Why Chain of Custody Matters for Bearing Failure Data
When a critical bearing fails on a marine propulsion shaft, a railway axle, or a high-value industrial drive, the technical cause of failure is only half the story. The other half—often the more expensive half—is proving what happened, when it happened, and that nobody tampered with the evidence after the fact. This is where chain of custody for bearing failure data becomes essential. Without a verifiable, unbroken chain of custody, even the most compelling vibration data can be dismissed in a warranty dispute, insurance claim, or contractual disagreement.
For reliability engineers and maintenance directors managing assets where a single bearing failure can trigger six- or seven-figure disputes, understanding how to establish and maintain chain of custody for failure data is no longer optional—it is a core operational requirement.
What Is Chain of Custody in the Context of Bearing Failure?
Chain of custody is a legal and procedural concept borrowed from forensic science. It refers to the documented, chronological history of evidence—who collected it, when it was collected, how it was stored, and whether it remained unaltered throughout its lifecycle. In criminal investigations, a broken chain of custody can render physical evidence inadmissible. The same principle applies to industrial bearing failure investigations, though the stakes are financial rather than criminal.
In bearing condition monitoring, the “evidence” consists of vibration waveforms, temperature logs, acoustic emission data, and operational parameters captured by sensors mounted on or near the bearing housing. For this data to carry weight in a post-failure dispute, every link in its journey—from sensor to storage—must be documented and verifiable. A gap in that chain, or any possibility that the data was modified after collection, undermines its credibility entirely.
This concept is closely related to forensic bearing failure evidence capture, but chain of custody specifically addresses the integrity of the data after it has been recorded.
The Problem with Standard Monitoring Data
Most predictive maintenance systems are designed to detect developing faults and trigger maintenance actions before catastrophic failure occurs. They do this job well. However, these systems were never designed to produce evidence that would survive scrutiny in a dispute.
The typical predictive maintenance data pipeline introduces multiple chain-of-custody vulnerabilities. Data is often collected at relatively low sampling rates—perhaps a few hundred hertz for trend monitoring—then transmitted to a cloud platform where it is aggregated, filtered, and sometimes decimated to reduce storage costs. Timestamps may be applied by the receiving server rather than the sensor itself, creating uncertainty about when measurements were actually taken. Data may pass through multiple software layers, any of which could introduce modifications. And crucially, there is usually no cryptographic mechanism to verify that the data stored today is identical to the data originally captured.
As explored in our analysis of why predictive maintenance data fails as bearing failure evidence, these systems produce data that is useful for maintenance scheduling but fundamentally unsuitable for forensic purposes.
Common Gaps in the Data Chain
Several specific failure points commonly undermine the chain of custody in bearing monitoring data. First, timestamp integrity is frequently compromised. When a sensor transmits data to a gateway or cloud server, the timestamp is often assigned at the point of receipt rather than at the point of measurement. Network latency, buffering, and clock synchronization errors can introduce seconds or even minutes of uncertainty. In a failure investigation, the precise timing of events—the sequence in which fault indicators appeared—can determine whether a bearing failed due to a manufacturing defect, an installation error, or an operational overload.
Second, data completeness is rarely guaranteed. Most monitoring systems use threshold-based or scheduled data collection. They capture snapshots at fixed intervals or when alarm levels are exceeded, but they discard the continuous raw waveform data that would show exactly what happened in the minutes and hours surrounding a failure event. The most forensically valuable data—the high-frequency waveform that captures the actual moment of failure onset—is precisely the data that most systems are designed to throw away.
Third, access controls on stored data are often inadequate. If multiple parties—the equipment operator, the bearing manufacturer, the maintenance contractor, and the insurance provider—can each point to different versions of the same dataset, or if any party had the opportunity to modify stored data without detection, the entire dataset becomes unreliable as evidence.
Requirements for Forensic-Grade Chain of Custody
Establishing a chain of custody that will withstand scrutiny in a bearing failure dispute requires addressing each of the vulnerabilities described above. The requirements fall into four categories: data acquisition integrity, transmission security, storage immutability, and access documentation.
Data Acquisition Integrity
The chain of custody begins at the sensor. Every measurement must carry a timestamp generated by a clock source synchronized to a traceable reference—GPS time or a calibrated NTP source with documented accuracy. The sampling rate must be sufficient to capture the bearing defect frequencies of interest. For a bearing with a ball pass frequency outer race (BPFO) of 120 Hz, meaningful envelope analysis requires sampling at a minimum of 10 times the highest frequency of interest, including harmonics. This means acquisition rates of 10 kHz or higher are often necessary for forensic-quality data, compared to the few hundred hertz typical of trend monitoring systems.
The sensor itself should have a documented calibration history, including sensitivity (typically expressed in mV/g for accelerometers), frequency response range, and the date and certificate number of its most recent calibration against a traceable standard such as those specified in ISO 16063.
Transmission Security
Data in transit between the sensor and the storage system must be protected against both interception and modification. This means encrypted communication channels, but also integrity verification—each data packet should carry a hash or digital signature that allows the receiving system to confirm the data was not altered during transmission. Any packet loss or transmission error must be logged rather than silently ignored, because a gap in the data record is itself a forensically significant event.
Storage Immutability
Once data reaches its storage destination, it must be locked against modification. This is perhaps the most critical element of the chain of custody, and the one most often overlooked in conventional monitoring systems. Tamper-evident data storage uses cryptographic hashing to create a verifiable record that any post-collection modification would be detectable. The most robust implementations use hash chains—where each data block’s hash incorporates the hash of the previous block—creating a structure where altering any single record would require recalculating every subsequent hash, making undetected tampering computationally infeasible.
