Probability Engine
What is the Probability Engine?
The Probability Engine is the mechanism by which AIEP certifies that a DivergenceGraph node has a failure probability below a defined threshold — and gates execution on that certification.
This is what P04 (GB2519801.1) defines.
It is the answer to the question: for AI operating in high-assurance domains — aerospace, nuclear, medical, infrastructure — how do you prove that a proposed configuration is safe enough to execute, with cryptographic reproducibility and independent verifiability?
The problem with classical probability estimation
For most engineering systems, failure probability is estimated using Monte Carlo simulation. Run the system model many times with random inputs; count failures; estimate rate.
This breaks down at extreme rarity. A medical device certification may require failure probability below 10⁻¹⁵. To estimate this classically at that resolution, you need more simulation runs than there are atoms in the observable universe. The approach is computationally infeasible.
Quantum amplitude estimation provides a quadratic speedup for this class of problem — reducing the required number of oracle evaluations from O(1/ε²) to O(1/ε). But quantum hardware is probabilistic. It does not inherently provide the deterministic execution guarantees that AIEP requires.
P04 solves this by wrapping probabilistic estimation — quantum or classical — in a deterministic certification and arbitration layer.
Architecture
For each node in the DivergenceGraph, a Probability Certification Module is instantiated:
| Component | Function |
|---|---|
| Probabilistic Estimation Engine | Generates failure-probability distribution for a defined failure condition |
| Tail-risk Derivation Module | Derives certified bound: Failure probability ≤ ε at confidence C |
| Cryptographic Commitment Module | Canonical serialisation → collision-resistant hash |
| Deterministic Arbitration State Machine | Evaluates certified bound against threshold — fail-closed |
| Execution Control Module | Generates execution enablement signal only on full pass |
The Probability Certification Module runs before the canonical scoring function. A node that fails certification does not proceed to scoring. It transitions to non-executable state. There is no override.
The certified tail-risk bound
The certification takes the form:
Failure probability ≤ ε at confidence level C
In high-assurance embodiments, ε ≤ 10⁻¹⁵.
The bound is accompanied by:
| Field | Contents |
|---|---|
| Estimation specification | Which estimation method was used |
| Parameters | All parameters governing the estimation |
| Seed values | Deterministic seeds enabling bit-identical recomputation |
| Derived probability distribution | The full distribution, not just the point estimate |
| Certified tail-risk bound | The formal ε and C values |
All five are canonically serialised in deterministic order and a cryptographic commitment is computed over them. This commitment is recorded in the AIEP audit log — it is immutable.
Cryptographic reproducibility
The commitment architecture enables third-party independent recomputation:
- Any third party retrieves the canonical serialisation and committed artefacts from the audit log
- Recomputes the estimation using the declared specification, parameters, and seeds
- The recomputed bound must be bit-identical to the original
- The recomputed cryptographic digest must be identical to the recorded digest
- If either fails — execution authorisation was not valid
This is the key property: the system does not trust the certifier’s word. It trusts the reproducible computation. AIEP-certified execution can be independently verified by any party with access to the audit log — months or years later.
The arbitration state machine
The deterministic arbitration state machine evaluates each node:
| Input condition | Outcome |
|---|---|
| Certified bound ≤ threshold AND validation passes AND recomputation is bit-identical | → Execute — execution enablement signal generated |
| Certified bound exceeds threshold | → Reject — non-executable state |
| Validation of certified bound or artefacts fails | → Reject — non-executable state |
| Recomputation does not produce bit-identical result | → Reject — non-executable state |
| Any required certification, registry compliance, or commitment absent | → Reject — non-executable state |
The fail-closed principle: absence of certification is treated identically to failed certification. A node that has not been through the Probability Certification Module cannot execute.
Relationship to the canonical scoring function
The Probability Certification Module operates as a precondition layer to the canonical scoring function defined in GB2519711.2:
Score_i = α · deviation_i + β · safetyViolations_i + γ · resourceCost_i
Rejected nodes do not reach this function. Accepted nodes proceed unchanged — the certification does not modify deviation_i, safetyViolations_i, or resourceCost_i. It simply establishes admissibility before scoring begins.
This is distinct from the Plausibility Matrix (P03), which modifies the safetyViolations_i term. The Probability Engine is binary: an admissibility gate. The Plausibility Matrix is continuous: a scored contribution to the safety calculation.
Both must be satisfied. A node must pass probabilistic certification and achieve a PlausibilityScore above threshold and achieve an acceptable score on the canonical function before execution is enabled.
Applications
The Probability Engine was designed with the following deployment contexts in mind:
| Domain | Application |
|---|---|
| Aerospace | Flight control system configuration certification — failure probability bounds for avionics decisions |
| Nuclear | Reactor management configuration — extreme low-probability failure certification |
| Medical devices | Implantable device configuration — failure probability below regulatory thresholds |
| Autonomous vehicles | Path planning certification — failure probability bounds per manoeuvre decision |
| Infrastructure AI | Grid management configuration — failure probability certification for high-consequence switching decisions |
In each case: the claim is not “we believe this is safe.” The claim is “we have certified, with cryptographic commitment and independent recomputability, that this configuration has a failure probability below ε at confidence C.”
Quantum and classical embodiments
The estimation engine supports two modes:
| Mode | When used |
|---|---|
| Quantum amplitude estimation | When quantum hardware is available; provides quadratic speedup for rare-event estimation |
| Classical fallback | Tensor-network approximation, importance sampling, rare-event simulation, or extreme-value modelling |
The key invariant: whichever mode is used, the certified bound and all artefacts must be deterministically reproducible. Quantum hardware variance is handled by the same commitment architecture — the seed values ensure the computation is reproducible even where quantum results are used.
See: Quantum Alignment — how quantum computation is integrated with deterministic guarantees.
The P66 probability metadata envelope
P66 defines the public-facing Probability Metadata Envelope — what appears in the probability object of an AIEP machine mirror page.
| Field | Meaning |
|---|---|
provenance_type | Class of content provenance: primary_source, secondary_source, derived, or synthetic |
confidence_score | Normalised decimal [0.0, 1.0] — declared confidence |
attestation_source | URI or structured identifier of the attesting entity |
freshness_indicator | as_of (ISO 8601) + optional ttl_seconds |
A ProbabilityEnvelopeHash is computed: H(provenance_type || confidence_score || attestation_source || freshness_indicator).
The envelope declares metadata only. Internal probability engine logic, scoring functions, weight distributions, and Bayesian parameters are not exposed. Agents must apply their own version-bound evaluation rules — confidence_score is not a determinative admissibility threshold.
Patents
- P04 / GB2519801.1 — Deterministic Probability Certification Engine with Fail-Closed Arbitration
- P66 — Probability Metadata Envelope (open source prior art disclosure)
Related
- Plausibility Matrix — the registry-bound plausibility gate that runs alongside this
- Constitutional Substrate — the canonical scoring function this feeds into
- Quantum Alignment — deterministic guarantees for quantum computation
- Audit — where cryptographic commitments are stored
- Regulatory Governance — how certified bounds satisfy regulatory frameworks
- Patents — P04, P66