SA-STD-001 · ODDC Runtime Conformance Standard

Conformance Requirements

Independent conformance assessment under the ODDC Runtime Conformance Standard (SA-STD-001). Operational Design Domain Conformance verifies that an autonomous system operates within its declared boundaries under runtime-enforced, independently verified conditions.

Part I
Assessment Gates
01
ODD Declaration

Operational boundaries formally declared or auto-discovered through ENVELO's adaptive learning engine. See R-01b.

02
Stability

72+ cumulative hours of stable operation within the declared ODD under monitored conditions.

03
Interlock

ENVELO Interlock assurance verified as architecturally external and active across all declared ODD boundary conditions.

04
Evidence

Tamper-evident SHA-256 hash-chained audit record generated for all conformance events. See R-06.

05
Non-Conformance

Deploying entity executes a Conformance Agreement specifying conditions under which the certificate transitions to Non-Conformant.

Part II
Normative Requirements

Systems seeking conformance assessment under SA-STD-001 must satisfy the following requirements.

  • R-01 ODD boundaries shall be defined in machine-readable format compatible with ENVELO's conformance engine, or auto-discovered and approved prior to conformance activation. Declarations shall include: (a) at least one quantitative operational parameter with defined limit values, (b) a defined geographic, environmental, or operational scope, and (c) explicit conditions under which assurance activates. Boundaries defined solely by time window, administrative classification, or other non-operational criteria do not satisfy this requirement.
  • R-01a ODD declarations are subject to Pre-CAT-72 Audit Control Review. Declarations that are insufficiently specified, internally inconsistent, or define boundaries so narrow as to render the verification period non-representative will be returned with findings. Revision history is retained and published in the conformance registry.
  • R-01b The ENVELO conformance engine supports all boundary types required to certify autonomous systems across operational domains. Supported categories include:
    Physical & Operational
    Numeric range constraints, categorical value sets, geographic geofences, polygon boundaries, temporal operating windows, rate-of-change limits, compound conditional rules, boolean sensor health, connectivity and heartbeat gap limits.
    Analytical & Statistical
    Cumulative threshold monitoring, statistical rolling-window constraints, frequency and event-count limits, baseline drift detection, multi-variable logical conditions, sequence and prerequisite assurance.
    Domain-Specific
    Exclusion zone assurance, proximity and separation minimums, redundancy thresholds, energy reserve requirements, dynamic envelope curves, contraindication rules, escalation protocols, jurisdictional constraints.
    All boundary types are evaluated synchronously at execution time. The conformance engine is extensible without changes to the conformance framework.
  • R-02 Minimum of 72 cumulative hours of monitored operation without boundary violation during the CAT-72 assessment period.
  • R-03 The ENVELO Interlock shall engage automatically on ODD boundary approach, initiating corrective assurance response without human intervention.
  • R-04 On ODD boundary breach, the ENVELO Interlock shall activate a Minimum Risk Condition response and bring the system to a defined safe state.
  • R-05 The ENVELO Interlock shall include an absolute override capability that cannot be disabled by the deploying entity, system software, or any operational command pathway.
  • R-05a The ENVELO Interlock shall be architecturally external to the governed system. Any configuration in which the system model can directly access actuators, APIs, or execution targets without passing through the interlock — including via tool calls, function invocations, or parameter modifications — disqualifies the system from conformance assessment.
  • R-06 All conformance events shall be logged with timestamps, positional context where applicable, and cryptographic hash chains linking each event to the prior record.
  • R-06a The following actions are independently logged in the tamper-evident audit chain:
    Application submission; Application approval / rejection; Reviewer assignment; Test creation & start; Specification confirmation; Test completion with result; Certificate issuance; Automatic non-conformance; Certificate reinstatement; API key generation / deactivation; Boundary report submission; Assurance config changes; User authentication events; Profile modifications.
    Each entry records the acting user, timestamp, resource identifier, and action-specific details. Database-level triggers prevent UPDATE or DELETE on the audit log table.
  • R-07 Audit logs shall be transmitted to Sentinel Authority in real time or near-real time during the CAT-72 period. Gaps exceeding 15 minutes require justification.
  • R-08 The ENVELO Interlock transmits operational telemetry only. Proprietary system internals are not accessed or transmitted.
  • R-09 ODD scope changes after assessment initiation require a new scope assessment and may require a new CAT-72 verification period.
  • R-10 The deploying entity shall designate a primary technical contact responsible for ENVELO Interlock deployment and ongoing conformance maintenance.
  • R-11 Post-certification systems are subject to continuous ENVELO Interlock assurance. Systems transition to Non-Conformant if: (a) interlock heartbeat is lost for more than 15 minutes, or (b) boundary violation rate exceeds the assurance threshold. Reinstatement requires human authorization by Sentinel Authority.

Conformance Determination — A system satisfying all normative requirements receives a conformance determination issued with certificate hash and recorded in the public registry. Issued under SA-STD-001 v1.0.
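The following added example (not part of SA-STD-001 and not ENVELO or Sentinel Authority code) shows how a reviewer could check a SHA-256 hash-chained audit record of the kind R-06 and R-06a describe, and flag the 15-minute gaps named in R-07. The record field names, the canonical-JSON serialization, the all-zero genesis value and the sample events are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta

GENESIS = "0" * 64               # assumed anchor value for the first record
MAX_GAP = timedelta(minutes=15)  # gap limit stated in R-07

def record_hash(body):
    # Canonical JSON (sorted keys, fixed separators) keeps the digest reproducible.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def append_event(chain, user, timestamp, resource, action, details):
    # Fields follow R-06a: acting user, timestamp, resource identifier, details.
    body = {"user": user, "timestamp": timestamp, "resource": resource,
            "action": action, "details": details,
            "prev_hash": chain[-1]["hash"] if chain else GENESIS}
    chain.append({**body, "hash": record_hash(body)})
    return chain

def verify_chain(chain):
    """Return (index, finding) tuples; an empty list means intact and gap-free."""
    findings = []
    prev_hash, prev_ts = GENESIS, None
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev_hash:
            findings.append((i, "broken link"))
        if record_hash(body) != rec["hash"]:
            findings.append((i, "hash mismatch"))
        ts = datetime.fromisoformat(rec["timestamp"])
        if prev_ts is not None and ts - prev_ts > MAX_GAP:
            findings.append((i, "gap exceeds 15 minutes"))
        prev_hash, prev_ts = rec["hash"], ts
    return findings

def sample_chain():
    # Constructed sample events; action names are taken from the R-06a list.
    chain, day = [], "2025-01-01T00:"
    append_event(chain, "reviewer-1", day + "00:00+00:00", "test-001",
                 "Test creation & start", {"path": "prescriptive"})
    append_event(chain, "agent-7", day + "10:00+00:00", "test-001",
                 "Boundary report submission", {"violations": 2})
    append_event(chain, "agent-7", day + "40:00+00:00", "test-001",
                 "Boundary report submission", {"violations": 0})
    return chain
```

A chain only proves internal consistency: someone who can rewrite every later record can rebuild it, which is why the database triggers in R-06a and the off-host transmission in R-07 matter alongside the hashes.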

Part III
Verification Procedure
Phase 1
Application

Submit system information and select the adaptive or prescriptive ODD path.

Phase 2
Scope Assessment

Sentinel Authority reviews the application, defines test parameters, and issues a scope confirmation with fee schedule.

Phase 3
Pre-CAT-72 Audit Review

Structured evaluation of ODD boundary definition, ENVELO Interlock assurance configuration, and telemetry readiness. CAT-72 authorized only upon successful completion.

Phase 4
CAT-72 Assessment

72+ hour monitored assessment. ENVELO Interlock assurance verified across all boundary conditions. Adaptive path begins in LEARNING state; prescriptive path enters BOUNDED from the start.

Phase 5
Conformance Determination

Determination issued with certificate hash and recorded in the public conformance registry under SA-STD-001.

Phase 6
Continuous Conformance

Conformance status remains valid only while ENVELO Interlock assurance remains active. Certificate transitions to Non-Conformant on interlock failure or telemetry loss. Reinstatement requires Sentinel Authority authorization. Annual renewal required.

Part IV
Reference Documents

The ODDC Runtime Conformance Standard (SA-STD-001 v1.0) is the normative basis for all assessments conducted under this program. ENVELO Requirements, CAT-72 Procedure, ODDC Scenarios, and Assessment Guide are available in the document library.