Storage systems should also implement write-once semantics, where data can be appended but never overwritten or deleted during the retention period. This approach, sometimes called WORM (Write Once Read Many) storage, ensures that the original data remains available regardless of any subsequent events.
Access Documentation
Every access to the stored data must be logged: who accessed it, when, what they accessed, and what they did with it. This audit trail must itself be tamper-evident. If an expert witness downloads a dataset for analysis, that download event must be permanently recorded. If a maintenance team reviews historical data during a root cause analysis, that review must be documented. The goal is to ensure that at any point in a dispute, any party can reconstruct the complete history of the data from the moment of capture to the present.
Chain of Custody in Practice: A Failure Scenario
Consider a practical example. A large double-row spherical roller bearing on a paper mill dryer section fails after 14 months of service, well short of its calculated L10 life of 60 months. The failure causes three days of unplanned downtime, costing the mill approximately $180,000 per day in lost production. The bearing manufacturer claims the failure resulted from misalignment during installation by the mill’s maintenance contractor. The maintenance contractor claims the bearing had a subsurface inclusion—a manufacturing defect. The mill’s insurance provider is evaluating whether to subrogate against either party.
Without chain-of-custody-compliant data, this dispute plays out as a battle of expert opinions, with each party’s metallurgist interpreting the physical evidence to support their client’s position. Physical evidence degrades from the moment of failure—corrosion, handling damage, and post-failure operation can obscure the original failure initiation site. The dispute may take months or years to resolve, and the outcome often depends more on negotiation leverage than on technical truth.
With chain-of-custody-compliant vibration data, the picture changes fundamentally. Tamper-evident, timestamped, high-frequency waveform data from the weeks preceding failure can show exactly when the defect first became detectable, how it progressed, and what the bearing’s operating conditions were at each stage. If the defect frequencies indicate an outer race fault that appeared immediately after installation and progressed steadily—a signature consistent with a brinelling event during mounting—the data supports the manufacturer’s position. If instead the data shows a sudden onset characteristic of a subsurface fatigue crack, with no prior indication visible in the vibration spectrum, that supports the installer’s position.
Critically, because the data carries a verifiable chain of custody, neither party can claim the data was fabricated or modified after the fact. The dispute can be resolved on its technical merits, typically in weeks rather than months. This is precisely the type of scenario that forensic bearing evidence was designed to address.
Industry Standards and Legal Considerations
While no single international standard currently addresses chain of custody for bearing condition monitoring data specifically, several existing frameworks provide relevant guidance. ISO 17025 establishes general requirements for the competence of testing and calibration laboratories, including requirements for data integrity and record keeping that align closely with chain-of-custody principles. ISO 27001 provides a framework for information security management that addresses data integrity, access controls, and audit trails.
In legal proceedings, the admissibility of digital evidence is generally governed by rules similar to those for physical evidence. In the United States, the Federal Rules of Evidence (particularly Rule 901 on authentication and Rule 702 on expert testimony) establish the framework within which bearing failure data would be evaluated. The key question is always whether the proponent of the evidence can demonstrate that it is what they claim it is—and a documented, verifiable chain of custody is the most effective way to meet that burden.
ISO 10816 and ISO 20816, which define vibration severity evaluation criteria for various machine types, provide the technical baseline for interpreting vibration data. But these standards assume the data is accurate and unmodified—an assumption that chain-of-custody procedures are designed to validate.
Implementing Chain of Custody for Your Bearing Assets
For organizations looking to implement chain-of-custody procedures for their critical bearing assets, the process begins with identifying which assets carry sufficient financial risk to justify forensic-grade data collection. Not every bearing warrants this level of attention—but any bearing whose failure could trigger a warranty claim, an insurance dispute, or a contractual penalty is a candidate.
The next step is evaluating whether your existing monitoring infrastructure can support chain-of-custody requirements, or whether purpose-built forensic capture systems are needed. Key questions to ask include: Does your system timestamp data at the point of acquisition with a traceable time source? Does it capture raw waveforms at sufficient sampling rates? Does it provide tamper-evident storage with cryptographic verification? Does it maintain a complete access audit trail?
If your current system cannot meet these requirements—and most conventional predictive maintenance systems cannot—the solution is not necessarily to replace your entire monitoring infrastructure. Forensic evidence capture can operate alongside existing predictive systems, using the same sensor locations but capturing and storing data through a parallel, forensic-grade pipeline. This dual-architecture approach preserves your existing maintenance workflows while adding the evidentiary capability that protects your organization when failures lead to disputes.
Conclusion
Chain of custody for bearing failure data is the bridge between collecting vibration measurements and using those measurements to resolve disputes definitively. Without it, even the most sophisticated condition monitoring data is vulnerable to challenges about its authenticity, completeness, and integrity. For any organization operating high-value rotating machinery where bearing failure disputes carry material financial consequences, establishing a verifiable chain of custody is not a practical necessity that directly impacts your ability to recover costs, enforce warranties, and demonstrate operational due diligence.
The organizations that recognize this early—before a failure occurs—are the ones that resolve disputes quickly and on favorable terms. Those that discover the importance of chain of custody only after a failure has already happened are left trying to reconstruct evidence from systems that were never designed to provide it.