21-EFT.WP.Metrology.Sync v1.0 | Chapter 13 — Compliance, Contracts & Audit

Home ／ Docs-Technical WhitePaper ／ 21-EFT.WP.Metrology.Sync v1.0

Chapter 13 — Compliance, Contracts & Audit

One-line objective: Use contracts as gates and audit as provenance to build a verifiable, signed, and replayable compliance loop for synchronization systems—ensuring that ts/tau_mono, servos, and protocols meet SLOs and statutory logging before and after release.

I. Scope & Objects

1. Coverage
   • Endpoints, boundary clocks, masters/slaves, and distributed graph sync in PTP/NTP/SyncE/White Rabbit domains.
   • Contract-style validation and trace logging for ts publication, tau_mono computation, offset/skew/J, and arrival T_arr.
   • R&D / test / production states and rollback paths.
2. Inputs
   • Metric streams: offset(t), skew(t), J(t), asym(t), dual-form T_arr and delta_form.
   • Runtime state: gm_id, domain_id, link_mode, servo_state, holdover_state.
   • Policies & thresholds: tol_sync, skew_max, J_rms_max, tol_asym, tol_Tarr, t_failover_max.
   • Metadata: TraceID, build_id, config_hash, key_id, operator.
3. Outputs
   • Compliance report & assertion outcomes: contract_report.
   • Release manifest & signatures: manifest.sync.*, signature, hash_sha256(blob).
   • Immutable audit trail of events, evidence, and metrics.

II. Terms & Variables

• Time & link: ts, tau_mono, offset, skew, J (jitter), asym (asymmetry).
• Arrival & medium: T_arr, n_eff, c_ref, gamma(ell), delta_form.
• SLO thresholds: tol_sync, skew_max, J_rms_max, tol_asym, tol_Tarr, p99_window.
• Audit & signatures: TraceID, manifest.sync, signature, key_id, audit_event.

III. Axioms P613- **

• P613-1 (Contracts before release): No external ts publication without contract pass; failing systems may not freeze_release.
• P613-2 (Dual-form arrival mandatory): T_arr must be computed in both forms and delta_form recorded, enforcing delta_form ≤ tol_Tarr.
• P613-3 (Dimensional integrity): All expressions in assertions must pass check_dim(expr).
• P613-4 (Traceable evidence): Persist compliance evidence with hash_sha256(blob) and signature; allow re-verification and recomputation.
• P613-5 (Least privilege & isolation): Compliance/audit writes go to independent channels; once frozen, manifests are append-only.
• P613-6 (SLO alignment): Contract thresholds and dashboard SLOs share the same configuration source to avoid dual standards.
• P613-7 (Fail-safe rollback): Every failed contract has a defined rollback action and timing; no “pass by omission”.

IV. Minimal Equations S613- **

• S613-1 (Synchronization error)
  sync_error(t) = | ts_ref(t) - ts_local(t) |
  check_dim( sync_error ) → unit "s"
• S613-2 (Frequency & jitter)
  skew(t) = d ts_local / dt - d ts_ref / dt
  J_rms = sqrt( mean( ( offset(t) - mean(offset) )^2 ) )
• S613-3 (Asymmetry metric)
  asym = | ( delay_master_to_slave - delay_slave_to_master ) |
• S613-4 (Dual-form arrival delta)
  delta_form = | ( 1 / c_ref ) * ( ∫ n_eff d ell ) - ( ∫ ( n_eff / c_ref ) d ell ) |
• S613-5 (Release criterion)
  pass = ( p99(sync_error) ≤ tol_sync ) ∧ ( p99(|skew|) ≤ skew_max ) ∧ ( J_rms ≤ J_rms_max ) ∧ ( asym ≤ tol_asym ) ∧ ( delta_form ≤ tol_Tarr )

V. Flow M60-13 (Compliance → Contracts → Audit → Release)

1. Readiness
   • Aggregate last-p99_window metrics for offset/skew/J/asym and dual-form T_arr; validate units/dimensions.
   • Bind metadata build_id/config_hash/key_id/TraceID and reference identity.
2. Contract evaluation
   Compute S613-5 pass and extended C60-13x; attach root-cause labels and rollback advice for any failures.
3. Audit & signature
   Bundle evidence into a blob; compute hash_sha256(blob); sign with key_id; emit audit_event.
4. Release freeze
   freeze_release_sync(ds, tag) produces manifest.sync, sealing the immutable version and upstream hash chain.
5. Rollback & re-verify
   On failure: execute rollback (de-weight, switch, holdover), record MTTR, and trigger a re-verification window.

VI. Contracts & Assertions (Excerpt C60-13x)

• C60-130 (Dimensional integrity): check_dim(expr) on all expressions; failures block release.
• C60-131 (Sync SLO): p99(sync_error) ≤ tol_sync.
• C60-132 (Skew cap): p99(|skew|) ≤ skew_max.
• C60-133 (Jitter RMS): J_rms ≤ J_rms_max.
• C60-134 (Asymmetry threshold): asym ≤ tol_asym.
• C60-135 (Dual-form arrival): delta_form ≤ tol_Tarr.
• C60-136 (Holdover/failover budgets): t_failover ≤ t_failover_max ∧ time_in_holdover ≤ holdover_budget.
• C60-137 (BMCA trace): Any gm_id change must be accompanied by audit_event consistent with BMCA decisions.
• C60-138 (Evidence completeness): Evidence package contains metrics.csv, events.json, config.yaml, manifest.prev.hash.
• C60-139 (Slew limiting): |d offset/dt| ≤ slew_max; unaudited steps forbidden.
• C60-13A (Config closure): Runtime config hash must equal config_hash, else block release.

VII. Implementation Bindings I60-13*

• calc_sync_metrics(ds, window) -> {sync_error_p50,p95,p99,skew_p99,J_rms,asym}
• evaluate_sync_contracts(metrics, rules) -> contract_report
• bundle_evidence(artifacts) -> blob
• sign_and_attest(blob, key_id) -> {hash_sha256, signature}
• export_sync_manifest(context, metrics, report) -> manifest.sync
• freeze_release_sync(manifest, tag) -> manifest'
• audit_log_sink(event) -> ack
• Invariants: evidence hash equals manifest hash; only pass=true may freeze; audit events are append-only.

VIII. Cross-References

• Delay & asymmetry modeling: Chapter 7.
• Servo modeling & filtering: Chapter 6.
• Holdover & failover mechanisms: Chapter 10.
• Arrival & path consistency: EFT.WP.Metrology.TimeBase v1.0 Chapter 9.
• Compliance manifests & releases: Methods.Cleaning v1.0 Chapter 10.
• Statistical contracts & error control: Methods.CrossStats v1.0 Chapter 14.

IX. Quality Metrics & Risk Control

1. Key indicators: sync_error_p99, skew_p99, J_rms, asym_p95, delta_form_breach_rate, t_failover, time_in_holdover, audit_gap_rate, mttr.
2. Risk strategies:
   • Tiered mitigation “de-weight → switch → holdover → isolate”.
   • Escalate path re-measurement and medium calibration when delta_form trends upward.
   • Block releases on audit gaps and enforce re-verification.
   • Periodically sample-verify manifest.sync and certificate validity.

Summary