Manufacturing

In a manufacturing audit, you must prove not just what your quality records show, but when they were true.

A CAPA raised before a non-conformance and one raised after it are forensically identical. immut proves the difference.

The problem

Compliant records and backdated ones are forensically identical.

ISO 9001:2015 Clause 7.5.3 requires documented information to be protected from unintended alteration, but altering a file leaves no detectable trace unless an independent timestamp of the original already exists. When a product recall, HSE inspection, or product liability claim demands to know when your risk assessment was last reviewed, when that CAPA was closed, or whether your supplier qualification was current at the time of manufacture, file metadata is the only answer, and it is editable by any system administrator in seconds.

13,200+
HSE workplace inspections in 2024/25, up 47% on the previous year, with manufacturing among the most inspected sectors
Source: HSE Annual Report and Accounts 2024–2025.
Real consequences

Companies have already paid the price.

US DOJ
Boeing
$487M2024
HSE
Tata Chemicals Europe
£1.125M + costs2024
German public prosecutors
Volkswagen AG
€1B2019
Use cases

Where immut earns its keep in manufacturing.

Every one of these activities already happens in your quality, safety, and production teams. immut adds a layer of independently verifiable proof to each one.

Use casePotential impact
Current process

Producing and maintaining COSHH and PUWER risk assessments for every hazardous substance and piece of work equipment across the site.

How immut helps

Timestamp each risk assessment at the point of sign-off. When an incident occurs and the investigation asks whether the risk assessment was adequate and in force at the time, the blockchain record shows its exact date of existence, independently of the file's own metadata, which any administrator can alter.

Bottom line

Tata Chemicals Europe was fined £1.125M (HSE, June 2024) after an investigation found that no permit was in place for hazardous work and risks had not been properly assessed. The company had previous prosecutions for the same site. The question in every HSE prosecution is not whether you have risk assessments today, but whether they existed and were adequate at the time.

Source: HSE press release, 5 June 2024.
How it works

Three steps. Seconds per file.

01

Hash the file.

immut generates a SHA-256 hash of your file on our servers. For sensitive workloads, dedicated servers are available so files stay inside infrastructure you control.

e.g. a risk assessment, CAPA record, or batch release certificate
02

Record on the public ledger.

The hash is committed to the XRP Ledger, a public blockchain, with a precise timestamp.

e.g. XRP Ledger, precise timestamp
03

Timestamped certificate.

immut returns a certificate of the record and its timestamp. Blockchain-anchored evidence of this kind has been accepted in courts across 88 countries and 171 jurisdictions.

e.g. anchored to the XRP Ledger, a public blockchain
Works with your whole stack

immut sits under the records your quality and safety teams already produce, in any tool. Files stay where they live; immut writes the proof that anyone can verify.

Source systems
TeamsSlackSharePointDriveGmailNotionGitHubFigmaSalesforceDropboxVanta
The proof layer
immutHash · Anchor · Verify
Verifiers
CustomerCourt / JudgeRegulatorAuditorInvestorInsurer
The four properties

Proof that satisfies the four properties regulators and courts require.

01
Contemporaneous

Timestamped at the moment of creation.

02
Tamper-evident

Any change after creation is detectable by mathematics.

03
Independently verifiable

A regulator, auditor, or court can verify without trusting you or your vendor.

04
Court-ready

Blockchain-anchored timestamps of this kind have been accepted as legal evidence in 88 countries across 171 jurisdictions.

Secondary benefit · IP

Prove it without publishing it.

Because only the hash is ever made public, tooling designs, process parameters, and manufacturing know-how can be proven to exist on a given date without disclosing the underlying file. Public proof. Private work.

How immut protects manufacturing IP
FAQ

Common questions about immut in manufacturing.

Your file is hashed with SHA-256 on immut's servers. Only the hash is committed to the XRP Ledger, a fixed-length string that cannot be reversed to recover the original file. No file content, no process specifications, and no commercially sensitive information is ever stored externally. For sensitive workloads such as proprietary formulations or tooling designs, immut offers dedicated servers so files stay inside infrastructure you control.

ISO 9001:2015 Clause 7.5.3 requires documented information to be protected from unintended alteration. Blockchain-anchored timestamps provide independent, third-party-verifiable evidence that a document existed in a specific form at a specific point in time. Auditors applying the four-criteria test (contemporaneous, tamper-evident, independently verifiable, and court-ready) find that blockchain-anchored evidence meets all four in a way that file metadata controlled by the organisation does not.

immut is an independent layer alongside your QMS, LIMS, and production systems, not a replacement for them. Your QMS audit trail is controlled by your own infrastructure. A determined auditor, insurer, or opposing expert can question whether it was altered. immut's timestamp lives on a public blockchain that neither you, your vendor, nor immut itself can change. It adds the independent verification that internal audit trails structurally cannot provide.

Because the proof lives on the XRP Ledger, a public blockchain no single party controls, every certificate already issued remains independently verifiable by any court, regulator, auditor, or insurer. This continues indefinitely, without immut's continued existence.

Start

Start proving your records today.

Only the hash is ever made public.