Harm-Minimization Deviation

by Nick Clark | Published April 25, 2026

When all available actuations produce some harm, the actuation that minimizes harm under a governance-policy-configurable entity-class harm ordering is selected. The harm ordering is signed by the governing jurisdiction rather than hardcoded by the manufacturer.


What Harm-Minimization Deviation Specifies

The architecture treats no-good-options scenarios as a structural concern. The harm-minimization computation runs against a credentialed entity-class harm ordering and selects the actuation with minimum weighted harm. Each selection is recorded in lineage with the ordering policy under which it was evaluated.

The entity-class taxonomy includes pedestrians, cyclists, occupants, property, the unit itself, plus domain-specific extensions (patients, combatants, non-combatants, infrastructure, allied units). The relative weighting between classes is the harm ordering.
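The selection step described above can be sketched as follows. This is an added example, not code from the architecture or its author. The policy layout, weights, candidate actuations, and all function names are constructed assumptions, and HMAC-SHA256 with a shared key stands in for the jurisdiction's signature.

```python
import hashlib, hmac, json

# Constructed demo values. HMAC-SHA256 with a shared key stands in for the
# jurisdiction's signature; a deployment would verify an asymmetric signature.
JURISDICTION_KEY = b"constructed-demo-key"
POLICY = {"policy_id": "EXAMPLE-ORDERING-1",  # placeholder identifier
          "weights": {"pedestrian": 10, "cyclist": 10, "occupant": 10,
                      "property": 1, "unit": 1}}
CANDIDATES = [  # per-class harm estimates on a constructed 0-10 scale
    {"id": "brake_straight", "harm": {"occupant": 2, "property": 5}},
    {"id": "swerve_left", "harm": {"cyclist": 4}},
    {"id": "swerve_right", "harm": {"property": 9, "unit": 8}},
]

def canonical(policy):
    """Stable byte encoding so signer and verifier hash identical bytes."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()

def sign_policy(policy, key):
    return hmac.new(key, canonical(policy), hashlib.sha256).hexdigest()

def policy_digest(policy):
    return hashlib.sha256(canonical(policy)).hexdigest()

def weighted_harm(candidate, weights):
    # An entity class missing from the ordering raises KeyError instead of
    # silently counting as zero harm.
    return sum(weights[cls] * mag for cls, mag in candidate["harm"].items())

def select_actuation(policy, signature, candidates, key, lineage):
    """Verify the ordering, pick the minimum weighted harm, record lineage."""
    if not hmac.compare_digest(sign_policy(policy, key), signature):
        raise ValueError("harm ordering failed verification")  # fail closed
    scores = {c["id"]: weighted_harm(c, policy["weights"]) for c in candidates}
    chosen = min(scores, key=lambda cid: (scores[cid], cid))  # stable tie-break
    lineage.append({"policy_id": policy["policy_id"],
                    "policy_sha256": policy_digest(policy),
                    "scores": scores, "chosen": chosen})
    return chosen

if __name__ == "__main__":
    log = []
    sig = sign_policy(POLICY, JURISDICTION_KEY)
    print(select_actuation(POLICY, sig, CANDIDATES, JURISDICTION_KEY, log))
    print(json.dumps(log, indent=2))
```

The lineage entry carries a digest of the exact ordering that was evaluated, so a later audit can tie each selection to one signed policy version. A policy that fails verification produces no selection and no lineage entry.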

Why Externalizing Ordering Solves the Trolley Problem

Current autonomous systems handle harm ordering in one of two ways: the manufacturer hardcodes it, or it is left unarticulated. Both produce structural failure. A hardcoded ordering puts ethical decision authority in the manufacturer's hands; an unarticulated ordering leaves liability unallocated when scenarios arise.

Externalizing the ordering through credentialed governance policy signed by the jurisdiction fits how every other regulated transportation domain (aviation, rail, shipping, maritime) actually allocates ethical authority. State DOTs, NHTSA, FAA, FRA, and similar authorities can sign harm orderings applicable to their territories.

How the Credentialing Chain Operates

For autonomous vehicles, the chain runs through state DOTs, federal regulators, and possibly cross-jurisdictional bodies for interstate corridors. For medical autonomy, it runs through the FDA, hospital ethics boards, and clinical-procedure authorities. For defense autonomy, it descends from national command authority through theater command to mission ROE.

Each level signs within its scope. The autonomous platform consumes the composite policy through composite admissibility. Cross-jurisdictional operation handles transitions through cross-authority cross-recognition.

What This Enables for Liability Allocation

The trolley-problem framing has been treated as a philosophical edge case. It is in fact a routine liability allocation question that every L4 vehicle, every autonomous medical system, and every autonomous defense platform answers thousands of times per operating period.

Externalized harm ordering shifts the allocation. The jurisdictional authority signs and bears liability for the policy. The manufacturer is liable for executing correctly. The operator is liable for operating within authorized scope. This is how aviation, rail, and maritime regulatory frameworks operate, and the architecture lets autonomous systems join those frameworks.

Invented by Nick Clark
Founding Investors: Devin Wilkie