BLADE-SPACE Governance Node

Radiation-Tolerant Compute Path

Microchip RTG4 FPGA (part-level TID 100 krad per datasheet, SEL immune) primary + backup with lockstep voting; Aitech S-A1760 Venus SBC primary + backup with Latching Current Limiter trip on SEU latch-up; SEU monitor IP + scrubber re-loads bitstream on detected upset. System-level TID allocation is 30 krad after 3 mm Al equivalent shielding margin.

Three-Fault-Tolerant Firing Path

Payload/thruster firing line gated through two independent normally-open solid-state relays (path A and path B) that must both close to permit firing, plus pyrotechnic isolation circuit with hardwired safe-arm plug during ground handling (per SR-004, SR-401)

ECDSA-Anchored Audit Chain

P-256 keypair anchored in rad-tolerant TPM signs every audit-chain entry; hash continuity maintained across reboots, brown-outs, and failover events (SR-008); ECDSA signature throughput ≥ 100/second (SR-105)

CARA Safe-Mode Auto-Entry

On ABORT verdict, system enters automatic magnetorquer detumble + sun-pointing safe-mode (SR-007). Backup IMU (Honeywell HG1700) provides ≤ 30 min dead-reckoning if GNSS lock lost; star-tracker correction observation update

Stage 1: SATA: Sensor Trust Attestation

Computes trust scalar τ from ALL sensor inputs combined with beam-path confidence scoring. Atmospheric sensors measuring humidity, obscurants, and turbulence feed directly into trust computation because a clear sensor picture is useless if the beam cannot reach the target.

Stage 2: ADARA: Adversarial Deception-Aware Risk Assessment

GPU-accelerated anomaly detection targeting decoys, reflectivity manipulation, adversarial track shaping, GPS spoofing, and sensor-to-sensor inconsistency. Any deception flag independently triggers ABORT.

Stage 3: IFF, Identification Friend or Foe

Verifies target classification against known friendly signatures. Prevents fratricide through cryptographic IFF challenge-response before authority confirmation.

Stage 4: HMAA: Human-Machine Authority Architecture

Derives authority score A with laser-specific gating: target classification tiers, engagement authorization levels, dwell feasibility, atmospheric propagation, and thermal management before granting authority.

Stage 5: MAIVA: Multi-Agent Integrity Verification

Exchanges trust and authority values with nearby BLADE-EDGE units via encrypted MANET mesh radio. Byzantine fault-tolerant consensus ensures no single compromised node can fool the swarm.

Stage 6: FLAME: Flash War Latency Architecture

Enforces 50-300ms recheck windows before firing in ambiguous conditions. Three modes: immediate pass-through (high confidence), micro-deliberation (ambiguous), auto-handoff (engagement window exceeded).

Stage 7: CARA: Control Authority Regulation

Post-abort recovery: steps authority to zero, revalidates all sensors from scratch, re-acquires target track, feeds back to SATA for fresh trust computation. Prevents false confidence buildup from abort cycling.

Stage 8: BDA, Battle Damage Assessment

Post-engagement sensor revalidation. Confirms engagement outcome, updates target track state, and feeds back to SATA for trust recomputation before next engagement cycle.

Stage 9: EFFECTOR, Hardware Safety Interlock

Normally-open hardwired safety relay. Closes ONLY when the full 9-stage pipeline confirms authority. Physical circuit break prevents engagement without verified governance chain.

EXECUTE

Full pipeline authority confirmed. Beam conditions favorable (β_beam > threshold). Safety interlock relay closes. Engagement authorized.

DELAY (ms)

Ambiguous conditions detected by FLAME. System holds for 50-300ms micro-deliberation, re-queries sensors, re-runs ADARA, re-checks MAIVA consensus.

ABORT

Trust collapse, deception detected, or consensus failure. Safety interlock remains open. CARA recovery initiates: authority zeroed, sensors revalidated from scratch.

