30-Day SDC Audit / Pick components

Pick components

Most pilots assume the modeling is the heavy work. For most domains, the components already exist.

Public component libraries on SDCStudio

SDCStudio ships with read-only public libraries that any project can reference directly. The libraries cover the domains most pilots actually care about, plus the standards-anchored ProvGov layer the audit observes. Production deployment is on Google Cloud Run, currently v4.1.0, at sdcstudio.axius-sdc.com.

Domain libraries: what your records are

Pick the one that matches your vertical. These describe the entities your decision flow handles.

NIEM Foundation

350+ components, federal vocabulary

National Information Exchange Model. The federal interoperability vocabulary. State, local, and federal agencies and their downstream consumers already speak this language.

FHIR Clinical

300+ components, FHIR R5 clinical resources

If you are in healthcare, your data already needs to map to FHIR. The library makes the mapping a reference, not a translation exercise.

NIH CDE

2000+ Common Data Elements

Research and clinical-trial work where instrument-level standardization matters. Sourced from the NIH portfolio.

Default Library

75+ general components

General data structures: people, organizations, transactions, addresses, identifiers, common business entities. The starting point when no vertical library applies cleanly.

ProvGov components: what makes the records governable

Domain components describe the entities. ProvGov components carry the governance evidence the audit actually observes: who did what, when, under what authority, with what classification, with what tamper-evident hash chain. Each family is anchored to a public standard and layers onto your domain model rather than replacing it.

Workflow States

W3C SCXML

Ordered state machines: document lifecycle, record intake, incident response, regulatory filing.

Provenance

W3C PROV-O, Activity Streams 2.0

System identifier, activity type, start and end timestamps, location. Maps to SDC4 AuditType.

Attestation

W3C Verifiable Credentials 2.0

Authority assertion, proof, delegation scope, committed timestamp. Maps to SDC4 AttestationType.

Party and Role

SDC4 PartyType, ParticipationType

Identity, organization, participation function (authorizer, reviewer, subject, provider, processor), mode.

Decision Tables

OMG DMN

Risk score, classification, actor role, severity, legal hold. The condition inputs and outcomes the DMN engine reads.

Retention

W3C DPV

Most-recent + hash, last N records, or full chain. Plus retention justification for regulatory defensibility.

Validation Hashes

SDC4 XdFileType

SHA-256 entity-state-before and entity-state-after hashes. Make the provenance chain tamper-evident.

Access Control Tags

W3C DPV

Public, Internal, Restricted, Confidential classifications, plus consent-required and access-expiry signals.

How the two layers compose

Two-layer composition diagram: four domain libraries (NIEM, FHIR, NIH CDE, Default) on the left and eight ProvGov component families (Workflow/SCXML, Provenance/PROV-O, Attestation/VC 2.0, Party and Role/SDC4, Decision Tables/DMN, Retention/DPV, Validation Hashes/SDC4 XdFileType, Access Control/DPV) on the right converge downward into a single composed SDC4 Data Model that defines the substrate the audit observes.

A worked example

A pilot model for a regulated approval flow typically pulls a Party entity from NIEM or Default, an event or encounter from FHIR or NIEM, then layers ProvGov on top: Provenance for who-did-what-when, Attestation for authority, Party and Role for the participation, Decision Table inputs for the rule the flow evaluates, Validation Hashes for tamper evidence, and Access Control Tags for classification. The Receipts the audit produces reference all of it.

Three usage patterns

  • Reference: pull a component into your model as-is, no edits. Standards alignment becomes a property of using the right component.
  • Copy and Modify: copy a component into your private project and customize it. Use this when a public component is 80% right and you need vertical-specific extensions.
  • Create Custom: build from scratch. Reserved for cases where nothing in the libraries fits, which is rarer than most teams assume going in.

The reuse syntax

Components are referenced inside your model using a Markdown-template style. Domain and ProvGov components use the same syntax:

**ReuseComponent**: @NIEM:person_given_name
**ReuseComponent**: @FHIR:Patient.identifier
**ReuseComponent**: @Default:postal_address
**ReuseComponent**: @ProvGov:activity_type
**ReuseComponent**: @ProvGov:access_level

The component travels with its provenance. Standards compliance is automatic when you compose from standards-aligned components, and the two layers compose cleanly because they were designed to.

What this means for the pilot

For a 30-day audit pilot, this is the difference between "we need to model our domain first" and "we picked four components on Monday and the agent had instances by Tuesday." Most pilots do not need a single custom component to start.

The decision flow you want to audit almost certainly involves entities (people, organizations, transactions, clinical events, claims) that the libraries already cover. Pick the library that matches your vertical, log into SDCStudio, create a private project, and compose the components you need.

Wallet reminder

SDCStudio uses a wallet-funded account model. Most pilot projects spend less than $20 across the full audit period. Fund the wallet before pointing the agents at your data sources so the introspection step does not stall mid-run.

Previous: Prerequisites Next: Choose your on-ramp