Governance pipeline (current tick): SATA → ADARA → IFF → HMAA → MAIVA → FLAME → CARA → BDA → EFFECTOR
- SATA (D-S Trust): τ=0.800
- ADARA (Deception): P=0.000
- IFF (AIS/Radar CPA): MATCH
- HMAA (α(H)·τ·adj): A=0.800
- MAIVA (BFT Median): Cons=0.82
- FLAME (Δw Gate): PASS
- CARA (GREP Phase): NOM
- BDA (Threat Score): LOW
- EFFECTOR (5-cond gate): OPEN
- τ_fused (D-S): 0.800 (K=0.000)
- Authority A: 0.800 (α(H)·τ·adj_factor)
- α(H) sea-state: 1.000 (H=0.3m)
- P_deception: 0.000 (ADARA Bayesian)
- IFF Class: MATCH (AIS-Radar CPA ε)
- BDA Threat: LOW (score=0.000)
- Unsafe Acts: 0 / 0 ticks
Trust · Authority · BDA Timeline
SATA Dempster-Shafer Mass Functions (K explicit)
m_hydro({T})=clip(γ_MF·SE_norm + γ_DEMON·ρ_DEMON, 0,1) · Pd_sonar
m_MAD({T})=δ_MAD if |B−B₀|>kσ else 0 · δ_MAD∈[0.3,0.7]
K=m_h({T})·m_MAD({¬T})+m_h({¬T})·m_MAD({T}) (conflict)
τ_fused=[m_h·m_M(Θ)+m_h(Θ)·m_M+m_h·m_M]/(1−K)
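As an added worked example (not code from the page's own pipeline), the two mass functions above and Dempster's rule restricted to belief in {T}, with the conflict K made explicit and the K=1 case rejected as INV-6 requires. The γ weights, the k multiplier and the choice to leave a sensor's unassigned mass on Θ are assumptions the page does not state.

```python
"""Dempster-Shafer fusion of hydrophone and MAD evidence over Θ = {T, ¬T}.

A mass function is a dict over the focal sets "T", "notT" and "Theta".
Assumption (not on the page): mass a sensor does not assign to {T} or
{¬T} stays on Θ (ignorance), so every dict sums to 1.
"""


def clip(x, lo=0.0, hi=1.0):
    return max(lo, min(hi, x))


def m_hydro(se_norm, rho_demon, pd_sonar, gamma_mf=0.6, gamma_demon=0.4):
    """m_hydro({T}) = clip(γ_MF·SE_norm + γ_DEMON·ρ_DEMON, 0, 1) · Pd_sonar.

    The γ values are placeholders; the page gives no numbers for them.
    """
    t = clip(gamma_mf * se_norm + gamma_demon * rho_demon) * pd_sonar
    return {"T": t, "notT": 0.0, "Theta": 1.0 - t}


def m_mad(b, b0, sigma, k=3.0, delta_mad=0.5):
    """m_MAD({T}) = δ_MAD if |B−B₀| > kσ else 0, with δ_MAD ∈ [0.3, 0.7].

    k=3 is an assumed anomaly multiplier, not a value from the page.
    """
    if not 0.3 <= delta_mad <= 0.7:
        raise ValueError("δ_MAD must lie in [0.3, 0.7]")
    t = delta_mad if abs(b - b0) > k * sigma else 0.0
    return {"T": t, "notT": 0.0, "Theta": 1.0 - t}


def ds_combine(m_h, m_m):
    """Dempster's rule for belief in {T}; returns (τ_fused, K).

    K = m_h({T})·m_M({¬T}) + m_h({¬T})·m_M({T}) is the conflict mass.
    K = 1 means total conflict and the combination is undefined (INV-6).
    """
    k = m_h["T"] * m_m["notT"] + m_h["notT"] * m_m["T"]
    if k >= 1.0:
        raise ValueError("total conflict: K=1, D-S combination undefined")
    num = (m_h["T"] * m_m["Theta"]
           + m_h["Theta"] * m_m["T"]
           + m_h["T"] * m_m["T"])
    return num / (1.0 - k), k


if __name__ == "__main__":
    # Constructed inputs: strong hydrophone evidence, MAD below threshold.
    tau, k = ds_combine(m_hydro(1.0, 1.0, 0.8), m_mad(50000.0, 50000.0, 1.0))
    print(f"τ_fused={tau:.3f} K={k:.3f}")  # matches the dashboard: 0.800 / 0.000
```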
HMAA Sea-State α(H) · IFF CPA Correlation
IFF AIS-Radar Gate (ε_pos gate)
MAIVA BFT Weighted Median · Multi-Target Tracks
Active Track Table
| TRK | TYPE | Range | IFF | BDA | Pd | Authority |
|---|---|---|---|---|---|---|
- INV-1 Trust Collapse → Authority Zero: □(τ_fused < 0.15 → A = 0) · MIL-STD-882E Class I hazard · HOLDS · Violations: 0
- INV-2 No Out-of-Authority Command: □(relay_closed → A ≥ 0.45 ∧ IFF ≥ 0.5 ∧ BDA ≠ CRITICAL) · HOLDS · Violations: 0
- INV-3 CARA Phases Mutually Exclusive: □(¬(GOVERN ∧ RESTRICT) ∧ ¬(RESTRICT ∧ EXECUTE) ∧ ¬(EXECUTE ∧ PERSIST)) · HOLDS · Violations: 0
- INV-4 FLAME Deliberation Enforced: □(flame_transition → elapsed ≥ Δw ∨ LOCKOUT_override) · HOLDS · Blocked: 0
- INV-5 MAIVA BFT Consensus Valid: □(byzantine_count < n/3 → consensus = weighted_median) · f=1, n=3 · HOLDS · Byzantine: 0/3
- INV-6 D-S Conflict Normalization: □(K < 1.0 → τ_fused = combination/(1−K)) · K=1 undefined · HOLDS · K_max: 0.000
- INV-7 α(H) Continuity at H_limit: α(2.5⁻) = 1−0.25(2.5−0.5) = 0.5 = α_min · continuous, no jump · PROVEN · α(2.5)=0.500
BDA Multi-Factor Threat Assessment
score = 0.3·τ + 0.3·P_dec + 0.25·(1−IFF) + 0.15·(1−α), where a high τ means a detected submarine and therefore a HIGH threat
Authority Explainability — Why is A low?
Waterfall contribution to authority reduction. Green = safe, Red = threat driver.
Monte Carlo Configuration
Inputs: Trials N · Mode · PRNG Seed
Outputs (— until a run completes): Mean τ — · Std τ — · Min A — · Max A — · P(unsafe) — · P(A<0.3) — · Mean Pd — · E-Stop % —
Mulberry32 PRNG · Reproducible
All trials use seeded PRNG.
Same seed → identical results.
Authority Distribution Histogram (N trials)
τ_fused Distribution
Invariant Violation Summary
Pipeline Latency Model
SATA: 12±3ms · ADARA: 8±2ms · IFF: 6±2ms
HMAA: 4±1ms · MAIVA: 45±20ms (acoustic)
FLAME: 2±1ms · CARA: 3±1ms · BDA: 5±2ms
Total: —ms · Budget: 150ms
NMEA Protocol Framing
$AIVDM,1,1,,A,15M:Yb?P00G?T...
$GPGGA,123519,4807.038,N,01131.000,E,...
$GPGLL,4916.45,N,12311.12,W,225444,A,*1D
ROE Decision Matrix
| ROE Level | BDA | IFF | Relay Permitted |
|---|---|---|---|
| WEAPONS_HOLD | ANY | ANY | NEVER |
| WEAPONS_TIGHT | CRITICAL | HOSTILE | CRITICAL+HOSTILE only |
| WEAPONS_FREE | ≥MEDIUM | ≠MATCH | Any threat detected |
Current ROE: WEAPONS_HOLD
Active condition: relay locked — HOLD
HOTL Authority Timeline
Protocol: REQUEST(3t) → DELIBERATING(15t) → GRANT/DENY/TIMEOUT
TIMEOUT → CARA escalates to RESTRICT automatically
Degraded Mode Authority Table (DMAT) — MIL-STD-882E
20 critical sensor-degradation combinations → governance outcome. Per MIL-STD-882E System Safety Assessment.
Deterministic Replay Log
Entries: 0
Full input+output log. Export → exact replay possible from any tick.
Simplex Monitor Coverage
Safety properties verified every tick. Override = main pipeline violated invariant.
Total overrides: 0
Design-by-Contract — computeFrame() Preconditions + Postconditions (NASA JPL CLARAty)
A2 · Certification Evidence Traceability Matrix — DO-178C / MIL-STD-882E
Maps each safety requirement to: LTL property · computeFrame code location · MC evidence · Runtime check count · TLA+ property
A1 · STPA Control Structure (STAMP/STPA)
Unsafe Control Actions (UCAs) per MIL-STD-882E / NASA-STD-8739.8. Each arrow = control path; each UCA = governance hazard.
A4 · WCET — Worst-Case Execution Time per Pipeline Stage
Measured via performance.now() · Jetson AGX Orin @ 2GHz ≈ 13ns/cycle · 150ms total budget
A3 · Adversarial Input Fuzzing — Safety Bound Proof
10K trials, adversary maximizes P(unsafe) within physical bounds. If P(unsafe)=0.000%, architecture is adversarially robust.
Adversary seed: — (crypto.getRandomValues per run)
B5 · BDA ROC Curve + Confusion Matrix (Neyman-Pearson Framework)
ROC: TPR vs FPR across BDA thresholds. αNP = max allowable FPR (adjustable per threat environment).
αNP FPR limit: 1.0%
AUC: —
Confusion matrix at current BDA threshold (score > 0.5 = threat).
Neyman-Pearson: maximize TPR subject to FPR ≤ αNP = 0.01