QODIQA — Non-Compliance Conditions and Failure Modes

Abstract

This document defines the invalid states, failure modes, and non-compliance conditions of systems implementing the QODIQA deterministic runtime consent enforcement model. It classifies all conditions under which a system fails to enforce consent correctly, fails to produce verifiable enforcement decisions, or otherwise violates the invariants established by the QODIQA normative corpus. This document operates exclusively as a fail-closed enforcement model: any condition not positively confirmed as compliant is treated as non-compliant. It does not provide guidance, recommendations, or implementation advice. It defines states that are impermissible, conditions that invalidate conformance, and triggers that require certification revocation.

Section 1

#Scope

This document applies to all systems claiming conformance with the QODIQA standard, including systems under evaluation, systems holding active certification, and systems in production deployment. The scope encompasses the following enforcement surfaces:

The runtime enforcement layer and all enforcement decision pathways
The policy evaluation engine and all policy resolution mechanisms
All interactions with the consent registry, including read, write, and validation operations
The enforcement gateway and all request interception and disposition mechanisms
The audit and logging subsystem and all record production pathways
The cryptographic subsystem and all signing, verification, and key management operations

This document governs failure and non-compliance states only. It does not define conformant behavior. Conformant behavior is defined in the QODIQA Core Standard and the 68-Point Enforcement Framework. This document defines the conditions under which conformance is absent, invalidated, or suspended.

This document is normative. All conditions defined herein SHALL be treated as binding constraints on systems claiming QODIQA conformance.

Section 2

#Normative Foundations

All failure conditions defined in this document derive from violations of the invariants established by the following QODIQA corpus documents. These documents are incorporated by reference and are not redefined herein:

QODIQA Core Standard for Deterministic Runtime Consent Enforcement - establishes the mandatory behavioral invariants of a conformant enforcement system.
QODIQA 68-Point Enforcement Framework - enumerates the specific enforcement obligations against which non-compliance is measured.
QODIQA Certification Framework for Deterministic Runtime Consent Enforcement - defines certification levels, assessment criteria, and revocation procedures.
QODIQA Conformance Test Suite - specifies the observable test conditions that verify or refute conformance claims.
QODIQA Threat Model and Abuse Case Analysis - defines the adversarial conditions and attack surfaces against which enforcement invariants must hold.
QODIQA Security and Cryptographic Profile - establishes the cryptographic requirements whose violation constitutes a failure condition.
QODIQA Risk and Assumption Disclosure Annex - identifies residual risk surfaces referenced in Section 12 of this document.

A failure condition is present whenever a system state, transition, or output violates an invariant established by any of the above documents. This document classifies such violations. It does not establish new invariants.

Section 3

#Definition of Non-Compliance

Non-compliance is the state of a system in which one or more required invariants are not satisfied. Non-compliance is not a gradient. A system is either compliant or non-compliant with respect to each invariant individually. Partial compliance with respect to an invariant is classified as non-compliance.

Non-compliance occurs in the following conditions:

A required invariant is not enforced by the system.
Enforcement occurs but is subsequently bypassed, overridden, or rendered ineffective.
The outcome of enforcement is indeterminate - the system cannot produce a definitive allow or deny decision.
The enforcement decision is not externally verifiable - no auditable record is produced, or existing records are insufficient for verification.

Non-compliance is categorized as follows.

3.1 Hard Non-Compliance

Hard non-compliance is a deterministic violation of a required invariant. The violation is observable, reproducible, and verifiable without inference. Hard non-compliance includes: execution proceeding without a completed consent check; a consent check returning a deny decision that is not enforced; enforcement being bypassed by an alternate execution path; and logs that are absent, truncated, or non-append-only.

Hard non-compliance results in immediate loss of conformance status. No cure period applies.

3.2 Soft Non-Compliance

Soft non-compliance is a condition in which the system cannot demonstrate that a required invariant is satisfied. The violation may not be directly observable, but the absence of verifiable proof of compliance constitutes non-compliance. Soft non-compliance includes: enforcement decisions that are not signed or cryptographically attributable; audit logs that exist but cannot be verified for integrity; and consent states that are asserted but not backed by registry-confirmed records.

Soft non-compliance results in loss of conformance status. A system cannot claim conformance on the basis of undemonstratable compliance.

3.3 Conditional Non-Compliance

Conditional non-compliance is a violation that is contingent on system state, operational context, or input conditions. The system may satisfy an invariant under nominal conditions but fail under specific states. Conditional non-compliance includes: enforcement decisions that diverge when the consent registry is unavailable; policy evaluation that produces different results for structurally identical inputs across execution instances; and audit logging that fails under high throughput or degraded infrastructure conditions.

Conditional non-compliance results in loss of conformance status for all states in which the invariant is violated. A conformant system MUST satisfy all required invariants under all defined operating conditions, including degraded conditions.

Section 3A

#Failure State Transition Model

This section defines the four discrete states in which a QODIQA-conformant system may exist with respect to compliance status, and the deterministic conditions that govern transitions between those states. State transitions are not discretionary. Each transition is triggered by a defined condition and results in a required system response.

