Where AI
Meets Reality
Reflexible is the safety-critical control layer for the era of Physical AI — translating high-level intent into provably safe robotic action.
The digital world taught AI to think.
The physical world will teach it to act.
We are at the dawn of a new technological revolution. After mastering language and logic in the digital realm, Artificial Intelligence is now crossing into the physical world. This is the era of Physical AI — where autonomous systems perceive, reason, and interact with their environment, transforming industries from manufacturing and logistics to healthcare and exploration.
The market for intelligent physical systems is projected to grow from a few billion dollars today to over $200 billion in the coming decade. The transition to agentic and physical AI will be revolutionary, giving rise to entirely new industries and reshaping the global economy.
"The ChatGPT moment for physical AI is nearly here. The physical world is diverse and unpredictable."
"Physical AI and robotics are moving so fast. Everybody, pay attention to this space. This could very well likely be the largest industry of all."
"We need to understand that this is a serious civilizational challenge."
"AI safety continues to be the highest-level focus. Businesses value trust and reliability."
In the physical world,
there are no do-overs.
A critical gap exists between the immense capabilities of large AI models and the stringent safety requirements of physical systems. An error in a chatbot is an inconvenience; an error in a surgical robot or an autonomous vehicle can be catastrophic.
AI models are non-deterministic and opaque, making them unsuitable for direct control of safety-critical hardware. What is needed is a bridge — a layer of trust that can translate the powerful reasoning of AI into verifiable, deterministic action.
"Perhaps the most important thing we can do is to design AI systems that are, to the extent possible, provably safe and beneficial for humans."
Why Physical AI demands
a fundamentally different approach.
The leaders of AI research and industry are converging on a clear consensus: deploying AI in the physical world requires determinism, observability, and explainability that today's models cannot provide alone.
Determinism
When AI controls physical systems, every output must be predictable and bounded. Non-deterministic behavior that is tolerable in a chatbot becomes unacceptable when a robot arm is in motion.
"Software 1.0 easily automates what you can specify. Software 2.0 easily automates what you can verify."
Observability
Operators and regulators need to see inside the decision-making process. Black-box AI is insufficient for safety-critical domains where every action must be traceable and auditable.
"How safe is safe enough? Society tolerates a lot of human error. We are, after all, only human. But we expect machines to be much better."
Explainability
When something goes wrong — and in the physical world, it will — engineers need to understand exactly why. Human-readable intermediate representations are not optional; they are essential.
"The rapid progress of AI may create situations that our existing legal frameworks are not well designed to deal with."
The Reflexible Thesis
The path to safe Physical AI is not to constrain the AI — it is to build a deterministic, observable, and explainable layer between the AI and the physical world. A layer where every decision can be verified before it becomes action, and every action can be traced back to its reasoning. This is what Reflexible provides.
Fast, deterministic reflexes
guided by deep AI reasoning.
Inspired by the dual-process theory of the human mind, Reflexible provides the fast, intuitive “System 1” reflexes for robots — guided by the slower, more deliberate “System 2” reasoning of large AI models.
SYSTEM 1 — FAST REFLEXES
Deterministic, bounded-time control loops that execute with mathematical guarantees. The safety layer.
SYSTEM 2 — DEEP REASONING
Large AI models that plan, adapt, and generate sophisticated behavior from high-level intent.
ReflexScript: A New Language for Safe Machines
At the core of Reflexible is ReflexScript — a domain-specific language purpose-built for creating safety-critical control code. Write once, compile to both MISRA-C and synthesizable SystemVerilog. Every line below is real, compilable code.
Deterministic
All operations have bounded execution time and memory, enabling formal verification of safety properties.
Human-Readable
Transparent, auditable code that ensures human oversight at every stage of the pipeline.
Provably Safe
Safety blocks with requirement IDs are verified at compile time. Every branch is tested before deployment.
Dual-Target
One source compiles to MISRA-C for MCUs and synthesizable SystemVerilog for FPGAs — same safety guarantees.