HANDOFF (effector ID)

Pipeline authority confirmed but beam conditions unfavorable (atmospheric turbulence, thermal limits). Engagement transferred to kinetic interceptor via MIL-STD-1553.

Layer 1: Physical

Space-grade aluminum chassis with 3 mm Al equivalent shielding (30 krad TID); ASTM E595 outgassing-compliant materials (TML < 1.0%, CVCM < 0.1%); hardwired safe-arm plug for pyrotechnic isolation during ground handling.

Layer 2: Electronic

Electronic tamper mesh controller raises alarm on probe attempt; LCL trip on SEU-induced latch-up < 1 ms; hardware watchdog forces reset on hang; SEU monitor IP + scrubber re-loads FPGA bitstream on detected upset.

Layer 3: Cryptographic

ECDSA P-256 keypair anchored in rad-tolerant TPM; signs every audit-chain entry with hash continuity across reboots/brown-outs/failover (SR-003, SR-008); ≥ 100 signatures/sec throughput (SR-105); dual link encryptors for RF chain redundancy.

Functional Tests

• T-002: Payload-firing path safety interlock (FMEA F-009)
• T-004: SBC primary-to-backup failover < 200 ms
• T-005: ECDSA audit-chain hash continuity across reboots
• T-007: GNSS spoofing via multi-constellation correlation
• T-008: End-to-end 9-stage pipeline latency ≤ 300 ms

Performance Tests

• T-006: Star tracker ≤ 30 arcsec 3σ / GNSS ≤ 5 m 1σ / IMU ≤ 0.5 °/hr
• T-005: ECDSA throughput ≥ 100 signatures/sec

Environmental Tests

• T-010: Operating temperature -40 to +60 °C
• T-011: Survival temperature -55 to +85 °C
• T-012: GEVS-type random vibration (3 axes)
• T-013: 1000 g half-sine pyro shock (3 axes)
• T-017: ASTM E595 outgassing
• T-018: 30 krad TID

Risk Analysis

• FMEA: 35 failure modes (7 catastrophic, 4 mitigated by redundancy)
• Hazard Analysis: 10 hazards (3 critical with three-fault-tolerant mitigations)
• Reliability: R_system = 0.949 at 5-year EOL with CIL closure
• Radiation: 30 krad TID, per-part SEU/SEE classification

System Design

Full schematic SVG (200 KB), CONFIG.json master configuration, ELECTRICAL_CONNECTIONS.json (134 connections), MECHANICAL_CONNECTIONS.json (117 attachments), all originals in the engineering package.

Bill of Materials

91-component PARTS.csv with manufacturer, MPN, description, export-control classification, cost, and source URL. Open the file in any spreadsheet tool; values reproduce the BOM table on this page.

V&V Protocol

VV_PLAN.md specifies the 20-test campaign with pass/fail criteria, equipment lists, and method per test. RTM.md links every SRD requirement to the test that verifies it.

Standards Alignment

DoDD 3000.09 (autonomy authority), NASA SBIR EXPAND.3.S26B (spacecraft health management), GEVS vibration, ASTM E595 outgassing, NIST AI RMF.

NASA SBIR Phase I (EXPAND.3.S26B)

Submit Phase I proposal to EXPAND.3.S26B - Autonomous Onboard Health Management for Small Spacecraft and Distributed Systems under the NASA SBIR/STTR Program Year 2026 BAA (released 17 April 2026, valid through 30 September 2027). The subtopic explicitly accepts terrestrial Earth-analog testbed demonstrations in Phase I, with Phase II advancing to flight-hardware validation and Phase III to operational infusion. BLADE-SPACE's 9-stage governance pipeline maps directly to the subtopic's call for "continuous on-board health management capabilities to detect anomalies, diagnose, isolate" faults - particularly the unknown-fault response requirement (up to 40% of failure modes go unidentified through Key Decision Point E).

