living room" are separate behavioural sequences with independent (mu, Sigma) pairs. When the hallway route triggers a distribution halt, the robot can attempt the living room route, which has its own distribution signature reflecting what "normal" looks like for that path. If both routes trigger halts, the robot escalates to the deliberative layer. This is not path planning -- the robot does not compute new routes. It selects from previously demonstrated routes, each with their own safety envelope.

Is the 3.0 threshold configurable?

Yes, through the Personality struct. The halt_sigma_threshold field defaults to 3.0 but can be adjusted per deployment. A more cautious robot might use 2.5 (halts more readily). A robot in a highly variable environment (children's playroom, outdoor agricultural) might use 3.5 to reduce false halts. The threshold must be at least 2.0 -- below this, normal operational variability produces too many false halts. There is no enforced upper bound, but values above 4.0 are not recommended because they allow genuinely anomalous situations to proceed unchallenged. The choice of threshold is a deployment decision, not an architectural one.

How does this interact with the minimum gate? Does a halt affect coherence?

A halt does not directly modify coherence. The minimum gate C_eff = min(C_inst, C_ctx) operates continuously, including during behavioural sequences. If C_inst drops during the sequence (environmental instability), C_eff drops, and the permeability function reduces motor output. The halt conditions operate on a different layer: they are SEQUENCE-level safety checks, not TICK-level trust computations. A halt terminates the sequence. A coherence drop modulates the output within the sequence. Both can happen simultaneously -- a tension spike both reduces permeability (through the sigmoid) and triggers a halt (through condition 2). But a distribution deviation halt at d_M = 3.5 does not change coherence. The robot's trust in the kitchen context is preserved. Only the specific behavioural sequence is interrupted.