// Part 4: Certified Safety System
//
// This tutorial demonstrates production-ready safety features:
// - Comprehensive safety blocks with requirement IDs
// - Dual-redundant sensor validation
// - Fault detection and degraded operation
// - Watchdog integration
// - Full evidence generation for certification
//
// Target standards:
// - ISO 26262 ASIL-B (Automotive)
// - IEC 61508 SIL 2 (Industrial)
//
// Learning objectives:
// - Safety blocks with named requirements
// - Redundant sensor validation
// - Fault detection patterns
// - Degraded operation modes
// - Safety report generation
// System modes enumeration
enum SystemMode {
Initializing, // Startup, running self-test
Normal, // Full operation
Degraded, // Partial sensor failure
SafeStop, // Controlled stop
EmergencyStop // Immediate halt
}
// Fault codes for diagnostics
enum FaultCode {
NoFault,
PrimarySensorFault,
SecondarySensorFault,
SensorMismatch,
WatchdogTimeout,
OverTemperature,
CommunicationLoss
}
// Production-certified AV safety controller
// Meets ISO 26262 ASIL-B and IEC 61508 SIL 2 requirements
reflex av_certified_system @(
rate(500Hz),
wcet(100us),
stack(512bytes),
state(256bytes),
bounded,
noalloc,
norecursion
) {
// Comprehensive safety block with traceable requirements
safety {
// Input domain constraints
input: {
primary_distance in 0..10000, // cm
secondary_distance in 0..10000, // cm
vehicle_speed in 0..5000, // cm/s
estop_1 in 0..1,
estop_2 in 0..1,
watchdog_pulse in 0..1,
primary_sensor_health in 0..1,
secondary_sensor_health in 0..1,
system_temp in 0..150 // Celsius
}
// State domain constraints
state: {
watchdog_counter in 0..255,
startup_counter in 0..255,
fault_history in 0..255,
safe_distance in 0..10000
}
// Output constraints
output: {
brake_command in 0..100,
throttle_command in 0..100,
motor_enable in 0..1,
estop_relay in 0..1
}
// Safety requirements - each has a unique ID for traceability
require: {
// === Emergency Stop Requirements ===
// REQ-ES-001: Either E-stop pressed requires immediate safe state
(!estop_1 || !estop_2) -> (motor_enable == false),
// REQ-ES-002: E-stop requires maximum braking
(!estop_1 || !estop_2) -> (brake_command >= 90),
// REQ-ES-003: E-stop requires zero throttle
(!estop_1 || !estop_2) -> (throttle_command == 0),
// === Sensor Validation Requirements ===
// REQ-SV-001: Both sensors failed requires safe stop
(!primary_sensor_health && !secondary_sensor_health) -> (mode == EmergencyStop),
// REQ-SV-002: Single sensor failure enters degraded mode
(primary_sensor_health != secondary_sensor_health) ->
((mode == Degraded) || (mode == SafeStop) || (mode == EmergencyStop)),
// === Distance Safety Requirements ===
// REQ-DS-001: Critical distance requires emergency braking
(safe_distance < 100) -> (brake_command >= 80),
// REQ-DS-002: Critical distance disables throttle
(safe_distance < 100) -> (throttle_command == 0),
// REQ-DS-003: Warning distance limits throttle
(safe_distance < 500) -> (throttle_command <= 30),
// === Mutual Exclusion Requirements ===
// REQ-MX-001: Brake and throttle mutually exclusive
(brake_command > 20) -> (throttle_command == 0),
// === Thermal Requirements ===
// REQ-TH-001: Overtemperature requires reduced operation
(system_temp > 85) -> (throttle_command <= 50)
}
}
// === INPUTS ===
// Dual-redundant distance sensors (primary and secondary)
input: primary_distance: u16[cm], // Primary lidar distance
secondary_distance: u16[cm], // Secondary radar distance
vehicle_speed: u16[cm], // Vehicle speed
// Dual E-stop buttons (both must be released)
estop_1: bool, // E-stop button 1 (true=released)
estop_2: bool, // E-stop button 2 (true=released)
