A Hierarchical Trajectory Model of Cyber Resilience in Safety-Critical Cyber-Physical Systems


Abstract

Resilience in safety-critical cyber-physical systems is not a settled concept. It carries competing meanings inherited from four distinct intellectual traditions - materials science, ecology, safety engineering and cybersecurity - each with its own definition of what a successful outcome looks like. This tension is not merely academic: it produces operational frameworks in which robustness, adaptability, safety constraint and recovery are treated as equivalent attributes, their structural differences obscured. The result is guidance that can satisfy audit requirements while leaving complex systems vulnerable in ways that compliance metrics cannot detect. This paper introduces Cyber-Compatibilism as the organising principle for resolving that tension: the recognition that, although cyber disturbance in safety-critical systems may be inevitable, systems and operators can preserve meaningful operational agency through resilience mechanisms that integrate deterministic safety constraint with adaptive capacity across every phase of the disturbance trajectory. To operationalise this principle, a hierarchical trajectory model is developed in which engineering resistance capacity governs degradation magnitude, organisational recovery and adaptive capacity governs detection latency and recovery duration, and safety functions as a continuous constraint boundary throughout - not a threshold event triggered at extremis. The model's primary structural contribution is the translation of STAMP's constraint logic into resilience trajectory analysis: making explicit the domain-causal structure that existing quantitative frameworks measure as a unified index without attribution. By separating robustness from resilience, introducing hierarchical structuring and grounding assessment in operational consequence rather than adversarial technique, the framework provides structural clarity for resilience assessment in modern OT environments. 
The conceptual foundations established here are validated empirically in a companion paper through controlled testbed experimentation in a safety-critical industrial environment.
