Operational Governance Controls
Summary
Change control, release governance, incident response
Applicability
| Certification Level | Status | Description |
|---|---|---|
| L1 Supervised Operational Reliability | Required | Applicable ACRs must be satisfied for L1 certification. |
| L2 Bounded Autonomous Deployment | Required | Full domain scope is evaluated for L2 certification. |
| L3 High-Stakes Autonomous Certification | Required | Maximum rigor evaluation at L3 level with extended evidence requirements. |
Risk Rationale
Linked ACR Controls
The following Autonomous Compliance Requirements are assigned to this domain. Each ACR defines a specific, testable control with its own evaluation method, classification, and evidence requirements.
- All production changes SHALL follow a documented change control process with approval workflow.
- A documented change control process SHALL be enforced for all modifications to the certified system.
- Versioned release logs SHALL document all production changes with description, rationale, risk assessment, and responsible party.
- Production promotion gates SHALL require defined testing, review, and approval before any change reaches production.
- An incident response procedure SHALL be defined and maintained for reliability failures in production.
- The system SHALL maintain a current risk register reviewed and updated at least quarterly.
- Segregation of duties SHALL be implemented between development, testing, and production operations.
- All operational documentation SHALL reflect the current system state and be updated within defined timelines after changes.
- Access control policies for production systems and data SHALL be defined and enforced.
- Periodic governance reviews SHALL assess the adequacy and effectiveness of operational controls.
- Rollback procedures SHALL be documented and tested for all production deployments.
- Pre-deployment testing SHALL include regression testing against existing ACR compliance.
- Emergency change procedures SHALL be defined with post-hoc review requirements.
- The system SHALL maintain a configuration management database tracking all production components and their versions.
- Incident response exercises SHALL be conducted at intervals defined by the certification level.
- Post-incident reviews SHALL be conducted for all significant reliability incidents with documented findings.
- Third-party dependencies SHALL be inventoried, risk-assessed, and monitored for security advisories.
- Business continuity and disaster recovery plans SHALL be documented and tested for the autonomous system.
- Personnel with operational responsibility for the autonomous system SHALL have documented qualifications and training.
- System health metrics SHALL be monitored with defined thresholds for operational alerts.
- Compliance status SHALL be tracked and reported to designated governance stakeholders at defined intervals.
- Governance documentation SHALL be reviewed and approved by designated authorities before publication.
- Where a Deployment Certification claims Certification Inheritance from a Platform-Certified product, the deploying organization SHALL document the configuration match between the deployment and the Platform Cert reference environment. The AVB SHALL verify this match and attest to it in the Deployment Cert evaluation report.
- The deploying organization SHALL notify the platform vendor and ARAF within 14 days of any deployment-side configuration change that affects inherited ACR coverage. Changes that invalidate inherited coverage SHALL trigger a delta evaluation of affected ACRs.
- If the deploying organization materially changes the system's operational context in a manner that would increase the Risk Classification (e.g., expanding from internal to customer-facing deployment, adding life-safety use cases, or entering a regulated domain), the organization SHALL notify ARAF and the evaluating AVB within 14 days. The AVB SHALL conduct a Risk Classification reassessment to determine whether the Assurance Class must be elevated.