Compliant State

A system is in the Compliant State when all of the following conditions are simultaneously satisfied: all required invariants are enforced; all enforcement decisions are deterministic, signed, and auditable; the consent registry is reachable and synchronized within the permitted staleness threshold; the audit log is append-only, integrity-protected, and externally verifiable; and no failure mode defined in Section 4 is active. Certification is valid and operative in this state.

Degraded State

A system enters the Degraded State when one or more operational conditions are impaired but no enforcement invariant has yet been violated. Conditions that may produce a Degraded State include: elevated registry synchronization latency approaching the staleness threshold; key management system response times approaching the defined timeout; or audit log write latency approaching the maximum permitted delay. A system in the Degraded State MUST alert governance and MUST apply heightened monitoring. If any impaired condition crosses its defined threshold, the system MUST immediately transition to the Non-Compliant State. The system MUST NOT remain in the Degraded State indefinitely. The Degraded State does not permit execution on a permissive basis; fail-closed requirements remain fully operative.

Non-Compliant State

A system enters the Non-Compliant State when one or more invariants are violated, as defined in Section 3 and Section 4. The Non-Compliant State is triggered by any active failure condition classified under the taxonomy in Section 4, or by any deterministic trigger condition defined in Section 5. Upon entering the Non-Compliant State, the system MUST deny all execution requests, MUST produce an observable signal identifying the failure condition, and MUST NOT resume enforcement without completing the re-validation process defined in Section 11. Certification is suspended upon entry to the Non-Compliant State. The severity of the non-compliance condition, as classified in Section 7, determines whether the transition is from suspension to revocation.

Certification Revoked State

A system enters the Certification Revoked State when a Level 1 non-compliance condition is confirmed, or when a Level 2 condition is not remediated within the period specified by the Certification Framework, resulting in escalation. In this state, the system has no valid certification. The system MUST NOT represent itself as QODIQA-conformant or reference its prior certification. No auto-recovery, operator action, or remediation restores certification status in this state. A new certification process, initiated under the QODIQA Certification Framework, is the sole path to re-entering the Compliant State from the Certification Revoked State.

Deterministic Transition Rules

The following transitions are defined and are non-discretionary:

Compliant to Degraded: One or more operational conditions approach but have not crossed a defined invariant threshold. Triggered by monitoring signals. Does not require external notification.
Compliant or Degraded to Non-Compliant: An invariant threshold is crossed or a failure condition defined in Section 4 becomes active. Triggered deterministically by the conditions in Table 5-A. Requires immediate fail-closed enforcement and certification suspension notification.
Non-Compliant to Compliant: All failure conditions are resolved and the system has completed the re-validation process under Section 11. Requires positive confirmation by the certification body. Not achievable through self-attestation.
Non-Compliant to Certification Revoked: A Level 1 condition is confirmed, or a Level 2 condition is not remediated within the required period. Triggered by the certification body under the Certification Framework. Requires initiation of a new certification process to exit.
Certification Revoked to Compliant: Only achievable through successful completion of a full re-certification process under the QODIQA Certification Framework. All prior enforcement records from the revocation period are considered invalid.

Section 4

#Failure Mode Taxonomy

The following taxonomy classifies all failure modes recognized within the QODIQA enforcement model. Each failure mode class identifies distinct categories of invariant violation. A system may simultaneously exhibit failures across multiple classes.

4.1 Enforcement Failure

Enforcement failure occurs when the enforcement layer does not produce or apply a correct enforcement decision for an incoming execution request.

EF-1 - Consent Check Absent

Condition An execution request proceeds to the target system without a consent check having been completed by the enforcement gateway.

Detection Audit log contains an execution record with no corresponding consent evaluation record. Enforcement gateway emits no decision artifact for the request.

Resulting State Unauthorized execution. Hard non-compliance. Immediate loss of conformance status.

Referenced Invariant INV-ENF-01 (Core Standard Section 4.1 - Mandatory Consent Evaluation)

Conformance Test CTS-EF-01

EF-2 - Consent Checked but Not Enforced

Condition A consent check is completed and produces a deny decision, but the request is permitted to proceed.

Detection Audit log contains a deny decision record followed by an execution record for the same request identifier within the same session context.

Resulting State Enforcement decision ignored. Hard non-compliance. Immediate loss of conformance status.

Referenced Invariant INV-ENF-02 (Core Standard Section 4.2 - Enforcement Decision Binding)

Conformance Test CTS-EF-02

EF-3 - Enforcement Decision Ignored

Condition The enforcement gateway produces a decision artifact, but downstream components do not act on that decision.

Detection Enforcement gateway log shows decision issued; execution log shows request completed without reference to enforcement decision artifact.

Resulting State Enforcement bypassed at downstream boundary. Hard non-compliance.

Referenced Invariant INV-ENF-03 (68-Point Framework Section 1.3 - Downstream Enforcement Obligation)

Conformance Test CTS-EF-03

4.2 Decision Integrity Failure

Decision integrity failure occurs when the policy evaluation engine produces incorrect, inconsistent, or non-deterministic outputs for a given input set.

DI-1 - Policy Evaluation Inconsistency

Condition Structurally identical inputs to the policy engine produce different decisions across two or more evaluation instances under identical policy state.

