Protocol position page · Embodied systems

Robot Hygiene Protocol (RHP-OS)

Verified physical readiness for embodied autonomous systems — the non-formation paradigm in its native domain
No level of skill has ever exempted a human operator from the sterility layer. There is no reason the exemption should be invented for a robot.
Position & protocol structure · for claims deliberately not made, see Boundaries below
Overview

The question is older than the robots.

Embodied autonomous systems are entering kitchens, wards, and food lines — environments where hygiene failure is not a degraded output but a physical event with a patient or a customer on the other end. The instinctive framing is capability: will the robot be intelligent enough to handle hygiene? This page argues that the framing is wrong. The question is whether hygiene assurance should depend on intelligence at all — and clinical practice answered that question, for humans, long before the first service robot shipped. The answer was no.

The argument

Why the assurance layer must be independent of intelligence.

Five reasons, none of which weaken as models improve.

The precedent

Humans never solved this with intelligence either.

The most skilled surgeon in the world cannot begin a procedure with an instrument that lacks a sterilization indicator. Not because the surgeon's judgment is doubted — because the operating regime deliberately placed sterility assurance in a layer that judgment cannot override. The autoclave indicator does not advise the procedure; it is a precondition for the procedure existing. No sterile evidence, and the procedure path does not form.

That regime was not a failure of trust in clinicians. It was the recognition, paid for over more than a century, that competence and contamination are independent variables. RHP-OS is not the invention of a new principle. It is the transplant of that regime — evidence as a structural precondition, not an input to judgment — from human procedure to machine actuation. A layer that intelligence was never allowed to waive for humans is not one a robot should be the first to be excused from.

The clinical genealogy of this principle is the subject of the origin essay.

Structure

Four stages, one direction.

Readiness evidence → Deterministic gate → Commit → Actuation path forms

The chain reads left to right and never backward. Hygiene-readiness evidence is generated by trusted instrumentation and presented first. A deterministic gate — no model in the loop — checks the evidence against the readiness policy. Only a passing verdict commits, and only a commit permits the actuation path to assemble. Absent or failed evidence produces non-action by default: fail-closed is the resting state, not an alarm condition.

The physical domain makes one property of this ordering non-negotiable. In software, a bad write can at least pretend to be undone. An actuation that must be recalled has already happened — there is no rollback for contact. Which is why the check must precede formation: after is too late by definition, not by degree.

One further element completes the structure: the protocol is built so that its integrity can be confirmed by an independent verifier — a third party can check that the evidence chain is intact and untampered without receiving the implementation itself.
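The chain described above, sketched as an added example that is not Certum's code or part of the RHP-OS specification: a deterministic, fail-closed gate over authenticated evidence, a commit that must exist before a path object can, and a record chain a third party can re-check from the records alone. Every name, field, threshold and the HMAC/hash-chain construction is an assumption made for illustration; a deployment would more likely use asymmetric signatures so the verifier never holds the instrument key.

```python
import hashlib, hmac, json

# Assumed for illustration: key, policy fields and thresholds are constructed.
INSTRUMENT_KEY = b"constructed-demo-key"   # held by the trusted instrumentation
POLICY = {"max_age_s": 300, "required": {"readiness_indicator": "pass"}}

def canon(obj):
    """Canonical bytes so signer, gate and verifier hash identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign_evidence(evidence, key=INSTRUMENT_KEY):
    return hmac.new(key, canon(evidence), hashlib.sha256).hexdigest()

def gate(evidence, tag, now):
    """Deterministic check: absent, unauthentic, stale or failing evidence is False."""
    if not isinstance(evidence, dict) or not isinstance(tag, str):
        return False
    if not hmac.compare_digest(sign_evidence(evidence).encode(), tag.encode()):
        return False
    ts = evidence.get("timestamp")
    if not isinstance(ts, (int, float)) or not 0 <= now - ts <= POLICY["max_age_s"]:
        return False
    return all(evidence.get(k) == v for k, v in POLICY["required"].items())

def append_record(log, evidence, tag, verdict):
    """Each record commits to its predecessor's hash."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = {"prev": prev, "evidence": evidence, "tag": tag, "verdict": verdict}
    log.append({**body, "hash": hashlib.sha256(canon(body)).hexdigest()})

def form_actuation_path(evidence, tag, now, log):
    """The path exists only after a passing verdict is committed; else None."""
    verdict = gate(evidence, tag, now)
    append_record(log, evidence, tag, verdict)   # refusals are recorded too
    return {"commit": log[-1]["hash"], "action": "proceed"} if verdict else None

def verify_chain(log):
    """Third-party check using only the records, not the gate's code."""
    prev = "0" * 64
    for rec in log:
        body = {k: rec[k] for k in ("prev", "evidence", "tag", "verdict")}
        if rec["prev"] != prev or hashlib.sha256(canon(body)).hexdigest() != rec["hash"]:
            return False
        prev = rec["hash"]
    return True
```

A hash chain on its own detects edits to individual records but not a wholesale rewrite or truncation; the latest hash has to be anchored somewhere the gate's operator cannot change.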

Where it sits

One layer, complementary by design.

RHP-OS occupies a single position: between the generation of readiness evidence and the commit that permits actuation. It does not replace the robot's perception or planning stack, its safety-rated motion control, or the hygiene certification regimes a facility already operates under — HACCP-style programs in food service, infection-control protocols in clinical environments. Those regimes define what counts as ready; RHP-OS makes the proof of readiness a structural precondition of action and leaves a machine-checkable record behind. Evidence automation alongside certification, not a substitute for it. The environments where this cut matters first are the ones already deploying: food-service robots operating under hygiene programs, and delivery and service robots working hospital corridors.

Boundaries

What RHP-OS does not claim.

Status

Specification sealed.

The protocol specification and its execution baseline are sealed under the same pre-registered evidence discipline used for CMF and PAG: falsification targets declared before the build, and a gate that cannot be made to fail not accepted as evidence. Work against the baseline is admitted only as signed, independently verifiable execution evidence. Evaluation materials are shared under NDA.

One paradigm, two substrates

The same chain, in memory and in the world.

Evidence → deterministic gate → commit → path formation is the same sequence Certum applies to an agent's persistent memory in MWP and to action authorization in CCA. The physical domain is where the principle was learned, and it is the domain where its consequences are least negotiable — a poisoned memory can be studied; a contaminated contact has occurred. That the identical structure holds across substrates is the strongest evidence we can offer that non-formation is a paradigm, not a product feature.

Patent

Status.

Filed with KIPO (Korean Intellectual Property Office).

Contact

Evaluation · collaboration.

For technical evaluation or collaboration on embodied-systems readiness:

certumsystems@gmail.com