Cascade Propagation: Refusal as First-Class Observation

by Nick Clark | Published April 25, 2026

Smart-grid blackouts, supply-chain stockouts, multi-utility coordination breakdowns, and joint-operations command failures share an architectural pathology: each begins with a local protective action that is rational in isolation and destructive in aggregate. Current control systems treat mitigation as fire-and-forget, dispatching a directive into the field with no structured return path that distinguishes successful execution from quiet refusal. The 2003 Northeast blackout, the 2021 Texas grid event, the 2020 ventilator-allocation cascade, and routine semiconductor-supply disruptions all illustrate the same gap: protective actions ripple outward with no upstream signal that lets the originator re-plan. This article introduces cascade propagation, a domain-agnostic architectural primitive in which mitigation directives flow over governance-credentialed multi-authority topology graphs and refusal becomes a first-class observation. Refusal carries structured reason codes, propagates upstream and across domain boundaries, and enables preemptive graduated response under composite admissibility. Disclosed under USPTO provisional 64/049,409, the primitive provides the missing feedback channel that converts cascade events from emergent failures into governed, auditable, and re-plannable system behaviors.


1. Problem and Architectural Premise

Cascade events in coupled infrastructure follow a recognizable shape. A local node detects a constraint violation — overcurrent on a transmission line, stockout at a distribution center, perimeter intrusion at a forward operating base — and executes a protective action. The action is locally optimal: it preserves the node's mission, equipment, or personnel. The action is also globally destabilizing: it transfers load, demand, or risk to adjacent nodes that did not anticipate the transfer and whose own constraints now activate. The cascade is the recursion of locally rational protective actions across a topology that lacks structural feedback.

The architectural premise of every current control system in this space is that mitigation directives are issued downward through a hierarchy and either succeed or fail silently. NERC CIP reliability standards specify what utilities must do under contingency conditions, but the standards prescribe behavior rather than a coordination architecture. SCADA systems carry control points and telemetry, but they do not represent refusal as a typed observation. JADC2 and CJADC2 program offices specify a vision of joint all-domain command and control, but the underlying message buses (Link 16, VMF, MQ-series brokers) have no first-class concept of a credentialed refusal. Supply-chain visibility platforms track in-transit inventory but do not represent a tier-three supplier's refusal of a tier-two allocation directive as a structured, signed event.

The consequence is that originators of mitigation directives operate on stale or false models of downstream state. A regional reliability coordinator issues a load-shedding directive; the receiving utility executes partially, defers part, and refuses part on equipment-availability grounds; the coordinator's situational picture reflects only the executed portion because the deferral and refusal had no observation type to ride. The coordinator's next directive is computed against an incorrect baseline, and the cascade propagates further before being correctly modeled.

The premise of this primitive is that refusal, deferral, and partial execution are not exceptions to the observation stream — they are observations. They are the ones that carry the most information about the topology's current operating envelope, because they reveal the constraint that the directive activated. Promoting refusal to a first-class, credentialed, lineage-bound observation type closes the feedback loop without requiring any specific domain ontology, regulatory regime, or hierarchical authority structure.

2. Core Architectural Primitive

The primitive consists of three jointly defined elements: a governance-credentialed topology graph, a directive observation type, and a refusal observation type. Each element is independently signed under credentials issued by one or more authorities standing in the relevant domain, and each is recorded with full lineage to predecessor observations.

The topology graph G = (V, E) has vertices V representing participating systems — utilities, balancing authorities, supply-chain participants, military units, civil agencies, ports, hospitals, data centers — and edges E representing credentialed coordination relationships. Each edge carries metadata: capacity (e.g., MVA for a transmission tie, units-per-day for a supply lane, troops-per-hour for a logistics corridor), latency (microseconds for synchrophasor coordination, hours for material reallocation, days for procurement), criticality tier (1 through 5), and authority signatures. Edges are typed: physical (a transmission line, pipeline, or shipping route), informational (a telemetry feed or intelligence link), and authority (a regulatory oversight or contractual commitment relationship). Multi-authority signing is the structural norm: a transmission interconnect edge between two balancing authorities is signed by both authorities and the regional reliability authority, producing a triply-credentialed edge that is admissible under any of the three authorities' policies.

A mitigation directive is a credentialed observation issued by a coordinating authority, naming a target subgraph, an action template (shed N MW of load, reroute X units through alternate corridor, redistribute Y patients across receiving hospitals), a time window, and a confidence or priority class. Receiving nodes evaluate the directive against composite admissibility — a layered policy check that combines the receiver's local constraints, applicable regulatory policies, and the credentials presented by the issuer. Admission produces an execution observation; non-admission produces a refusal observation.

The refusal observation carries a typed reason from a structured taxonomy (described in section 4), the partial-execution fraction if any, the residual capacity available, the prerequisite that would unblock execution, and the credential of the refusing node. Refusal flows upstream along the same topology edges that carried the directive, but it also propagates laterally to peer nodes whose own admissibility depends on the refused node's state. The originator receives the refusal, updates its model of the operating envelope, and either re-plans, escalates, or accepts the residual exposure under explicit policy. The entire exchange — directive, partial execution, refusal, re-plan — is recorded in lineage, producing an audit-grade reconstruction of the cascade response.

3. Governance-Credentialed Topology and Authority-Gated Learning

The topology graph is itself a governed observation rather than a configuration artifact. Each edge is created, modified, or retired through a credentialed proposal-and-admission flow. A new transmission tie between balancing authorities is proposed by both endpoint authorities and admitted by the regional reliability authority before it becomes part of the operating topology. An edge degradation — a line derated for thermal limits, a supply lane disrupted by weather, a coordination channel impaired by communications loss — is observed by either endpoint, signed under the endpoint's credential, and admitted by the relevant authority before propagating. Edge retirement follows the symmetric flow.

Multi-authority topology resolution is structural rather than negotiated. The same physical edge can be represented under multiple authority frames simultaneously: the transmission tie above is an asset under the FERC frame, a reliability element under the NERC frame, and an interconnection under the bilateral utility frame. Each frame carries its own metadata and its own admissibility policies; cross-frame consistency is checked when a directive references the edge, and frame disagreement surfaces as an observable event rather than an internal failure.

Topology learning is the mechanism by which the operating graph stays aligned with physical reality. Observed coordination patterns — which nodes consistently exchange directives during which event classes, which edges carry traffic above their declared capacity, which authority signatures are repeatedly invoked together — produce credentialed proposals to add edges, modify metadata, or retire stale edges. The proposals are not auto-applied. Each proposal is itself a credentialed observation that requires authority approval before becoming part of the operating topology, with the approving authority's signature serving as the gating event.

Authority-approval gating is the load-bearing defense against adversarial topology manipulation. An attacker cannot simply assert that two nodes are connected, that an edge has higher capacity than physically supported, or that a regulatory edge exists where none does. The proposal must clear an authority's admissibility policy, and the authority's signature is itself audited. The learning mechanism is therefore structurally aligned with regulatory oversight rather than working around it, which distinguishes the primitive from machine-learning approaches to topology inference that produce un-credentialed inferences applied to operating systems without governance review.
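One way to implement the gating rule described in this section, as an added example (not code from the article or the disclosed reference implementation): a learned or asserted edge proposal changes the operating topology only when the required authority signatures verify over its exact content. The authority names, keys, proposal fields and the use of HMAC as a stand-in for authority signatures are assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo keys. HMAC stands in for authority signatures in this sketch;
# a deployment would use asymmetric signatures so verifiers hold no signing key.
AUTHORITY_KEYS = {
    "BA-East": b"demo-key-ba-east",
    "BA-West": b"demo-key-ba-west",
    "Regional-RC": b"demo-key-regional-rc",
}
# Hypothetical policy: the authority that must admit changes to each edge type.
GATING_AUTHORITY = {"physical": "Regional-RC"}


def canonical(proposal):
    """Stable byte encoding so every authority signs exactly the same content."""
    return json.dumps(proposal, sort_keys=True, separators=(",", ":")).encode()


def sign(authority, proposal):
    return hmac.new(AUTHORITY_KEYS[authority], canonical(proposal), hashlib.sha256).hexdigest()


def valid_signers(proposal, signatures):
    """Return the authorities whose signature verifies over this exact proposal."""
    body, ok = canonical(proposal), set()
    for authority, sig in signatures.items():
        key = AUTHORITY_KEYS.get(authority)
        if key is None:
            continue  # unknown credential: ignored, never trusted
        expected = hmac.new(key, body, hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, sig):
            ok.add(authority)
    return ok


def admit(topology, proposal, signatures):
    """Apply an edge proposal only when the gating rule is met. Returns (bool, reason)."""
    gate = GATING_AUTHORITY.get(proposal.get("edge_type"))
    if gate is None:
        return False, "no gating authority for edge type"
    endpoints = {proposal["from"], proposal["to"]}
    signed = valid_signers(proposal, signatures)
    if gate not in signed:
        return False, "gating authority has not approved"
    edge = (proposal["from"], proposal["to"])
    if proposal["op"] == "add":
        # New edge: both endpoint authorities propose, the gate admits.
        if not endpoints <= signed:
            return False, "both endpoint authorities must sign a new edge"
    elif proposal["op"] == "modify":
        # Degradation or metadata change: either endpoint observes, the gate admits.
        if edge not in topology:
            return False, "edge is not in the operating topology"
        if not endpoints & signed:
            return False, "an endpoint authority must sign the observation"
    else:
        return False, "unsupported operation"
    topology[edge] = {"capacity_mva": proposal["capacity_mva"], "signers": sorted(signed)}
    return True, "admitted"
```

Because signatures cover the canonical proposal body, raising the declared capacity after approval invalidates every signature and the proposal is rejected.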

4. Refusal as Structured Feedback and Reason Taxonomy

Refusal is the observation type that carries the most information about cascade dynamics, because every refusal reveals the constraint that the directive activated. The primitive defines a structured reason taxonomy that enables the originator to compute a corrective response without ambiguity. The taxonomy includes capacity-exceeded (the directive demands more than the node can deliver, with the residual capacity declared), authority-insufficient (the issuing credential does not satisfy the receiver's admissibility policy for the requested action), prerequisite-unmet (a dependency observation is missing or stale, with the dependency declared), conflicting-directive (a prior or concurrent directive from another authority is in force, with the conflicting observation referenced), policy-violation (a local or regulatory policy bars the action, with the policy clause cited), equipment-unavailable (the executing element is out of service, with the unavailability window declared), and dependent-system-unavailable (an upstream or peer system the action requires is itself refused or unreachable).

Each reason category drives a distinct upstream response. Capacity-exceeded triggers redistribution: the originator computes a revised allocation across additional nodes whose declared residual capacity sums to the deficit. Authority-insufficient triggers escalation: the originator either presents an additional credential, or routes the directive through an authority whose signature is admissible at the receiver. Prerequisite-unmet triggers issuance of the prerequisite: the originator either issues the missing dependency directly or requests its issuance from the authority that holds it. Conflicting-directive triggers cross-authority resolution: the receiver surfaces both directives to a coordinating authority empowered to issue a dispositive observation. Policy-violation triggers either re-formulation under a different action template or formal exception under explicit waiver authority. Equipment- and dependent-system-unavailable trigger horizon updates: the originator's model is corrected to reflect the unavailability window, and re-planning proceeds against the corrected horizon.

Partial execution is treated as a refusal of the residual rather than as a successful execution. If a balancing authority directs 800 MW of load shed and the receiving utility executes 520 MW, the response decomposes into a credentialed execution observation for 520 MW and a credentialed capacity-exceeded refusal observation for the 280 MW residual. The originator sees the partial fulfillment and the structured residual and re-plans the residual against the topology's remaining capacity. This eliminates the silent-shortfall pathology in which fire-and-forget directives appear to have succeeded because no negative acknowledgment was structurally available.
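The 800 MW case above, carried through both sides of the exchange as an added example (not code from the article or the disclosed reference implementation): the receiver decomposes a partially executed directive into an execution and a capacity-exceeded refusal, and the originator dispatches on the reason code and redistributes the residual. Class and field names, the response labels and the largest-residual-first allocation order are assumptions; credentials and signatures are omitted.

```python
from dataclasses import dataclass
from enum import Enum


class Reason(Enum):
    # The seven top-level categories named in the taxonomy above.
    CAPACITY_EXCEEDED = "capacity-exceeded"
    AUTHORITY_INSUFFICIENT = "authority-insufficient"
    PREREQUISITE_UNMET = "prerequisite-unmet"
    CONFLICTING_DIRECTIVE = "conflicting-directive"
    POLICY_VIOLATION = "policy-violation"
    EQUIPMENT_UNAVAILABLE = "equipment-unavailable"
    DEPENDENT_SYSTEM_UNAVAILABLE = "dependent-system-unavailable"


# Upstream response per reason category, as described in the text (labels are assumed).
RESPONSE = {
    Reason.CAPACITY_EXCEEDED: "redistribute",
    Reason.AUTHORITY_INSUFFICIENT: "escalate",
    Reason.PREREQUISITE_UNMET: "issue-prerequisite",
    Reason.CONFLICTING_DIRECTIVE: "cross-authority-resolution",
    Reason.POLICY_VIOLATION: "reformulate-or-waiver",
    Reason.EQUIPMENT_UNAVAILABLE: "update-horizon",
    Reason.DEPENDENT_SYSTEM_UNAVAILABLE: "update-horizon",
}


@dataclass(frozen=True)
class Directive:
    directive_id: str
    target: str
    requested_mw: float


@dataclass(frozen=True)
class Execution:
    directive_id: str
    node: str
    executed_mw: float


@dataclass(frozen=True)
class Refusal:
    directive_id: str
    node: str
    reason: Reason
    refused_mw: float
    residual_capacity_mw: float  # what the refusing node could still deliver


def respond(directive, deliverable_mw):
    """Receiver side: split a directive into execution and refusal observations."""
    executed = min(directive.requested_mw, max(deliverable_mw, 0.0))
    observations = []
    if executed > 0:
        observations.append(Execution(directive.directive_id, directive.target, executed))
    shortfall = directive.requested_mw - executed
    if shortfall > 0:
        # Partial execution is a refusal of the residual, never a silent success.
        # The node delivered all it could, so its declared residual capacity is zero.
        observations.append(Refusal(directive.directive_id, directive.target,
                                    Reason.CAPACITY_EXCEEDED, shortfall, 0.0))
    return observations


def replan(refusal, declared_residual_mw):
    """Originator side: pick the response class; redistribute capacity refusals."""
    action = RESPONSE[refusal.reason]
    if action != "redistribute":
        return action, [], refusal.refused_mw
    remaining, follow_ups = refusal.refused_mw, []
    # Largest declared residual first, skipping the node that just refused.
    for node, cap in sorted(declared_residual_mw.items(), key=lambda kv: (-kv[1], kv[0])):
        if remaining <= 0:
            break
        if node == refusal.node or cap <= 0:
            continue
        take = min(cap, remaining)
        follow_ups.append(Directive(f"{refusal.directive_id}/r{len(follow_ups) + 1}", node, take))
        remaining -= take
    # Any remainder is residual exposure to escalate or accept under explicit policy.
    return action, follow_ups, remaining
```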

5. Cross-Domain Cascade Composition and Multi-Authority Resolution

Real cascades cross domains. A cyber intrusion at a control-system vendor produces a credentialed cyber-domain observation that propagates to operating utilities; the utilities issue physical-domain protective directives (isolate affected substations, fall back to manual operation); the protective actions produce supply-chain-domain consequences (delivery contracts cannot be fulfilled, force majeure clauses activate); the contract status produces financial-domain observations (counterparty risk re-rated, collateral calls issued); the financial response feeds back into the cyber domain (funding constraints on remediation efforts) and the physical domain (capital-spend deferrals on hardening). Each domain has its own topology, authority structure, and admissibility policies. The cascade flows across them.

Cross-domain composition is implemented as credential cross-recognition rather than as a unified ontology. Each domain's topology is a credentialed observation under that domain's authorities. Cross-domain edges are credentialed by authorities standing in both domains: a CISA advisory standing across cyber and physical, an industry information sharing and analysis center standing across cyber and supply, a financial regulator standing across physical asset operation and counterparty exposure. A cyber-domain refusal observation crossing into the physical domain is admitted under the cross-recognized credential and produces a physical-domain re-plan; a physical-domain refusal crossing into supply produces a supply re-plan; the composition is recursive and audit-traceable.

Multi-authority resolution is the mechanism that handles directive conflicts. A utility's load-shed directive may conflict with a regional reliability authority's stability directive; a state emergency-management directive may conflict with a federal regulator's compliance directive; a port authority's diversion directive may conflict with a shipping line's contract-routing directive. The receiving node treats each directive as a credentialed observation, evaluates the set against its composite admissibility policy, and surfaces the conflict as a typed observation rather than resolving it locally with arbitrary precedence. A coordinating authority — an authority credentialed to resolve conflicts among the involved authorities — receives the conflict observation and issues a dispositive directive that supersedes the conflicting set.

The resolution process is itself audit-grade. Every original directive, every refusal, every conflict observation, every dispositive resolution, and every downstream execution is recorded in lineage with its credentials. Post-event reconstruction can walk the lineage and answer the questions regulators routinely ask after cascade events: who issued what to whom, who refused on what grounds, who resolved the conflict, and what the residual exposure was at each step. The architecture is structurally tamper-evident.
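A lineage record for the conflict-resolution flow in this section, as an added example (not code from the article or the disclosed reference implementation): each observation is addressed by the hash of its content and names its predecessors by id, so post-event reconstruction can walk from an execution back to the directives that caused it and detect altered records. The record layout, the issuer names and the content-addressing scheme are assumptions, and credential signatures are omitted.

```python
import hashlib
import json


def observation_id(body):
    """Content address: SHA-256 over a canonical encoding of the observation."""
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


class Lineage:
    def __init__(self):
        self.records = {}  # observation id -> observation body

    def record(self, kind, issuer, payload, parents=()):
        """Append an observation bound to its predecessors by their ids."""
        missing = [p for p in parents if p not in self.records]
        if missing:
            raise KeyError(f"unknown predecessor(s): {missing}")
        body = {"kind": kind, "issuer": issuer, "payload": payload,
                "parents": sorted(parents)}
        oid = observation_id(body)
        self.records[oid] = body
        return oid

    def verify(self):
        """Return ids of records that were altered or whose predecessor is gone."""
        return sorted(
            oid for oid, body in self.records.items()
            if observation_id(body) != oid
            or any(p not in self.records for p in body["parents"])
        )

    def ancestry(self, oid):
        """Walk back from one observation; predecessors are listed before successors."""
        seen, ordered = set(), []

        def visit(current):
            if current in seen:
                return
            seen.add(current)
            for parent in self.records[current]["parents"]:
                visit(parent)
            ordered.append(self.records[current])

        visit(oid)
        return ordered


def build_conflict_case():
    """Constructed scenario: two directives conflict at one utility and are resolved."""
    log = Lineage()
    shed = log.record("directive", "utility-ops", {"action": "shed-load", "mw": 300})
    hold = log.record("directive", "regional-rc", {"action": "hold-load", "mw": 300})
    # The receiver surfaces the conflict instead of picking a winner locally.
    conflict = log.record("conflict", "utility-a",
                          {"reason": "conflicting-directive"}, parents=[shed, hold])
    ruling = log.record("dispositive", "coordinating-authority",
                        {"action": "hold-load", "mw": 300,
                         "supersedes": sorted([shed, hold])}, parents=[conflict])
    done = log.record("execution", "utility-a", {"action": "hold-load", "mw": 300},
                      parents=[ruling])
    return log, shed, done
```

Content addressing only detects changes to individual records; an actor able to rewrite the whole log could recompute every id, which is why the article binds each record to its issuer's credential.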

6. Operating Parameters and Engineering Envelope

The primitive is parameterized for operating envelopes spanning microsecond synchrophasor coordination through multi-day procurement cycles. Directive propagation latencies in representative deployments range from sub-millisecond (intra-substation protective relaying) through tens of milliseconds (regional balancing authority coordination), seconds (transmission system operator dispatch), minutes (supply-chain reallocation), hours (multi-jurisdictional emergency coordination), to days (strategic procurement and force redistribution). The same observation, directive, and refusal types operate at every tier, with credential cryptography and signature verification accounting for less than one millisecond on typical hardware profiles.

Topology graphs in deployment range from tens of nodes (a single balancing authority's interchange neighbors) through thousands of nodes (a regional reliability coordinator's full topology) to hundreds of thousands of nodes (a continental supply-chain federation). Edge counts scale super-linearly with vertex counts in tightly-coupled regions and sub-linearly in loosely-coupled federations. The reference implementation supports topology graphs on the order of one million edges, with directive propagation completing within the latency budget of any tier above intra-substation.

Refusal-reason taxonomy depth is configurable per domain. The base taxonomy contains seven top-level categories; domain-specific extensions add typed sub-reasons (e.g., NERC contingency classification under capacity-exceeded, ITAR jurisdiction under policy-violation). Composite admissibility policies are evaluated in bounded time using credential indexing and pre-compiled policy automata; representative evaluation times are below ten milliseconds for policies of fewer than fifty clauses against credential sets of fewer than thirty signatures.

Confidence and priority encoding follow a five-tier classification (informational, advisory, urgent, emergency, dispositive) with explicit precedence semantics under conflict. Preemptive directives carry a forecast horizon (typically one minute through 72 hours) and a forecaster confidence (a calibrated probability or a NERC-style confidence tier). Graduated response thresholds are set per receiving node and per directive class, defaulting to monitoring-only at confidence below 0.5, capacity reservation between 0.5 and 0.8, and full execution above 0.8, with the thresholds themselves credentialed under operator policy.

7. Alternative Embodiments

Bulk power system embodiment. The primitive is instantiated across a North American Electric Reliability Corporation (NERC) footprint with balancing authorities, transmission operators, and reliability coordinators as nodes; tie lines, AGC channels, and reliability standards as edges; and contingency reserve, load shed, generation redispatch, and emergency interchange as directive types. Refusal reasons map to NERC contingency classifications, with capacity-exceeded carrying the residual MW, prerequisite-unmet referencing the missing reserve product, and policy-violation citing the specific reliability standard.

Multi-tier supply chain embodiment. Nodes are tier-one through tier-N suppliers, distribution centers, and end-customers; edges are contract relationships, shipping lanes, and regulatory compliance bindings; directives are allocation, reallocation, expediting, and substitution requests. Cross-domain composition with cyber-domain (vendor compromise events) and financial-domain (counterparty risk) is routine. Refusal-reason taxonomy adds export-control sub-reasons, lot-genealogy mismatches, and qualification-status invalidation.

Multi-domain joint operations embodiment. Nodes are coalition units, civil agencies, host-nation authorities, and shared logistics enablers; edges are command relationships, liaison channels, and combined operating areas; directives are mission tasking, force redistribution, fires coordination, and rules-of-engagement updates. Authority-insufficient refusals are common and structural — a coalition unit cannot accept a tasking from an authority outside its national chain without a credentialed liaison signature — and the primitive's escalation flow maps directly onto the existing combined-joint-task-force command lattice.

Hospital-network and public-health embodiment. Nodes are hospitals, regional health authorities, public-health agencies, and supply distributors; edges are mutual-aid agreements, transfer protocols, and reporting relationships; directives are patient-redistribution, supply-reallocation, and clinical-protocol-update events. Refusal reasons include licensure-mismatch (out-of-jurisdiction provider credentials), capacity-exceeded with bed-class breakdown, and policy-violation citing institutional review or consent constraints. The primitive composes with regional incident command structures without modification.

Civil-aviation embodiment. Nodes are airline operations centers, air navigation service providers, airport authorities, and military airspace controllers; edges are letters of agreement, sector handoffs, and ground-control-to-tower coordination relationships; directives are flow-management initiatives, ground-stop orders, miles-in-trail restrictions, and special-use-airspace activation events. Refusal reasons map to capacity constraints, equipment outages (radar, ILS, runway lighting), weather minima, and crew-duty-time limits. Cross-domain composition with the cyber domain (control-system intrusions at en-route centers) and with the supply domain (fuel availability at constrained airports) is routine.

Port-customs custody and water-system mutual-aid embodiments follow analogous patterns. In each, the topology, authorities, and directive types are domain-specific while the directive-execution-refusal architecture and the credential and lineage discipline are common. The same primitive operates across data-center fleet coordination, financial-market circuit-breaker propagation under credentialed exchange authority, and pandemic public-health resource allocation across federal, state, tribal, and territorial authorities, with the embodiment-specific work confined to taxonomy extension and authority enrollment rather than to the architectural primitive itself.

8. Composition with Broader Architecture

Cascade propagation is not a standalone module. It composes with several adjacent primitives disclosed under the same provisional and related provisionals, and the composition is what produces the architectural value beyond any single primitive's contribution.

Composition with governed-actuation. Governed-actuation defines the receiver-side discipline by which an actuation request is admitted, executed, deferred, or refused under composite admissibility. Cascade propagation supplies the upstream and lateral propagation of the resulting observations. Refusal mode, partial-execution mode, and deferred-execution mode in governed-actuation each emit the credentialed observations that cascade propagation routes upstream and across domain boundaries.

Composition with governance-chain. Governance-chain provides the credentialing primitives — authority issuance, credential delegation, revocation, and cross-authority recognition — under which directives, executions, and refusals are signed. Cascade propagation consumes governance-chain credentials at every step, and the cascade's audit-grade property is inherited from governance-chain's tamper-evident credential lineage.

Composition with forecasting and spatial context. The forecasting primitive produces predicted-disruption observations with horizon and confidence; the spatial-context primitive produces region-bound and topology-bound forecasts. Cascade propagation consumes the forecasts to issue preemptive directives and to set graduated-response thresholds; refusal observations on preemptive directives are themselves inputs to the forecaster, closing the learning loop without bypassing authority gating.

Composition with mesh-time and mesh-coordinates. Many cascade events are sensitive to time alignment (synchrophasor protection, sequence-of-events reconstruction) or to spatial scope (geographic load areas, port custody zones, theater operating areas). Mesh-time provides credentialed time without exclusive reliance on GNSS; mesh-coordinates provides credentialed position without exclusive reliance on GPS. Cascade propagation references both as observation lineage when directives or refusals carry temporal or spatial scope.

9. Prior-Art Distinctions

The primitive is distinct from NERC reliability standards. Those are policy frameworks specifying what utilities must do under contingency conditions; they prescribe behavior rather than provide an architecture. The primitive is the architecture that could carry NERC policies with structural refusal feedback and cross-authority coordination. NERC compliance behavior maps onto admissibility policies; the architecture is policy-agnostic.

The primitive is distinct from circuit-breaker and bulkhead patterns in distributed software systems. Those isolate failure within one service to prevent it from propagating to callers. The primitive's refusal is not isolation; it is a structured upstream observation that enables originator re-planning. Circuit breakers do not carry credentialed reason taxonomies, do not propagate across authority boundaries, and do not produce audit-grade lineage.

The primitive is distinct from reinforcement-learning value-function fail-safes. RL fail-safes constrain a learned policy from taking actions whose value falls below a safety threshold; the constraint is internal to the learning agent. The primitive's refusal is external, credentialed, and propagated; it is not a learned policy and does not depend on learned value estimates. RL agents can be participants whose actuations are subject to governed-actuation and whose refusals participate in cascade propagation.

The primitive is distinct from blockchain supply-chain visibility platforms. Those produce tamper-evident records of in-transit inventory and chain-of-custody events. They do not represent directives, refusals, or authority structure; they are passive ledgers, not coordination architectures. The primitive's lineage is tamper-evident in the same sense, but the load-bearing contribution is the credentialed directive-refusal exchange, not the immutability of the record.

The primitive is distinct from JADC2 / CJADC2 program architectures. Those are integration efforts whose target architecture the primitive could implement; the primitive is broader than any single program scope and is not bound to defense applications. The primitive is also distinct from federated-learning gradient aggregation, multi-agent reinforcement learning communication protocols, and consensus protocols (Paxos, Raft, PBFT), each of which addresses a different problem and lacks the credentialed-refusal observation type.

10. Disclosure Scope

This article describes architectural primitives and embodiments disclosed under USPTO provisional patent application 64/049,409. The disclosure includes refusal as a first-class governed observation type, the structured refusal-reason taxonomy and its domain-specific extensions, the directive-execution-refusal exchange under composite admissibility, governance-credentialed multi-authority topology graphs, authority-approval-gated topology learning, cross-domain cascade composition through credential cross-recognition, multi-authority directive resolution through dispositive coordinating-authority observations, and preemptive graduated response gated on forecaster confidence and operator policy.

The disclosure spans bulk power system, multi-tier supply chain, multi-domain joint operations, hospital-network public-health, civil aviation, port-customs custody, and water-system mutual-aid embodiments without limitation to those domains. The primitive is domain-agnostic; the embodiments illustrate rather than constrain. Composition with governed-actuation, governance-chain, forecasting, spatial-context, mesh-time, and mesh-coordinates primitives is disclosed as part of the broader architecture.

The primitive is distinguished from NERC reliability standards, circuit-breaker and bulkhead patterns, reinforcement-learning fail-safes, blockchain supply-chain ledgers, JADC2 program architectures, federated-learning aggregation, and consensus protocols, each of which addresses a different problem or lacks the credentialed-refusal observation type that is the load-bearing contribution. Claim scope is reserved for the corresponding non-provisional and continuation filings.