Detection Replay of a recorded request against the same policy version yields a different decision than the original evaluation log records.

Resulting State Non-deterministic enforcement. Hard non-compliance.

Referenced Invariant INV-DEC-01 (Core Standard Section 5.1 - Deterministic Policy Evaluation)

Conformance Test CTS-DI-01

DI-2 - Non-Deterministic Output

Condition The policy engine returns an output that is neither a definitive allow nor a definitive deny for a valid, well-formed input.

Detection Decision artifact is absent, malformed, null, or contains an unrecognized decision value. Conformance test suite DI-series tests fail.

Resulting State Indeterminate enforcement state. System MUST apply deny. Soft non-compliance if deny is applied; hard non-compliance if execution proceeds.

Referenced Invariant INV-DEC-02 (Core Standard Section 5.2 - Binary Decision Requirement)

Conformance Test CTS-DI-02

DI-3 - State Desynchronization

Condition The policy engine evaluates against a consent state that does not match the current consent registry state due to cache staleness, replication lag, or partial update failure.

Detection Consent record timestamp in enforcement decision artifact predates the most recent registry update for the subject consent identifier.

Resulting State Enforcement based on stale state. Conditional non-compliance. Decisions issued against desynchronized state are invalid.

Referenced Invariant INV-DEC-03 (Core Standard Section 5.3 - Registry State Currency)

Conformance Test CTS-DI-03

4.3 Data Integrity Failure

Data integrity failure occurs when the consent state, registry data, or enforcement inputs have been corrupted, altered, or cannot be verified as authentic.

DAI-1 - Corrupted Consent State

Condition The consent record for a subject cannot be read, is structurally invalid, or fails integrity verification at the time of policy evaluation.

Detection Consent record fails schema validation or cryptographic integrity check. Policy engine cannot complete evaluation.

Resulting State Consent resolution failure. System MUST apply deny. Hard non-compliance if execution proceeds.

Referenced Invariant INV-DAT-01 (Core Standard Section 6.1 - Consent Record Integrity)

Conformance Test CTS-DAI-01

DAI-2 - Stale Registry Data

Condition The enforcement layer operates against registry data that has exceeded the maximum permitted staleness threshold defined in the QODIQA Core Standard.

Detection Registry synchronization timestamp in enforcement context exceeds permitted staleness window. Registry replication health check fails.

Resulting State Conditional non-compliance. All decisions issued during the staleness window are invalid and must be treated as unenforced.

Referenced Invariant INV-DAT-02 (Core Standard Section 6.2 - Maximum Staleness Threshold)

Conformance Test CTS-DAI-02

DAI-3 - Tampered Inputs

Condition Enforcement inputs - including request context, subject identity claims, or consent token - have been modified after initial capture and before policy evaluation.

Detection Input bundle signature verification fails. Hash of enforcement input context does not match the hash recorded at capture time.

Resulting State Enforcement decision issued on invalid inputs. Hard non-compliance. Decision artifact is void.

Referenced Invariant INV-DAT-03 (68-Point Framework Section 2.4 - Input Bundle Integrity)

Conformance Test CTS-DAI-03

4.4 Control Plane Failure

Control plane failure occurs when a critical system component required for enforcement is unavailable, degraded, or not responding within the permitted time constraints.

CP-1 - Registry Unavailable

Condition The consent registry is unreachable or returns no valid response within the maximum resolution timeout defined in the Core Standard.

Detection Registry health check returns failure. Enforcement gateway cannot complete consent resolution. Execution queued or attempted without resolved consent state.

Resulting State Consent unresolvable. System MUST apply deny to all requests during the unavailability window. Any execution permitted during this window constitutes hard non-compliance.

Referenced Invariant INV-CTL-01 (Core Standard Section 7.1 - Registry Availability Requirement)

Conformance Test CTS-CP-01

CP-2 - Policy Engine Unavailable

Condition The policy evaluation engine is unreachable, non-responsive, or produces no output for submitted evaluation requests.

Detection Policy engine health endpoint returns failure or timeout. No decision artifact is produced for incoming enforcement requests.

Resulting State Enforcement decision impossible. System MUST apply deny. Any execution permitted constitutes hard non-compliance.

Referenced Invariant INV-CTL-02 (Core Standard Section 7.2 - Policy Engine Availability Requirement)

Conformance Test CTS-CP-02

CP-3 - Key Management Failure

Condition The key management system is unavailable, returns invalid material, or cannot issue keys required for signing or verification of enforcement artifacts.

Detection Signing operations fail. Verification operations return invalid results. Key material retrieval timeout or error.

Resulting State Enforcement artifacts cannot be cryptographically attributed. All decisions issued without valid signatures are void. Soft non-compliance transitions to hard non-compliance if execution proceeds.

Referenced Invariant INV-CTL-03 (Security and Cryptographic Profile Section 3.1 - Key Material Availability)

Conformance Test CTS-CP-03

4.5 Audit Failure

Audit failure occurs when the audit and logging subsystem fails to produce complete, verifiable, and tamper-evident records of all enforcement operations.

