ODDC // Sentinel Authority

The Physics of Permission.

A voluntary conformance and evidence framework for autonomous systems.

ODD Conformance Determination (ODDC) is Sentinel Authority's conformance determination against a declared Operational Design Domain (ODD) plus ENVELO enforcement requirements. ODDC attests that evidence supports operation within the declared ODD, with ENVELO-compliant enforcement present and auditable.

Independent conformance determination. Not a regulator. Not legal advice. Implementations remain the operator's responsibility.

ODDC does not attest safety, compliance, cybersecurity, or performance.

Conformance determination for autonomous actuation within bounded operational design domains.

Requests are evaluated for critical infrastructure operators, insurers, and licensed implementers. Determinations may support underwriting and regulatory review.

ODDC + ENVELO

ODDC answers: "Where is this autonomous system allowed to operate?"
ENVELO answers: "What prevents it from operating outside that boundary?"
Without ENVELO, ODDC would be paperwork. With ENVELO, ODDC becomes enforceable.

ODDC

  • Operational Design Domain — the formally specified boundary of permitted autonomous action.
  • Conformance verification — evidence that the system respects its ODD at runtime.
  • Auditable record — signed conformance artifact for regulators, insurers, and counterparties.
  • Revocable — conformance determination subject to suspension upon evidence of material deviation, drift, or enforcement failure.

ENVELO Requirements

ENVELO defines enforcement requirements. Sentinel Authority does not implement, operate, or monitor runtime systems.

Enforcer for Non-Violable Execution & Limit Oversight — the runtime enforcement layer that makes a declared operating boundary real. A non-bypassable interlock.

ENVELO is a method designation describing non-bypassable enforcement requirements, not a product or platform.

  • Non-bypassable interlock (required) — enforcement mechanism must validate actions before execution.
  • Fail-closed behavior (required) — out-of-domain actions must be blocked or overridden.
  • Runtime comparison (required) — operator must demonstrate state evaluation against ODD constraints.
  • Tamper-evident logging (required) — boundary interactions must be recorded for audit.
  • Architectural consonance (required) — safe operational envelope must be derived from the same physics-based simulation used to generate synthetic training data for the control model.
REQUIREMENTS, NOT SOFTWARE

What ODDC requires

ODDC is determined only when the Operational Design Domain is formally defined, evidence supports stable operation within it, and ENVELO-compliant runtime enforcement is present and auditable.

Minimum criteria

  • ODD formally specified — Operational Design Domain defined with objective constraints and tolerances.
  • Evidence of stable behavior within ODD — Convergence/stability thresholds satisfied across relevant operational regimes.
  • ENVELO enforcement present — Non-bypassable interlock validates actions before execution; fail-closed behavior defined.
  • Auditability & traceability — Signed authorization record + tamper-evident audit log reference.
  • Revocation & drift handling — Clear rules for suspension/revocation upon ODD violation, drift, or audit failure.

Material Deviation

Any state, trajectory, or enforcement failure that exceeds attested tolerances or violates defined invariants.

Conformance states

Enterprise-native states for operational governance.

  • Observe (NO ACTUATION) — Telemetry only; autonomy prohibited.
  • Bounded (LIMITED) — Constrained autonomy; elevated overrides and review.
  • Conformant (CONFORMANT) — Autonomy permitted within declared ODD; continuous ENVELO-compliant enforcement.
  • Revoked (SUSPENDED) — Autonomy suspended pending remediation and re-evaluation.

What ODDC Attests

ODDC attests that, at the time of determination:

  • The applicant has formally specified an Operational Design Domain
  • Evidence demonstrates stable system operation within the declared ODD
  • ENVELO-compliant runtime enforcement is architecturally present
  • Enforcement mechanisms have been verified through CAT-72
  • Tamper-evident audit records exist and are available for inspection

What ODDC Does Not Attest

ODDC does not determine, certify, or attest:

  • Functional safety of the underlying system
  • Regulatory compliance (safety, environmental, or otherwise)
  • Cybersecurity posture or resilience
  • System performance, accuracy, or reliability
  • AI model correctness or fitness for purpose
  • Compliance with any jurisdiction's legal requirements

ODDC does not transfer liability from the operator to Sentinel Authority. Applicants remain solely responsible for implementation quality, operational compliance, and all regulatory obligations.

Convergence Authorization Test (CAT-72)

ODDC is issued only after successful completion of the Convergence Authorization Test (CAT-72), a formal evidentiary procedure establishing bounded autonomous behavior across operational regimes.

Demonstration Requirements

  • 72-hour continuous convergence demonstration — sustained operation within declared ODD bounds.
  • Multi-regime operational stress testing — performance across edge conditions and transitions.
  • Fail-closed ENVELO enforcement on material deviation — verified halt behavior outside ODD.
  • Cryptographically verifiable evidentiary record — tamper-evident demonstration log.

Issuance & Renewal

CAT-72 completion is required for both initial ODDC determination and periodic renewal. Waivers are not issued.

REQUIRED FOR CONFORMANCE

Tolerance Declaration

Applicants declare operational tolerances as part of their ODD specification prior to CAT-72 commencement. Sentinel Authority does not prescribe universal tolerances; tolerances are domain-specific and determined by the applicant based on:

  • Equipment manufacturer specifications
  • Regulatory requirements applicable to the operational domain
  • Risk profile and consequence severity
  • Industry standards and best practices

CAT-72 verifies that the system operates within the applicant's declared tolerances throughout the test period. Declared tolerances must be quantitative, bounded, and documented. Tolerance declarations cannot be modified during the CAT-72 test period.

Architectural Evidence Requirements

CAT-72 evidentiary records must demonstrate architectural consonance between the system's learned control policy and its safety enforcement mechanisms. This ensures autonomous behavior is bounded by physics-validated constraints derived from consistent modeling assumptions.

  • Simulation identification — platform, version, governing equations, solver configuration, geometry model reference
  • Training data provenance — hash of simulation configuration at generation, hash of synthetic dataset, sensor mapping, signed attestation
  • Safety envelope derivation — hash of simulation configuration at envelope computation, derivation methodology, signed attestation
  • Consonance verification — matching simulation configuration hashes, common governing equations, attestation of no independent derivation

Architectural consonance ensures the learned control policy operates within a state space inherently bounded by the same physics model that defines safety constraints. Derivation from independent simulations introduces model-safety mismatch that compromises runtime enforcement integrity.

If the physics-based simulation is updated after initial ODDC, both training data and safety envelope must be re-derived and new CAT-72 completion is required.

What ODDC confers

ODDC is structured to support underwriting review as a first-class risk control for autonomous infrastructure.

Conformance Rights

  • Declared Operational Design Domain — facility + domain scope definition.
  • Bounded autonomous actuation rights — permitted actions within declared ODD.
  • Signed evidence artifact — for regulators, insurers, and counterparties.
  • Defined validity term — time-bounded conformance window.
  • Revocable upon evidence of deviation or drift — continuous conformance requirement.

Conformance terms are issued based on operational scope, ODD complexity, and domain risk profile.

Scope Exclusions

ODDC does not determine or attest: functional safety, regulatory compliance, cybersecurity posture, system performance, AI model accuracy, or fitness for any particular use. ODDC attests only that evidence supports operation within declared ODD bounds with ENVELO-compliant enforcement present and auditable. All other determinations remain the responsibility of operators, regulators, and qualified assessors.

How ENVELO enforcement works

ENVELO requires a non-bypassable control boundary between decision logic and action: predict → evaluate → execute. The system is architected such that out-of-domain actions are prevented, even under autonomous decision pressure. Sentinel Authority defines the requirement; operators implement it.

[Diagram labels: AI model, proposed action, ENVELO interlock, actuator, block, override, audit]

Illustrative enforcement flow. Actual implementations are designed, deployed, and operated by system owners and licensed implementers.

  • Phase 01: Signal interception — Model outputs are routed through the interlock before reaching actuator interfaces.
  • Phase 02: ODD validation — Proposed actions are evaluated against the declared ODD and trajectory limits.
  • Phase 03: Fail-closed enforcement — Out-of-domain actions are blocked or overridden; events are logged for auditability.
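
The three phases above as a minimal sketch. This is an added example, not Sentinel Authority or implementer code; the ODD variables, their bounds, `SAFE_ACTION`, and the function names are all assumptions made for illustration.

```python
import math

# Hypothetical ODD: closed bounds per variable (constructed values).
ODD = {"valve_pct": (0.0, 80.0), "ramp_pct_per_s": (-5.0, 5.0)}
SAFE_ACTION = {"valve_pct": 0.0, "ramp_pct_per_s": 0.0}  # assumed safe state


def evaluate(action, odd=ODD):
    """Return (in_domain, reason). Anything not provably in-domain is out."""
    if not isinstance(action, dict) or set(action) != set(odd):
        return False, "action fields do not match ODD variables"
    for name, (lo, hi) in odd.items():
        value = action[name]
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False, f"{name}: non-numeric value"
        if not math.isfinite(value):  # NaN compares False to every bound
            return False, f"{name}: non-finite value"
        if not lo <= value <= hi:
            return False, f"{name}: {value} outside [{lo}, {hi}]"
    return True, "within ODD"


def interlock(action, actuate, audit):
    """Evaluate, then execute. The actuator is reached only through here."""
    try:
        ok, reason = evaluate(action)
    except Exception as exc:  # an evaluator fault counts as out-of-domain
        ok, reason = False, f"evaluator error: {exc!r}"
    applied = action if ok else SAFE_ACTION  # override instead of passing through
    audit.append({"proposed": action, "allowed": ok,
                  "reason": reason, "applied": applied})
    actuate(applied)
    return ok
```

Fail-closed here means the default answer is "no": missing or extra fields, NaN, non-numeric values, and exceptions inside the evaluator all produce the safe action and an audit entry.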

Conformance record

An ODDC record binds scope, criteria satisfaction, and conformance state. It is designed to be tamper-evident, independently verifiable, and structured for post-incident evidentiary clarity.

ODDC RECORD — NON-NORMATIVE EXAMPLE

  • Authority: Sentinel Authority
  • Conformance ID: SA-ODDC-2026-0001
  • Issued (UTC): 2026-01-04T00:00:00Z
  • Validity: 2026-01-04T00:00:00Z → 2027-01-04T00:00:00Z
  • Scope: Autonomous control permitted within declared ODD only
  • Evidence: CAT-72 convergence + stability across regimes — PASS (illustrative)
  • Enforcement: ENVELO fail-closed interlock; block/override + audit
  • Record hash: 8f2a…c91d
  • Signature: SA-SIG-1
  • Audit log ref: SA-LOG-2026-0001

This is an illustrative example for format only. Production deployments should populate domain-specific envelope parameters, validity window, and audit log reference. Record hash is computed over the record fields in canonical order; verification instructions appear in the Evidence Schema & Audit Format specification.

What the record proves

  • Scope — what autonomous actions are permitted within the declared ODD.
  • Criteria — what evidence was satisfied at conformance determination time.
  • Enforcement — how ENVELO-compliant mechanisms enforce the ODD at runtime.
  • Auditability — how third parties verify integrity and traceability.
  • Revocation — how conformance can be suspended upon evidence of changed conditions.

Process & Fees

From initial inquiry to conformance determination: timeline, requirements, and fee structure.

Conformance Timeline

  1. Initial Inquiry — Submit conformance review request via email. Response within 5 business days.
  2. Scope Assessment — Sentinel Authority evaluates operational scope, ODD complexity, and domain risk profile. Deliverable: scope assessment and fee estimate. Timeline: 10 business days.
  3. Documentation Review — Applicant submits ODD specification and ENVELO implementation documentation. Review for completeness and requirement alignment. Timeline: 15-30 business days.
  4. CAT-72 Scheduling — Test window coordination and pre-test configuration verification. Scheduled within 30 days of documentation approval.
  5. CAT-72 Execution — 72-hour minimum continuous test period. Real-time monitoring by applicant; evidentiary record generation.
  6. Conformance Determination — Evidentiary record review and analysis. Pass/fail determination against published criteria. Timeline: 10 business days from test completion.
  7. Issuance — Conformance record issued with validity period. Listing in Sentinel Authority conformance registry. ODDC mark authorization granted.

Total timeline: 60-90 days from initial inquiry to conformance determination (assumes no deficiencies).

Fee Schedule

Fees determined by operational scope, ODD complexity, and domain risk profile.

  • Scope Assessment — $2,500 (standard) / $5,000 (complex systems). Applied toward conformance fees if proceeding.
  • Single-ODD Conformance — $15,000 - $35,000
  • Multi-ODD System — $35,000 - $75,000
  • Enterprise/Fleet — Custom quotation
  • On-site Witness Testing — $5,000 + travel (optional)
  • Annual Maintenance — $2,500/year (registry listing, mark authorization, mid-cycle review)
  • Renewal — 50% of original fee (required per renewal schedule: 6-24 months based on risk)

Payment terms: 50% upon documentation submission, 50% upon determination. Fees non-refundable upon failed determination.

Evidence Schema

CAT-72 evidentiary records must contain the following sections:

  • Header Block — Conformance ID, applicant/facility identification, ODD reference, test timestamps
  • ODD Specification — Declared boundaries, tolerance specifications, constraint definitions, safe states
  • Telemetry Log — Continuous state recordings (min 1 Hz critical variables), hash-chain linked
  • Interlock Event Log — All activations with timestamp, trigger, action, outcome
  • Fail-Closed Record — Deviation events, interlock response timing, safe state confirmation
  • Convergence Metrics — Mean values, variance, boundary proximity, regime transitions
  • Architectural Evidence Block — Simulation identification, training data provenance, safety envelope provenance, consonance verification
  • Integrity Block — SHA-256 hash, signing authority, timestamp, public key reference

Format: JSON preferred. All timestamps UTC ISO 8601. Maximum 10 GB uncompressed.
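
A sketch of what "hash-chain linked" telemetry means in practice and how a reviewer locates tampering. This is an added example, not the format from the Evidence Schema & Audit Format specification; the entry layout, the `GENESIS` anchor, the JSON canonicalisation, and the sample readings are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first entry


def _digest(prev_hash, record):
    # Canonical JSON (sorted keys, no whitespace) keeps the hash reproducible.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(chain, record):
    """Link a telemetry record to the hash of the entry before it."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": record, "prev": prev_hash,
             "hash": _digest(prev_hash, record)}
    chain.append(entry)
    return entry


def first_broken_link(chain):
    """Return the index of the first entry failing verification, or None."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        expected = _digest(prev_hash, entry["record"])
        if entry["prev"] != prev_hash or entry["hash"] != expected:
            return i
        prev_hash = entry["hash"]
    return None


def build_sample():
    # Constructed 1 Hz samples; field names are illustrative only.
    chain = []
    for second, temp in enumerate([71.2, 71.4, 71.9, 72.3]):
        append(chain, {"ts": f"2026-01-04T00:00:0{second}Z", "temp_c": temp})
    return chain
```

The chain by itself cannot reveal removal of trailing entries or a full rewrite with recomputed hashes; the final hash has to be fixed outside the log, for example under a signature.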

Contact

For conformance inquiries, licensing discussions, or partnership opportunities.

  • General inquiries: info@sentinelauthority.org
  • Conformance & licensing: conformance@sentinelauthority.org

Published documents

Sentinel Authority maintains the normative documents defining the ODDC program.

Program Identity

  • Program: ODDC
  • Spec Version: v1.1 (Jan 2026)
  • Status: Draft
  • Change Control: Errata + versioning

Public Documents

  • ODDC Overview v1.1 (Jan 2026) — conceptual introduction to ODD Conformance Determination.
  • ENVELO Requirements v1.1 (Jan 2026) — runtime enforcement requirements for implementers.
  • CAT-72 Procedure v1.1 (Jan 2026) — convergence test requirements and format.
  • Errata Log — version history and corrections.

Restricted Documents

  • Normative Technical Specification v1.1 — full implementation requirements.
  • Evidence Schema & Audit Format v1.1 — record structure and verification procedures.
  • ODD Definition Templates — domain-specific operational design domain guides.
LICENSED IMPLEMENTERS ONLY

Licensed implementers are third-party system integrators authorized to implement ENVELO-compliant enforcement architectures.

Publications

Framework documents addressing technical, regulatory, and legal questions. These are reference materials, not normative specifications.

  • ODDC Framework: Critical Q&A (v1.0 · Jan 2026)

    Formal response to the hardest technical, regulatory, and legal objections to runtime enforcement of autonomous systems.

Suggested citation: Sentinel Authority. ODDC Framework: Critical Q&A. Version 1.0, January 2026.

ODDC Mark

Conformant operators are authorized to display the ODDC mark. Each mark includes a unique conformance ID verifiable against the Sentinel Authority registry.

[ODDC mark: ODDC, Sentinel Authority, SA-2026-0001]

Each conformance ID (e.g., SA-2026-0001) can be verified at sentinelauthority.org/verify

Mark Authorization

  • Granted upon conformance — mark authorization included with ODDC determination.
  • Unique conformance ID — each mark displays a verifiable ID tied to the conformance record.
  • Validity period — mark authorization valid for the conformance term (6-24 months).
  • Revocable — unauthorized use or conformance suspension terminates mark rights.
ANNUAL MAINTENANCE: $2,500

Usage Guidelines

  • Minimum size — 70px height for digital, 0.75" for print.
  • Clear space — maintain padding equal to the height of "ODDC" text on all sides.
  • Approved formats — SVG (preferred), PNG with transparency. Do not alter colors or proportions.
  • Placement — equipment labels, system dashboards, documentation, contracts, insurance submissions.
  • Prohibited — use on non-conformant systems, after expiration, or to imply regulatory approval.

Mark assets provided upon conformance determination. Unauthorized use constitutes trademark infringement.