Field notes · 20 May 2026

The Senior Service: what the factory borrowed from 480 years of Royal Navy engineering tradition.

Read this as: Plain English Formal-methods reader

The Royal Navy is the senior of the British armed forces by a comfortable margin. Henry VIII gave it its permanent standing in 1546; Charles II gave it the "Royal" name in 1660. By either count we are closer to its five-hundredth birthday than its four-hundredth. The lineage is uninterrupted, and the engineering culture that grew up around it — at Portsmouth, Chatham, Devonport, Rosyth, and on every ship that sailed under the white ensign — is one of the most rigorous in the world.

When we sat down to build the Dark Factory we did not invent its conventions from scratch. Several of the disciplines that make the factory's output trustworthy are borrowed, directly and unashamedly, from the Senior Service. Some of them are obvious. Some less so. None of them are accidents.

Standing watches and clean handovers

A ship at sea runs on the watch system: four hours on, four hours off, every officer of the watch handing the deck over to the next with a formal report. The wind. The course. The crew. Anything not normal. The relieving officer formally acknowledges before the previous one steps down. The ship never has a moment when nobody is watching it.

The Dark Factory runs on the same principle. Every working session ends with a handover note written for the next session — what was done, what's still in flight, what's broken, what's about to change. The next session begins by reading that note before any new work starts. There is never a moment when the factory has nobody watching it. It is not a metaphor; it is the same discipline applied to a different medium.

The captain's log

Every ship of the Royal Navy keeps a logbook. Every event of note — weather, fix, signal, sighting, alteration of course, change of watch — is entered with the date, the time, and the initials of the officer responsible. The log is auditable. It is not a marketing document; it is what an Admiralty Board, or a court martial, would read if anything went wrong.

Our portfolio page now carries a production ledger of the same form: every individual source file the factory has put through the pipeline, with date, line count, package count, and verdict. Anything we will not defend, we do not list. Anything we will defend, we list with the row open to inspection. When yesterday we caught ourselves overclaiming and had to deflate the public counter, we did it the same way a captain enters a navigational correction in the log — visibly, dated, and signed.

Damage control

The Royal Navy's damage-control doctrine is one of the most studied in the world. When a ship is hit, the damage-control parties move to the affected compartments, isolate the damage, contain the spread, restore what can be restored, and report up the chain. The doctrine assumes hits will happen. The discipline is in the response.

The factory's audit-and-roll-back culture comes from the same place. When we discover an output we cannot defend, we contain it (mark the bogus rows in the ledger), isolate it (re-run with the corrected pipeline), restore what we can (the recovered rows go back in), and tell anyone reading the page what happened. We do not pretend it didn't. The discipline is in the response.

Charts the rest of the world uses

For two centuries the British Admiralty's hydrographic charts have been the reference standard used by foreign navies, merchant shipping, fishing fleets, and yachtsmen who have never seen a Union Jack. The Royal Navy chose to give those charts away — because it was the right thing to do, and because the charts became more trusted the more widely they were used.

Every package the factory ships is open-source, under either Apache 2.0 (where we created it clean-room) or whatever permissive licence the source code carried. Anyone — UK research lab, foreign university, hobbyist, commercial competitor — can take our SPARK-Ada modernisations and use them. The charts get more trusted the more widely they are used. The Admiralty understood this in 1795. We understand it in 2026.

Defence in depth

A warship is built in layers. Outer hull, armour belt, watertight bulkheads, internal compartments, redundant power, redundant steering, redundant communications. No single hit should sink the ship. The doctrine is older than steam.

The factory's pipeline is built in layers too. The output of every stage is checked by the next, and a bad output is caught before it can poison the one downstream. No single mistake should reach the final ledger. The doctrine is older than electricity.

The Senior Service framing

Formal verification has been called the senior service of software engineering — the discipline that has been around the longest, that the others borrow from, that the others are slowly catching up to. Aircraft flight-control, rail-signalling, nuclear plant control, banking-card key-management: all of them have travelled the formal-methods road that SPARK and Ada lead. The Dark Factory's bet is that the road keeps widening, and that the codebases the world cannot afford to get wrong will, sooner or later, all want to be on it.

The Royal Navy got to 480 by treating engineering rigour as the default and inattention as the exception. The factory means to do the same. Anything less, and the rest of the analogy collapses.