Embodied autonomous systems are entering kitchens, wards, and food lines — environments where hygiene failure is not a degraded output but a physical event with a patient or a customer on the other end. The instinctive framing is capability: will the robot be intelligent enough to handle hygiene? This page argues that the framing is wrong. The question is whether hygiene assurance should depend on intelligence at all — and clinical practice answered that question, for humans, long before the first service robot shipped. The answer was no.
Five reasons, none of which weaken as models improve.
The most skilled surgeon in the world cannot begin a procedure with an instrument that lacks a sterilization indicator. Not because the surgeon's judgment is doubted — because the operating regime deliberately placed sterility assurance in a layer that judgment cannot override. The autoclave indicator does not advise the procedure; it is a precondition for the procedure existing. No sterile evidence, and the procedure path does not form.
That regime was not a failure of trust in clinicians. It was the recognition, paid for over more than a century, that competence and contamination are independent variables. RHP-OS is not the invention of a new principle. It is the transplant of that regime — evidence as a structural precondition, not an input to judgment — from human procedure to machine actuation. A layer that intelligence was never allowed to waive for humans is not one a robot should be the first to be excused from.
The clinical genealogy of this principle is the subject of the origin essay.
The chain reads left to right and never backward. Hygiene-readiness evidence is generated by trusted instrumentation and presented first. A deterministic gate — no model in the loop — checks the evidence against the readiness policy. Only a passing verdict commits, and only a commit permits the actuation path to assemble. Absent or failed evidence produces non-action by default: fail-closed is the resting state, not an alarm condition.
The physical domain makes one property of this ordering non-negotiable. In software, a bad write can at least pretend to be undone. An actuation that must be recalled has already happened — there is no rollback for contact. Which is why the check must precede formation: after is too late by definition, not by degree.
One further element completes the structure: the protocol is built so that its integrity can be confirmed by an independent verifier — a third party can check that the evidence chain is intact and untampered without receiving the implementation itself.
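The ordering described above (evidence, then deterministic gate, then commit, then path formation), as an added Python sketch. It is not RHP-OS code: the evidence fields, policy thresholds, HMAC signing scheme and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed demo values; a real deployment's key handling and policy are not shown on the page.
INSTRUMENT_KEY = b"constructed-demo-key"   # held by the trusted instrumentation
POLICY = {"max_age_s": 300, "sanitize_cycle": "pass", "surface_atp_rlu_max": 30}

def sign_evidence(record: dict, key: bytes = INSTRUMENT_KEY) -> dict:
    """Instrumentation side: attach an HMAC over the canonical form of the record."""
    body = json.dumps(record, sort_keys=True).encode()
    return {"record": record, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}

@dataclass(frozen=True)
class Commit:
    evidence_digest: str   # binds the commit to the exact evidence that passed

def gate(evidence, now: int):
    """Deterministic gate: a Commit only if every check passes, otherwise None."""
    try:
        record = evidence["record"]
        body = json.dumps(record, sort_keys=True).encode()
        expected = hmac.new(INSTRUMENT_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, evidence["mac"]):
            return None                                # tampered or unsigned
        if not 0 <= now - record["ts"] <= POLICY["max_age_s"]:
            return None                                # stale or future-dated
        if record["sanitize_cycle"] != POLICY["sanitize_cycle"]:
            return None                                # cycle did not pass
        if record["surface_atp_rlu"] > POLICY["surface_atp_rlu_max"]:
            return None                                # reading above threshold
        return Commit(hashlib.sha256(body).hexdigest())
    except (KeyError, TypeError):
        return None                                    # absent or malformed: non-action

def form_path(commit, waypoints):
    """The actuation path is assembled only from a Commit; otherwise nothing forms."""
    if not isinstance(commit, Commit):
        return None
    return {"commit": commit.evidence_digest, "waypoints": list(waypoints)}

if __name__ == "__main__":
    ev = sign_evidence({"ts": 1000, "sanitize_cycle": "pass", "surface_atp_rlu": 12})
    print(form_path(gate(ev, now=1100), ["dock", "tray_3"]))
    print(form_path(gate(None, now=1100), ["dock", "tray_3"]))  # no evidence, no path
```

Every failure branch returns the same resting value, so missing evidence, a bad signature and an out-of-policy reading are indistinguishable to the planner: none of them yields an object from which a path can be built.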
RHP-OS occupies a single position: between the generation of readiness evidence and the commit that permits actuation. It does not replace the robot's perception or planning stack, its safety-rated motion control, or the hygiene certification regimes a facility already operates under — HACCP-style programs in food service, infection-control protocols in clinical environments. Those regimes define what counts as ready; RHP-OS makes the proof of readiness a structural precondition of action and leaves a machine-checkable record behind. Evidence automation alongside certification, not a substitute for it. The environments where this cut matters first are the ones already deploying: food-service robots operating under hygiene programs, and delivery and service robots working hospital corridors.
The protocol specification and its execution baseline are sealed under the same pre-registered evidence discipline used for CMF and PAG: falsification targets are declared before the build, and a gate that cannot be made to fail is not accepted as evidence. Work against the baseline is admitted only as signed, independently verifiable execution evidence. Evaluation materials are shared under NDA.
Evidence → deterministic gate → commit → path formation is the same sequence Certum applies to an agent's persistent memory in MWP and to action authorization in CCA. The physical domain is where the principle was learned, and it is the domain where its consequences are least negotiable — a poisoned memory can be studied; a contaminated contact has occurred. That the identical structure holds across substrates is the strongest evidence we can offer that non-formation is a paradigm, not a product feature.
Filed with KIPO (Korean Intellectual Property Office).
For technical evaluation or collaboration on embodied-systems readiness:
certumsystems@gmail.com