Harm-Minimization Deviation

by Nick Clark | Published April 25, 2026

Provisional 64/049,409 specifies a governed-actuation primitive for the situation that traditional control architectures decline to articulate: every available plan violates some part of the credentialed operating envelope, and the platform must still act. Rather than refuse, hardcode, or fall back to an unsignaled override, the architecture uses the magnitude of envelope deviation as the harm-minimization signal itself. The plan with the smallest measurable deviation across the credentialed harm ordering is selected, the deviation vector is recorded into lineage as a signed event, and downstream review consumes the record under the same governance regime that authorized the operating envelope in the first place. The architecture neither asserts an ethical theory nor concedes that the no-good-options scenario is unspecifiable; it converts the scenario into a deterministic, signed, comparable record by treating the very fact of envelope departure as the metric the platform optimizes against.


Mechanism

The harm-minimization deviation primitive sits at the lowest tier of the governed-actuation stack and executes only after the planner has established that no admissible plan exists within the unmodified envelope. The planner enumerates a candidate set of plans, each of which violates at least one envelope constraint. For every candidate, a deviation vector is computed: one scalar per constraint measuring how far the plan steps outside the envelope along that axis, expressed in the units defined by the credential that signed the envelope, and zero on any axis the plan respects. The vector is reduced to a comparable magnitude under the credentialed entity-class harm ordering (a scalar under a norm-type operator, a tier-ordered tuple under a lexicographic one). The plan with the minimum magnitude is selected. The selection, the deviation vector, the candidate set considered, and the harm ordering used to reduce the vector are written into lineage as a single atomic record, sealed under the signing key of the executing platform and counter-credentialed by the policy under which the envelope was originally authorized.

Because the deviation is itself the signal, no separate utility function, no learned reward model, and no manufacturer-specified fallback is required to break ties between options that all cause some harm. The harm ordering supplies the weighting, the envelope supplies the constraint surface, and the deviation magnitude supplies the comparator. The primitive does not invent a new ethical calculus; it converts an existing, signed, regulated artifact (the credentialed envelope) into a tie-breaking metric. This makes the primitive deterministic with respect to its inputs: given the same envelope, the same candidate set, and the same harm ordering, the same plan is selected, and the same record is written. Determinism is the property that makes the primitive auditable. It also requires that ties between candidates of equal magnitude be broken by a fixed rule carried in the credentialed policy; otherwise two compliant platforms could select different plans from identical inputs and the record would no longer be reproducible.

The candidate set is bounded. The planner is not required to enumerate an exhaustive search across all conceivable physical actuations; it is required to enumerate the set of plans that are reachable within the bounded compute budget granted to the planner under the same credential that signed the envelope. The bound is itself credentialed and logged. A platform whose planner exhausts its budget before completing enumeration is required to record that the budget was exhausted and to fall through to a credentialed safe-state behavior, which is itself signed.

Operating Parameters

The harm ordering is a credentialed artifact authored by the governing jurisdiction rather than the manufacturer. Entity classes include but are not limited to pedestrians, cyclists, vehicle occupants, third-party property, the unit itself, and any domain-specific extensions the credentialing authority chooses to publish — patients and clinical staff in medical autonomy, combatants and non-combatants and protected infrastructure in defense autonomy, livestock and crop assets in agricultural autonomy. The relative weighting between classes is the harm ordering. The ordering is consumed as a signed object; the platform does not modify it locally and is not authorized to substitute its own ordering when the signed ordering produces a counter-intuitive result.

Deviation is measured per-axis in the units the envelope was specified in. A speed envelope expressed in meters per second produces a deviation in meters per second. A separation envelope expressed in meters produces a deviation in meters. A torque envelope expressed in newton-meters produces a deviation in newton-meters. The reduction from vector to scalar is performed under the harm ordering: each axis is multiplied by a credentialed weight that maps the physical deviation onto the harm-class scale, and the weighted axes are combined under a credentialed reduction operator (typically a weighted L1 or L2 norm, with the operator itself specified in the policy). Different jurisdictions can specify different reduction operators without changing the primitive; the operator is part of the credentialed input.

Compute budget is bounded and credentialed. The planner is granted a wall-clock budget, a memory budget, and a candidate-enumeration budget under the same credential that signed the envelope. Exceeding any of the three causes the planner to terminate enumeration, record the exhaustion event, and fall through to the credentialed safe-state. The safe-state is itself a plan with a known deviation vector, so the lineage record is uniform regardless of whether the selected plan was found through enumeration or through fallthrough.

Logging is mandatory and pre-action. The deviation record is sealed and committed to lineage before the actuation command is issued. A platform that issues an actuation without a corresponding sealed deviation record is operating outside the primitive and outside the credentialed envelope, and any downstream consumer of lineage is entitled to reject the actuation as uncredentialed. For that rejection to be checkable, the sealed record must identify the plan it authorizes precisely enough that a reviewer can confirm the command actually issued is the one the record's selection describes, not merely that some record preceded some actuation.

Alternative Embodiments

The primitive admits several embodiments that vary along orthogonal axes. The reduction operator can be a weighted L1 norm, a weighted L2 norm, a lexicographic ordering across harm classes (in which any deviation in a higher-priority class dominates any deviation in a lower-priority class), or a saturating operator that caps the contribution of any single axis to prevent a small deviation in a heavily weighted class from being washed out by a large deviation in a lightly weighted class. The choice of operator is a policy parameter, not a manufacturing parameter.

The candidate set can be enumerated by sampling, by gradient descent against a relaxed envelope, by trajectory-library lookup with deviation rescoring, or by any combination of the three under a credentialed combinator. Embodiments that use learned candidate generators are admissible provided the generator is itself credentialed and its output is rescored under the signed harm ordering rather than under the generator's internal preferences.

The primitive composes upward into multi-tier governance. A platform operating under composite credentials (federal regulator plus state DOT plus operator-specified envelope) reduces the deviation vector under the composite harm ordering; conflicts between tiers are resolved by the cross-recognition rules signed at the higher tier. The primitive composes downward into safety-case argumentation: the lineage record produced at run time is the artifact a safety case consumes when arguing that the platform behaved as specified in the regulated scenarios.

Cross-jurisdictional embodiments handle the geographic-transition case. When a platform crosses from one signing authority's territory to another mid-mission, the active harm ordering is swapped at the boundary under a credentialed cross-recognition policy. Plans that straddle the boundary are evaluated against both orderings and the deviation magnitudes are reconciled under the cross-recognition combinator. The lineage record names both orderings and the boundary-crossing event.

Worked Example: Constrained Roadway Avoidance

Consider an autonomous road vehicle moving at twelve meters per second through an urban segment whose credentialed envelope has been authored by a state DOT and a municipal authority. The envelope specifies a maximum lateral acceleration of three meters per second squared, a minimum lateral separation of one meter from any classified entity, a maximum longitudinal deceleration of four meters per second squared (above which occupants are exposed to whiplash risk), and a hard prohibition on entering the oncoming travel lane while a vehicle is detected within sixty meters in that lane. A pedestrian steps from a parked-vehicle occlusion into the travel lane at a range of eight meters. The planner enumerates candidates within its credentialed budget: hard braking with maximum deceleration of seven meters per second squared (deviation in deceleration axis); steering into the adjacent oncoming lane to clear the pedestrian (deviation in lane-prohibition axis); steering toward the curb to maintain separation, accepting reduced lateral separation from a parked-vehicle row (deviation in separation axis); and continuing on path (deviation in pedestrian-separation axis at full magnitude).

Each candidate produces a deviation vector under the envelope. The credentialed harm ordering — authored by the state DOT in coordination with the municipal authority — assigns the highest weight to pedestrian separation, the next highest to oncoming-lane occupancy when an oncoming vehicle is detected, then to occupant deceleration, then to curb-side separation. Under the published reduction operator (a lexicographic ordering with saturating contribution within each tier), the steering-toward-curb candidate produces the smallest reduced magnitude: it preserves the highest-weight quantity (pedestrian separation), it does not enter the prohibited oncoming lane, it stays within the deceleration cap, and it deviates only on the lowest-weight axis. The planner selects this candidate, seals a deviation record naming the candidate set considered, the deviation vector along the curb-axis, the harm ordering and reduction operator that were applied, the credential under which both were signed, and the planner's compute-budget consumption, and then issues the actuation. A subsequent review of the lineage record reconstructs the decision deterministically: presented with the same candidate set, envelope, and ordering, any other compliant platform reaches the same selection.
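The mechanism, the per-axis measurement and reduction operators from Operating Parameters and Alternative Embodiments, and the roadway selection above, worked through as one added Python example. This is illustration code written for this page, not code from the provisional or from its author. The envelope axes, harm ordering, weights, candidate plans, safe state and key are constructed; an HMAC-SHA256 tag stands in for the platform's signing key and the policy counter-credential; and every function and field name is this example's own.

```python
"""Harm-minimization deviation over a bounded candidate set (added example,
not code from the provisional). Envelope axes, harm ordering, weights,
candidates, safe state and the HMAC seal, which stands in for the platform
signing key and the policy counter-credential, are all constructed here."""
import hashlib, hmac, json, math

# Envelope: axis -> (limit, kind). Deviation is 0 inside the envelope and is
# measured in the axis's own units outside it ("forbid" axes are 0/1).
ENVELOPE = {"pedestrian_separation_m": (1.0, "min"),
            "oncoming_lane_occupied": (0, "forbid"),
            "longitudinal_decel_mps2": (4.0, "max"),
            "curb_separation_m": (1.0, "min")}
# Harm ordering (constructed): tier 0 is the highest-priority class; weight
# maps each axis's physical deviation onto the harm-class scale.
HARM_ORDERING = {"pedestrian_separation_m": {"tier": 0, "weight": 10.0},
                 "oncoming_lane_occupied": {"tier": 1, "weight": 5.0},
                 "longitudinal_decel_mps2": {"tier": 2, "weight": 1.0},
                 "curb_separation_m": {"tier": 3, "weight": 0.5}}
SATURATION_CAP = 1.0  # per-axis cap applied by the saturating operator

def deviation_vector(plan, envelope):
    """Per-axis distance outside the envelope, in the axis's own units."""
    vec = {}
    for axis, (limit, kind) in envelope.items():
        v = plan[axis]
        if kind == "max":
            vec[axis] = max(0.0, v - limit)
        elif kind == "min":
            vec[axis] = max(0.0, limit - v)
        else:
            vec[axis] = float(v)
    return vec

def reduce_deviation(vec, ordering, operator):
    """L1/L2 give a scalar; the lexicographic form gives a tuple ordered by
    tier, so any deviation in a higher tier dominates any in a lower one,
    with each axis's weighted contribution capped at SATURATION_CAP."""
    w = {a: ordering[a]["weight"] * d for a, d in vec.items()}
    if operator == "weighted_l1":
        return sum(w.values())
    if operator == "weighted_l2":
        return math.sqrt(sum(x * x for x in w.values()))
    if operator == "lexicographic_saturating":
        axes = sorted(vec, key=lambda a: (ordering[a]["tier"], a))
        return tuple(min(w[a], SATURATION_CAP) for a in axes)
    raise ValueError(f"unknown reduction operator: {operator}")

def canonical(record):
    """Canonical JSON so identical inputs give byte-identical records."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def select_and_seal(candidates, envelope, ordering, operator,
                    candidate_budget, safe_state, platform_key):
    """Enumerate in a fixed order, pick the minimum reduced deviation (ties
    broken by plan name so selection stays deterministic), fall through to
    the safe state if the budget runs out, and seal before actuation."""
    considered, best, exhausted = {}, None, False
    for name in sorted(candidates):
        if len(considered) >= candidate_budget:
            exhausted = True
            break
        vec = deviation_vector(candidates[name], envelope)
        considered[name] = vec
        key = (reduce_deviation(vec, ordering, operator), name)
        if best is None or key < best:
            best = key
    consumed = len(considered)
    if exhausted or best is None:
        selected = "safe_state"  # credentialed fallthrough with a known vector
        considered[selected] = deviation_vector(safe_state, envelope)
    else:
        selected = best[1]
    record = {"candidates": considered, "harm_ordering": ordering,
              "reduction_operator": operator, "selected": selected,
              "selected_deviation": considered[selected],
              "budget": {"limit": candidate_budget, "consumed": consumed,
                         "exhausted": exhausted}}
    seal = hmac.new(platform_key, canonical(record), hashlib.sha256).hexdigest()
    return record, seal

def verify_seal(record, seal, platform_key):
    """Downstream check: a record that does not verify is uncredentialed."""
    expected = hmac.new(platform_key, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, seal)

# Constructed candidates for the roadway scenario (12 m/s, pedestrian at 8 m).
CANDIDATES = {
    "hard_brake": {"pedestrian_separation_m": 1.2, "oncoming_lane_occupied": 0, "longitudinal_decel_mps2": 7.0, "curb_separation_m": 1.0},
    "steer_oncoming": {"pedestrian_separation_m": 1.5, "oncoming_lane_occupied": 1, "longitudinal_decel_mps2": 2.0, "curb_separation_m": 1.0},
    "steer_curb": {"pedestrian_separation_m": 1.1, "oncoming_lane_occupied": 0, "longitudinal_decel_mps2": 3.0, "curb_separation_m": 0.4},
    "continue": {"pedestrian_separation_m": 0.0, "oncoming_lane_occupied": 0, "longitudinal_decel_mps2": 0.0, "curb_separation_m": 1.0}}
SAFE_STATE = {"pedestrian_separation_m": 1.0, "oncoming_lane_occupied": 0,
              "longitudinal_decel_mps2": 6.0, "curb_separation_m": 1.0}
PLATFORM_KEY = b"constructed-platform-signing-key"

if __name__ == "__main__":
    rec, seal = select_and_seal(CANDIDATES, ENVELOPE, HARM_ORDERING,
                                "lexicographic_saturating", 8, SAFE_STATE, PLATFORM_KEY)
    print(rec["selected"], rec["selected_deviation"], seal[:16])
```

With these constructed inputs the curb-steering plan wins under all three operators, since it is the only candidate whose sole deviation lies in the lowest tier; cutting the candidate budget to two makes the planner stop enumerating and record a safe-state fallthrough whose own deviation vector is still sealed. The operators do not always agree: a plan with a small pedestrian-separation shortfall beats a plan with a large deceleration excess under the weighted L1 norm and loses to it under the lexicographic operator, which is why the page treats the operator as a policy parameter rather than a manufacturing one.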

Composition with the Governed-Actuation Stack

Harm-minimization deviation is one primitive among the governed-actuation primitives disclosed in Provisional 64/049,409. It composes with credentialed envelope authorship, with composite admissibility, with cross-authority cross-recognition, with sealed lineage, and with the safe-state fallthrough behavior. The composition is intentional: each primitive is bounded so that the others can reason about its inputs and outputs without depending on its internal mechanism. A platform that swaps in an alternative reduction operator does not invalidate the envelope-authorship primitive; a jurisdiction that revises its harm ordering does not invalidate the cross-recognition primitive.

The deviation primitive is the primitive that closes the trolley-problem class of structural failure modes. The other primitives establish that the platform operates under signed authority; this primitive establishes that even when signed authority cannot be perfectly satisfied, the deviation is itself a signed, recorded, comparable, and reviewable artifact. Downstream regulatory review consumes the deviation record under the same chain that signed the envelope.

Prior-Art Distinction

Existing autonomous-vehicle control architectures address the no-good-options scenario in three ways. Manufacturer-hardcoded ordering builds the harm weights into the planner at compile time, with the result that the manufacturer is the de facto ethical authority and bears the unallocated portion of the resulting liability. Refused articulation declines to specify ordering at all, with the result that the platform's behavior in the scenario is emergent and unauditable. Reinforcement-learned utility functions bury the ordering in a learned reward model whose weights are not human-interpretable and not signed by any external authority.

The deviation primitive distinguishes itself from all three. It does not ask the manufacturer to specify ethical weights; the weights are credentialed externally. It does not refuse articulation; the weights are explicit and the deviation magnitude is a deterministic function of them. It does not bury the ordering in a learned model; the ordering is a signed artifact consumed at run time and recorded in lineage at the point of selection.

The closest related art in governed control treats envelope deviation as a fault to be reported but does not use the deviation as the selection signal. The primitive disclosed here makes the deviation the signal itself, which collapses the no-good-options scenario into the same architectural pattern as the in-envelope scenario: a bounded enumeration, a credentialed reduction, a sealed record, and an actuation.

Disclosure Scope

The disclosure in Provisional 64/049,409 covers the primitive across mobile-platform domains where credentialed envelopes are authored by an external regulator and where no-good-options scenarios are operationally routine rather than philosophically exceptional. The disclosed mobile-platform examples include autonomous road vehicles operating under state DOT and federal credentials, autonomous medical platforms operating under FDA and hospital-ethics credentials, autonomous defense platforms operating under national-command and theater-ROE credentials, autonomous agricultural and mining equipment operating under operator and state-safety credentials, and autonomous maritime platforms operating under flag-state and port-authority credentials.

The disclosure includes the deviation vector, the per-axis deviation measurement, the credentialed reduction operator, the bounded candidate enumeration, the credentialed compute budget, the sealed pre-action lineage record, the cross-jurisdictional swap, and the safe-state fallthrough as a uniform record. The disclosure does not depend on a particular vehicle dynamics model, a particular sensing modality, a particular planner algorithm, or a particular signing infrastructure; the primitive is specified at a level of abstraction that admits substitution along each of those axes provided the credentialed inputs and outputs are preserved.

Invented by Nick Clark. Founding Investors: Anonymous, Devin Wilkie