A frac stage overpressure event.
Court-defensible by construction.
Write a frac stage event to Chronicle. Get a signed receipt. Replay it a year later — identical output, identical signature. Tamper with one byte of the underlying chain — replay fails immediately. This is what "the answer is on the record, not in someone's memory" actually looks like.
No cd commands.
No clone. Just click.
An API 16FI overpressure event on Stage 12.
Wireline truck on the pad. Stage 12 is being fracked. At 14:32:07 UTC, surface treating pressure spikes to 12,400 psi on Pump-3 — above the iron rating. The VAM logs the event, the Reflex layer initiates a soft shutdown, the substrate writes the chain record. One year later, the operator's insurance carrier wants the record. The chain has the answer.
Four steps. No fake numbers.
Write the event to the chain
VAM detects pressure exceedance on Pump-3 at 14:32:07.412 UTC. The full event — pressure trace, all four pump signatures at the same moment, the Reflex shutdown command, the operator-on-shift identity — gets composed into one signed record.
chronicle.audit.write_event({
"event_id": "FRAC-2026-145-S12-OVP-001",
"pad": "Permian-NorthDelta-09",
"well": "ND09-2H",
"stage": 12,
"timestamp": "2026-05-26T14:32:07.412Z",
"pump_id": "P03",
"channel": "surface_treating_pressure_psi",
"value": 12400.7,
"iron_rating_psi": 11000,
"reflex_action": "soft_shutdown_pump_03",
"operator": "user:jraney@valiance.example",
"vam_serial": "VAM-OFC-A7F3-2891",
"fleet_peers": ["P01:8920", "P02:8915", "P04:8941"]
})
# Returns:
{
"chain_position": 41722,
"signed_hash": "b3a91f7c8e2d4..."
"prev_hash": "9c0a72f15a83e..."
"library_root": "fa7c3e8d1b9f0..."
}
Signed at write time. The record is now part of the chain. Cannot be removed without invalidating every subsequent record.
Replay one year later — record verifies
2027-05-26. Insurance investigator requests the Stage 12 overpressure event chain for a deductible-recovery filing. Operator runs chronicle.audit.replay("FRAC-2026-145-S12-OVP-001").
chronicle.audit.replay("FRAC-2026-145-S12-OVP-001")
# Returns the original record AND verifies:
# ✓ chain_position 41722 still exists
# ✓ signed_hash recomputes identically
# ✓ prev_hash matches the previous record's signed_hash
# ✓ library_root matches the chain's substrate fingerprint
# ✓ event payload unchanged byte-for-byte
# Verification status: PASSED
# Records traversed: 47,891 (a full year of chain growth)
# Verification time: 38 ms on commodity CPU
Same record. Same signature. Same answer. The investigator gets the original event AND a cryptographic proof the chain hasn't been altered since the event was written.
Tamper with one byte — chain detects
Adversary modifies one byte of one record somewhere in the chain — flips the pressure value from 12400.7 to 12000.7, hoping to make the exceedance look like a routine high reading.
# Adversary edits raw store file directly:
# - "value": 12400.7,
# + "value": 12000.7,
chronicle.audit.replay("FRAC-2026-145-S12-OVP-001")
# ✗ signed_hash recompute MISMATCH
# Expected: b3a91f7c8e2d4f1a... (original write-time signature)
# Computed: 7e2af1d8b9c30a64... (re-hash of tampered payload)
# Verification status: FAILED
# Tamper detected at chain_position 41722
# Tamper detected within: 4 ms of replay invocation
Tamper detected immediately. Replay does not return the tampered value — it returns a tamper-detection failure. The chain has done its job.
Verifiable forget on demand
A year later still, a regulator requests deletion of a specific record (PII, customer request, retention policy). Chronicle removes the record AND signs the deletion itself.
chronicle.audit.forget("FRAC-2026-145-S12-OVP-001",
reason="customer_retention_request_2027-08-14")
# Returns a signed deletion record:
{
"forgotten_id": "FRAC-2026-145-S12-OVP-001",
"forgotten_at": "2027-08-14T09:11:32Z",
"deletion_signed": "f4e2b1c9a8d7...",
"reason": "customer_retention_request_2027-08-14",
"prev_hash": "...",
}
# The record is gone.
# The deletion is provable.
# The chain remains intact AROUND the deletion.
You can prove what was removed AND when AND why. No cloud-trained ML model can do this — once a training example is baked into model weights, it cannot be selectively removed without retraining the entire model.
sealed binary · all signing operations are SHA-256 chain-hashing in pure CPU.The chain either passes or it tells you something is wrong.
✓ HONEST RECORD
Original record returned. Chain integrity confirmed. Court-grade evidence.
✗ TAMPERED RECORD
Tamper detected at the offending position. Original is unrecoverable but the chain proves something changed.
Why this matters in oilfield
API Standard 16FI (released January 2026) requires frac iron overpressure events to be logged with attributable, tamper-evident records. The traditional answer is a PDF report exported from the SCADA historian — signed by an operator's name, trusted by everyone, verifiable by no one.
Chronicle's signed-record chain is the same evidence, made cryptographically verifiable. The lawyer asks where the data came from — the answer is a signed chain that recomputes identically on any commodity CPU, anywhere, anytime.
One sealed binary. One signed chain. Every event accountable by protocol — not by the vendor's word.
- API Standard 16FI (January 2026) — frac iron overpressure event response standard; mandates auditable event records. api.org
- EPA NSPS OOOOa / OOOOb — methane emissions monitoring with auditable records of detected emission events.
- BSEE 30 CFR 250 — offshore well control event documentation requirements.
- BOEM NTL 2023-G06 — well integrity event reporting.
- State commission rules — Railroad Commission of Texas, COGCC Colorado, NMOCD New Mexico — each with growing audit-trail requirements for frac operations.
A signed Chronicle chain answers every one of these requirements with the same primitive: a tamper-evident record that anyone can verify on any commodity CPU.
Five roles, five wins.
HSE / regulatory
Every event signed at the moment it happened. Discovery-ready. Tamper-evident by construction.
Operations supervisor
When an event matters in court, the chain has the original. Not a screenshot, not a PDF — a verifiable record.
Insurance carrier
Continuous third-party-verifiable event log. Premium math gets sharper because the evidence gets harder.
Joint-venture partner
The other operator's word is no longer the proof. The signed chain is.
Privacy / retention
Forget on demand, verifiably. The deletion itself is signed. You can prove what was removed.
In outcomes.
Court-defensible by default
The chain is intact when the call comes. No retrofit needed.
Tamper detection in ms
One altered byte and the chain refuses to verify. Detection happens at replay time, not after the audit.
Verifiable forget
Regulatory delete requests get a signed deletion record back. Provable removal of provable data.