Chapter 2 — The Foundation: The Knowledge Substrate — QRA
Back to the series
Chapter 2 · The Requirements Operating Model

The Foundation

The Knowledge Substrate. The layer beneath every other layer of the operating model.

Reading time · ~15 minutes Chapter 2 of 9

The Knowledge Substrate is the foundation on which the Requirements Operating Model rests. Chapter 1 introduced the concept in summary form. This chapter develops it as a formal construct, describing the audience it serves in regulated engineering, the properties required to serve that audience, the principle governing its operation, and the conditions required for it to function within an engineering environment.

What the Substrate Is

The substrate is not a database schema, a requirements management repository, or a software product. It is a structured and computable representation of the engineering knowledge from which requirements, decisions, constraints, and evidence are derived.

Within this representation, requirements are not isolated statements. They exist alongside the source clauses from which they originate, the rationale associated with their creation, the verification methods used to assess them, the review and approval events applied to them, the change history affecting them, and the downstream engineering artifacts that depend on them.

These relationships are treated as first-class engineering objects. This allows them to be referenced, queried, and evaluated directly, rather than reconstructed during reviews, audits, or certification activities.

The substrate represents engineering knowledge in a form that can be interpreted consistently by human reviewers, automated systems, and certification authorities.

The Certifier as the Substrate's Final Audience

Most descriptions of requirements engineering assume the engineer as the primary consumer of requirements artifacts. In regulated engineering environments, this assumption is incomplete.

The final authoritative reader of the engineering record is the certification authority.

The specific form of that authority varies by domain. It may be an FDA investigator applying 21 CFR Part 820, a Federal Aviation Administration Designated Engineering Representative operating under DO-178C or DO-254, a notified body auditor assessing IEC 62304 and ISO 13485 compliance, an EASA inspector conducting certification review, or an assessor applying IEC 61508 or ISO 26262. These roles typically engage with engineering artifacts without prior exposure to the internal decision-making context of the program.

The empirical basis for this emphasis is well established in safety-critical engineering literature. Work such as Robyn Lutz's NASA-funded analysis of spacecraft software faults1 identifies requirements-related errors as a dominant contributor to safety-critical defects. Subsequent studies across regulated domains report similar distributions, particularly where system failure has high consequence.

Within this context, the substrate must support evaluation under conditions where external interpretation is the norm.

This introduces three categories of requirement for defensibility.

Traceable Provenance

Each requirement must be linked to its originating sources. These include contractual clauses, stakeholder inputs, regulatory citations, or higher-level requirements from which it is derived. In a structured substrate, these relationships are represented as explicit links. In document-based systems, they are often embedded in prose and reconstructed only during review or audit.

Explainable Derivation

Derived requirements must retain the reasoning that produced them. This includes assumptions, transformation logic, and decomposition paths from parent requirements. Certification evaluation is rarely concerned with presentation quality. It is concerned with the validity of the derivation chain. The substrate represents this chain explicitly rather than implicitly.

Auditable Human Review

Where automated systems contribute to generation or evaluation, their participation must be represented in an auditable form. This includes the identity of the actor, the ruleset applied, and the timing and lifecycle state of the event. Review events are stored as governed artifacts within the substrate, maintained under version-controlled or cryptographically verifiable integrity. This allows audit to operate directly on the engineering record rather than on reconstructed summaries.

These requirements define the conditions under which a substrate can support regulated evaluation. The properties that follow describe how those conditions are realized.

The Three Defining Properties

The substrate is defined by three properties. Each is necessary. Together, they distinguish a governed substrate from prior forms of requirements storage or management.

The three defining properties of the Knowledge Substrate: Legibility, Structure, and Completeness (visible incompleteness)
Figure 2.1 — The Substrate's Three Defining Properties

Legibility

Legibility refers to the ability of each artifact to be interpreted consistently across human and machine readers.

This is distinct from readability in natural language. A requirement may be readable while remaining ambiguous to computational evaluation. Legibility requires that key structural elements, including actors, constraints, references, and conditions, are explicitly represented.

In document-centric approaches, interpretation varies with reviewer expertise, context, and timing. A senior systems engineer reads a requirement differently than a junior engineer. A reviewer under time pressure reads it differently than the same reviewer during a formal audit. Under a structured substrate, interpretation is stabilized by representation rather than inference.

For automated systems, legibility determines whether evaluation is reproducible. Without structure, analysis is probabilistic and non-deterministic. With structure, evaluation is consistent across tools and time.

Structure

Structure refers to the explicit representation of relationships between engineering artifacts.

In document-based systems, relationships are embedded in narrative form and require reconstruction. In a substrate, they are represented as typed, queryable links.

Requirements can therefore be associated with sources, verification artifacts, parent-child relationships, and dependency chains as computable relations.

This allows traceability, dependency analysis, and impact assessment to operate as computational processes rather than manual reconstruction tasks.