AF-1 - Missing Logs

Condition An enforcement operation completes but no corresponding audit record is produced, or the produced record is absent from the audit store.

Detection Reconciliation of enforcement gateway event count against audit store record count reveals a deficit. Request identifiers present in execution logs are absent from audit logs.

Resulting State Unverifiable enforcement. Soft non-compliance for each unlogged operation. Operations without audit records cannot be treated as conformant.

Referenced Invariant INV-AUD-01 (Core Standard Section 8.1 - Complete Audit Coverage)

Conformance Test CTS-AF-01

AF-2 - Non-Append-Only Logs

Condition The audit store permits modification, deletion, or overwrite of existing records.

Detection Audit store configuration audit reveals write permissions other than append. Hash-chain verification of log sequence fails at one or more positions.

Resulting State Audit integrity structurally compromised. Hard non-compliance. The entire audit record for the affected period is considered invalid.

Referenced Invariant INV-AUD-02 (Core Standard Section 8.2 - Append-Only Log Requirement)

Conformance Test CTS-AF-02

AF-3 - Tampered Logs

Condition One or more audit records have been modified after initial write.

Detection Hash-chain verification failure. Record signature verification failure. Audit record timestamp inconsistency.

Resulting State Audit integrity breach. Hard non-compliance. All records in the affected sequence are invalid.

Referenced Invariant INV-AUD-03 (Core Standard Section 8.3 - Audit Record Immutability)

Conformance Test CTS-AF-03

AF-4 - Non-Verifiable Logs

Condition Audit records exist but cannot be externally verified due to absent or invalid signatures, unavailable verification keys, or missing hash-chain anchors.

Detection External audit verification process returns failure or cannot complete. Verification keys are not available to the verifying party.

Resulting State Soft non-compliance. Records that cannot be externally verified do not satisfy the auditability invariant.

Referenced Invariant INV-AUD-04 (68-Point Framework Section 3.4 - External Verifiability)

Conformance Test CTS-AF-04

4.6 Cryptographic Failure

Cryptographic failure occurs when the cryptographic mechanisms required for enforcement artifact integrity, audit log integrity, or consent state authentication do not operate correctly.

CF-1 - Invalid Signatures

Condition An enforcement decision artifact, consent token, or audit record carries a digital signature that fails verification.

Detection Signature verification returns invalid. Verification key does not correspond to the signing key referenced in the artifact header.

Resulting State Artifact authenticity cannot be established. The artifact is void. If the artifact is a decision, that decision is invalid. Hard non-compliance if voided decision was acted upon.

Referenced Invariant INV-CRY-01 (Security and Cryptographic Profile Section 4.1 - Artifact Signature Validity)

Conformance Test CTS-CF-01

CF-2 - Broken Trust Chain

Condition The chain of cryptographic trust from the enforcement artifact to the trust anchor defined in the Security and Cryptographic Profile is broken at one or more links.

Detection Trust chain traversal fails. An intermediate certificate or key attestation in the chain is absent, expired, or revoked.

Resulting State Unattributable enforcement. Hard non-compliance. All artifacts dependent on the broken chain are void.

Referenced Invariant INV-CRY-02 (Security and Cryptographic Profile Section 4.2 - Trust Chain Continuity)

Conformance Test CTS-CF-02

CF-3 - Key Misuse

Condition A cryptographic key is used outside its defined purpose, scope, or validity period as specified in the Security and Cryptographic Profile.

Detection Key usage field in certificate or key attestation does not permit the operation performed. Key is expired or its defined scope does not include the signing context.

Resulting State Cryptographic invariant violated. All artifacts produced using the misused key are void. Hard non-compliance.

Referenced Invariant INV-CRY-03 (Security and Cryptographic Profile Section 4.3 - Key Usage Constraints)

Conformance Test CTS-CF-03

4.7 Boundary Failure

Boundary failure occurs when enforcement is bypassed by an execution path that does not pass through the enforcement gateway, or when execution occurs in a context that is not subject to enforcement evaluation.

BF-1 - Enforcement Bypass via Alternate Path

Condition An execution request reaches the target system via a path that does not include the enforcement gateway.

Detection Execution records exist for requests with no corresponding enforcement gateway entry. Network topology analysis reveals direct access routes to protected systems that bypass the enforcement plane.

Resulting State Complete enforcement bypass. Hard non-compliance. All executions occurring via the bypassed path are unauthorized.

Referenced Invariant INV-BND-01 (Core Standard Section 9.1 - Enforcement Boundary Completeness)

Conformance Test CTS-BF-01

BF-2 - Shadow Execution Path

Condition An execution context exists within the system boundary that does not emit observable signals to the enforcement or audit subsystem and is not subject to consent evaluation.

Detection System boundary analysis identifies execution contexts without enforcement plane registration. Audit log coverage analysis reveals gaps corresponding to specific execution contexts.

Resulting State Unmonitored execution surface. Hard non-compliance. The existence of a shadow path constitutes a violation independent of whether unauthorized execution has occurred.

