Operational Design Domain Conformance

Independent conformance assessment for autonomous systems. Operational boundaries verified. Runtime assurance enforced.

Autonomous systems declare operational boundaries. Sentinel Authority verifies they cannot exceed them.

ODDC CONFORMANCE CERTIFICATE CONFORMANT
ODDC v1.0
Certificate of Conformance
CERT ODDC-2025-00847
Meridian Autonomous Systems, Inc.
MAS-Route Optimizer v2.3.1
ISSUED
14 Jan 2025
EXPIRES
14 Jan 2026
CAT-72
PASS
Urban surface roads, ≤45 mph, daylight, low-precipitation. Geofenced to metro area.
SENTINEL AUTHORITY 8f3a2b...e9d1c4
Sentinel Authority — Watch the explainer
90-SECOND OVERVIEW
The Standard
ODDC v1.0
A published conformance specification governing runtime boundary assurance for autonomous systems. The standard is structurally independent of any single assessment body.
The Certifier
Sentinel Authority
An independent conformance assessment body. Sentinel Authority certifies systems against the ODDC specification. The certifier and the standard are structurally distinct.
Who We Serve

Select Your Path

ODDC assessment serves developers, operators, regulators, and institutional buyers. Each has a distinct interest in verified boundary enforcement.

Operators & Developers
Deploying Autonomous Systems
Understand the CAT-72 assessment procedure, ENVELO Interlock integration requirements, fee schedules, and what conformance status means for your deployment and procurement positioning.
Start Your Application →
Regulators & Policy
Oversight & Framework Integration
Learn how ODDC fills the independent runtime verification gap left by existing standards. Review compatibility with NHTSA, TC Canada, and FAA regulatory frameworks.
Review Framework Documentation →
Insurers & Procurement
Risk Evaluation & Underwriting
Search the public conformance registry to verify operator conformance status, certificate validity, and ODD domain scope for any assessed system.
Search the Registry →

Autonomous systems are deployed based on manufacturer self-attestation. No independent mechanism verifies that runtime boundary assurance is architectural and active.

ODDC formalizes that missing category.

SCOPE OF ASSESSMENT

Systems Within Scope

ODDC conformance assessment applies to systems exhibiting one or more of the following characteristics.

AUTONOMOUS SYSTEM DEFINITION
Autonomous Decision Authority
Executes decisions without contemporaneous human approval.
Actuator Authority
Controls actuators, financial instruments, or execution endpoints.
Environmental Input Processing
Translates environmental inputs into operational action.
Direct Operational Effect
Outputs alter operational state, not limited to advisory functions.
RUNTIME ASSURANCE

ENVELO Interlock

An independent runtime execution gate between an autonomous system and the environment it affects. Verified by Sentinel Authority.

The ENVELO Interlock operates external to the governed system and cannot be modified or disabled by the model. All autonomous actions pass through the interlock prior to execution.

Assessment Eligibility

Systems with alternate execution paths — including direct actuator or API access — are ineligible for conformance assessment.

Model Transparency

Closed and proprietary systems remain certifiable. Sentinel Authority does not require access to internal model architecture or training data.

Boundary Enforcement

ENVELO enforces declared operational boundaries at the execution layer. Sentinel verifies that enforcement is architectural, active, and non-bypassable.

Systems lacking a non-bypassable execution control layer fall outside the scope of conformance assessment.

ACTION VERDICT MODEL ENVELO INTERLOCK GATE IDLE EXECUTE MRC HALT AUDIT · 0 CHECKED · 0 PASSED · 0 BLOCKED
NORMATIVE REQUIREMENTS
Six normative requirements govern conformance assessment eligibility. Full specification on the Requirements page.
01
RA-01  Non-Bypassable
All autonomous execution events pass through the assurance layer. No alternative execution pathways exist.
02
RA-02  Tiered Assurance
Three mandatory response tiers: self-correction, Minimum Risk Condition, and hard halt.
03
RA-03  Synchronous Validation
Boundary validation occurs synchronously at execution time.
04
RA-04  Tamper-Evident Audit Chain
Assurance events recorded in a SHA-256 hash-chained audit log. Records are immutable and independently verifiable.
05
RA-05  Boundary Event Determination
Boundary events categorized per ODDC specification. Not operator-configurable. Telemetry integrity verified before CAT-72 begins.
06
RA-06  ODD Parameter Mapping
Declared ODD parameters mapped directly to runtime execution gates. Thresholds, geofences, and rate-of-change constraints applied from operator declarations.
Conformance Determination — A system is eligible for ODDC conformance assessment only when all normative requirements are satisfied and independently verified by Sentinel Authority.

