ICAN-Deploy: Identity-Stable Canary Deployment for Safety-Critical Embodied Agents
Xue Qin, Simin Luan, John See, Zeyd Boukhers, Cong Yang, Zhijun Li
THE PROBLEM
This paper focuses on control. ICAN-Deploy is a middleware for managing safe deployment of LLM-driven robots. It addresses the problem that standard canary deployment techniques (Argo Rollouts, Spinnaker, Flagger) change a system's identity during deployment, which forces re-certification of safety-critical embodied agents. The solution separates capability names (immutable, hashed for certification) from capability versions (mutable runtime state), preserving identity across canary windows. The approach is verified via formal proof, AST linting, and TLA+ model checking, and testing on 100 real canary cycles on a Franka Panda arm in MuJoCo shows zero identity drift and sub-2ms latency impact. Read the paper by tracking the task definition, the robot or data assumptions, and the evidence that supports the claimed improvement.
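A minimal sketch of the name/version separation described above, added here as an illustration and not taken from the paper or the ICAN-Deploy code base. The class and function names, the length-prefixed SHA-256 encoding of the names, and the 10% canary weight are all assumptions.

```python
import hashlib
import random


class CapabilityRegistry:
    """Assumed design, not ICAN-Deploy's own: frozen names are hashed, versions are mutable state."""

    def __init__(self, stable_versions):
        # The name set is fixed at certification time and never changes afterwards.
        self._names = frozenset(stable_versions)
        self._stable = dict(stable_versions)   # name -> stable version (mutable)
        self._canary = {}                      # name -> (canary version, traffic weight)

    def identity_hash(self):
        # Hash only the sorted names; length-prefix each so ("ab", "c") != ("a", "bc").
        h = hashlib.sha256()
        for name in sorted(self._names):
            raw = name.encode("utf-8")
            h.update(len(raw).to_bytes(4, "big") + raw)
        return h.hexdigest()

    def start_canary(self, name, version, weight):
        if name not in self._names:
            raise KeyError(f"{name!r} is not a certified capability name")
        if not 0.0 <= weight <= 1.0:
            raise ValueError("weight must be within [0, 1]")
        self._canary[name] = (version, weight)

    def promote(self, name):
        self._stable[name] = self._canary.pop(name)[0]

    def rollback(self, name):
        self._canary.pop(name, None)

    def resolve(self, name, rng=random):
        # Route one call: the canary version with probability `weight`, else stable.
        version, weight = self._canary.get(name, (None, 0.0))
        return version if rng.random() < weight else self._stable[name]


def run_canary_cycle(reg, name, version, healthy):
    """One canary window; returns the identity hash before and after it."""
    before = reg.identity_hash()
    reg.start_canary(name, version, weight=0.1)
    reg.resolve(name)                          # traffic served during the window
    if healthy:
        reg.promote(name)
    else:
        reg.rollback(name)
    return before, reg.identity_hash()
```

Because versions never enter the hash, promotion and rollback both leave the certified identity unchanged, while any attempt to canary a name outside the frozen set is rejected.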
HOW IT WORKS
Task framing
Core method
Data and supervision
Evaluation evidence
KEY RESULTS
This solves the certification nightmare for deploying robot updates: instead of re-certifying every time you deploy a new version of your robot controller, you certify the robot's identity once and then deploy unlimited capability updates without breaking safety guarantees. The middleware maintains a cryptographic identity hash across deployments by separating frozen capability names from mutable versions, letting you iterate on robot code without re-doing expensive compliance audits.
LIMITATIONS
The main limitation to check is whether the claimed behavior holds outside the paper's reported setup. That means testing across different robot embodiments, scenes, objects, and data distributions.
WHAT COMES NEXT
The practical next step is independent reproduction with clear baselines, ablations, and stress tests. For a developer, the useful follow-up is to map the paper's control assumptions onto a concrete robot stack, then test the smallest version of the method that could run end to end.