Referenced Invariant INV-BND-02 (68-Point Framework Section 4.2 - Execution Context Registration)

Conformance Test CTS-BF-02

BF-3 - Side-Channel Execution

Condition An action with material effect on the consent-protected resource is achieved through a mechanism other than the protected execution interface, and that mechanism is not subject to enforcement evaluation.

Detection Threat model coverage analysis identifies effect-equivalent access paths not covered by enforcement evaluation. Conformance test suite BF-series tests fail.

Resulting State Enforcement model incomplete. Hard non-compliance. The protected resource is not fully under enforcement control.

Referenced Invariant INV-BND-03 (Threat Model Section 5.3 - Side-Channel Attack Surface)

Conformance Test CTS-BF-03

Section 5

#Deterministic Failure Conditions

The following conditions are defined as deterministic triggers for fail-closed behavior. Each condition is expressed as a verifiable system state. Upon detection of any of these conditions, the system MUST apply the specified resulting state immediately and without exception.

Table 5-A - Deterministic Failure Trigger Conditions

ID	Trigger Condition	Detection Mechanism	Required System Response	Referenced Invariant	Test Mapping
FC-01	Consent record for subject cannot be resolved within maximum timeout	Registry resolution timeout event	MUST deny execution. MUST log unresolvable consent condition.	INV-DAT-02, INV-CTL-01	CTS-CP-01, CTS-DAI-02
FC-02	Policy evaluation returns indeterminate or null output	Decision artifact absent or contains invalid decision value	MUST deny execution. MUST NOT treat null as allow.	INV-DEC-02	CTS-DI-02
FC-03	Enforcement decision artifact signature fails verification	Signature verification returns invalid	MUST void the artifact. MUST deny execution. MUST log signature failure.	INV-CRY-01	CTS-CF-01
FC-04	Consent registry is unreachable at time of evaluation	Registry health check failure; no response within timeout	MUST deny all execution requests until registry is reachable and verified.	INV-CTL-01	CTS-CP-01
FC-05	Policy engine is unavailable at time of evaluation request	Policy engine health failure; no decision artifact produced	MUST deny all execution requests until policy engine is available and verified.	INV-CTL-02	CTS-CP-02
FC-06	Audit log write fails for an enforcement operation	Audit subsystem returns write error or no confirmation	MUST deny the associated execution. MUST NOT proceed without a confirmed audit record.	INV-AUD-01	CTS-AF-01
FC-07	Consent record fails integrity check at evaluation time	Record hash or signature verification failure	MUST deny execution. MUST treat record as invalid. MUST log integrity failure.	INV-DAT-01	CTS-DAI-01
FC-08	Enforcement input bundle has been modified after capture	Input bundle hash mismatch at evaluation time	MUST void the evaluation. MUST deny execution. MUST log tampering condition.	INV-DAT-03	CTS-DAI-03
FC-09	Audit log sequence hash-chain verification fails	Hash-chain traversal returns inconsistency at one or more positions	MUST flag entire affected sequence as compromised. MUST NOT treat affected records as valid evidence of compliance.	INV-AUD-03	CTS-AF-03
FC-10	Execution request arrives via path not registered with enforcement gateway	Source path not present in enforcement boundary registry	MUST deny execution. MUST log boundary violation. MUST alert governance.	INV-BND-01	CTS-BF-01

No failure condition defined in this table permits a fallback to permissive behavior. The absence of a positive, verified enforcement decision is equivalent to a deny decision. Systems MUST be designed such that the default state under uncertainty is execution denial.

Section 6

#Fail-Closed Requirements

The QODIQA model is a fail-closed enforcement model. The requirements in this section are absolute. No operational condition, system constraint, availability target, or performance requirement overrides these requirements.

Requirement FC-R1 - No Fallback to Permissive State

A system MUST NOT transition from an enforcement state to a permissive state as a result of any failure condition. A system experiencing a failure condition MUST remain in a deny state until the failure condition is resolved and the system has returned to a verified compliant state.

Requirement FC-R2 - No Degraded Permissive Operation

A system operating in a degraded mode MUST NOT permit execution of consent-protected requests during that degraded mode. There is no defined degraded operational mode that allows execution. A system that cannot fully enforce consent MUST deny all execution.

Requirement FC-R3 - No Silent Bypass

A system MUST NOT permit execution to proceed without a completed enforcement decision, regardless of whether that bypass is caused by a configuration error, infrastructure failure, component unavailability, or operator action. Silent bypass is a hard non-compliance condition independent of its cause.

Requirement FC-R4 - Default Deny Under Uncertainty

A system MUST default to denying execution under any condition of uncertainty. Uncertainty includes: inability to resolve consent, inability to evaluate policy, inability to verify enforcement artifact integrity, and inability to write an audit record. No uncertainty condition permits execution.

These requirements apply without exception to all system states, including startup, shutdown, maintenance, degraded operation, failover, and recovery. A system that satisfies fail-closed requirements under nominal operation but not under exceptional conditions is non-conformant.

Section 7

#Non-Compliance Severity Levels

Non-compliance conditions are classified into three severity levels. Severity level determines the immediate required outcome and the certification impact. Severity levels are assigned per the conditions specified below and are not subject to operator interpretation or reclassification.