Completeness (Visible Incompleteness)

Completeness refers to the representation of absence as a first-class property of the system.

In a structured substrate, missing elements are not implicit. A requirement without a linked source, verification method, or rationale is identifiable as incomplete within the system itself.

The distinction from a conventional database is instructive. A database stores what is added to it. A substrate expects what belongs in it and flags what does not.

Under this arrangement, incompleteness is treated as a property that can be surfaced continuously rather than as a discovery activity during review or audit.

In conventional systems, absence is typically inferred during external evaluation. In a substrate, absence can be queried directly.

The Separation Principle

The substrate operates under a structural constraint. The function that generates a requirement and the function that evaluates it must be architecturally separate systems.

This is the Separation Principle: generation and evaluation cannot share the same system.2

The generation function is responsible for authoring, refinement, and decomposition. The evaluation function is responsible for rule enforcement, completeness checking, and structural validation. These functions must remain distinct regardless of whether they are implemented by individuals, tools, or automated systems.

The Separation Principle: Transformations layer (generation function) and Governance layer (evaluation function) both operate on the shared Knowledge Substrate
Figure 2.2 — The Separation Principle

The principle appears across domains in which artifacts are subject to external validation. Legal drafting and adjudication, accounting preparation and audit, and scientific authorship and peer review all exhibit this separation.

The structural rationale is consistent: when generation and evaluation are combined, evaluation inherits the constraints of generation. The result is systematic drift toward artifacts that satisfy internal fluency or procedural constraints rather than external defensibility.

In requirements engineering, this failure mode is observable in two contemporary arrangements. Peer review conducted under schedule pressure produces artifacts that satisfy the reviewer's immediate objectives rather than the standards of external evaluation. AI systems asked to both generate and evaluate requirements produce responses that satisfy the model's fluency criteria rather than the evaluator's completeness criteria. In both cases, evaluation converges toward surface validity rather than structural completeness.

Within the operating model, this separation is implemented through architectural layering: the Transformations layer (generation) and the Governance layer (evaluation), both operating on the same substrate but performing distinct functions over it.

Where the Substrate Must Live

The substrate is an architectural construct, but it also has an operational location within an engineering environment.

If separated from the systems where requirements are authored and maintained, it functions as a reporting layer rather than an operational one. In that configuration, it is updated asynchronously and does not participate in day-to-day engineering activity. Governance is retrospective rather than continuous.

For the operating model to function, the substrate must be embedded within the systems where engineering work occurs, with both read and write capability, and governed synchronization across tool boundaries where multiple systems of record exist.

Its placement is therefore not an implementation detail but a structural design decision.

Organizations designing such a system should therefore ask:

Where does the substrate physically reside relative to authoring and lifecycle work?

Is synchronization bidirectional, durable across change events, and governed under the same rules as the artifacts it represents?

Is the integration a first-class architectural property, or an external overlay that can degrade silently?

The answers determine whether governance is operational or merely descriptive.

What the Substrate Enables

When the substrate satisfies the properties described above, several capabilities are supported.

Governance can operate continuously rather than periodically. Evaluation occurs at the point of change rather than at review gates.

Automated systems can participate in evaluation under defined constraints, because inputs and outputs are structured and auditable.

Certification is a direct interrogation of a structured record rather than a reconstruction of evidence.

Change can be treated as computable rather than inferential. Impact propagates through dependency structures as explicit system behavior rather than as manual coordination.

These are not additional features. They are consequences of structure.

The Substrate and the Existing Framework

The Knowledge Substrate does not displace existing requirements engineering standards.

EARS defines patterns for requirement expression. ISO/IEC/IEEE 29148 defines requirements engineering practice. The INCOSE Guide to Writing Requirements defines properties of well-formed requirements. Sector standards define domain constraints.

These frameworks operate at the level of artifact definition.

The substrate operates at the level of representation and execution context. It defines the environment in which those artifacts are stored, related, and evaluated.

Standards therefore remain unchanged. What changes is the mechanism of enforcement: from manual interpretation to structured evaluation.

Chapter 3 describes the first of the four process layers that operate on the substrate. The Inputs layer determines what enters the operating model, how it is classified, and how it is made substrate-legible before the layers above it act on it. A substrate is only as strong as the artifacts it holds. The artifacts it holds are only as legible as the Inputs layer makes them.

Footnotes
  1. Robyn R. Lutz, "Analyzing Software Requirements Errors in Safety-Critical, Embedded Systems," in Proceedings of the IEEE International Symposium on Requirements Engineering (San Diego, CA: IEEE Computer Society Press, 1993), 126–133.
  2. This principle has been referenced as Scribe-and-Gavel in earlier QRA writing, from the scribe as historical author of documents and the gavel as instrument of judgment. This book uses the literal formulation throughout.
Series All Chapters