Data Integrity & 21 CFR Part 11
Document reference: GFTCL-DI-001 · Framework: GAMP 5 · 21 CFR Part 11 · EU Annex 11 · ALCOA+
FortressAI Research Institute · Norwich, Connecticut
Patents: USPTO 19/460,960 · USPTO 19/096,071 — © 2026 Richard Gillespie
How the system meets data-integrity and electronic-records/electronic-signatures
expectations. The substrate's persistence model is data-integrity-by-construction:
append-only, tamper-evident, attributable, and re-verifiable.
---
ALCOA+ mapping
| Principle | How the substrate satisfies it |
|---|---|
| Attributable | Every row carries daemon_session_id and a signature_quintet federation cosignature naming the signing cell. |
| Legible | Rows are structured columns + a canonical witness string; the Schema Catalog documents every field. |
| Contemporaneous | Each row stamps composed_at_iso at the moment of composition. |
| Original | The append-only SQLite store is the system of record; receipts are sealed copies, not substitutes. |
| Accurate | Exact-rational (IntRational) arithmetic; floating-point value amounts refused at the column level. |
| Complete | No row is deleted; the full history persists, including refusals and rolled-back states. |
| Consistent | Deterministic composition + sealed anchors give bit-exact replay across runs. |
| Enduring | Witness hashes + cosignatures let a row be re-verified years later. |
| Available | Read-only access through the CLI and the Python client; receipts retained in-repo. |
Audit trail
Every substrate operation is its own audit-trail record:
- Append-only —
BEFORE UPDATEandBEFORE DELETEtriggersRAISE(ABORT)on
every table; there is no privileged path that edits history.
- Tamper-evident —
canonical_witness→witness_hash_sha256(SHA-256). Any byte
change to a sealed row breaks its hash.
- Broadcast — each row declares
nats_subject_sealedand is broadcast to the
federation mesh, so the audit trail exists beyond the single host.
Electronic records & signatures (Part 11 / Annex 11)
| Part 11 expectation | Mechanism |
|---|---|
| Record protection over retention period | Append-only store + retained sealed receipts |
| Audit trail of operator actions | V204 comms-projection rows record operator↔Franklin interactions |
| Electronic signature binding | signature_quintet (five federation contexts) bound to the record's canonical witness |
| Signature non-repudiation | Quintet verifies against the signing cell's pinned federation context public key |
| Copy generation for inspection | gaiaftcl wiki sign manifests + Python client read-side export |
Re-verification
Any record or qualification receipt is independently re-verifiable: recompute the
SHA-256 of the stored canonical_witness and compare to witness_hash_sha256; verify
the signature_quintet against the federation public key. The
PQ replay command exercises this across an anchor chain.
---
*Cross-references: Security, Backup & Recovery ·
Encryption & Effective Irreversibility.*
*Federation cosignature: pending — gaiaftcl wiki sign --section GAMP5.*
49c3cce4a3f86080c496764fd4a427baa2a29f9fe14403a699b7e5942add81e7.
This page serves with a substrate-honest pending-signature notice until the operator's Franklin signer cosigns it.