7.1 Level 1 - Critical Non-Compliance

Critical A Level 1 condition is a direct violation of a mandatory enforcement invariant that results in unauthorized execution, undetected bypass, or irrecoverable audit failure. Level 1 conditions require no remediation period. They result in immediate loss of conformance status and immediate initiation of certification revocation proceedings.

Conditions classified as Level 1:

Execution proceeding without a completed consent check (EF-1)
A deny decision not enforced and execution permitted (EF-2)
Execution bypassing the enforcement gateway via an alternate path (BF-1)
Execution via a shadow path not registered with the enforcement plane (BF-2)
Audit log records found to be modified after initial write (AF-3)
Audit store configuration permitting non-append-only writes (AF-2)
Enforcement proceeding on a voided or signature-invalid decision artifact, where execution was permitted (CF-1, CF-2)

Required outcome: Immediate suspension of conformance status. Initiation of certification revocation under the QODIQA Certification Framework. No continued operation as a QODIQA-conformant system. Re-certification required before any compliance claim may be renewed. Each condition listed above SHALL be traceable to its originating invariant and validated through the corresponding Conformance Test Suite mapping.

7.2 Level 2 - Major Non-Compliance

Major A Level 2 condition is a violation of a required invariant that does not result in proven unauthorized execution but renders the system's enforcement decisions unverifiable, unreliable, or structurally unsound. Level 2 conditions result in loss of conformance status and require remediation and re-assessment before conformance status may be restored.

Conditions classified as Level 2:

Policy evaluation returning inconsistent results for structurally identical inputs (DI-1)
State desynchronization between enforcement layer and consent registry (DI-3)
Consent registry unavailable, without confirmed fail-closed response (CP-1)
Policy engine unavailable, without confirmed fail-closed response (CP-2)
Key management failure preventing signing or verification of artifacts (CP-3)
Audit records missing for one or more enforcement operations (AF-1)
Non-verifiable audit records due to absent or invalid signatures (AF-4)
Trust chain broken at one or more links (CF-2)
Side-channel execution path identified and not covered by enforcement evaluation (BF-3)

Required outcome: Immediate suspension of conformance status. System is considered non-conformant until the condition is remediated and independently re-assessed. No conformance claim may be maintained while a Level 2 condition is present. Each condition listed above SHALL be traceable to its originating invariant and validated through the corresponding Conformance Test Suite mapping.

7.3 Level 3 - Minor Non-Compliance

Minor A Level 3 condition is a violation of a structural or procedural requirement that does not directly break enforcement or produce unverifiable decisions, but represents a deviation from normative specification requirements. Level 3 conditions do not by themselves result in loss of conformance status, but MUST be remediated within the timeframe specified in the Certification Framework. A Level 3 condition that is not remediated within the specified period is reclassified as Level 2.

Conditions classified as Level 3:

Enforcement decision artifacts that satisfy functional requirements but do not conform to the normative artifact schema
Audit records that satisfy content requirements but do not conform to the normative record format
Registry interaction that satisfies functional requirements but uses a non-normative protocol binding
Documentation or configuration artifacts that do not satisfy corpus reference requirements

Required outcome: Documented finding against the conformance record. Remediation plan required within the period specified by the Certification Framework. No immediate suspension of conformance status, subject to escalation conditions above. Each condition listed above SHALL be traceable to its originating invariant and validated through the corresponding Conformance Test Suite mapping.

Section 8

#Certification Impact

Failure conditions map to certification outcomes as defined in the QODIQA Certification Framework. The following table specifies the required certification action for each severity level and condition class.

Table 8-A - Failure Severity to Certification Impact Mapping

Severity Level	Condition Class	Certification Action	Re-Certification Required
Level 1 - Critical	EF-1, EF-2, BF-1, BF-2, AF-2, AF-3, CF-1 (with execution), CF-2 (with execution)	Immediate revocation	Yes - full re-certification at applicable level
Level 2 - Major	DI-1, DI-3, CP-1, CP-2, CP-3, AF-1, AF-4, CF-2 (no execution), BF-3	Immediate suspension	Yes - re-assessment against all affected framework points
Level 3 - Minor	Structural and procedural deviations	Documented finding; remediation required within specified period	No - unless reclassified to Level 2 due to non-remediation
Level 2 (escalated from Level 3)	Any Level 3 condition not remediated within specified period	Immediate suspension	Yes - re-assessment against affected framework points

Certification suspension is distinct from certification revocation. Suspension is a temporary state from which reinstatement is possible upon successful re-assessment. Revocation is a permanent invalidation of the certification record. A revoked certification cannot be reinstated; a new certification process must be initiated.

The certification body operating under the QODIQA Certification Framework is the sole authority for determining certification status. Operator self-assessment does not constitute certification status restoration. A system remains non-conformant until the certification body issues a positive conformance determination.

Any misrepresentation of certification status following revocation or suspension, including continued use of conformance claims or QODIQA compliance attestations, constitutes a violation of the Governance Charter and the terms of certification.

Section 9

#Detection and Verifiability Constraints

A failure condition that cannot be detected is not exempt from non-compliance classification. The inability to detect a failure condition is itself a non-compliance condition. The following requirements govern detection and verifiability of all failure states.

