Autonomous Vehicle Ethical Decision-Making Through Computable Integrity
by Nick Clark | Published March 27, 2026
Autonomous vehicle ethics is governed by a converging stack of standards: SAE J3016 for driving-automation taxonomy, NHTSA's AV TEST initiative for transparency and reporting, UNECE WP.29 Regulation 157 for automated lane keeping, ISO 26262 for functional safety of road vehicles, ISO 21448 SOTIF for the safety of the intended functionality, the IEEE 7000-series for ethically aligned design, the EU AI Act Article 14 for human oversight of high-risk systems, and the empirical findings of the MIT Moral Machine experiment regarding cross-cultural moral intuitions. These instruments converge on a single requirement that current control architectures cannot satisfy structurally: a vehicle must demonstrate, on demand, that its actual aggregate behavior conforms to its declared normative profile. Computable integrity makes that demonstration a structural property rather than an evidentiary exercise.
Regulatory Framework
SAE J3016 partitions driving automation into levels 0 through 5 and binds each level to a specific allocation of the dynamic driving task between human and machine. The taxonomy is the entry point for nearly every other instrument: the level determines which obligations apply. UNECE WP.29 Regulation 157 establishes uniform provisions for Automated Lane Keeping Systems and includes explicit requirements on minimum risk maneuvers, transition demands, and a Data Storage System for Automated Driving (DSSAD) that records system status and human-machine handover events. NHTSA's AV TEST initiative and the agency's Standing General Order on crash reporting impose disclosure obligations on operators of automated driving systems and Level 2 advanced driver assistance.
ISO 26262 governs the functional safety of electrical and electronic systems in production road vehicles, defining Automotive Safety Integrity Levels and a development lifecycle keyed to hazard analysis and risk assessment. ISO 21448 (SOTIF) extends this to scenarios where the system is functioning as designed but the design itself is insufficient for the operational design domain, particularly relevant for perception and decision systems whose failure modes are not classical electrical faults. Together they cover the engineering envelope of the vehicle's safety case.
The IEEE 7000 family addresses the ethics layer above the safety case. IEEE 7000-2021 specifies a process for value-based system design; IEEE 7001 addresses transparency of autonomous systems; IEEE 7009 covers fail-safe design. The EU AI Act, in Article 14, requires that high-risk AI systems be designed to permit effective human oversight, including the ability to interpret outputs, override decisions, and intervene during operation. Article 15 demands accuracy, robustness, and cybersecurity. The MIT Moral Machine experiment, drawing tens of millions of moral judgments from millions of participants across more than two hundred countries, established empirically that moral preferences in AV scenarios vary significantly across cultures, foreclosing any claim that a single hard-coded ethical ruleset is universally valid.
The aggregate regulatory picture is that an autonomous vehicle must declare a normative profile, demonstrate that its safety case covers both functional and SOTIF risks, expose its decision logic to human oversight per Article 14, record its operational state per WP.29 R157's DSSAD requirements, and maintain transparency per IEEE 7001 and NHTSA disclosure obligations. The profile must be defensible across cultural and jurisdictional variation that the Moral Machine data documents empirically.
Architectural Requirement
Translating these obligations into architecture produces a layered requirement set. The vehicle must carry a declared normative profile as an inspectable artifact, not as implicit behavior emerging from optimization weights. It must compute, in real time, the deviation of its actual behavior from that profile, weighted by the ethical significance of the operating context. It must detect when its self-assessment of conformance has itself drifted from its actual conformance, a meta-property without which Article 14 oversight reduces to inspecting the vehicle's own potentially unreliable self-report.
The architecture must produce a continuous record of normative state suitable for the WP.29 R157 DSSAD interface and for NHTSA crash and incident reporting. It must support jurisdiction-specific normative profiles, because the same physical vehicle operating across jurisdictions encounters different legal speed margins, different pedestrian-priority conventions, and different cultural expectations the Moral Machine data quantifies. It must integrate with ISO 26262 hazard analysis by treating normative deviation as a monitored quantity whose excursions trigger documented safety responses, and with ISO 21448 SOTIF by recognizing that ethical insufficiency is a SOTIF concern even when the function is operating within its specified envelope.
Crucially, the architecture must enable post-hoc reconstruction. When a regulator, a court, or an internal review asks why the vehicle made a specific decision in a specific context, the answer must be auditable, deterministic, and grounded in the declared normative profile that was active at the moment of the decision. The architectural requirement is therefore for the normative state to be a first-class, persistent, queryable property of the vehicle, distinct from and orthogonal to the perception, planning, and control stacks but bound to each of them through deviation measurement.
Why Procedural Compliance Fails
Current autonomous driving architectures attempt to satisfy these obligations procedurally. Rule-based safety monitors enforce specific constraints: do not exceed posted speed limits, yield to pedestrians in marked crosswalks, maintain a minimum following distance. Learned components, trained on human driving data and refined by reinforcement objectives, handle the continuous decisions the rule layer cannot enumerate. Compliance evidence is assembled from telemetry logs, simulation suites, and disengagement reports. This procedural composition fails on several axes simultaneously.
First, rules and learned policies coexist without a shared normative substrate. When a rule conflicts with a learned policy, the resolution is a hand-tuned arbitration whose normative content is opaque. Two rules can conflict directly: yielding to a pedestrian who has not yet entered the crosswalk requires slowing, but maintaining minimum traffic-flow speed is also required. The arbitration that resolves the conflict is itself a normative decision, and procedural architectures bury that decision inside arbitration code rather than expressing it as a declarable, auditable parameter.
Second, learned policies inherit the normative content of their training data. A model trained on aggressive driving behavior makes aggressive normative trade-offs by default, because the optimization target is an aggregate of the training distribution rather than a declared profile. There is no structural mechanism to detect that the policy's aggregate behavior has drifted from a stated normative target, because no stated target is computationally bound to the policy.
Third, IEEE 7001 transparency and EU AI Act Article 14 oversight require interpretability of the actual behavior, not interpretability of the design intent. Procedural compliance generally produces interpretability of design intent through documentation, while the deployed behavior is interpreted retrospectively from telemetry. A vehicle whose telemetry shows lawful behavior across a million miles can still be normatively inconsistent if its behavior systematically privileges one class of road user over another in a way that no individual decision exposes. Procedural compliance has no instrument for this kind of aggregate normative drift.
Fourth, WP.29 R157 DSSAD records system status events but does not, by itself, expose normative state. NHTSA reporting captures crashes and disengagements but not the continuous normative trajectory between them. The Moral Machine data shows that what counts as ethical behavior varies across jurisdictions; a procedural architecture deployed globally either ships a single profile that is locally inappropriate somewhere or maintains a constellation of jurisdictional variants whose consistency with each other is not structurally enforced.
Fifth, ISO 21448 SOTIF anticipates exactly the failure mode in which the function is operating as designed but the design's normative content is insufficient for the operational design domain; without computable normative state, SOTIF analysis must rely on scenario enumeration that cannot be exhaustive.
What the AQ Primitive Provides
Computable integrity introduces three coupled structures into the vehicle's control architecture. The first is a declared normative profile, expressed as a typed, inspectable set of parameters: pedestrian deference, traffic cooperation, speed-margin tolerance, lane-change assertiveness, school-zone caution multipliers, jurisdiction-specific overrides keyed to map data, and culturally calibrated parameters informed by Moral Machine results for the deployment region. The profile is an artifact of the vehicle, not of its documentation. It is loaded at startup, signed by the manufacturer and the deploying operator, and bound to every decision the vehicle makes.
The second is the deviation function, D = (N - T) / (E × S), which computes at every decision point the gap between the normatively prescribed action N and the actually taken action T, normalized by the ethical significance E of the context and the recent behavioral trajectory S. The function produces a continuous integrity scalar whose trajectory over time is the vehicle's normative state. Small deviations in low-significance contexts accumulate slowly; large deviations in high-significance contexts trigger immediate self-correction. The integrity scalar is exposed through a typed interface that the WP.29 R157 DSSAD, the EU AI Act Article 14 oversight surface, and the ISO 26262 safety monitor can each consume.
The third is the coherence trifecta: a structural relation among the vehicle's internal state, its external behavior, and its self-assessment of behavior. The trifecta requires that all three remain mutually consistent, and it makes the failure modes explicit: a vehicle that is deviating but does not detect the deviation has a coherence-domain failure distinct from a behavioral-domain failure. The trifecta exposes meta-deviation, the deviation between actual deviation and reported deviation, which is the property Article 14 oversight ultimately requires. Self-correction operates as a continuous control loop: when the deviation scalar exceeds a context-weighted threshold, the planning stack adjusts to restore conformance, and the adjustment itself is recorded as a typed event in the integrity history.
The integrity history is durable, append-only, and tamper-evident. It is the artifact regulators inspect when asking whether the vehicle's aggregate behavior over a fleet-million miles conformed to its declared profile. It is the artifact a court inspects when asking why a particular decision was made. It is the artifact a safety engineer inspects when refining the SOTIF case. The vehicle's ethical character becomes a queryable, auditable structure rather than an emergent property of optimization.
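As an added illustration (not the article's or any manufacturer's code), the toy Python monitor below implements the deviation function D = (N - T) / (E × S) from the section above, flags meta-deviation between the actual D and the planner's self-reported D, and records each decision point in a hash-chained, append-only integrity history. The profile values, the choice S = 1 + mean recent |N - T| gap, and the context-weighted threshold base / E are constructed assumptions, not definitions the article supplies.

```python
import hashlib
import json
from collections import deque

# Constructed normative profile (assumption): N is the prescribed speed as a
# fraction of the posted limit, E is the ethical significance of the context.
PROFILE = {"prescribed": {"school_zone": 0.5, "arterial": 1.0},
           "significance": {"school_zone": 4.0, "arterial": 1.0}}

def chain_hash(prev, body):
    """Hash-chain link over a canonical JSON encoding of the event body."""
    return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

class IntegrityMonitor:
    """Toy monitor for D = (N - T) / (E * S) with a hash-chained integrity history."""
    def __init__(self, profile, base_threshold=0.2, window=3, meta_tol=0.05):
        self.profile, self.base_threshold, self.meta_tol = profile, base_threshold, meta_tol
        self.recent = deque(maxlen=window)  # recent |N - T| gaps; defines S
        self.history, self.prev_hash = [], "0" * 64  # append-only log, genesis link

    def deviation(self, context, taken):
        n = self.profile["prescribed"][context]
        e = self.profile["significance"][context]
        # S = 1 + mean recent gap (assumption: one concrete choice of trajectory term)
        s = 1.0 + (sum(self.recent) / len(self.recent) if self.recent else 0.0)
        return (n - taken) / (e * s)

    def step(self, context, taken, reported):
        """One decision point: actual D, the planner's self-reported D, response."""
        d = self.deviation(context, taken)
        e = self.profile["significance"][context]
        threshold = self.base_threshold / e  # context-weighted: tighter as E rises
        body = {"seq": len(self.history), "context": context, "T": taken,
                "D": round(d, 6), "reported": reported,
                "self_correct": abs(d) > threshold,                   # behavioral domain
                "coherence_fault": abs(d - reported) > self.meta_tol,  # meta-deviation
                "prev": self.prev_hash}
        event = dict(body, hash=chain_hash(self.prev_hash, body))
        self.history.append(event)
        self.prev_hash = event["hash"]
        self.recent.append(abs(self.profile["prescribed"][context] - taken))
        return event

    def verify(self):
        """Tamper-evidence check: every link must recompute from its predecessor."""
        prev = "0" * 64
        for ev in self.history:
            body = {k: v for k, v in ev.items() if k != "hash"}
            if ev["prev"] != prev or ev["hash"] != chain_hash(prev, body):
                return False
            prev = ev["hash"]
        return True
```

Editing any recorded field after the fact makes verify() fail, which is the tamper-evidence property the integrity history needs when a regulator or court reconstructs a decision.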
Compliance Mapping
SAE J3016 levels are honored because the normative profile encodes the human-machine task allocation appropriate to the deployed level, and the trifecta exposes any drift between declared level and operational behavior. UNECE WP.29 R157 minimum-risk-maneuver and DSSAD obligations are satisfied because the integrity history is the natural source for DSSAD events, and minimum-risk maneuvers are themselves recorded with the deviation context that triggered them. NHTSA AV TEST and Standing General Order disclosures are satisfied by structural extracts from the integrity history rather than by ad-hoc telemetry assembly.
ISO 26262 hazard analysis incorporates normative deviation as a monitored quantity with an Automotive Safety Integrity Level appropriate to the deployment context, and the deviation function's threshold excursions become defined safety responses with documented hand-off semantics. ISO 21448 SOTIF coverage extends to ethical insufficiency because the integrity scalar exposes precisely the kind of in-spec, design-insufficient drift SOTIF anticipates. IEEE 7000-2021 value-based design is supported because the normative profile is the formalization of stakeholder values; IEEE 7001 transparency is satisfied because the integrity history is the transparency artifact; IEEE 7009 fail-safe design maps to the self-correction loop and its documented escalation paths.
EU AI Act Article 14 human oversight is satisfied structurally: the integrity scalar and the trifecta meta-deviation give human operators a meaningful signal to interpret, override, and intervene against, rather than the raw firehose of perception and planning state. Article 15 robustness is supported because deviation excursions are themselves a robustness signal. The Moral Machine empirical findings are operationalized by jurisdiction-keyed normative profiles whose differences are explicit and auditable rather than buried in reweighted policies.
Adoption Pathway
Adoption begins at the integration layer rather than at the planning core. A first-stage deployment introduces the integrity scalar as a passive observer, computing deviation from a declared profile against the existing planner's outputs without intervening in control. This phase establishes the calibration of the deviation function, validates the profile against real-world driving distributions, and produces the integrity-history schema that downstream WP.29 DSSAD, NHTSA reporting, and EU AI Act Article 14 oversight surfaces will consume.
The second stage introduces self-correction in low-stakes contexts: parking-lot maneuvering, low-speed urban driving, and operational design domains where the safety envelope tolerates active normative adjustment. This stage validates the coherence trifecta in production and produces the meta-deviation telemetry that Article 14 oversight requires. ISO 26262 and ISO 21448 hazard analyses are updated to incorporate the new control surface, and the deviation thresholds are bound to ASIL-appropriate response paths.
The third stage extends self-correction across the full operational design domain and exposes the integrity interface as a regulatory primitive. At this point the vehicle's normative profile is the artifact regulators certify, the integrity history is the evidence base, and the trifecta is the structural guarantee that procedural compliance cannot supply. Manufacturers gain a defensible answer to the central regulatory question of the next decade: not whether the vehicle was lawful in any specific moment, but whether its aggregate behavior across millions of decisions remained inside the normative profile to which it was certified. Computable integrity makes that question answerable as a query rather than as an investigation.