Why is the infrastructure designed fail-closed?

A governance platform that allows a responsibility transfer to proceed when evidence cannot be recorded or consent cannot be confirmed is not governing. Fail-closed means the transfer does not proceed until governance conditions are met.

Does each boundary require new infrastructure?

No. The infrastructure extends but does not change. Each new boundary adds a clinical choreography to an infrastructure that is already tested, already holds a safety case, and already carries the evidence record.

← Service design

How we work / The Infrastructure

The infrastructure is not where the platform sits. It is how the governance holds.

Q: What happens to the evidence record if the fabric is temporarily unreachable?

Governance decisions record locally, marked for reconciliation when the fabric recovers. Losing a safety signal because the recording infrastructure is unavailable is a worse outcome than a brief reconciliation delay.

Most clinical technology programmes treat infrastructure as a hosting decision - addressed after the clinical and technical design is complete. Governance designed correctly at the application level can be undermined at the infrastructure level: by availability gaps that break the evidence record, by failure modes that are not fail-closed, by security postures considered too late. Inference Clinical is engineered the other way around. The infrastructure is designed as part of the governance. The deployment topology reflects the constitutional structure of the platform.

Conventional sequence

Infrastructure after design

Application built, then deployment chosen
Governance designed at application level only
Security considered during implementation
Availability gaps handled by configuration
Safety case reconstructed after the fact

Inference Clinical

Infrastructure as governance

Deployment topology designed from governance requirements
Constitutional invariants enforced at infrastructure level
Security engineered from the first design decision
Failure modes structurally prevented, not configured around
Safety case reflects how it was actually built

The infrastructure position is part of what the assessment maps.

No two organisations start from the same place. An NHS trust operating on an established spine has different constraints from a digital GP service running on cloud infrastructure. An insurer's technology environment has different security boundaries from a community provider's. What the lighthouse deployment looks like depends on where the organisation is starting from.

The assessment maps the infrastructure position alongside the clinical choreography. Not as a separate technical workstream - as part of understanding what the boundary actually requires. The consent and alert configuration for a handover determines what the infrastructure must guarantee. The evidence fabric requirements determine what the deployment must never allow to fail. The security boundaries of the organisations involved determine how the deployment is isolated and governed.

By the time the lighthouse specification is complete, the infrastructure requirements are part of it. Not a separate procurement. Not a decision deferred to implementation. A defined, costed component of the governed boundary.

Architectural invariant

The platform does not degrade gracefully. It holds or it stops.

A clinical governance platform that fails open - that allows a responsibility transfer to proceed when the evidence fabric is unavailable, or permits a handover when consent cannot be confirmed - is not a governance platform. It is a governance platform with an exception pathway that bypasses the governance.

When the conditions for a governed handover cannot be met - because a required confirmation is absent, because the evidence record cannot be written, because a protocol condition has not been satisfied - the transfer does not proceed. The sender retains responsibility. The failure is recorded. The clinical team is notified.

This is not a configuration choice. It is an architectural property of the deployment. The constitutional invariants hold at the infrastructure level, not just at the application level.

The evidence record is always running. It is never optional.

Every responsibility transfer, every consent confirmation, every alert acknowledgement, every protocol enforcement decision is recorded in the evidence fabric. Continuously. Not as a log that can be disabled - as the primary record of what the platform did and why.

Records

Responsibility transfers

Every state change, every holder

Records

Consent confirmations

Scope, moment, parties

Records

Alert acknowledgements

Who acted, when, what triggered

Records

Protocol enforcement

Every decision, every violation

Evidence Fabric — continuous, append-only, the last thing that can fail

Clinical safety artefacts are drawn from it. Metrics are measured against it. The safety case is built on it.

The infrastructure is designed so the evidence fabric is the last thing that can fail. Governance decisions record locally if the fabric is temporarily unreachable, marked for reconciliation when it recovers. Losing a safety signal because the recording infrastructure is unavailable is a worse outcome than a brief reconciliation delay.

Engineered in. Not bolted on.

Security and clinical safety are not properties that can be added to an infrastructure after it is built. They are properties of how it is designed, what assumptions are made at each layer, and what the deployment topology enforces structurally.

Structural

Component isolation

Components that must never fail together are separated by design. The deployment topology reflects governance requirements, not hosting convenience.

Structural

Security boundaries

Network boundaries defined by governance requirements. Key material, identity verification, consent confirmation - each sits in a layer designed for its specific security and availability requirement.

Structural

Documented from design

The safety case reflects how the infrastructure was actually built. Repeatable. Tested. Documented from the point of design, not reconstructed after the fact.

The result is an infrastructure that passes clinical safety review not because it has been prepared for review, but because the review describes how it was designed.

Each boundary adds to an infrastructure that is already proven.

The programme does not re-provision infrastructure at each boundary. It composes new clinical choreography within an infrastructure that has already been tested and already carries the evidence record.

Lighthouse

Infrastructure proven

First deployment. Safety case established. Evidence fabric running. Fail-closed behaviour validated.

▶

Extension

Topology extends

New choreography added. Evidence fabric continues. Operational record grows without foundations changing.

▶

Programme

Most robust component

Each boundary has added to the operational record. The infrastructure is proven not by upgrading but by operating.

Over time, the infrastructure becomes the most robust part of the programme - not because it has been upgraded repeatedly, but because each boundary has added to its operational record without requiring its foundations to change.

The infrastructure is designed from the first conversation.

Not as a hosting question. Not as a procurement decision deferred to implementation. As part of understanding what the governance actually requires - what must never fail, what must be isolated, what the evidence record must guarantee.

That is what makes this infrastructure, not deployment.

← The Platform Our delivery model →

Infrastructure of this kind is designed from the first conversation.

We work with NHS organisations, independent providers, and insurers where the infrastructure position is part of the governance question, not separate from it.

Talk to us Start with the assessment →