OSF Pre-Registration · International Audit Trial · Q2 2026

Independent External Evaluation of Post-Export
Clinical Research Package Integrity

An independent, external evaluation of Proof-of-Unchanged under real institutional governance. Each participating institution receives one non-extendable 10-week evaluation window, with the activation date chosen by the institution between 01 Apr 2026 and 30 Jun 2026. Non-clinical, non-interventional. No transfer of participant data outside institutional controls. No regulatory approval, clearance, or endorsement is claimed or implied.

Disclosure policy: Aggregate-only; no institutional attribution or endorsement.

Mode: Zero-Custody · Human-Verified · Machine-Deterministic. Anchoring System: AuditLog.AI. Auditing System: QMS Auditor (v5).

Canonical references

• OSF Pre-Registration — Independent External Evaluation of Post-Export Clinical Research Package Integrity
• C17 — Proof-of-Unchanged Global Application Matrix (Ordinal 16)
• Ordinal 15 — Proof-of-Unchanged Zero-Custody Audit Reproducibility Trial
• C12 — AuditLog.AI Global Compliance Matrix

1. The problem

Validated trial and registry systems generate high-fidelity records during data capture. After export, however, integrity is generally assumed rather than verified. There is currently no established, system-independent method to determine whether an exported clinical research package remains unchanged between export and later use — pre-analysis curation, statistical analysis, manuscript preparation, archive, or submission.

2. Purpose of the audit trial (research questions)

Regulatory inspections routinely rely on evidence that has been exported from validated systems and subsequently retained, transformed, or re-used. The critical inspection question is:

Can exported clinical research evidence be reproducibly verified as unchanged, or shown to have changed, without custody transfer of sensitive data?

Operational examples of validated systems warranting post-export integrity assurance:

• CROs: eTMF extracts, EDC exports, or database-lock snapshots.
• Research institutions: validated registry exports, or clinical trial data at point of hand-off across institutions for multi-site studies.

The practical question is whether exported evidence from these systems can be deterministically verified as unchanged at a later inspection timepoint — often months or years after export, when original personnel, systems, or logs may no longer be available and reconstructive investigation is costly or infeasible.

This audit trial evaluates whether Proof-of-Unchanged, a custody-boundary verification methodology, can function as a system-independent, institution-agnostic verification primitive applicable to audit contexts under independent, external governance conditions.

3. Trial design overview

3.1 Design type

• Independent, external institution-executed methodology evaluation (audit evidence verification).
• Non-clinical and non-interventional. No change to patient care, no change to trial conduct, no transfer of participant data outside institutional controls.
• No clinical diagnosis or therapy support. Software does not inform medical decisions.
• No PHI / PII ingestion. Proof-only, hash-based zero-custody data flow.
• No randomization, no clinical treatment arms.
• Unit of participation: institutions (CROs / eligible research institutions). Unit of analysis: verification sessions.

3.2 Verification methodology

The method performs a paired comparison of two frozen, time-anchored evidence states (typically 1–10,000 files per state) and verifies:

• Evidence integrity: whether individual file bytes are unchanged.
• Membership integrity: whether the grouping of files within a package is unchanged.

Outputs are machine-deterministic audit artefacts (HVT-A) for human verification, showing either:

• MATCH: proof-of-unchanged.
• DIVERGENCE: altered / missing / extra items enumerated for review.

These can be re-executed at any time with reproducible results.

3.3 Scope boundary

The trial assesses post-export evidence verification only. PASS reduces reconstructive effort; divergence bounds proportional human review toward the minimal delta set. The methodology establishes integrity facts only — it does not evaluate clinical meaning, statistical validity, compliance, intent, or root cause. No claim of regulatory classification, clearance, endorsement, or procurement suitability is made or implied.

3.4 Eligibility

• Contract Research Organizations (CROs), and
• Accredited academic or research institutions.

Participants must have custodial responsibility for clinical, regulated, inspectable, or compliance-relevant evidence.

3.5 What independent institutions retain control over

• data custody;
• governance and execution environment;
• choice of controls / challenges;
• interpretation of results;
• any decision to expand testing.

Institutions may run unlimited internal tests and controls during the evaluation window.

3.6 Minimum external evaluation requirement (Track A, primary)

1. Select one post-export research package.
2. Locally freeze three evidence states using the Anchoring System (AuditLog.AI):
   • (a) Reference state — immediately post-export.
   • (b) Positive control — re-execution of locally frozen reference state (unchanged copy).
   • (c) Integrity challenge — controlled modification.

   The Anchoring System freezes each state locally with complete provenance logs, and records a compact hash-only public timestamp commitment.

3. Use the Verification System (QMS Auditor v5) to perform paired comparisons of evidence states:
   • (a) Reference vs Positive control — expected MATCH.
   • (b) Reference vs Integrity challenge — expected MISMATCH with divergence enumerated.
   • (c) Positive control vs Integrity challenge — expected MISMATCH with divergence enumerated.

3.7 Optional additional disclosure

• Human Verification Time (HVT-A): the Verification System can register and timestamp START / END of human verification, from which summary statistics may be derived (seconds / file).
• Qualitative notes on divergence sources and classes.