CDR Closeout Documentation (TRL 4 entry)

Surface the 11 Interface Control Documents publicly (currently in ZIP only); add Requirements Traceability Matrix excerpt; declare NASA-STD-8739.8 software safety class (Class B target for firing-path firmware); add NASA-STD-8719.27 lithium-battery hazard analysis for Saft VES16; build ESATAN-TMS network thermal model with worst-hot / worst-cold orbital cases; publish AP9/AE9 or SPENVIS orbit-environment run output backing the 30 krad TID system-level allocation; add ITAR USML Category XV(e) export-control flag on documentation cover.

Custom 12-Layer PCB & Component Procurement

Class V QML / Class S parts procurement (12-18 month lead time for rad-hard T2080 and RTG4); flight-harness fabrication per NASA-STD-8739.4; ESD-controlled clean-room assembly per ISO 14644 Class 8. Engineering Model build with single-string electrical functional validation, then assembly to flight-hardware-equivalent (FHE) configuration with full hot-redundant pairs.

AFRL STARS Run-Time Assurance Integration

Integrate the AUTHREX 9-stage authority pipeline with AFRL's STARS (Safe Trusted Autonomy for Responsible Spacecraft) Run-Time Assurance framework (an AFRL Seedlings for Disruptive Capabilities program). This is a proposed research-alignment target; no affiliation, sponsorship, or funding relationship exists. Map the HMAA authority-graduation model onto the published STARL (Space Trusted Autonomy Readiness Levels) scale. The HMAA hardware-enforced authority gating is complementary to STARS RTA safety-filtering and provides the physical-layer enforcement that RTA assumes but does not implement.

Environmental Qualification (GEVS / MIL-STD-1540E)

Vibration to GSFC-STD-7000A GEVS qualification levels (14.1 g_rms random, 5 minutes/axis); 1000 g half-sine pyrotechnic shock per MIL-STD-810G Method 516.7; TVAC across -55°C to +85°C at <10⁻⁵ Torr; ASTM E595 outgassing (TML <1.0%, CVCM <0.1%); MIL-STD-461G EMC against CE102 / CS101 / RE102 / RS103 / CS114; helium leak per pressurized vessel applicable items.

Heavy-Ion SEU Characterization

Single-event characterization at TAMU Cyclotron Institute or LBNL 88-Inch Cyclotron over LET 0.5-80 MeV·cm²/mg per JESD57. Measure FPGA configuration upset cross-section, SBC latch-up threshold, DDR4 ECC scrub margin. Validate the 100 krad part-level / 30 krad system-level TID allocation through Co-60 gamma ray test at AFRL or DTRA-approved facility.

USSF Tetra-5 / On-Orbit Servicing Demonstrations

Align with the four 2026-2028 on-orbit servicing demonstrations: USSF/AFRL Tetra-5 (autonomous RPO + docking + inspection + refueling), Astroscale U.S. Provisioner (GEO hydrazine refueling, USSF SSC), SpaceLogistics MRV (Northrop Grumman, NRL robotic arm, DARPA-funded RSGS), and Astroscale ELSA-M (multi-client servicing/debris removal). Each demonstration requires hardware-enforced authority gating for proximity-operations maneuvers; BLADE-SPACE provides exactly that governance layer.

DARPA Oversight Constellation Custody

Position the MAIVA cross-string Byzantine consensus layer for integration with DARPA Oversight - autonomous constant custody of up to 1,000 targets with operator at aggregate level, not per-target. The BDA stage's post-event trust revalidation provides the "continual assurance" framework that DARPA Assured Autonomy specifies for Learning-Enabled Cyber-Physical Systems. Submit white-paper response to next Oversight BAA opening.

USSF Maneuverable GEO + Race to Resilience

Position as the governance layer for the USSF Maneuverable GEO program (competition opened January 2026) and the broader USSF Race to Resilience initiative (FY2026 Space Force baseline appropriation $26.3B, approaching $40B with reconciliation funding via the "One Big Beautiful Bill Act"). Small / medium maneuverable commercial satellites in GEO require authority-graduated decision-making for autonomous orbit changes - the HMAA + FLAME + CARA stack is positioned for direct integration.