// Watchdog input from external safety monitor
watchdog_pulse: bool, // Watchdog heartbeat
// Sensor health inputs
primary_sensor_health: bool, // Primary sensor OK
secondary_sensor_health: bool, // Secondary sensor OK
// System monitoring
system_temp: u8[degC], // System temperature
comm_valid: bool // Communication channel valid
// === OUTPUTS ===
output: brake_command: u8, // Brake command 0-100%
throttle_command: u8, // Throttle command 0-100%
motor_enable: bool, // Motor driver enable
estop_relay: bool, // E-stop relay output
warning_lamp: bool, // Warning indicator
fault_lamp: bool, // Fault indicator
// Status outputs
mode: SystemMode, // Current operating mode
active_fault: FaultCode, // Active fault code
diagnostic_code: u8 // Detailed diagnostic
// === STATE ===
state: // Watchdog monitoring
watchdog_counter: u8 = 0, // Counts cycles since last pulse
last_watchdog: bool = false, // Previous watchdog state
// Startup sequence
startup_counter: u8 = 0, // Startup delay counter
system_ready: bool = false, // System passed self-test
// Fault tracking
fault_history: u8 = 0, // Accumulated fault flags
consecutive_faults: u8 = 0, // Consecutive fault count
// Filtered values
safe_distance: u16[cm] = 10000 // Validated safe distance
loop {
// Default outputs to ensure assignment on all control-flow paths
brake_command = 100
throttle_command = 0
motor_enable = false
estop_relay = false
warning_lamp = false
fault_lamp = false
mode = Initializing
active_fault = NoFault
diagnostic_code = 0
// === STEP 1: E-STOP CHECK (Highest Priority) ===
// Dual E-stop: both must be released for normal operation
let estop_active: bool = !estop_1 || !estop_2
if (estop_active) {
// Immediate safe state
mode = EmergencyStop
brake_command = 100
throttle_command = 0
motor_enable = false
estop_relay = true
warning_lamp = true
fault_lamp = true
active_fault = NoFault // E-stop is not a fault
diagnostic_code = 1 // E-stop active
// Skip remaining logic
} else {
// === STEP 2: WATCHDOG CHECK ===
// Detect watchdog pulse edge
let watchdog_edge: bool = watchdog_pulse && !last_watchdog
last_watchdog = watchdog_pulse
if (watchdog_edge) {
watchdog_counter = 0
} else {
if (watchdog_counter < 255) {
watchdog_counter = watchdog_counter + 1
}
}
// Watchdog timeout (50 cycles = 100ms at 500Hz)
let watchdog_ok: bool = watchdog_counter < 50
// === STEP 3: STARTUP SEQUENCE ===
if (!system_ready) {
if (startup_counter < 100) { // 200ms startup delay
startup_counter = startup_counter + 1
mode = Initializing
brake_command = 100 // Brakes on during startup
throttle_command = 0
motor_enable = false
estop_relay = false
warning_lamp = true
fault_lamp = false
active_fault = NoFault
diagnostic_code = 10 // Initializing
} else {
system_ready = true
}
}
if (system_ready) {
// === STEP 4: SENSOR VALIDATION ===
let primary_ok: bool = primary_sensor_health
let secondary_ok: bool = secondary_sensor_health
// Check sensor agreement (within 10% or 50cm)
let sensor_diff: i32[cm] = 0[cm]
if (primary_distance > secondary_distance) {
sensor_diff = primary_distance - secondary_distance
} else {
sensor_diff = secondary_distance - primary_distance
}
let sensors_agree: bool = sensor_diff < 50[cm]
// Determine validated distance
if (primary_ok && secondary_ok && sensors_agree) {
// Both sensors OK and agree - use minimum (conservative)
if (primary_distance < secondary_distance) {
safe_distance = primary_distance
} else {
safe_distance = secondary_distance
}
consecutive_faults = 0
} elif (primary_ok && secondary_ok && !sensors_agree) {
// Sensors disagree - use minimum and flag
if (primary_distance < secondary_distance) {
safe_distance = primary_distance
} else {