Contact us to incorporate ODDC conformance assessment into your procurement evaluation criteria.

FOR REGULATORS & GOVERNMENT

A Mechanism Existing Frameworks Do Not Provide

Current regulatory approval processes for autonomous systems rely on manufacturer self-assessment. No independent mechanism exists to verify that runtime boundary enforcement is architecturally present and active at the moment of execution. ODDC formalizes that missing category.

THE CURRENT GAP
Existing frameworks — including NHTSA voluntary guidance, Transport Canada autonomous vehicle policy, and FAA UAS integration rules — accept operator-declared operational boundaries without independent verification that those boundaries are enforced at runtime. Self-attestation is the standard. Independent architectural verification does not exist as a defined category.
WHAT ODDC PROVIDES
ODDC is a conformance specification for independent runtime boundary verification. It is designed to complement — not replace — existing regulatory frameworks. ODDC conformance status provides regulators with a third-party-verified, tamper-evident record of boundary enforcement behavior that no current mechanism produces.
FRAMEWORK COMPATIBILITY
NHTSA Automated Vehicle Framework
ODDC conformance assessment aligns with NHTSA's stated objective of independent safety verification for automated driving systems. ENVELO audit records are directly usable in NHTSA safety reporting contexts.
Transport Canada Connected and Automated Vehicles Policy
ODDC addresses the independent verification gap identified in Transport Canada's autonomous vehicle regulatory consultations. Tamper-evident audit records satisfy documentation requirements under Canadian motor vehicle safety frameworks.
EU AI Act — High-Risk System Requirements
ODDC conformance documentation is compatible with EU AI Act Article 9 risk management obligations and Article 17 quality management requirements for high-risk autonomous systems deployed in the European market.
FAA UAS Integration Pilot Program
ENVELO Interlock architecture and CAT-72 verification are compatible with FAA operational boundary requirements for UAS Beyond Visual Line of Sight operations and urban air mobility conformance frameworks.

ODDC conformance cuts both ways. It provides verified differentiation for compliant operators — and produces a tamper-evident public record of non-conformance for those who are not.

Regulatory Integration Inquiry →
The Verification Gap

Why Self-Attestation Is Not Enough

Across autonomous and AI-enabled systems, the same structural failure has recurred: operators declared operational boundaries that their systems exceeded — without independent verification that enforcement was architecturally active at runtime.

2018 — Autonomous Vehicle Incident
Autonomous Vehicle Boundary Failure
The automated system disengaged emergency braking in conditions outside its declared operational parameters. Internal assurance did not independently verify enforcement at runtime.
Boundary exceedance: undetected at runtime.
ODDC: Tier 2 MRC trigger on ODD envelope exit.
2018–2019 — Flight Control Automation Failure
Flight Control Envelope Exceedance
A flight control system operated outside its declared flight envelope parameters. Internal assurance processes did not independently verify runtime enforcement of boundary limits. Self-attestation was accepted in place of independent architectural verification.
Self-attestation accepted without independent runtime verification.
ODDC: Hard halt on AoA sensor exceedance threshold.
San Francisco — October 2023
Urban AV Operational Boundary Drift
An autonomous vehicle continued operating in conditions outside its declared parameters. Investigation revealed gaps between declared operational boundaries and actual runtime behavior under edge conditions.
Declared ODD vs. actual runtime behavior: unverified gap.
ODDC: Continuous surveillance log surfaces behavioral drift.

In each case, the boundary existed on paper. What was absent was an independent, non-bypassable architectural mechanism that verified enforcement at the moment of execution — and produced a tamper-evident record that regulators, insurers, and courts could rely on. That is precisely the gap ODDC and ENVELO exist to close.

CERTIFICATION SCOPE

What ODDC Does Not Certify

ODDC conformance assessment is limited to runtime boundary assurance.

EXPLICIT EXCLUSIONS
No Model Evaluation
ODDC does not assess model accuracy, training methodology, or inference quality.
No Bias Audit
Fairness, bias detection, and demographic impact analysis are outside ODDC scope.
No Accuracy Validation
ODDC does not assess output correctness, performance quality, or functional adequacy.
No Cybersecurity Certification
Network security, penetration testing, and vulnerability assessments are not part of ODDC conformance.
No Regulatory Approval
Sentinel Authority is an independent conformance assessment body and does not function as a regulatory authority. ODDC conformance assessment does not constitute regulatory clearance, licensure, or government endorsement.
SECURITY ARCHITECTURE

Access Isolation Model

The interlock introduces no inbound access paths and no remote execution capability.