Requirement DV-R1 - External Testability

All failure conditions defined in this document MUST be externally testable. The Conformance Test Suite defines the test procedures for each condition. A system that cannot be subjected to these test procedures is non-conformant with respect to verifiability requirements, independent of whether any failure condition is present.

Requirement DV-R2 - Observable Signals

All failure conditions MUST produce observable signals. These signals include: enforcement decision artifacts, audit log records, health status outputs, and error responses. A failure condition that occurs without producing any observable signal constitutes a silent failure and is classified as hard non-compliance (see Section 10).

Requirement DV-R3 - No Hidden Failure States

A system MUST NOT contain operational states in which a failure condition exists but produces no externally observable indication. All system states MUST be enumerable and testable. The existence of internal states not observable through defined interfaces is a boundary failure condition (BF-2).

Requirement DV-R4 - Failure Signal Integrity

Failure signals themselves MUST be integrity-protected. A system that can suppress, forge, or delay failure signals is considered to be in a state of hard non-compliance with respect to the failure condition that the signal would have indicated.

Section 10

#Prohibited System Behaviors

The following behaviors are prohibited in all systems claiming QODIQA conformance. These prohibitions are absolute. No operational justification, performance requirement, or system constraint constitutes a basis for exception.

Prohibited Behavior PB-1 - Silent Failure

A system MUST NOT fail to enforce consent without producing an observable signal indicating that enforcement did not occur. Silent failure includes: timeout expiry with no recorded outcome; component crash with no logged state transition; and audit write failure with no system-level alarm or fallback.

Prohibited Behavior PB-2 - Implicit Allow

A system MUST NOT default to allowing execution in the absence of an explicit, verified allow decision. The absence of a deny decision does not constitute an allow decision. An allow decision MUST be explicitly issued, signed, and recorded before execution is permitted.

Prohibited Behavior PB-3 - Partial Enforcement

A system MUST NOT enforce consent for a subset of requests while permitting uninspected requests to proceed. Partial enforcement is not a degraded mode of operation. It is a non-conformant configuration in which the enforcement boundary is incomplete.

Prohibited Behavior PB-4 - Logging Without Integrity

A system MUST NOT produce audit log records that are not integrity-protected. Unprotected log records satisfy the volume requirement of logging but not the integrity requirement. Production of unprotected records does not constitute audit compliance.

Prohibited Behavior PB-5 - Runtime Overrides

A system MUST NOT implement or expose any mechanism by which an enforcement decision can be overridden, bypassed, or suppressed at runtime by an operator, administrator, or automated process. The enforcement decision issued by the policy engine is final for its evaluated context. Runtime override capability constitutes a structural non-compliance condition independent of whether it is exercised.

Prohibited Behavior PB-6 - Compliance Claims Under Suspension or Revocation

A system MUST NOT assert QODIQA conformance, reference QODIQA certification, or represent itself as meeting QODIQA requirements while its certification is suspended or revoked.

Section 11

#Recovery Constraints

Recovery from a failure condition does not restore conformance status. Recovery and compliance are distinct states. A system that has experienced a failure condition and subsequently returned to operational function has not demonstrated conformance unless it has re-entered a verified compliant state through the processes defined in this section.

Requirement RC-R1 - Recovery is Not Compliance

A system that resolves a failure condition through automated restart, failover, or operator intervention has not restored conformance. Recovery denotes a return to operational function. Compliance denotes a verified state in which all required invariants are satisfied. These are distinct and recovery does not imply compliance.

Requirement RC-R2 - Re-Entry into Verified Compliant State

A system MUST re-enter a verified compliant state following any Level 1 or Level 2 failure condition. Re-entry requires: a complete integrity check of all enforcement subsystems; verification that all failure conditions have been resolved; confirmation that no data from the failure period is being treated as valid enforcement evidence; and, for Level 1 conditions, initiation of the re-certification process with the certification body.

Requirement RC-R3 - No Auto-Recovery Without Re-Validation

A system MUST NOT automatically resume enforcement operations following a Level 1 or Level 2 failure condition without an explicit re-validation step. Auto-recovery mechanisms MUST halt at a deny-all state and require explicit operator confirmation of system integrity before resuming enforcement. An auto-recovery sequence that resumes enforcement without re-validation constitutes an implicit allow condition and is classified as hard non-compliance under PB-2.

Requirement RC-R4 - Failure Period Records

All enforcement operations attempted during a failure period MUST be treated as unenforced, regardless of whether they completed successfully from an application perspective. Audit records produced during a failure period that cannot be independently verified are not valid evidence of enforcement.

Section 12

#Residual Failure Surfaces

The QODIQA Risk and Assumption Disclosure Annex identifies residual risk surfaces that are acknowledged as present within the QODIQA model and that cannot be fully eliminated through system design. This section defines how such residual surfaces interact with the non-compliance and failure classification framework.

The existence of a residual failure surface does not constitute permission for that surface to produce non-fail-closed behavior. The following requirements apply to all residual surfaces identified in the Disclosure Annex.