3.8 Optional extension (Track B)

Participation in Track B is optional and remains under institutional governance. Unlimited additional tests and controls may be introduced, with analyses extended to qualitative comparison against current standard operating protocols (time, effort, review scope, accuracy).

By default, no Track B data will be requested, collected, pooled, or published. If an institution voluntarily elects to disclose Track B observations for aggregate reporting, prior written approval is required and all disclosures must remain institution-agnostic and system-agnostic.

4. System characteristics and definitions

Zero custody

Software execution is performed locally. No raw data, filenames, directory paths, or study metadata leave the local environment. Only the following proof-only artefacts are transmitted or retained by AuditLog.AI:

• cryptographic digest (SHA-256 / RIPEMD-160) of an evidence state's provenance log, which is then anchored to Bitcoin mainnet via OP_RETURN;
• public anchoring receipts (Bitcoin TXID, block height);
• UTC timestamps associated with the anchoring event; and
• pseudonymous session identifiers (non-reversible meta-IDs) used solely to correlate verification events.

Session-level cryptographic commitments are blockchain anchored solely to establish existence at time. OpenTimestamps proofs are optionally implemented at the evidence level.

No personal identifiers, study identifiers, file names, directory structures, content metadata, or contextual attributes are transmitted, retained, or processed.

Hash-only, offline, independent verifiability

Verification relies exclusively on dual-hash cryptographic digests of evidence files (SHA-256 and RIPEMD-160(SHA-256)) — not the raw data itself. Verification can be repeated locally from retained exports, or hash-only export packets can be generated locally by the Verification System for independent off-site verification without disclosure of sensitive data. Verification does not require ongoing system participation. The Verification System automates verification at scale; however, independent auditors may recompute hashes using open-source tools without vendor access.

Human governance

All critical system actions — particularly the anchoring of data to a public ledger — require explicit operator confirmation under controlled institutional authentication. Human primacy is enforced through a layered authorization model:

• (i) institutional authenticated account (enterprise identity; unique login and password); and
• (ii) unique user account (username + password and optional 2FA), where approval is bound to the specific record via record-linking fields including the reviewer's unique user meta-ID, UTC timestamp, meaning of signature, and the SHA-256 digest of the approved material.

Fail-closed architecture

Runtime execution is governed by Compliance Management Enforcement (CME) rules, including a 300-second execution threshold. If process integrity constraints are violated, the system rejects the session rather than producing an unreliable result.

For detailed regulatory mapping, see C12 — AuditLog.AI Global Compliance Matrix.

5. What is provided to independent institutions

Registered institutions receive unrestricted access to the anchoring and verification software for methodology evaluation, including initial setup and ongoing support during trial conduct. Software access and induction are provided by Cardiovascular Diagnostic Audit & AI Pty Ltd (Melbourne, Australia).

6. Local operational requirements

1. Software download and registration. The Anchoring System has been designed in alignment with global regulatory standards (FDA / EMA / TGA; C12 — AuditLog.AI Global Compliance Matrix). Institutional authentication registration is required for provenance logs (provenance logs remain local; not exported).
2. Operating computer (local). The methodology runs on standard modern workstations. For larger datasets (5,000+ files per state), increased specifications / RAM improves hashing throughput. The Anchoring System copies and freezes evidence states locally for long-term reproducibility (local data storage; frozen protections against accidental modification only).
3. Internet connection. Required for blockchain timestamping.
4. Processing time. Anchoring an evidence state takes approximately 15 minutes. Verification is typically near-instantaneous. Both depend on data size and workstation specifications.

7. Current status

A single-site study comprising five audit stages with increasing difficulty has been completed. In the current blinded, multi-operator proof-of-concept, 230,253 evidence files and 21,966 evidence-set fingerprints were deterministically verified, with 100% sensitivity, no false positives, and a mean verification time of 0.076 seconds per file.

The manuscript titled "Verification of post-export clinical trial evidence using a custody-boundary, system-independent model: a blinded, multi-operator, single-site proof-of-concept study" is under governance review prior to peer-review submission. Independent external replication is now the next priority.

8. Regulatory and assurance framework references

This methodology is positioned under electronic records and audit documentation frameworks. Detailed clause-level mapping is provided in C12 — AuditLog.AI Global Compliance Matrix. Referenced frameworks include:

• FDA 21 CFR Part 11 — electronic records and electronic signatures;
• EMA Annex 11 + GCP Guideline Integration (2023) — computerized systems and data integrity;
• TGA / PIC/S PE 009-17 — harmonized GMP computerized systems;
• PCAOB AS 1105 / AS 1215 (including AS 1105.10A — external electronic information reliability evaluation, effective for fiscal years beginning on or after December 15, 2025);
• ISA 230 / ISA 500 / ISA 240 (Revised 2025) — international audit documentation and evidence standards.

These references reflect methodological alignment and evidence mapping, not regulatory acceptance or certification. No regulatory authority has reviewed, classified, or endorsed this methodology.

This methodology is not clinical decision support, is not a medical device, and does not provide patient-level treatment recommendations.

Contact

Dr. Fernando Telles, BMedSc (Adv), MD(Dist) — Fernando.Telles@AuditLog.AI

Methodology Lead for AuditLog.AI Research Initiative · Director, Cardiovascular Diagnostic Audit & AI Pty Ltd · Melbourne, Australia.