HMIC PRODUCT · EVIDENCE LAYER

Tamper-evident evidence for consequential operations.

Evidence Layer records what was requested, what was checked, what was approved or denied, and what proof existed at the time -- without requiring sensitive operational data to leave controlled infrastructure.

Hash-based integrity · Timestamped records · Witness packets · Public proof / private data · Audit-ready review
ACTION REQUEST -> DECISION RECORD -> HASH / TIMESTAMP / WITNESS -> AUDIT PACKET
02

Audit trails often show edits. They do not always prove the decision context.

In regulated and high-consequence operations, the question is not only whether a record changed. The harder question is what the operator requested, what state the system was in, what checks passed or failed, and whether the evidence existed before later dispute.

Problem 01
Records can be edited later
Hashes make alteration detectable after the fact, even when the record itself is overwritten.
Problem 02
Timestamps can be disputed
External anchors establish ordering evidence that does not depend on the operator's own clock.
Problem 03
Sensitive data cannot leave
Share proofs of integrity without exposing the full operational content of the record.
Problem 04
Audit packets are manual
Generate structured review evidence automatically at the moment of the decision, not reconstructed afterward.
Problem 05
Operator intent is missing
Record the request, the surrounding context, and the decision path -- not just the final outcome.
03

Every decision leaves a verifiable trace.

Evidence Layer turns a consequential action into a structured evidence packet that can be reviewed by operators, auditors, investigators, or counterparties.

| Field | Purpose |
|---|---|
| Request hash | Identifies the action without exposing the full content. |
| Operator metadata | Shows who or what participated in the decision. |
| Gate outcomes | Shows why the action was approved, denied, routed, downgraded, or held. |
| State freshness | Shows whether the system was current enough to trust at the moment of decision. |
| Timestamp | Places the event in operational time. |
| Witness record | Records independent confirmation or co-signing by a second party or node. |
| External anchor | Makes later alteration of the packet detectable by an independent reviewer. |
| Review note | Gives auditors a human-readable explanation of the decision path. |
04

Validity can be public. Data can stay private.

Evidence Layer separates the proof of integrity from the sensitive content itself. Full operational records remain inside controlled infrastructure. Hashes, timestamps, anchors, and permissioned packets can prove integrity without publishing regulated data.

| Layer | Externally visible? | Purpose |
|---|---|---|
| Full operational record | No | Remains in the controlled environment. |
| Hash / digest | Selective | Proves content integrity without revealing content. |
| Timestamp / anchor | Yes | Supports ordering and existence evidence. |
| Witness metadata | Permissioned | Shows who or what participated, under access control. |
| Audit packet | Permissioned | Supports inspection, dispute, or investigation by named reviewers. |
05

External anchoring makes later alteration detectable.

Evidence Layer can anchor cryptographic evidence to an available public network. The network does not need to contain the regulated data. It only needs enough proof material to make later changes detectable and to support an independent existence window.

Technical callout

The evidence model can support bounded timestamping: an internal record references a public chain tip, then anchors a digest in a later block. This creates evidence that the record existed after one public state and before a later public confirmation.

Anchoring is one mechanism inside a broader evidence chain. The full anchor lineage, public-network receipt detail, and reduction-to-practice records live on the Proof page, not here. Evidence Layer is the product surface; the proof receipts are the credibility surface.
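The bounded timestamping described in the technical callout, as an added example that is not HMIC's code: a packet references a public chain tip, its digest is anchored in a later block, and verification returns the existence window or fails if the packet was altered. The `CHAIN` dictionary is a constructed stand-in for a public network, and every field name and sample value here is an assumption.

```python
import hashlib
import json

def digest(obj) -> str:
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def build_packet(request, operator, gate_outcomes, tip_height, tip_hash):
    """Packet carries a hash of the request plus the chain tip seen at decision time."""
    return {
        "request_hash": digest(request),
        "operator": operator,
        "gate_outcomes": gate_outcomes,
        "chain_tip": {"height": tip_height, "hash": tip_hash},
    }

def existence_window(packet, anchor_height, chain):
    """Return (not_before, not_after) block times, or raise ValueError."""
    tip = packet["chain_tip"]
    lower = chain.get(tip["height"])
    upper = chain.get(anchor_height)
    if lower is None or lower["hash"] != tip["hash"]:
        raise ValueError("referenced chain tip is not on the public chain")
    if anchor_height <= tip["height"]:
        raise ValueError("anchor block must come after the referenced tip")
    if upper is None or digest(packet) not in upper["anchored"]:
        raise ValueError("packet digest not found in anchor block")
    return lower["time"], upper["time"]

# Constructed stand-in for a public chain: height -> block fields.
CHAIN = {
    100: {"hash": digest("constructed block 100"), "time": 1700000000, "anchored": set()},
    103: {"hash": digest("constructed block 103"), "time": 1700001800, "anchored": set()},
}

# Constructed private request; it never leaves the controlled environment.
REQUEST = {"action": "batch_release", "batch": "SAMPLE-001"}
PACKET = build_packet(REQUEST, "operator-a", {"freshness": "pass", "dual_approval": "pass"},
                      100, CHAIN[100]["hash"])
CHAIN[103]["anchored"].add(digest(PACKET))  # only the digest is published

def tamper_detected(packet, field, value):
    """True if changing one field after anchoring breaks verification."""
    try:
        existence_window(dict(packet, **{field: value}), 103, CHAIN)
    except ValueError:
        return True
    return False
```

The lower bound holds because the packet embeds a block hash that could not be known before that block existed; the upper bound holds because the anchored digest commits to the whole packet, including that reference.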

06

Designed for audit, inspection, and dispute review.

| Requirement family | Evidence Layer support |
|---|---|
| ALCOA+ | Supports attributable, legible, contemporaneous, original, and accurate evidence design, with complete, consistent, enduring, and available record properties. |
| 21 CFR Part 11 | Supports electronic record and electronic signature review, audit controls, and integrity evidence for systems operating under Part 11 scope. |
| GxP investigations | Shows request, state, decision path, and outcome -- the four elements an investigation needs to reconstruct what happened. |
| Chain of custody | Supports witnessed handoff and custody movement records for samples, materials, data, and regulated artifacts. |
| Cyber / incident response | Separates attempted action, approved action, blocked action, and later investigation into distinct evidence layers. |

ALCOA+ in full

ALCOA+ is a data-integrity framework codified in FDA, MHRA, and WHO guidance for regulated electronic records. The nine elements:

A -- Original ALCOA
Attributable
Each record points back to the person, device, or system that produced it.
L -- Original ALCOA
Legible
The record is readable and interpretable by a reviewer, now and over time.
C -- Original ALCOA
Contemporaneous
The record is created at the moment of the activity, not reconstructed afterward.
O -- Original ALCOA
Original
The first capture of the data is preserved, not a downstream copy or transcription.
A -- Original ALCOA
Accurate
The record reflects what actually happened, free of unintentional or unattributed change.
Plus
Complete
All data, including repeats, retries, and metadata, is retained -- not just the final value.
Plus
Consistent
Sequencing and chronology are preserved across the full lifecycle of the record.
Plus
Enduring
The record persists for its required retention period without degradation.
Plus
Available
The record is retrievable for review, inspection, or dispute through its retention period.
Evidence Layer is a tool. It supports ALCOA+ data-integrity design and supports 21 CFR Part 11 electronic record and signature controls. Achieving compliance is the responsibility of the operating organization using validated systems and qualified procedures -- a tool supports compliance; it does not by itself constitute compliance.
07

One event, multiple review surfaces.

View 01
Operator receipt
For: person executing the workflow
Plain-English outcome and next step. Strips the technical evidence and shows the operator what happened in workflow terms.
View 02
Supervisor review
For: manager or approver
Gate outcomes, route reason, witness state. Surfaces the why behind the decision without surfacing low-level cryptographic detail.
View 03
Auditor packet
For: QA, compliance, external reviewer
Timestamp, hash, decision record, evidence summary. The structured package an inspector reads cold.
View 04
Technical proof
For: security and engineering
Digest, anchor, signature, verification data. The low-level material needed to verify integrity outside the operating environment.
08

Pair with MMS for prevention plus proof.

MMS controls whether a consequential action can execute. Evidence Layer proves what happened around that decision.

| MMS | Evidence Layer |
|---|---|
| Pre-execution control | Post-decision proof |
| Prevents unsafe action | Proves decision context |
| Gates, thresholds, denials | Hashes, timestamps, receipts |
| Operational authorization | Audit and compliance evidence |

09

Make your audit trail harder to dispute.

Start with one decision class: release, override, model promotion, custody transfer, or privileged approval. Evidence Layer instruments the decision and produces a structured packet that survives later review.