Deep Space Agent Execution Without Ground Control

by Nick Clark | Published March 27, 2026

A Mars rover operates with a one-way light delay of four to twenty-four minutes; a Europa orbiter with delays exceeding an hour; an interstellar precursor with delays measured in days. The speed of light makes real-time ground control physically impossible, yet NASA NPR 8715 mission safety, NPR 7150 software engineering, NASA-STD-8729 reliability and maintainability, ITAR and EAR export-control regimes, FCC Part 25 satellite licensing, FAA Part 450 launch and reentry licensing, the 1967 Outer Space Treaty's state-responsibility doctrine, and the equivalent regimes operated by ESA, JAXA, and ISRO all presuppose accountable, auditable, governed decision-making. The procedural answer to this contradiction has been pre-planned command sequences and narrowly-bounded onboard autonomy, both of which leave science on the table and neither of which scales to the missions now in formulation. Memory-resident execution lets a spacecraft carry its complete mission as a persistent semantic execution context that self-evaluates opportunities, mutates plans under governance, and produces a lineage record that satisfies the auditability obligations of every regime above without waiting for Earth.


Regulatory Framework

Spaceflight is one of the most heavily-regulated engineering domains in existence, and autonomous spaceflight inherits every regulatory layer of conventional spaceflight while adding new ones. NASA NPR 8715.3 General Safety Program Requirements establishes the agency-wide safety framework for crewed and uncrewed missions, requiring documented hazard analyses, risk classifications, and mitigation strategies. NPR 8715.6 Planetary Protection Provisions, which derives from Article IX of the Outer Space Treaty, imposes biological and chemical contamination controls on missions to bodies of biological interest, and these controls bind the spacecraft's behavior, including its autonomous behavior, at target bodies.

NPR 7150.2 NASA Software Engineering Requirements classifies flight software by safety criticality and imposes increasingly stringent process requirements at higher classifications. Class A and B software, which includes mission-critical and safety-critical flight code, requires documented requirements traceability, formal verification activities, configuration management, and acceptance testing before flight authorization. Autonomous decision-making code falls within these classes, and the requirements traceability extends to the decisions the code makes during operations.

NASA-STD-8729.1 Planning, Developing, and Managing an Effective Reliability and Maintainability Program imposes reliability analyses, failure mode and effects analyses, and maintainability provisions on flight systems. Autonomous systems must demonstrate that their decision behavior is analyzable under the standard's framework, including the ability to identify failure modes of the autonomy itself and to define mitigations for autonomy failures.

Export control regimes intersect spaceflight pervasively. The International Traffic in Arms Regulations administered by the State Department's DDTC cover spacecraft and related technical data classified under USML Category XV, with autonomy software frequently falling within Category XV(f), software directly related to spacecraft. The Export Administration Regulations administered by Commerce's BIS cover dual-use spacecraft technology under ECCN 9-series classifications. Onboard autonomy software, training data for that software, and the operational artifacts the software produces during the mission can each be export-controlled, and any system that ships autonomy as a service or that transmits autonomy state to non-US ground stations must comply with the applicable license and exemption framework.

FCC Part 25 governs satellite communications licensing for space stations and earth stations operated under US authority. Authorization for spacecraft operations includes representations about command authority, telemetry, and autonomous behavior that affect spectrum use. FAA Part 450 governs launch and reentry licensing under the Commercial Space Launch Act, including safety analyses for autonomous flight termination and trajectory control during launch and reentry phases.

The Outer Space Treaty of 1967, particularly Articles VI, VII, and IX, establishes that states bear international responsibility for national space activities, including those of non-governmental entities, and bear liability for damage caused by their space objects. State responsibility extends to the autonomous behavior of state-licensed spacecraft, which means that the licensing and oversight regime must reach autonomous decision-making in a way that supports state-level accountability for its outcomes. The Liability Convention and Registration Convention extend this framework with operational obligations.

ESA's ECSS standards, JAXA's JERG and JMR standards, and ISRO's mission-assurance frameworks impose analogous requirements within their jurisdictions, and joint missions often must satisfy multiple regimes simultaneously. The ECSS-Q-ST-80 software product assurance standard and ECSS-E-ST-40 software engineering standard play roles analogous to NPR 7150 in European missions, with similar criticality classifications and process expectations.

Architectural Requirement

The regulatory framework above produces an architectural requirement that conventional autonomy approaches do not satisfy. The requirement has four components.

First, the autonomy must be governed by mission policy in a manner that is documented, auditable, and analyzable. NPR 7150 requirements traceability and NASA-STD-8729 reliability analysis presuppose that the system's decision-making is expressible in terms a reviewer can analyze. A neural-network controller whose decisions are not decomposable into governance predicates fails this expressibility test for high-criticality classifications.

Second, the autonomy must operate under finite onboard resources including power, thermal margin, propellant, data downlink budget, and computational capacity. Mission policy must encompass these resource constraints because autonomous decisions consume them, and exhaustion of any one constraint is mission-ending. Resource accounting must be intrinsic to the decision process, not a post hoc check that catches violations after they occur.

Third, every autonomous decision must produce evidence sufficient for ground review. This is both a regulatory requirement under NPR 7150's traceability and NASA-STD-8729's analyzability, and an operational requirement because ground operations must be able to reconstruct the spacecraft's reasoning to plan subsequent operations and to diagnose anomalies.

Fourth, the autonomy must operate within the planetary protection, export control, and treaty constraints that bind the mission as a whole. A rover that crosses into a planetary-protection special region without authorization, a probe that downlinks autonomy state to a non-licensed ground station, or a spacecraft that takes an action affecting other states' space objects without coordination produces violations whose consequences extend beyond the mission.

Conventional pre-planned command sequences satisfy these requirements at the cost of forfeiting any opportunity that arises between planning cycles. Conventional onboard autonomy, exemplified by AEGIS on Mars rovers, satisfies a narrow band of opportunistic behavior within tightly-bounded parameters but does not generalize to mission-strategy autonomy. The architectural requirement is for an autonomy substrate that lifts the governance, resource accounting, traceability, and constraint reasoning into a structural property of the autonomy itself, so that the autonomy can be granted broader scope without losing the auditability that the regulatory regime requires.

Why Procedural Compliance Fails

Procedural compliance for space autonomy currently consists of pre-planned command sequences validated on the ground, narrow onboard autonomy bounded by operator-set parameters, post-event telemetry review, and configuration-managed software releases. This stack fails the missions now in formulation for reasons that the operating community has documented and that the regulatory community is beginning to acknowledge.

Pre-planned command sequences forfeit science opportunities that arise between planning cycles. A Mars rover that finds a previously-unobserved geological feature between sols of command upload cannot investigate it unless the contingency was anticipated and pre-encoded. A flyby probe that detects a feature during the encounter window cannot reframe its observations because the encounter is shorter than the round-trip light time. These forfeitures are not edge cases; they are the dominant cost of communication-bounded operations, and they grow with mission distance.

Narrow onboard autonomy bounded by operator-set parameters generalizes poorly. AEGIS-style target selection works because the parameter space is small and the failure modes are characterized. Mission-strategy autonomy, including reformulation of observation plans based on accumulated results, has a larger parameter space whose failure modes are not characterized by any operator-set parameter. Extending the parameter space without extending the governance substrate exposes the mission to autonomy failures that do not produce traceable telemetry.

Post-event telemetry review is structurally lagging. By the time ground operations review the telemetry from an autonomous decision, the spacecraft has moved past the decision point. Anomaly diagnosis becomes archaeology rather than steering, and corrective action is limited to future planning cycles. NASA-STD-8729 reliability analysis presupposes that anomalies are diagnosable from artifacts the system produces; an autonomy stack that produces only output telemetry without decision lineage produces archaeology, not diagnosis.

Configuration-managed software releases satisfy NPR 7150 process requirements for the code itself but say nothing about the artifacts the code produces during operations. The autonomy system that is configuration-managed is the one on the ground; the one in flight may have processed inputs the ground system never saw and produced internal states the ground system cannot reconstruct. The traceability obligation of NPR 7150 ranges over decisions, not just code.

The procedural stack also fails the export-control and treaty regimes when autonomy operates in a manner that produces export-controlled artifacts or treaty-relevant actions. ITAR-controlled autonomy state transmitted to a non-licensed ground station is a violation regardless of intent; planetary-protection-relevant autonomous actions taken in special regions without authorization create state-responsibility consequences that no procedure can retroactively cure.

What the AQ Primitive Provides

AQ memory-resident execution lifts the spacecraft's mission into a persistent semantic execution context that the spacecraft carries as an operational artifact. The execution object encodes the scientific objectives, the prioritized observation plan, the resource budgets, the risk thresholds, the planetary-protection constraints, the export-control bindings, and the governance policy as a single integrated structure. The autonomy is not a controller invoked over a state vector; it is a self-evaluating execution that mutates its own plan under governance.

When the spacecraft encounters an opportunity, the execution object evaluates the opportunity against its mission objectives, proposes a plan mutation that would investigate it, and validates the mutation against the governance bound to the object. The validation includes resource feasibility against the budgets, risk feasibility against the thresholds, and constraint feasibility against the planetary-protection, export-control, and treaty bindings. A mutation that violates any binding is rejected before it is committed, and the rejection is recorded in the lineage. A mutation that passes is committed, executed, and recorded.

The lineage is a structural property of the execution rather than an output of a logging system. Each plan mutation, the governance evaluation that authorized it, the resource accounting that accompanied it, and the observed outcomes are recorded in the execution object's persistent state. The record is what NPR 7150 traceability requires, what NASA-STD-8729 reliability analysis presupposes, and what mission operations need for steering. It is produced as a side effect of the execution itself and cannot be lost separately from the execution that produced it.

The execution object's resource accounting is intrinsic. Budgets for power, thermal margin, propellant, downlink, and computation are reduced as decisions are made, and proposed mutations are evaluated against the remaining budget before commitment. Resource exhaustion is a governance failure that causes the proposing mutation to be rejected, not a runtime failure that strands the spacecraft after the resource is spent.

The constraint substrate is uniform across regulatory bindings. Planetary-protection constraints, export-control bindings, treaty obligations, and mission-policy constraints are all expressed as predicates evaluated by the same admissibility check that evaluates resource and risk constraints. This produces a single locus of governance that can be analyzed under NPR 7150, NASA-STD-8729, and the equivalent ECSS, JERG, and ISRO standards.

The execution object is uplinkable and downlinkable as a structural artifact. Ground operations can review the current execution state, propose policy updates that bind on subsequent decisions, and reconstruct the exact reasoning that led to a given action by replaying the lineage. This is the operational analog of the analyzability that the regulatory regime presupposes, supplied as a property of the autonomy rather than as an interpretive overlay.
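The validate-then-commit loop and ground-side lineage replay described in this section can be sketched as follows. This is an added example, not code from the article or from AQ; every name in it (`ExecutionObject`, `propose`, `replay`, the budget keys, the station and region labels) is hypothetical, and the hash chaining of lineage entries is an assumption introduced here so that replay also detects edited records.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed chain anchor; the article does not specify hash chaining

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ExecutionObject:
    """Hypothetical model: budgets, risk threshold, bindings and lineage in one object."""
    def __init__(self, budgets, risk_threshold, bindings):
        self.initial, self.budgets = dict(budgets), dict(budgets)
        self.risk_threshold = risk_threshold
        self.bindings = bindings      # binding name -> predicate(mutation) -> bool
        self.lineage = []

    def evaluate(self, m):
        """Single admissibility check; returns the names of violated bindings."""
        bad = [f"budget:{r}" for r, amt in m["cost"].items()
               if r not in self.budgets or amt < 0 or amt > self.budgets[r]]
        bad += ["risk"] if m["risk"] > self.risk_threshold else []
        return bad + [name for name, ok in self.bindings.items() if not ok(m)]

    def propose(self, m):
        """Validate first, debit budgets only on commit, record the outcome either way."""
        violations = self.evaluate(m)
        if not violations:
            for r, amt in m["cost"].items():
                self.budgets[r] -= amt
        entry = {"seq": len(self.lineage), "mutation": m["name"], "objective": m["objective"],
                 "cost": m["cost"], "violations": violations, "committed": not violations,
                 "remaining": dict(self.budgets),
                 "prev": self.lineage[-1]["digest"] if self.lineage else GENESIS}
        entry["digest"] = _digest(entry)
        self.lineage.append(entry)
        return entry["committed"]

def replay(initial, lineage):
    """Ground-side review: recompute the chain and the budgets from the lineage alone."""
    budgets, prev = dict(initial), GENESIS
    for e in lineage:
        body = {k: v for k, v in e.items() if k != "digest"}
        budgets = {r: v - (e["cost"].get(r, 0) if e["committed"] else 0) for r, v in budgets.items()}
        if e["prev"] != prev or _digest(body) != e["digest"] or budgets != e["remaining"]:
            return False
        prev = e["digest"]
    return True

def demo():
    # Constructed scenario; station and region labels are placeholders.
    eo = ExecutionObject({"power_wh": 100, "downlink_mb": 50}, 0.3, {
        "planetary_protection": lambda m: m.get("region") != "special_region",
        "export_control": lambda m: m.get("downlink_to", "GS-LICENSED") == "GS-LICENSED"})
    plan = [
        {"name": "image_outcrop", "objective": "geology", "risk": 0.1, "cost": {"power_wh": 30, "downlink_mb": 20}},
        {"name": "enter_gully", "objective": "geology", "risk": 0.2, "cost": {"power_wh": 10}, "region": "special_region"},
        {"name": "send_state", "objective": "ops", "risk": 0.0, "cost": {"downlink_mb": 5}, "downlink_to": "GS-OTHER"},
        {"name": "deep_drill", "objective": "geology", "risk": 0.2, "cost": {"power_wh": 90}}]
    return eo, [eo.propose(m) for m in plan]
```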

Compliance Mapping

NPR 8715 mission safety maps onto the execution object's risk thresholds and the admissibility check that enforces them. Hazard analyses produce predicates that are evaluated at every plan mutation; risk classifications determine the thresholds; mitigation strategies are encoded as alternative mutations that the execution explores when a primary mutation is rejected.

NPR 7150 software engineering requirements map onto the execution object as a configuration-managed artifact whose internal structure preserves requirements traceability. Each policy predicate links to the requirement it implements; each lineage entry links to the policy predicates evaluated; each plan mutation traces to the objective it advances. The traceability that NPR 7150 obliges as a process becomes a structural property of the execution.

NASA-STD-8729 reliability and maintainability maps onto the lineage as the artifact reliability analysis consumes. Failure mode and effects analysis of the autonomy is performed against the policy and the admissibility check, which are the loci where autonomy decisions are made. Maintainability is supplied by the uplinkable policy: ground operations update the policy as understanding evolves without redeploying the autonomy substrate.

ITAR and EAR export-control bindings map onto admissibility predicates that constrain autonomy state transmission, derivative-data production, and tool use. An execution object operating under an ITAR binding rejects mutations that would transmit controlled state to non-licensed ground assets and records the rejection in lineage suitable for compliance review.

FCC Part 25 satellite licensing maps onto autonomy-relevant license representations: command authority, telemetry, autonomous behavior. The execution object's policy expresses the licensed envelope of autonomous behavior, and the lineage demonstrates operation within the envelope. FAA Part 450 launch and reentry licensing maps onto the autonomous flight termination and trajectory-control governance that the standard imposes during launch and reentry phases.

Outer Space Treaty Articles VI, VII, and IX map onto state-responsibility bindings. Autonomous actions that affect other states' space objects, that occur in regions of treaty interest, or that produce environmental contamination subject to Article IX are governed by predicates that align the autonomy with state-level commitments. The Liability Convention and Registration Convention's operational obligations are similarly expressible.

ESA ECSS-Q-ST-80 and ECSS-E-ST-40, JAXA JERG and JMR standards, and ISRO mission-assurance frameworks map onto the execution object analogously to NPR 7150 and NASA-STD-8729. Joint missions operating under multiple regimes encode the union of the regimes' requirements as policy predicates evaluated by a single admissibility check, which avoids the dual-stack governance overhead that joint missions otherwise carry.

Adoption Pathway

Missions adopt memory-resident execution incrementally rather than as a wholesale replacement for existing flight software. The first phase wraps an existing autonomy capability, such as AEGIS-style target selection, with the execution-object substrate. The wrapping does not change the underlying capability's behavior but produces the lineage that the regulatory regime presupposes and that mission operations need for steering. Existing NPR 7150 traceability artifacts are preserved, and the lineage extends them with operational detail.

The second phase extends the policy bound to the execution object beyond the wrapped capability's parameter space. Mission operators encode the strategic-level governance, including resource budgets, risk thresholds, and planetary-protection constraints, as predicates evaluated by the admissibility check. The autonomy gains the ability to propose mutations beyond the wrapped capability's original scope, with the new mutations governed by the extended policy.

The third phase replaces pre-planned command sequences for opportunistic-science windows with execution-object operation. Ground operations continue to upload strategic-level plans, but the spacecraft executes opportunistic science within the planned envelope under autonomous governance. Science return per unit time increases because the spacecraft acts on opportunities between communication windows; lineage replaces telemetry as the primary review artifact for the opportunistic-science windows.

The fourth phase extends to mission-strategy autonomy on missions where communication latency, encounter brevity, or operational tempo make ground steering inadequate. Outer solar system missions, flyby probes, lunar surface operations, and Mars subsurface exploration adopt mission-strategy autonomy under execution-object governance. Joint missions adopt the substrate as the locus where multiple regulatory regimes' requirements are reconciled.

The final phase is the operational baseline for missions whose communication architecture makes pre-planned command sequences structurally inadequate. Interstellar precursors, deep-Kuiper missions, and long-duration crewed missions to Mars and beyond adopt memory-resident execution as the autonomy substrate of record, and the regulatory regime's traceability, analyzability, and accountability obligations are satisfied by the lineage that the substrate produces as a structural property of operation. The result is an autonomy posture that does what physical communication latency makes necessary while satisfying what the regulatory regime makes obligatory, with the same artifact serving both purposes.