REQUEST TELEMETRY MODEL ENVELO SENTINEL AUTHORITY REGISTRY
01
ODD
Established
Declared operational boundaries
02
SUSTAINED ASSURANCE
Assurance Verified
72 cumulative hours of assured operational exposure
03
ENVELO INTERLOCK
Assurance Active
Non-bypassable runtime
04
AUDIT
Tamper-Evident
Cryptographic records
05
DRIFT DETECTION
Drift Protocol
Clear non-conformance path
Gate 01
ODD Established
Declared operational boundaries
Gate 02
Sustained Assurance Verification
Minimum 72 cumulative hours of assured operational exposure
Gate 03
ENVELO Interlock
Non-bypassable runtime assurance active
Gate 04
Audit
Cryptographic, tamper-evident records
Gate 05
Drift Detection & Non-Conformance Protocol
Clear non-conformance path
CONFORMANCE STATES
● LEARNING ● BOUNDED ● CONFORMANT ● NON-CONFORMANT
ODDC ATTESTS TO
ODD defined with quantitative boundaries
Stable operation within defined ODD
ENVELO assurance architecturally present
CAT-72 verification completed
Tamper-evident audit records available
ODDC DOES NOT ATTEST TO
Functional safety of underlying system
Regulatory or legal compliance
Cybersecurity posture or resilience
System performance or accuracy
AI model correctness or fitness
BOUNDARY EXCEEDANCE

Any assurance failure exceeding attested tolerances constitutes a boundary exceedance and initiates conformance review.

ENVELO Interlock Technical Specification Security Architecture & Threat Model →
CONFORMANCE PROCEDURE

CAT-72

Sustained verification of runtime boundary assurance across representative ODD conditions.

INTERLOCK 0h ODD BOUNDARY 12h 24h 36h 48h 60h 03h 4% OF 72H MINIMUM · ENFORCEMENT EXPOSURE
01
Sustained Assurance Exposure
A minimum of 72 cumulative hours of system operation under active interlock assurance within the declared ODD. Higher-risk operational domains may require extended verification periods as determined during the Pre-CAT-72 Audit Control Review.
02
Telemetry Integrity Verification
Cryptographic audit chain maintained across all operational intervals. Each assurance event is hash-chained and timestamped, producing a tamper-evident record of interlock activity throughout the verification period.
03
Pre-CAT-72 Audit Control Review
Before CAT-72 testing is authorized, Sentinel Authority conducts a structured ODDC Audit Control Review — a formal evaluation of ODD boundary definition, ENVELO Interlock assurance configuration, and telemetry readiness. Systems that do not meet the audit threshold are returned to the applicant with findings. This gate is the primary mechanism by which Sentinel Authority screens systems before they enter the verification period.
04
Conformance Determination
Upon completion of the verification period, Sentinel Authority reviews telemetry records, validates audit chain integrity, and issues a conformance determination recorded in the public registry.
POST-CERTIFICATION CONTINUOUS SURVEILLANCE
Certification remains valid only while assurance remains active. Certified systems are subject to continuous conformance surveillance.
01
Continuous Conformance Scoring
Each certified system maintains a real-time conformance score computed from assurance telemetry. Status levels are determined automatically from verified thresholds.
02
Automatic Non-Conformance
Systems are automatically marked non-conformant upon verified assurance failure or telemetry loss. Determination is immediate and requires no human approval.
03
Mandatory Human Reinstatement
Reinstatement requires documented human authorization. All state transitions are recorded in the tamper-evident audit chain and the public registry.
ASSESSMENT PROCEDURE

Conformance Process

The ENVELO Interlock records and assures system operation within the declared ODD, verifies boundary adherence per the CAT-72 procedure, and accumulates not less than seventy-two (72) cumulative assurance hours.

1 APPLY 3 FIELDS 2 ACCEPT PAYMENT 3 DEPLOY ONE COMMAND 4 REVIEW AUTO-BOUNDARIES 5 CAT-72 72 HOURS CONFORMANT AUTOMATED
CONFORMANCE ASSESSMENT PROGRAM

Fee schedules, program tiers, and the Inaugural Assessment Cohort are documented in the Conformance Program.

Conformance Program →
STANDARDS & SPECIFICATIONS

Governing Specifications

ODDC and ENVELO normative documents are published in the Sentinel Authority Publications Library.

Normative Documents →
RUNTIME ASSURANCE
ENVELO Interlock
Non-bypassable execution-layer assurance of operator-declared operational boundaries. Normative specification and deployment requirements are published in the Standards Library.
Regulatory Integration Documentation → REQUIRED FOR ODDC
Operational Scenarios
Common Questions

Frequently Asked

Answers to questions Sentinel Authority receives most often from operators, regulators, and insurers evaluating ODDC conformance.