Requirement RS-R1 - Fail-Closed Behavior Required Despite Residual Surface

A system MUST apply fail-closed behavior on all residual failure surfaces. The acknowledgment of a residual surface in the Disclosure Annex documents its existence; it does not authorize execution in the presence of that surface. If a residual surface manifests as an active failure condition, the system MUST deny execution.

Requirement RS-R2 - Residual Surfaces Must Be Observable

All residual failure surfaces MUST produce observable signals when active. A residual surface that activates without producing an observable signal constitutes a silent failure under PB-1 and is classified as hard non-compliance.

Requirement RS-R3 - Residual Surface Manifestation Triggers Non-Compliance Classification

When a residual failure surface manifests as an active failure condition, the condition is classified under the taxonomy in Section 4 and receives a severity level under Section 7 as if it were any other failure condition. The residual nature of the surface does not modify the severity classification or the required certification impact.

The distinction between a residual surface and an unmitigated vulnerability is determined by the Disclosure Annex. A failure condition not identified in the Disclosure Annex as a residual surface is classified as an unmitigated vulnerability and is treated as a Level 1 non-compliance condition unless assessment indicates otherwise.

Section 13

#Conformance Requirements

A system is conformant with this document if and only if all of the following conditions are simultaneously satisfied. Partial satisfaction of the conditions below does not constitute conformance.

Conformance Condition CC-1 - Absence of Defined Failure Modes

None of the failure modes defined in Section 4 are present in the system. A conformant system has no active enforcement failures, no active decision integrity failures, no active data integrity failures, no active control plane failures, no active audit failures, no active cryptographic failures, and no active boundary failures.

Conformance Condition CC-2 - Fail-Closed Under All Failure Triggers

All deterministic failure conditions listed in Section 5 result in fail-closed behavior. The system MUST deny execution in response to each trigger condition. Verification of this condition is performed through the Conformance Test Suite failure-condition test series.

Conformance Condition CC-3 - Observable and Auditable Failures

All failure conditions that occur produce externally observable signals and are recorded in the audit log in a manner that satisfies the integrity requirements of Section 4.5. No failure condition occurs silently. No failure produces an audit record that cannot be independently verified.

Conformance Condition CC-4 - Absence of Prohibited Behaviors

None of the behaviors enumerated in Section 10 are implemented or achievable in the system. The system contains no silent failure paths, no implicit allow mechanisms, no partial enforcement configurations, no logging without integrity, no runtime override mechanisms, and no capability to misrepresent certification status.

Conformance Condition CC-5 - Recovery Compliance

The system satisfies all recovery constraints in Section 11. No automated recovery mechanism exists that could restore permissive execution without an explicit re-validation step.

Conformance with this document is a necessary component of QODIQA certification at any level defined in the Certification Framework. Conformance with this document alone does not constitute full corpus conformance. Systems asserting QODIQA certification MUST satisfy this document in conjunction with all other normative corpus documents.

Final Conformance Statement

A system is QODIQA-conformant with respect to this document if and only if conditions CC-1 through CC-5 are all satisfied simultaneously, as verified by the QODIQA Conformance Test Suite under the assessment procedures of the QODIQA Certification Framework. The burden of demonstrating conformance rests with the system operator. The absence of demonstrated non-compliance does not constitute demonstrated compliance.

Document Status

#Document Status and Corpus Alignment

This document is a normative component of the QODIQA specification corpus. It defines the invalid states, failure modes, non-compliance conditions, and certification invalidation triggers applicable to all systems implementing the QODIQA deterministic runtime consent enforcement model.

This document does not define conformant behavior. It defines exclusively the conditions under which conformance is absent, invalidated, or suspended. It must be read in conjunction with the normative corpus documents from which its failure conditions are derived.

This document should be read together with the following related specifications:

QODIQA — Core Standard for Deterministic Runtime Consent Enforcement
QODIQA — 68-Point Enforcement Framework for Deterministic Runtime Consent Enforcement
QODIQA — Certification Framework for Deterministic Runtime Consent Enforcement
QODIQA — Conformance Test Suite Specification for Deterministic Runtime Consent Enforcement
QODIQA — Threat Model and Abuse Case Specification
QODIQA — Security and Cryptographic Profile for Runtime Consent Enforcement
QODIQA — Residual Risk and Assumption Disclosure Annex
QODIQA — Reference Architecture for Deterministic Runtime Consent Enforcement

Version 1.0 represents the initial formal release of this document as part of the QODIQA standard corpus.

For strategic inquiries, architectural discussions, or partnership exploration:

Bogdan Duțescu

bddutescu@gmail.com

0040.724.218.572

Document Identifier QODIQA-FCM-2026-001

Title Non-Compliance Conditions and Failure Modes - Deterministic Runtime Consent Enforcement

Subtitle Formal Classification of Invalid System States, Enforcement Failures, and Certification Invalidation Conditions

Publication Date April 2026

Version 1.0

Document Type Failure Classification Specification

Document Status Normative

Governing Authority QODIQA Governance Charter

Integrity Notice Document integrity may be verified using the official SHA-256 checksum distributed with the QODIQA specification corpus.

QODIQA Non-Compliance Conditionsand Failure Modes