Distributed Constellation Demonstration

Multi-node MAIVA Byzantine consensus across N≥3 BLADE-SPACE governance nodes over inter-satellite optical link (Mynaric CONDOR Mk3); cross-satellite audit-chain hash continuity via ECDSA P-256 chain-of-trust; demonstrate authority-graduated decision-making across a constellation with degraded-node ride-through, swarm continuity under one-node-loss, and cross-satellite health exchange - all four primary capabilities called out in EXPAND.3.S26B.

domain: orbital
pipeline: SATA → ADARA → IFF → HMAA → MAIVA → FLAME → CARA → BDA → EFFECTOR

sensors:
 - id: star_tracker
 type: blue_canyon_nst100
 weight: 0.35
 cross_validate: [gnss, imu_tactical]
 - id: gnss
 type: novatel_oem7600_rg
 weight: 0.25
 cross_validate: [star_tracker, imu_tactical]
 - id: imu_tactical
 type: sensonor_stim_300
 weight: 0.25
 cross_validate: [star_tracker, gnss]
 - id: sun_sensor
 type: adcole_digital_array
 weight: 0.15
 cross_validate: [star_tracker]

effector:
 type: thruster_firing + magnetorquer + reaction_wheel
 relay: normally_open_interlock_x2_series
 safety_standard: NASA_STD_5017 + NASA_STD_8719_27
 engagement_gate: HMAA_authority + safe_arm_plug
 fail_safe: sun_pointing_safe_mode

authority:
 A3_threshold: 0.85 # Propulsive maneuver authorized
 A2_threshold: 0.60 # Reaction wheel only, no thruster
 A1_threshold: 0.35 # Attitude hold, no maneuvers
 A0_action: safe_mode # NO relays open, payload off
 hysteresis_up_s: 30 # Long climb (eclipse-aware)
 hysteresis_down_s: 0 # Immediate downgrade

import blade_governance as bg

# Initialize with orbital domain config
pipeline = bg.GovernancePipeline("blade_space.yaml")

# In your spacecraft ACS/payload control loop (10Hz):
while mission_active:
 sensors = get_sensor_readings() # ST, GNSS, IMU, sun

 result = pipeline.evaluate(sensors)
 # result.trust → 0.91
 # result.authority → "A3"
 # result.deception_p → 0.02
 # result.flame_hold_ms → 5000 # deliberation
 # result.execute → True

 if result.execute and result.authority == "A3":
 thruster.fire(result.envelope) # gated through 2× NO relays
 elif result.authority == "A0":
 pipeline.cara_recover() # sun-pointing safe-mode

# ROS 2 Topic Map, Orbital
/blade/sata/fused_trust # Float64 τ ∈ [0,1]
/blade/hmaa/authority_level # UInt8 {A3,A2,A1,A0}
/blade/hmaa/maneuver_envelope # ManeuverMsg
/blade/flame/circuit_breaker # UInt8 state
/blade/flame/deliberation_ms # UInt32 hold time
/blade/cara/grep_phase # String {GUARD,REDUCE,EVALUATE,PROMOTE}
/blade/effector/thruster_interlock # Bool (NO relay × 2 state)
/blade/adara/gnss_spoof_prob # Float64 P(spoofing)
/blade/bda/orbit_revalidation # OrbitRevalidation

# Core API, domain-agnostic
pipeline = bg.GovernancePipeline(config)
result = pipeline.evaluate(sensors)
recovery = pipeline.cara_recover()

# result object, universal fields
result.trust # Float64 τ ∈ [0,1]
result.authority # String {A3,A2,A1,A0}
result.deception_p # Float64 P(adversarial)
result.flame_hold_ms # UInt32 deliberation window
result.execute # Bool action permitted
result.relay_state # Bool hardware interlock
result.grep_phase # String CARA state

# Lifecycle
pipeline.get_audit_chain() # Hash-chained log
pipeline.export_forensics() # BLADE-BLACKBOX
pipeline.get_config() # Current domain cfg