ISO 26262 addresses functional safety in automotive systems. UL 4600 provides a framework for safety cases for autonomous products. SOTIF addresses intended functionality under foreseeable misuse. None independently verify that runtime boundary enforcement is architecturally present and active at the moment of execution. ODDC does not replace these standards — it fills the specific gap they leave: independent, third-party confirmation that the declared ODD is enforced at runtime, with a tamper-evident audit record.
ENVELO is an architectural interlock, not a model modification. It is deployed as an external enforcement layer between the system's decision output and its execution interface — whether physical actuation, API calls, or financial order routing. The underlying model remains unchanged. ENVELO intercepts the intent signal before it reaches the execution layer and applies declared boundary constraints. Integration documentation is provided during the Pre-CAT-72 Audit Control Review.
ODDC conformance assessment does not require source code disclosure. Sentinel Authority assesses the enforcement architecture — specifically whether ENVELO is correctly deployed and whether the audit chain accurately records boundary enforcement events. The assessment is behaviorally and architecturally based, not source-code based. This is intentional: it allows conformance verification of commercial, defense, and proprietary systems without compromising intellectual property.
Non-conformance triggers an automatic status transition in the public registry — the system's conformance status changes to NON-CONFORMANT without manual intervention. This is enforced architecturally, not administratively. Sentinel Authority initiates a non-conformance review. Depending on the severity and nature of the exceedance, reinstatement may require a full re-assessment or a targeted remediation audit. All non-conformance events and their resolution status are permanently recorded in the audit chain and public registry.
Conformance status provides underwriters with structured, third-party-verified data on boundary enforcement behavior — boundary exceedance frequency, enforcement tier activations, and longitudinal conformance record. This data is not available through self-attestation or internal audits. For procurement, ODDC conformance status functions as an independently verifiable differentiation signal in RFP responses — analogous to how SOC 2 Type II or CMMC certification operates in IT and defense procurement.
An ODDC conformance certificate attests to a specific, verifiable fact: that the system's declared operational boundaries were enforced through an independent, non-bypassable architectural control, and that this enforcement was verified under the CAT-72 protocol and recorded in a tamper-evident audit chain.

It does not attest that the declared boundaries are sufficient for safe deployment in every circumstance. It does not evaluate the underlying model's accuracy, judgment, or fitness for a particular use. It does not by itself authorize deployment or constitute regulatory approval.

Determination of operational suitability, deployment authority, and regulatory approval remains with the operator and the relevant governmental authority.

What the certificate provides — and what conventional self-attestation does not — is independent confirmation that the operational boundary the operator declared was real, architecturally enforced, and auditable. If the system remained within that boundary, the record will show that. If it exceeded that boundary, the record will show that too.
Annual maintenance covers continuous ENVELO Interlock assurance verification, tamper-evident audit record maintenance, annual conformance renewal assessment, and ongoing public registry status maintenance. Certification remains valid only while assurance is active. Systems are subject to continuous conformance surveillance following initial certification. Removal or disablement of the ENVELO Interlock automatically transitions the associated system to Non-Conformant status.
CONTACT

Contact Sentinel Authority

Contact Sentinel Authority for conformance inquiries, regulatory integration, or application submission.

GENERAL INQUIRIES
info@sentinelauthority.org
Questions about ODDC, the framework, or how conformance works.
CONFORMANCE ASSESSMENT
conformance@sentinelauthority.org
Conformance assessment inquiries and application submissions.
APPLY
APP.SENTINELAUTHORITY.ORG →
Access the conformance application portal.
Governance

Standards Governance

ODDC is a published conformance specification. Sentinel Authority is an independent conformance assessment body certifying against that specification. The standard and the certifier are structurally distinct. Revisions are versioned, publicly documented, and subject to independent review.

STANDARD
ODDC — published
conformance specification
CERTIFIER
Sentinel Authority — independent
conformance assessment body
PUBLIC RECORD
All revisions and governing
documents publicly archived
GOVERNANCE & AUDITOR INDEPENDENCE
AUDITOR INDEPENDENCE
Structural separation between conformance reviewers and business development. Zero financial interest in determination outcomes.
CONFLICT OF INTEREST
No equity, advisory relationship, or revenue-sharing with any applicant or conformant operator. Fees are fixed and non-contingent on outcome.
NON-CONFORMANCE & APPEALS
Written notification with findings. Defined response period. Independent review of submitted evidence. Final determination recorded in the public registry.
TELEMETRY PROVENANCE
Sentinel Authority verifies assurance behavior against telemetry as received. The operator bears sole responsibility for sensor accuracy, calibration, and data integrity.