safe_distance = secondary_distance
}
active_fault = SensorMismatch
consecutive_faults = consecutive_faults + 1
} elif (primary_ok && !secondary_ok) {
// Secondary failed - use primary only
safe_distance = primary_distance
active_fault = SecondarySensorFault
consecutive_faults = consecutive_faults + 1
} elif (!primary_ok && secondary_ok) {
// Primary failed - use secondary only
safe_distance = secondary_distance
active_fault = PrimarySensorFault
consecutive_faults = consecutive_faults + 1
} else {
// Both sensors failed - freeze last known value
// safe_distance remains unchanged
active_fault = SensorMismatch
consecutive_faults = consecutive_faults + 1
}
// === STEP 5: FAULT HANDLING ===
if (!watchdog_ok) {
active_fault = WatchdogTimeout
consecutive_faults = 255
}
if (system_temp > 100) {
active_fault = OverTemperature
consecutive_faults = consecutive_faults + 1
}
if (!comm_valid) {
active_fault = CommunicationLoss
consecutive_faults = consecutive_faults + 1
}
// === STEP 6: MODE DETERMINATION ===
if (consecutive_faults > 10 || !watchdog_ok) {
mode = EmergencyStop
} elif (!primary_ok && !secondary_ok) {
mode = EmergencyStop
} elif (!primary_ok || !secondary_ok || !sensors_agree) {
mode = Degraded
} elif (system_temp > 85) {
mode = Degraded
} else {
mode = Normal
}
// === STEP 7: CONTROL OUTPUT GENERATION ===
if (mode == EmergencyStop) {
brake_command = 100
throttle_command = 0
motor_enable = false
estop_relay = true
warning_lamp = true
fault_lamp = true
diagnostic_code = 90
} elif (mode == Degraded) {
// Degraded operation - reduced performance
motor_enable = true
estop_relay = false
warning_lamp = true
fault_lamp = true
// Conservative braking in degraded mode
if (safe_distance < 200) {
brake_command = 100
throttle_command = 0
} elif (safe_distance < 500) {
brake_command = 60
throttle_command = 0
} elif (safe_distance < 1000) {
brake_command = 30
throttle_command = 0
} else {
brake_command = 0
throttle_command = 30 // Limited throttle
}
diagnostic_code = 50
} else {
// Normal operation
motor_enable = true
estop_relay = false
warning_lamp = false
fault_lamp = false
// Distance-based control
if (safe_distance < 100) {
brake_command = 100
throttle_command = 0
} elif (safe_distance < 300) {
brake_command = 70
throttle_command = 0
} elif (safe_distance < 600) {
// Proportional braking
let brake_val: i32 = 70 - ((safe_distance - 300) * 70 / 300)
if (brake_val < 0) { brake_val = 0 }
brake_command = i32_to_u8(brake_val)
throttle_command = 0
} elif (safe_distance < 1500) {
brake_command = 0
throttle_command = 40
} else {
brake_command = 0
throttle_command = 70
}
active_fault = NoFault
diagnostic_code = 0
}
// === STEP 8: SPEED OVERRIDE ===
if ((vehicle_speed > 2000) && (safe_distance < 1000)) {
if (brake_command < 80) {
brake_command = 80
}
throttle_command = 0
}
// === STEP 9: THERMAL DERATING ===
if (system_temp > 85) {
if (throttle_command > 50) {
throttle_command = 50
}
}
}
}
}
// Comprehensive test suite
tests {
reset_state
// E-stop test - button 1 pressed
// E-stop is checked first, so system_ready doesn't matter
test estop_button1
inputs: {
primary_distance = 5000, secondary_distance = 5000,
vehicle_speed = 1000, estop_1 = false, estop_2 = true,
watchdog_pulse = true, primary_sensor_health = true,
secondary_sensor_health = true, system_temp = 40, comm_valid = true
},
expect: {
brake_command = 100, throttle_command = 0,
motor_enable = false, estop_relay = true,
mode = EmergencyStop
}
// Normal operation test - with system_ready = true
test normal_clear
state: {
watchdog_counter = 0, last_watchdog = false,
startup_counter = 100, system_ready = true,
fault_history = 0, consecutive_faults = 0,
safe_distance = 10000
},
