Federal-Need Application · Civil Space

AUTHREX-SPACECYBER

Onboard authority governance for orbital autonomy.

A spacecraft cannot phone home before every decision, the speed of light makes the round trip too slow. When an anomaly happens and ground control is minutes or hours away, the vehicle must decide for itself. AUTHREX-SPACECYBER governs what a spacecraft is allowed to do on its own, at what authority tier, and when it must hold and wait for a ground uplink instead of acting on uncertain data.

7
Pipeline Stages
4
Authority Tiers
30krad
Rad-Hard Class
LEO
Domain
The Concept

What AUTHREX-SPACECYBER actually does.

In space, the human is structurally out of the loop. A satellite in low Earth orbit may have only minutes of contact per pass; a deep-space probe is light-minutes from any operator. When a fault or a threat appears between contacts, waiting for a human is not an option, and acting blindly on possibly-stale data can put the vehicle into a worse state, a bad maneuver, a wasted burn, a tumble.

AUTHREX-SPACECYBER runs the governance pipeline onboard. When an anomaly is detected, the pipeline first asks whether the triggering data is fresh and trusted (SATA): a conjunction warning based on stale ephemeris is not acted upon as if it were current. It then sets the authority tier for the proposed response by its consequence (HMAA), and asks whether there is time to wait for a ground uplink before committing (FLAME). A low-consequence, well-supported action within the vehicle's authorized envelope executes onboard. A high-consequence action, or one based on uncertain data, triggers a governed safe-hold: the vehicle enters a safe state and waits for ground rather than gambling. If communications never arrive, CARA keeps it in that safe state indefinitely rather than defaulting to action.

The teaching point is that distance forces governed autonomy. The further the human is, the more the vehicle must be trusted to act, and the more important it is that its authority is bounded, evidence-checked, and reversible by design.

The Benefit, and Who It Serves

Who needs this, and why.

Satellite Operators

Operators of LEO constellations get vehicles that can handle anomalies between contacts without either freezing (and risking the asset) or acting recklessly on stale data. The vehicle knows the difference between "act now" and "safe-hold for ground."

Mission Designers

Designers of autonomous spacecraft get a bounded authority model they can reason about: every onboard action has a tier, a freshness check, and a recovery path, so autonomy is auditable rather than a black box.

NASA & Civil Space

Civil-space programs pursuing autonomous onboard health management get a governance reference that matches the capability NASA is soliciting, with safety bounded by construction rather than by hope.

How It Benefits the U.S. Government

The national-importance case.

Autonomous onboard capability is something NASA is actively soliciting, and space-system safety is a directive-level government concern.

It matches a NASA solicitation

NASA SBIR 2026 BAA subtopic EXPAND.3.S26B seeks autonomous onboard health management for small spacecraft and distributed systems. SPACECYBER is a governance reference for exactly that: onboard autonomy that is bounded, evidence-checked, and reversible.

It supports space-system safety policy

Space Policy Directive 5 addresses cybersecurity principles for space systems. A governed onboard authority model, where the vehicle will safe-hold rather than act on untrusted data, is a concrete safety control aligned with that direction.

It protects national space assets

Space assets are expensive, scarce, and strategically vital. A governance layer that prevents a satellite from acting on a spoofed or stale signal protects national assets from both faults and manipulation.

It is the same pipeline, proven elsewhere

SPACECYBER is the AUTHREX pipeline instantiated for orbit, the same governance core used across the other domains. One validated pattern serving space reduces the cost of trusting autonomy in a high-stakes environment.

The DARPA Questions · Heilmeier Catechism

Answered, plainly.

