Smallest-Deviation Harm Minimization Under Envelope Constraint

by Nick Clark | Published April 25, 2026

Provisional 64/049,409 discloses a harm-minimization rule that operates when the planner's normal output is empty: the candidate plan space contains no plan that fully satisfies the operating envelope. Rather than refusing to act, the system selects the plan with the smallest measured deviation from the envelope, executes that plan under explicit deviation flags, and commits the deviation magnitude, the alternatives considered, and the rationale to the immutable lineage record. The construction converts the unbounded "what should the system do when nothing is allowed" question into a bounded optimization: minimize deviation, log it, and let the governing authority review the deviation post hoc.

Mechanism

The planner produces candidate plans through its ordinary search. Each candidate is scored against the operating envelope, which is a structured collection of constraints supplied by the governing jurisdiction: speed limits, separation minima, intervention thresholds, harm-class orderings, and any domain-specific bounds applicable to the deployment. Under nominal conditions, at least one candidate satisfies all envelope constraints, and the planner selects among the satisfying candidates using its ordinary objective function. The smallest-deviation rule does not engage.

The rule engages when the satisfying set is empty. This occurs in scenarios where every available actuation produces some envelope violation: a vehicle whose only collision-avoidance trajectory crosses a curb, a medical infusion controller whose only stabilization plan exceeds a per-hour dose ceiling, an industrial process controller whose only safe shutdown path traverses a momentarily out-of-spec pressure regime. The shared structure across these scenarios is that the envelope describes the allowed steady-state operation, while the immediate physical situation requires departure from steady state to reach a safe terminal condition.

When the satisfying set is empty, the planner does not abort. Aborting in these scenarios is itself an action, often the worst one: a vehicle that refuses to swerve because every swerve violates a curb constraint commits to the collision. The rule instead instructs the planner to compute, for each candidate, a deviation vector measuring how far the candidate departs from each envelope constraint. The deviation vector is reduced to a scalar via a governance-supplied norm. Common norms include the L-infinity norm (worst single violation), the L1 norm (total violation), and weighted variants that prioritize specific constraint classes. The norm itself is a configurable element of the envelope.

The candidate with the smallest scalar deviation is selected and dispatched. Concurrently, the system commits to lineage the full deviation vector, the norm under which the candidate was selected, the alternatives that were considered and their deviation vectors, the envelope version against which the evaluation was performed, and the timestamp of the decision. The lineage entry is cryptographically committed, ensuring that a post hoc reviewer sees the actual decision space the planner faced rather than a reconstruction. If the deployment includes a real-time deviation supervisor, the supervisor is notified during execution; otherwise, the deviation surfaces in the next routine review.

The rule is bounded by a maximum admissible deviation. If even the smallest-deviation candidate exceeds the maximum, the system transitions to a fail-safe terminal action — full stop, isolation, handoff to operator — rather than executing an unbounded violation. The maximum admissible deviation is itself part of the envelope and is signed by the governing jurisdiction.
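The mechanism above, worked through as an added example (illustrative code, not the provisional's implementation): candidates are scored against an envelope, the satisfying set is checked first, and only when it is empty does the rule rank every candidate by a governance-supplied norm, enforce the maximum admissible deviation, and commit the whole decision space (selected plan, every alternative with its deviation vector, norm, envelope version, timestamp) to a hash-chained lineage entry. The envelope, its version string, the three vehicle candidates and every bound are constructed; the `linf`, `l1` and `weighted` norms correspond to the three norm families the text names.

```python
"""Added example (not the provisional's implementation): the smallest-deviation
rule with a governance-supplied norm, a maximum admissible deviation that
triggers fail-safe, and a hash-chained lineage entry recording the whole
decision space. Envelope, candidates and field names are constructed."""
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Envelope = Dict[str, float]   # constraint name -> maximum permitted value


@dataclass
class Candidate:
    cid: str
    cost: float                 # ordinary objective, used only on the nominal path
    metrics: Dict[str, float]   # realised value of each constrained quantity


def deviation_vector(c: Candidate, env: Envelope) -> Dict[str, float]:
    """Per-constraint overshoot; 0.0 for every constraint the plan satisfies."""
    return {k: max(0.0, c.metrics.get(k, 0.0) - bound) for k, bound in env.items()}


# Governance-supplied norms: each reduces a deviation vector to one scalar.
def linf(dev: Dict[str, float]) -> float:
    return max(dev.values(), default=0.0)        # worst single violation

def l1(dev: Dict[str, float]) -> float:
    return sum(dev.values())                     # total violation

def weighted(weights: Dict[str, float]) -> Callable[[Dict[str, float]], float]:
    def weighted_norm(dev: Dict[str, float]) -> float:
        return sum(weights.get(k, 1.0) * v for k, v in dev.items())
    return weighted_norm


def commit(prev_head: str, entry: dict) -> str:
    """Append-only lineage: the new head hashes the entry together with the
    previous head, so editing any field afterwards changes every later head."""
    payload = json.dumps({"prev": prev_head, "entry": entry}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


@dataclass
class Decision:
    action: str               # "nominal", "deviate" or "failsafe"
    selected: Optional[str]   # candidate id, None when fail-safe engaged
    scalar: float             # deviation scalar of the best candidate
    entry: dict               # the lineage entry as committed
    head: str                 # lineage head after the commit


def select(cands: List[Candidate], env: Envelope, env_version: str,
           norm: Callable[[Dict[str, float]], float], max_admissible: float,
           prev_head: str = "0" * 64, ts: str = "2026-04-25T00:00:00Z") -> Decision:
    devs = {c.cid: deviation_vector(c, env) for c in cands}
    feasible = [c for c in cands if linf(devs[c.cid]) == 0.0]
    base = {"ts": ts, "envelope_version": env_version}
    if feasible:   # satisfying set non-empty: ordinary objective, rule not engaged
        best = min(feasible, key=lambda c: c.cost)
        entry = {**base, "rule_engaged": False, "selected": best.cid}
        return Decision("nominal", best.cid, 0.0, entry, commit(prev_head, entry))
    # Satisfying set empty: rank every candidate by the governance norm and log
    # all alternatives with their full deviation vectors, not just the winner.
    scalars = {cid: norm(d) for cid, d in devs.items()}
    best_id = min(scalars, key=scalars.get)
    entry = {**base, "rule_engaged": True, "norm": norm.__name__,
             "max_admissible": max_admissible,
             "alternatives": {cid: {"deviation": devs[cid], "scalar": s}
                              for cid, s in scalars.items()}}
    if scalars[best_id] > max_admissible:   # bounded: fail-safe, never an unbounded violation
        entry.update(selected=None, failsafe=True)
        return Decision("failsafe", None, scalars[best_id], entry, commit(prev_head, entry))
    entry.update(selected=best_id, failsafe=False)
    return Decision("deviate", best_id, scalars[best_id], entry, commit(prev_head, entry))


# Constructed vehicle scenario (the curb case from the text); the envelope
# version string and every bound are illustrative, not from any jurisdiction.
ENVELOPE: Envelope = {"curb_encroachment_m": 0.0, "lateral_accel_mps2": 3.0,
                      "pedestrian_separation_deficit_m": 0.0}
ENVELOPE_VERSION = "2.3.1"
CANDIDATES = [
    Candidate("brake_only",   1.0, {"curb_encroachment_m": 0.0, "lateral_accel_mps2": 0.5,
                                    "pedestrian_separation_deficit_m": 1.5}),
    Candidate("swerve_left",  3.0, {"curb_encroachment_m": 0.4, "lateral_accel_mps2": 2.5,
                                    "pedestrian_separation_deficit_m": 0.0}),
    Candidate("swerve_right", 2.0, {"curb_encroachment_m": 0.0, "lateral_accel_mps2": 3.35,
                                    "pedestrian_separation_deficit_m": 0.3}),
]

if __name__ == "__main__":
    for norm in (linf, l1, weighted({"pedestrian_separation_deficit_m": 10.0})):
        d = select(CANDIDATES, ENVELOPE, ENVELOPE_VERSION, norm, max_admissible=1.0)
        print(norm.__name__, d.action, d.selected, round(d.scalar, 3), d.head[:16])
```

With these constructed candidates the choice of norm is visibly a policy decision: `linf` picks `swerve_right` (worst single violation 0.35 m/s² of lateral acceleration), while `l1` and the pedestrian-weighted norm pick `swerve_left` (one 0.4 m curb encroachment, no pedestrian deficit). Lowering `max_admissible` to 0.3 rejects even the best candidate and the decision becomes `failsafe`, still with every alternative committed to lineage. A reviewer verifies the record by recomputing `commit(prev_head, entry)` and comparing it with the stored head.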

Operating Parameters

The rule is parameterized along four axes. The first axis is the envelope itself: the set of constraints that define nominal operation. Envelope constraints are supplied by the governing jurisdiction and consumed by the planner through the credentialed configuration channel. The envelope version is a first-class field that travels with every evaluation, so a deviation logged under envelope version 2.3.1 is reviewed against that version even if the current envelope is 2.4.0.

The second axis is the deviation norm. The norm reduces the multi-dimensional deviation vector to a scalar suitable for ranking. Selection of the norm is a policy decision: an L-infinity norm prioritizes minimization of the worst single violation, while an L1 norm permits a single large violation if it reduces total violation across constraints. Weighted norms allow the jurisdiction to express that certain constraint classes (pedestrian separation, dose ceiling on a critical medication) should dominate the ranking. The norm is part of the envelope and is governance-configurable.

The third axis is the maximum admissible deviation. This is the threshold beyond which even the smallest-deviation candidate is rejected and the system transitions to fail-safe. The threshold can be expressed in the same units as the norm or in a separate "absolute envelope" with stricter bounds than the nominal envelope. A two-tier construction — nominal envelope and absolute envelope — is the canonical form, with the smallest-deviation rule operating in the band between them.

The fourth axis is the lineage commitment scope. At minimum, the rule commits the selected plan, its deviation vector, and the alternatives considered. Optional additional fields include the planner's internal confidence in the input perception, the time budget consumed by the search, and references to the specific envelope rules that were violated. Operators with stringent forensic requirements enable the full schema; operators with bandwidth constraints enable the minimum schema and rely on aggregate analytics for deviations that do not reach review thresholds.

Alternative Embodiments

In the canonical embodiment, the rule operates within a single planner over a single envelope. In a hierarchical embodiment, the planner consults multiple envelopes corresponding to nested authorities — federal, state, and local for autonomous vehicles; international, national, and theater for defense systems — and the deviation vector is computed against each. The selected plan minimizes deviation against the most authoritative envelope first, breaking ties against the next-most-authoritative envelope, and so on. The hierarchical form preserves the bounded-deviation property at every level of authority.

In a temporal embodiment, the deviation is computed not against an instantaneous envelope but against a trajectory envelope that bounds permissible departure over time. A plan that deviates briefly and returns within tolerance can be ranked above a plan that deviates less in instant magnitude but for a longer duration. The temporal form is appropriate where transient deviation is recoverable and the operator's concern is integrated exposure rather than peak.
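The hierarchical and temporal embodiments, as an added example that is not the provisional's code. Hierarchical ranking is implemented by scoring each candidate against every nested envelope and comparing the resulting tuples lexicographically, which is exactly "minimize against the most authoritative envelope first, break ties against the next". Temporal ranking replaces the instantaneous scalar with deviation integrated over the trajectory, so a brief large departure can outrank a long mild one. The authority names, envelopes, candidates and trajectory samples are all constructed.

```python
"""Added example (not the provisional's code): hierarchical and temporal
embodiments of the smallest-deviation rule. All envelopes, authority names,
candidates and trajectories are constructed for illustration."""
from typing import Dict, List, Tuple

Envelope = Dict[str, float]   # constraint name -> maximum permitted value
Metrics = Dict[str, float]    # quantity name -> value realised by a plan


def linf_deviation(m: Metrics, env: Envelope) -> float:
    """Worst single overshoot of one envelope (0.0 when fully satisfied)."""
    return max((max(0.0, m.get(k, 0.0) - b) for k, b in env.items()), default=0.0)


# ---- hierarchical embodiment: nested authorities, most authoritative first ----
HIERARCHY: List[Tuple[str, Envelope]] = [          # constructed
    ("federal", {"pedestrian_separation_deficit_m": 0.0}),
    ("state",   {"speed_over_limit_kph": 0.0}),
    ("local",   {"curb_encroachment_m": 0.0}),
]


def hierarchical_key(m: Metrics) -> Tuple[float, ...]:
    """One scalar per authority level. Python compares tuples element by
    element, so any federal deviation outranks any state or local one."""
    return tuple(linf_deviation(m, env) for _, env in HIERARCHY)


CANDIDATES: Dict[str, Metrics] = {                 # constructed
    "hold_lane":  {"pedestrian_separation_deficit_m": 0.2},
    "speed_up":   {"speed_over_limit_kph": 8.0},
    "mount_curb": {"curb_encroachment_m": 0.5},
}


def select_hierarchical(cands: Dict[str, Metrics] = CANDIDATES
                        ) -> Tuple[str, Dict[str, Tuple[float, ...]]]:
    """Return the lexicographically smallest candidate and every key, so the
    keys can be committed to lineage alongside the selection."""
    keys = {cid: hierarchical_key(m) for cid, m in cands.items()}
    return min(keys, key=keys.get), keys


# ---- temporal embodiment: integrated exposure instead of peak --------------
Trajectory = List[Tuple[float, Metrics]]           # (dt_seconds, metrics) samples
FLAT_ENV: Envelope = {"curb_encroachment_m": 0.0}   # constructed single-bound envelope


def peak_deviation(traj: Trajectory, env: Envelope = FLAT_ENV) -> float:
    return max(linf_deviation(m, env) for _, m in traj)


def integrated_deviation(traj: Trajectory, env: Envelope = FLAT_ENV) -> float:
    """Deviation integrated over time (rectangle rule)."""
    return sum(dt * linf_deviation(m, env) for dt, m in traj)


BRIEF_SWERVE: Trajectory = [(1.0, {"curb_encroachment_m": 0.8}),
                            (1.0, {"curb_encroachment_m": 0.0}),
                            (1.0, {"curb_encroachment_m": 0.0})]
LONG_DRIFT: Trajectory = [(1.0, {"curb_encroachment_m": 0.5})] * 3


def rank_temporal(trajs: Dict[str, Trajectory], integrated: bool = True) -> str:
    score = integrated_deviation if integrated else peak_deviation
    return min(trajs, key=lambda name: score(trajs[name]))


if __name__ == "__main__":
    print(select_hierarchical())
    trajs = {"brief_swerve": BRIEF_SWERVE, "long_drift": LONG_DRIFT}
    print("peak:", rank_temporal(trajs, integrated=False),
          "integrated:", rank_temporal(trajs, integrated=True))
```

Note what the hierarchical key changes: a plain L1 sum over all three envelopes would choose `hold_lane` (0.2 total) over `mount_curb` (0.5), but the lexicographic key prefers any local-level deviation to a federal-level one, so `mount_curb` wins. Likewise the peak norm prefers `long_drift` (0.5 m at every sample) while the integrated norm prefers `brief_swerve` (0.8 m for one second, then back inside the envelope), which is the re-ranking the temporal embodiment describes.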

In an ensemble embodiment, multiple candidate planners propose plans independently, and the smallest-deviation rule operates over the union of their candidates. The ensemble form is appropriate where redundant planners are available and the deployment wishes to benefit from differential search strengths without surrendering the bounded-deviation guarantee.

In a deferred-execution embodiment, the rule selects the smallest-deviation plan but suspends execution pending operator confirmation, when the operating context permits delay. The deviation vector is presented to the operator with the alternatives considered and the rationale, and the operator either confirms execution, substitutes an alternative, or invokes the fail-safe. The deferred form is appropriate in domains where human-in-the-loop confirmation is feasible within the available time budget.

Composition With Adjacent Primitives

The smallest-deviation rule composes with three adjacent primitives in the confidence-governance architecture. It composes with the credentialed envelope distribution channel by consuming envelope updates as they are signed and published, and by versioning every deviation against the envelope active at decision time. An envelope revision does not retroactively reclassify past deviations; it governs only decisions made after the new version is in effect.

It composes with the lineage substrate by writing the full deviation record into the same append-only record that carries other planner decisions. A reviewer reading the lineage sees deviations interleaved with nominal decisions, can compute deviation rates and trends, and can correlate deviations with environmental conditions, sensor states, and operator inputs. The lineage thus supports both individual incident review and aggregate operating-envelope tuning.

It composes with the harm-class ordering primitive disclosed in the broader confidence-governance work by allowing the deviation norm to consult the harm-class ordering when ranking candidates. A candidate that deviates by violating a low-harm-class constraint is preferred over a candidate that deviates by violating a high-harm-class constraint, even if the raw magnitudes of the deviations are equal. The composition allows the smallest-deviation rule to honor the jurisdiction's expressed priorities about which violations are tolerable.

Distinction From Prior Art

Conventional autonomous-system planners handle the empty-feasible-set case in one of three ways. The first is hard refusal: the planner aborts and the system enters fail-safe. This converts every infeasibility, however minor, into a worst-case action. The second is silent envelope relaxation: the planner internally relaxes the envelope until at least one candidate satisfies it, without recording that the relaxation occurred. This produces unauditable behavior and shifts liability onto the manufacturer. The third is hardcoded fallback policy: the planner consults a manufacturer-defined fallback rule whose contents are opaque to the jurisdiction. The construction here departs from all three by making deviation an explicit, governance-bounded, and lineage-logged primitive.

Optimization-based planners with soft constraints offer a related but distinct construction. Soft constraints are absorbed into the objective function with weights, blurring the distinction between feasible and infeasible regions. The smallest-deviation rule preserves the distinction: the planner first searches the feasible region and engages the deviation rule only when the feasible region is empty, ensuring that envelope violations are exceptional events that are detected and logged rather than routine costs that are silently accumulated.

Anomaly-logging frameworks attached to controllers can record envelope violations after they occur, but they do not influence the controller's selection among violating actions. The construction here uses the same lineage record but binds the recording to the selection rule, so the violation that is logged is the one that minimizes the violation magnitude rather than an arbitrary one.

Model-predictive control with constraint relaxation provides a closely adjacent technique in which an inner solver penalizes constraint violations during optimization. The relaxation, however, is typically opaque to downstream review and is calibrated by the manufacturer rather than by the deploying jurisdiction. The construction described here exposes the relaxation as a first-class deviation, signed against a jurisdiction-supplied envelope, and committed to lineage in a form a regulator can audit without manufacturer cooperation. The technical innovation is not the act of relaxing a constraint under infeasibility but the architecture that makes the relaxation governance-bounded and forensically reconstructable.

Rule-based safety supervisors layered on top of a primary planner can veto unsafe candidates, producing behavior superficially similar to fail-safe transition. The supervisors typically do not rank residual candidates by deviation magnitude when all candidates are vetoed; they revert to a single hardcoded fallback. The smallest-deviation rule produces a finer-grained outcome, surrendering as little of the operating envelope as the situation requires rather than collapsing to a fixed last-resort action.

Disclosure Scope

The disclosure under Provisional 64/049,409 covers the rule in which a planner facing an empty feasible set selects the candidate with the smallest envelope deviation under a governance-supplied norm, executes the candidate, and commits the deviation magnitude, the alternatives considered, and the envelope version to immutable lineage. Coverage extends to the parameter families described above, including the envelope versioning, the norm selection, the maximum admissible deviation, and the lineage commitment scope. Coverage extends to the alternative embodiments described, including the hierarchical, temporal, ensemble, and deferred-execution forms, and to the composition with the adjacent envelope-distribution, lineage, and harm-class primitives. Embodiments that lack the bounded-deviation guarantee, that do not commit deviations to an immutable record, or that absorb deviation into a soft-constraint objective without a feasible-region distinction fall outside the claimed scope. The disclosure is intended to support a non-provisional filing that elaborates the norm taxonomy, the hierarchical envelope resolution protocol, and the deferred-execution operator interface.

Invented by Nick Clark. Founding Investors: Anonymous, Devin Wilkie.