Policy-Configurable Harm Ordering

by Nick Clark | Published April 25, 2026

A pre-action gate enumerates the candidate actions available to an actuator, evaluates each against a credentialed harm ordering signed by the operating jurisdiction, and selects the highest-ranked action whose projected consequence remains at or below the acceptable harm class. The harm ordering itself is configurable: life is ranked above limb, limb above property, property above mission, and mission above comfort in a default civilian configuration, while domain-specific deployments may substitute their own credentialed ordering. When no candidate action clears the acceptable threshold, the gate selects non-execution. The disclosure described here is associated with Provisional Application 64/049,409 and forms part of the governed-actuation primitive layer.


Mechanism

The gate operates as a deterministic pre-action evaluator placed between the planning subsystem and the actuator command bus. At each control cycle the planner emits a set of candidate actions, each annotated with a forecast of the entities and properties the action will perturb. The gate consults the active harm ordering, a signed structured policy resident on the device, and computes for each candidate a worst-case harm class drawn from the ordering's enumerated entity classes. The ordering establishes a strict partial order: life ranks above limb, limb above property, property above mission, and mission above comfort, with finer entity classes (pedestrian, cyclist, occupant, bystander, infrastructure, vegetation, payload integrity, schedule adherence, ride comfort) nested within each tier.

Selection proceeds by elimination. The gate discards any candidate whose worst-case projected harm exceeds the configured acceptable threshold for the present operating mode. From the remaining candidates it selects the one that maximizes a configured objective subject to the harm ceiling, with ties broken by preference for the action that minimizes harm to the highest-ranked class touched. If the surviving set is empty, the gate emits a non-execution signal and surfaces the reason — that every available action would have crossed the harm ceiling — to the lineage record. Non-execution is a first-class admissible output; the architecture explicitly permits the actuator to refuse rather than fabricate a permissible action.

The harm ordering is consumed as a credentialed observation rather than compiled into the firmware. The signing authority embeds a validity window, a jurisdictional scope tag, and a policy version. Receivers verify the signature against an admitted authority set, check that the jurisdictional scope matches the device's present location credential, and only then load the ordering into the active gate. A device that loses its valid ordering — through expiry, revocation, or scope mismatch — falls back to a conservative manufacturer-default ordering whose acceptable threshold is set lower than any credentialed ordering would set it.
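The elimination-then-select step described above, as an added worked example rather than the disclosure's own code. Class and function names are hypothetical, and the entity-to-tier nesting a caller passes in is a constructed assignment, since the text lists the finer classes but not which tier each belongs to.

```python
# Added example, not the disclosure's own code: the elimination-then-select step
# of the gate. Names are hypothetical; the entity-to-tier nesting passed in by
# callers is a constructed assignment, since the text lists the finer classes
# but not their tier membership.
from dataclasses import dataclass

@dataclass(frozen=True)
class HarmOrdering:
    tiers: tuple        # most severe first, e.g. ("life", "limb", "property", ...)
    entity_tier: dict   # finer entity class -> tier
    acceptable: str     # highest harm class admissible in the present mode

    def severity(self, tier):
        # Index into tiers: 0 is most severe; len(tiers) stands for "no harm".
        return len(self.tiers) if tier is None else self.tiers.index(tier)

    def worst_case(self, entities):
        # Most severe tier among the entities the action is forecast to perturb;
        # an entity class the ordering does not enumerate is treated as top tier.
        tiers = [self.entity_tier.get(e, self.tiers[0]) for e in entities]
        return min(tiers, key=self.severity) if tiers else None

@dataclass(frozen=True)
class Candidate:
    name: str
    perturbs: tuple     # entity classes forecast to be perturbed
    objective: float    # configured objective, higher is better

def select_action(ordering, candidates):
    """Return (selected action name or None, lineage record dict)."""
    projected = {c.name: ordering.worst_case(c.perturbs) for c in candidates}
    ceiling = ordering.severity(ordering.acceptable)
    # Discard any candidate whose worst-case harm is more severe than the ceiling.
    surviving = [c for c in candidates
                 if ordering.severity(projected[c.name]) >= ceiling]
    record = {"candidates": [c.name for c in candidates], "projected": projected,
              "surviving": [c.name for c in surviving],
              "acceptable": ordering.acceptable, "selected": None}
    if not surviving:   # non-execution is a first-class output; record why
        record["reason"] = "every candidate exceeds the acceptable harm class"
        return None, record
    # Maximise the objective; ties go to the candidate whose worst-case harm is
    # least severe, i.e. the one sparing the highest-ranked class touched.
    best = max(surviving, key=lambda c: (c.objective,
                                          ordering.severity(projected[c.name])))
    record["selected"] = best.name
    return best.name, record
```

The returned record carries the candidate set, projected classes, surviving set and outcome, which is the content the lineage entry needs for replay.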

Operating Parameters

Several parameters govern the gate's operation. The candidate set size is the number of actions the planner presents per cycle; representative deployments use sets of four to thirty-two candidates, with larger sets common in path-planning subsystems and smaller sets common in discrete actuator subsystems such as door-release, weapon-safety, and high-voltage isolation. The cycle period is the maximum interval the gate is permitted to consume; safety-critical vehicular deployments hold the gate to two-millisecond worst-case execution, while supervisory deployments tolerate one hundred milliseconds or longer.

The acceptable harm class is the highest harm class the gate is willing to admit during the present operating mode; this parameter is itself drawn from the credentialed ordering and may shift with mode (a vehicle in autonomous-emergency-braking mode may admit property harm to avert limb harm, while the same vehicle in normal cruise admits no projected harm above comfort without operator confirmation). The tie-break policy governs the secondary preference when multiple candidates share the same worst-case harm class; common policies include minimum-energy, minimum-deviation-from-plan, and minimum-population-of-affected-entities. The non-execution dwell is the duration the gate will hold a non-execution output before re-soliciting candidates; deployments range from a single cycle (the planner is expected to immediately offer alternatives) to several seconds (the actuator is expected to remain quiescent until the situation evolves).

The credential refresh interval bounds how stale an ordering may be before the gate falls back to defaults; civilian-vehicle deployments typically refresh on the order of hours to days, while expeditionary deployments refresh on the order of weeks because connectivity is intermittent. The scope-mismatch behavior defines what the gate does when the device's location credential places it outside the jurisdictional scope of any loaded ordering; the architecture supports either fallback-to-default or non-execution-until-refreshed, selected per deployment.
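The admission checks and fallback behaviour from the Mechanism and Operating Parameters sections, as an added example that is not the disclosure's own code. Names and the field layout are hypothetical; an HMAC with a per-authority key stands in for the authority's signature so the example runs offline, where a real deployment would verify a public-key signature against the admitted authority set. The version-rollback check is an added practitioner check, not something the text states.

```python
# Added example, not the disclosure's own code: admitting a signed ordering into
# the active gate, with fallback to the manufacturer default. Names are
# hypothetical. HMAC with a per-authority key stands in for the authority's
# signature so the example runs offline; a real deployment would verify a
# public-key signature against the admitted authority set.
import hmac, hashlib, json

# Constructed default: lowest ceiling, so it is more conservative than any
# credentialed ordering.
MANUFACTURER_DEFAULT = {"authority": "manufacturer", "version": 0,
                        "acceptable": "comfort", "scope": "*"}

def canonical(policy):
    # Signed bytes: every field except the signature, in a canonical encoding.
    body = {k: v for k, v in policy.items() if k != "sig"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(policy, key):
    # Constructed signing helper, used only to build fixtures for the checks.
    return dict(policy, sig=hmac.new(key, canonical(policy), hashlib.sha256).hexdigest())

def admit_ordering(policy, admitted_keys, now, location_scope, active_version,
                   refresh_interval, scope_mismatch="default"):
    """Return (ordering to load, reason). Any failed check falls back."""
    key = admitted_keys.get(policy.get("authority"))
    if key is None:
        return MANUFACTURER_DEFAULT, "authority not in admitted set"
    expected = hmac.new(key, canonical(policy), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, policy.get("sig", "")):
        return MANUFACTURER_DEFAULT, "signature invalid"
    if not policy["not_before"] <= now <= policy["not_after"]:
        return MANUFACTURER_DEFAULT, "outside validity window"
    if now - policy["issued_at"] > refresh_interval:
        return MANUFACTURER_DEFAULT, "ordering stale beyond refresh interval"
    # Added check not stated in the text: refuse a rollback to an older version.
    if policy["version"] < active_version:
        return MANUFACTURER_DEFAULT, "version older than active ordering"
    if policy["scope"] != location_scope:
        # Deployment-selected behaviour: fall back, or hold in non-execution.
        if scope_mismatch == "hold":
            return None, "scope mismatch: non-execution until refreshed"
        return MANUFACTURER_DEFAULT, "scope mismatch: fallback to default"
    return policy, "admitted"
```

A `None` result means the gate holds non-execution until a fresh in-scope ordering arrives; the reason string is what the lineage record should carry.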

Alternative Embodiments

A first embodiment realizes the gate as a synchronous in-line evaluator co-located with the planner on the same compute substrate, suitable for vehicular and robotic platforms where cycle-period budgets are tight and the planner-to-actuator path is short. A second embodiment realizes the gate as an asynchronous arbiter on a dedicated safety co-processor, suitable for high-assurance platforms where the planner runs on a complex general-purpose stack and the gate must remain in a smaller, separately certified trusted computing base.

A third embodiment carries multiple credentialed orderings simultaneously and selects among them based on the present mode, location, and operator role. A vehicle traversing a state boundary loads the destination state's ordering at the boundary credential transition; an aircraft transitioning from controlled airspace into uncontrolled airspace loads the airspace authority's ordering; a defense platform transitioning between theater commands loads the inbound theater's ordering. A fourth embodiment supports cross-jurisdictional cross-recognition: when both the outbound and inbound jurisdictions have signed a cross-recognition policy, the gate consumes both orderings during the boundary transition and applies the more restrictive of the two until the transition completes.

A fifth embodiment exposes the harm ordering as a parameterized template rather than a fixed list, allowing the credentialing authority to publish updates that adjust class weights without re-issuing the entire policy. A sixth embodiment supports per-mission overlays: a base civilian ordering is augmented at the start of a sanctioned operation with a mission-specific overlay signed by the mission-authorizing authority, and the overlay expires automatically at mission end. A seventh embodiment integrates the gate with operator-in-the-loop confirmation: when the surviving candidate set's best option crosses a configured operator-confirmation threshold, the gate suspends action and requests an operator credential before proceeding.

An eighth embodiment supports ordering composition for multi-tenant platforms: a shared platform consumes orderings from each tenant authority and the gate evaluates against the composition, with conflicts resolved either by lattice meet (most-restrictive wins) or by an explicit tenant-priority credential. A ninth embodiment records the gate's decision rationale into the device lineage, including the candidate set, the projected harm classes, the surviving set, the selected action or non-execution, and the policy version under which the decision was made; the lineage record is itself a credentialed observation suitable for after-action audit.
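The "more restrictive of the two" rule of the fourth embodiment and the lattice meet or tenant-priority resolution of the eighth, as an added example that is not the disclosure's own code. Names are hypothetical, and both inputs are assumed to share one tier vocabulary and order, differing only in how finer entity classes nest and where the acceptable ceiling sits. The point worth seeing in code is the direction of "restrictive": the ceiling moves toward the less severe tier (fewer actions admitted) while each entity class moves toward the more severe tier.

```python
# Added example, not the disclosure's own code: composing two credentialed
# orderings for a boundary transition or a multi-tenant platform. Names are
# hypothetical; both inputs are assumed to share one tier vocabulary and order.

def meet(a, b):
    """Lattice meet: the most restrictive reading of both orderings wins."""
    if a["tiers"] != b["tiers"]:
        raise ValueError("orderings with different tier orders cannot be met")
    tiers = a["tiers"]
    sev = tiers.index   # 0 is the most severe tier; larger index is less severe
    # Every entity class either side enumerates is kept at its most severe tier.
    entity_tier = {}
    for cls in set(a["entity_tier"]) | set(b["entity_tier"]):
        assigned = [o["entity_tier"][cls] for o in (a, b) if cls in o["entity_tier"]]
        entity_tier[cls] = min(assigned, key=sev)
    # The ceiling is the LESS severe of the two acceptable classes: a lower
    # ceiling admits fewer projected harms, so that is the restrictive choice.
    acceptable = max(a["acceptable"], b["acceptable"], key=sev)
    return {"tiers": tiers, "entity_tier": entity_tier, "acceptable": acceptable}

def compose(orderings, tenant_priority=None):
    """Resolve a set of tenant orderings by meet, or by a tenant-priority list."""
    if tenant_priority is not None:
        # First tenant named in the priority credential with an ordering wins.
        for tenant in tenant_priority:
            if tenant in orderings:
                return orderings[tenant]
        raise ValueError("no ordering matches the tenant-priority credential")
    result = None
    for ordering in orderings.values():
        result = ordering if result is None else meet(result, ordering)
    return result
```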

Composition With Other Primitives

The gate composes with the credentialed-observation primitive: the harm ordering arrives as a signed observation and is admitted only if the signing authority is a member of the device's admitted authority set. The gate composes with the lineage primitive: each gate decision becomes a lineage entry that downstream auditors can replay. The gate composes with the location-credential primitive: the device's present location is itself a credentialed observation that determines which jurisdictional orderings are in scope. The gate composes with the operator-role primitive: operator-confirmation thresholds are evaluated against the role credential the operator presents at the moment of action.

Composition with the spatial-mesh substrate is operationally significant because the mesh is the channel over which orderings reach disconnected devices. A vehicle that enters a region without cellular coverage continues to receive ordering updates as long as it remains in mesh contact with a relay that has fresher credentials. The recursive admissibility property of the substrate ensures that the orderings cannot be fabricated by a relay; only credentialed authorities can update what governs the gate.

Prior-Art Distinctions

Conventional safety supervisors implement fixed lookup tables compiled into firmware; the operator and jurisdiction have no structural means to update the safety policy without a firmware revision. The gate disclosed here treats the policy as a credentialed first-class observation, not as code, and supports policy update on a timescale orders of magnitude faster than firmware update. Conventional rules-of-engagement systems in defense settings are policy-bound at deployment configuration time and require operator-side rebuilds to change; the architecture here treats theater authority as a signing party whose credentialed updates flow over the same substrate as any other observation.

Conventional ethical-AI proposals frame the harm-ordering problem as a single global ordering chosen by the system designer, an approach that does not match the actual jurisdictional structure under which vehicles, drones, and robots already operate. The gate disclosed here makes the jurisdictional structure explicit: each ordering is signed by an identifiable authority with bounded scope, and the gate enforces the boundary structurally. The non-execution output, treated as a first-class admissible result, is itself a distinguishing property: most prior actuator-control architectures require the planner to always emit something, and the safety subsystem can only veto rather than refuse.

Disclosure Scope

The disclosure covers the pre-action gate; the credentialed harm-ordering policy format with its scope, validity, and version fields; the candidate-elimination selection procedure; the non-execution output as a first-class result; the credential refresh and fallback procedures; the scope-mismatch behaviors; and the cross-jurisdictional transition procedures including cross-recognition. The disclosure further covers compositional embodiments with credentialed observations, lineage records, location credentials, operator role credentials, and the spatial-mesh substrate.

The associated provisional, 64/049,409, situates this primitive among the governed-actuation cluster. The primitive is not limited to any particular vehicle, robot, drone, or industrial platform; it applies wherever an actuator's behavior is governed by a policy that an external authority is entitled to update on a timescale shorter than firmware revision.

The disclosure further covers degenerate and limiting cases. A degenerate ordering with a single tier reduces the gate to a binary admit-or-refuse evaluator, and the disclosed mechanisms continue to apply. An ordering whose acceptable threshold is set to its top tier reduces the gate to a permissive forwarder that admits every planner output, retained for completeness so that the same evaluator may be deployed across permissive and restrictive contexts without code change. An ordering whose acceptable threshold is set below the lowest tier reduces the gate to a perpetual non-execution emitter, retained as a credentialed safe-state behavior for use during maintenance windows or during regulatory holds.

The disclosure additionally contemplates simulation and certification embodiments in which the gate is exercised against synthetic candidate sets and synthetic projected harms generated by a certification authority's test harness, with the gate's decisions and lineage records supplied as the artifact of certification. Because the gate is identical in simulation and field use, the certification artifact is dispositive of field behavior under the same ordering and threshold configuration.