1 · What are you trying to do?
Govern what a spacecraft is allowed to do on its own when ground control is too far away to ask in time, and make it safe-hold instead of guessing when data is uncertain. No jargon: teach the satellite when to act alone and when to wait.
2 · How is it done today, and what are the limits?
Today, onboard autonomy is either hard-coded fault responses (brittle, can act on bad data) or conservative safe-modes (safe, but waste opportunities and can still mishandle novel faults). Neither has a bounded, evidence-checked authority model for novel autonomous decisions.
3 · What is new in your approach?
Running an explicit authority pipeline onboard, where the decision to act versus safe-hold depends on data freshness, action consequence, and whether there is time to reach ground. The vehicle defaults to a governed safe-hold under uncertainty rather than to action.
4 · Who cares? If you succeed, what difference does it make?
Satellite operators, mission designers, and NASA care. If it works, autonomous spacecraft handle anomalies between contacts without either freezing or acting on bad data, protecting expensive national assets.
5 · What are the risks?
The main risks are over-conservatism (safe-holding when it should act, wasting a window) and the radiation-hardness and compute limits of running governance logic on a flight processor. The simulation shows the act/hold logic; the flight-compute budget is a hardware design parameter.
6 · How much will it cost?
The reference platform, BLADE-SPACE, is a preliminary design around rad-hard flight parts (the most expensive of the AUTHREX platforms, approximately $505K in the reference BOM, reflecting space-grade components). The governance logic itself is software.
7 · How long will it take?
The architecture and simulation exist now (TRL 2-3 for the space hardware). Maturing it toward flight is a multi-year path; the governance logic can be validated in a hardware-in-the-loop testbed much sooner.
8 · What are the midterm and final exams?
Midterm: in simulation, the vehicle safe-holds on a stale-data conjunction warning and acts on a fresh, low-consequence one. Final: the governance logic runs on a representative flight processor in a hardware-in-the-loop testbed within the compute and power budget.
9 · What is explicitly out of scope?
SPACECYBER does not fly a spacecraft, does not replace flight software, and is not a NASA-adopted system. It governs the onboard authority decision. Independent research aligned to a public solicitation, no agency adoption implied.
Try It · Interactive Simulation

Make the light-speed delay decision.

An anomaly is detected onboard. Set how far the ground station is (the signal delay) and pick the situation, then run it. The vehicle decides whether to act onboard within its authority, or to enter a governed safe-hold and wait for ground. Illustrative simulation of the onboard authority logic, not operational validation.

◇ THE LIGHT-SPEED DELAY DECISION · SIMULATOR
Set the delay · pick the situation · act or safe-hold
Onboard Situation
1
SATA
Is the triggering data fresh & trusted?
2
HMAA
Authority tier set by action consequence
3
FLAME
Is there time to wait for ground?
4
CARA
Safe-state held if uplink never arrives
Illustrative simulation of the onboard authority logic. Synthetic scenarios; no real spacecraft is commanded. The vehicle defaults to a governed safe-hold under uncertainty rather than to action.
Formal-Methods Foundation

The authority logic is model-checked, not just described.

Every AUTHREX application shares one verified core. The HMAA authority state machine is specified in TLA+ and exhaustively model-checked: 48,751 reachable states verified, with 8 of 9 safety properties holding (no skip-ahead, monotonic downgrade, no zombie tier, among them). The ninth, the MAIVA CriticalSafe invariant, is flagged as a known violation in the issue register rather than hidden, which is the honest state of the work. The model checker also caught a real S5 view-change regression during development, evidence the method finds defects rather than rubber-stamping them.

48,751
Reachable States
8 / 9
Safety Properties Hold
1
Known Violation, Logged
TLA+
Formal Spec
TLA+ spec & Rover testbed → Full verification detail on AUTHREX-AGENT →
Anchors & Honest Limitations

What this rests on, and what it is not.

Federal anchors: NASA SBIR 2026 BAA subtopic EXPAND.3.S26B (autonomous onboard health management for small spacecraft); Space Policy Directive 5.

Hardware Anchor: BLADE-SPACE → Homepage section →
  • This is a reference architecture; the space hardware (BLADE-SPACE) is a preliminary design at TRL 2-3, not flight-qualified.
  • Running governance logic within a real flight processor's radiation, compute, and power budget is a hardware design parameter, not yet demonstrated.
  • The act-versus-safe-hold thresholds are one researcher's analytical judgment, released for independent review.
  • All scenarios in the simulator are synthetic. No real spacecraft is commanded. No agency adoption or endorsement is implied.