inputs: {
primary_distance = 5000, secondary_distance = 5010,
vehicle_speed = 1000, estop_1 = true, estop_2 = true,
watchdog_pulse = true, primary_sensor_health = true,
secondary_sensor_health = true, system_temp = 40, comm_valid = true
},
expect: {
brake_command = 0, motor_enable = true,
mode = Normal, active_fault = NoFault
}
// Primary sensor fault test
test primary_sensor_fault
state: {
watchdog_counter = 0, last_watchdog = false,
startup_counter = 100, system_ready = true,
fault_history = 0, consecutive_faults = 0,
safe_distance = 10000
},
inputs: {
primary_distance = 1000, secondary_distance = 3000,
vehicle_speed = 500, estop_1 = true, estop_2 = true,
watchdog_pulse = true, primary_sensor_health = false,
secondary_sensor_health = true, system_temp = 40, comm_valid = true
},
expect: {
motor_enable = true, mode = Degraded,
active_fault = PrimarySensorFault
}
// Close obstacle emergency - triggers full brake in Normal mode
test close_obstacle
state: {
watchdog_counter = 0, last_watchdog = false,
startup_counter = 100, system_ready = true,
fault_history = 0, consecutive_faults = 0,
safe_distance = 10000
},
inputs: {
primary_distance = 80, secondary_distance = 85,
vehicle_speed = 500, estop_1 = true, estop_2 = true,
watchdog_pulse = true, primary_sensor_health = true,
secondary_sensor_health = true, system_temp = 40, comm_valid = true
},
expect: {
brake_command = 100, throttle_command = 0,
motor_enable = true, mode = Normal
}
// Thermal derating test - high temp triggers Degraded mode
test thermal_derating
state: {
watchdog_counter = 0, last_watchdog = false,
startup_counter = 100, system_ready = true,
fault_history = 0, consecutive_faults = 0,
safe_distance = 10000
},
inputs: {
primary_distance = 5000, secondary_distance = 5000,
vehicle_speed = 500, estop_1 = true, estop_2 = true,
watchdog_pulse = true, primary_sensor_health = true,
secondary_sensor_health = true, system_temp = 90, comm_valid = true
},
expect: {
mode = Degraded, throttle_command = 30
}
// Both sensors failed - triggers EmergencyStop
test dual_sensor_failure
state: {
watchdog_counter = 0, last_watchdog = false,
startup_counter = 100, system_ready = true,
fault_history = 0, consecutive_faults = 10,
safe_distance = 10000
},
inputs: {
primary_distance = 5000, secondary_distance = 5000,
vehicle_speed = 500, estop_1 = true, estop_2 = true,
watchdog_pulse = true, primary_sensor_health = false,
secondary_sensor_health = false, system_temp = 40, comm_valid = true
},
expect: {
brake_command = 100, motor_enable = false,
mode = EmergencyStop
}
}
}
// ✓ Compilation: Safety Properties VERIFIED
// ✓ 6/6 tests passed
// ✓ All safety requirements satisfied
// ✓ Branch coverage: 100%
// ═══════════════════════════════════════════════════════
// SIMULATOR: Robot Physics (from part3_simulation)
// ═══════════════════════════════════════════════════════
// Robot physics simulator - models a simple 1D robot approaching an obstacle
simulator robot_physics @(rate(100Hz)) {
// Inputs from controller
input: brake_cmd: u8,
throttle_cmd: u8
// Outputs to controller (sensor readings)
output: obstacle_distance: i16,
robot_velocity: i16
// Physical state
state: position: i32 = 0, // Robot position in cm (starts at 0)
velocity: i32 = 300, // Initial velocity: 3 m/s = 300 cm/s
obstacle_pos: i32 = 1000, // Obstacle at 10m = 1000cm
time_step: u32 = 0
// Initial conditions for simulation
// Start closer to obstacle so braking behavior is visible within simulation
initial {
reflex_inputs: {
brake_cmd = 0,
throttle_cmd = 50
}
state: {
position = 600, // Start at 6m (4m from obstacle)
velocity = 300, // Initial velocity: 3 m/s
obstacle_pos = 1000, // Obstacle at 10m
time_step = 0
}
}
safety {
input: { brake_cmd in 0..100, throttle_cmd in 0..100 }
state: { position in 0..2000, velocity in -100..1000,
obstacle_pos in 500..2000, time_step in 0..4294967295 }
output: { obstacle_distance in 0..2000, robot_velocity in 0..1000 }
// Energy: "collision risk" metric - decreases in ideal braking scenario
// High when fast AND close, low when slow OR far
// As braking reduces velocity, this metric decreases toward 0
energy: (velocity * velocity) / ((obstacle_pos - position) + 1)
}
loop {
time_step = time_step + 1
// Physics update (dt = 10ms = 0.01s at 100Hz)
// Acceleration based on brake/throttle commands
// Max brake decel: 5 m/s^2 = 500 cm/s^2
// Max throttle accel: 2 m/s^2 = 200 cm/s^2
let accel: i32 = 0
if (brake_cmd > 0) {
// Braking: deceleration proportional to brake command
// brake_cmd 100 = 500 cm/s^2 deceleration
accel = 0 - (brake_cmd * 5)
} elif (throttle_cmd > 0) {
// Accelerating: acceleration proportional to throttle
// throttle_cmd 100 = 200 cm/s^2 acceleration
accel = throttle_cmd * 2
}
// Update velocity: v = v + a*dt (dt = 0.01s, so a*dt = a/100)
velocity = velocity + (accel / 100)
// Clamp velocity (no reverse, max 10 m/s)
if (velocity < 0) { velocity = 0 }
if (velocity > 1000) { velocity = 1000 }
// Update position: x = x + v*dt (dt = 0.01s, so v*dt = v/100)
position = position + (velocity / 100)
// Calculate distance to obstacle
let dist: i32 = obstacle_pos - position
if (dist < 0) { dist = 0 }
if (dist > 2000) { dist = 2000 }
// Output sensor readings
obstacle_distance = i32_to_i16(dist)
robot_velocity = i32_to_i16(velocity)
}
}
Thought-to-Reflex
Our vision is a future where creating sophisticated, safe robotic systems is as simple as describing a task in natural language. The seamless pipeline from human intent to verified machine action — we call it Thought-to-Reflex.
Built by experts in
robotics and AI safety.
Mirror AI was founded by a team of seasoned technologists with deep expertise at the intersection of robotics, embedded systems, and artificial intelligence. Our leadership holds advanced degrees from UC Berkeley's EECS department and brings over a decade of hands-on experience building autonomous systems that operate in the real world.
From pioneering wearable biosignal algorithms to designing autonomous navigation systems for vehicles and robots, our team has shipped safety-critical technology at scale. We have published extensively in top-tier venues, hold multiple patents, and are recognized speakers at leading industry conferences including the Embedded Vision Summit.
Academic Foundation
- PhD, EECS — UC Berkeley
- 1,400+ academic citations
- Published in top-tier robotics and signal processing venues
- Multiple UC Berkeley research lab affiliations
Industry Experience
- Pioneered next-gen heart rate algorithms for wearable devices
- Designed autonomous navigation for consumer and industrial robots
- Built perception and SLAM systems for autonomous vehicles
- Led robotics R&D for car-carrying warehouse automation
Technical Depth
- Embedded systems and PCB design
- Digital signal processing and sensor fusion
- Robot perception, SLAM, and motion planning
- Safety-critical software and formal verification
Advisory Network
- Multiple UC Berkeley EECS PhDs on the advisory board
- Expertise spanning ML, wireless systems, and integrated circuits
- Deep connections to the Berkeley robotics ecosystem
Build the future of
Physical AI with us.
We are assembling a select group of early partners and collaborators who share our vision for safe, intelligent machines. Request early access to the Reflexible platform.
We respect your privacy. No spam, ever.