ClaraVis Medical Systems
Client Brief & Requirements
This is the single source of truth for what the Autonomous Enterprise is designed to achieve for ClaraVis.
§1 Architectural Positioning
Three systems. Zero orchestration.
ClaraVis runs Salesforce, SAP S/4HANA, and four regional Ariba instances — each a capable, well-run system within its own domain. None of them were designed to reconcile with each other. The first question any CTO or enterprise architect asks is: why build on GCP when Salesforce Einstein already does AI? That question is the sharpest version of a broader one — does any single vendor in this stack solve the actual problem? The answer, for Einstein and for SAP's and Ariba's native intelligence alike, is architectural: each optimises within its own data boundary. The Autonomous Enterprise exists in the space between those boundaries — the space none of them were built to occupy.
This argument is not unique to Quote-to-Cash. Procure-to-Pay faces its own version: Ariba scores supplier risk well within its network, but it does not read 310 supplier MSAs at clause level, and it has no mechanism to feed that contract risk into a cross-pillar financial exposure view. Supply Chain faces it too: SAP IBP forecasts demand competently, but it does not monitor 310 suppliers for geopolitical and financial distress in real time, and it cannot aggregate that risk alongside Quote-to-Cash's contract exposure and Finance Operations' treasury position. Each pillar has a sharpest-vendor-comparison of its own. The AE's claim is the same in every case: orchestration and explainability across the boundary, not a better model inside it.
§2 Organisation Profile
ClaraVis Medical Systems — the anchor client.
A composite of real regulated-industry enterprise patterns. Every requirement, constraint, and architectural decision on this page is grounded in the specific operational context of a medical imaging OEM operating under EU AI Act, FDA 21 CFR 820, and ISO 13485 simultaneously.
The estate above is disconnected. The following capabilities don't exist anywhere in the estate today, connected or not — six gaps that no current system addresses, regardless of integration state.
| Capability Gap | What's Missing |
|---|---|
| EU AI Act Article 9 continuous risk management | No system performs this today; three production models flagged non-compliant in the Q3 2025 audit |
| Supplier risk monitoring | Annual questionnaire only, no real-time signal; an 11-day-notice Tier-2 disruption is the documented consequence |
| Invoice reconciliation intelligence | 3-way match is manual today at 58% straight-through, requiring a six-person team |
| MDR Article 87 vigilance reporting | No automated device genealogy tracing or 72-hour SLA mechanism exists |
| CSRD Scope 3 Category 1/4 reporting | Manual quarterly process across six freight portals and 310 supplier questionnaires |
| Cross-pillar financial risk aggregation | No system today synthesises Quote-to-Cash, Finance Operations, and Procure-to-Pay exposure into one view |
§3 Stakeholder Register
Twelve stakeholders. Twelve different conversations.
An enterprise architecture that satisfies the CTO's infrastructure requirements but cannot answer the Compliance Officer's audit question will not be adopted. Each stakeholder below has a primary concern, a specific question the AE must answer for them, and a set of modules that address their domain directly.
§4a Value Stream Analysis
The current state — mapped precisely.
The TOGAF ADM Phase B input. Understanding where process latency and architectural debt accumulate in the current state is the prerequisite for designing the To-Be architecture. Quote-to-Cash gets the full diagnostic treatment below — the same depth each pillar's own pages give their own value stream. The three diagrams that follow hold all four pillars at once, at the altitude a portfolio decision actually needs: what they look like side by side, where the pain shows up in money, time, and effort, and how that pain was sequenced into an investment order.
| Step | Owner | Action | Layer | Delay |
|---|---|---|---|---|
| 1 | Salesforce | Opportunity created (SFDC) | Salesforce layer | — |
| 2 | Manual | Config Request to App. Engineering | Manual handoff | ~3 days |
| 3 | Ops | BOM Validation (App. Engineering) | Operations / Legal | ~5 days |
| 4 | Salesforce | CPQ Quote built in Salesforce | Salesforce layer | ~4 days |
| 5 | Legal | Legal Review — no audit trail | Operations / Legal | ~7 days |
| 6 | Salesforce | Contract Signed — Salesforce CLM | Salesforce layer | ~5 days |
| 7 | Manual | Order in SAP — manual entry ERP | SAP layer | ~8 days |
total cycle time
Quote-to-Cash's value stream above is the deep dive. The other three pillars have value streams of their own — each compressed here to its representative transaction: the one with a clear start, a clear end, and a named human checkpoint, comparable in kind to Quote-to-Cash's 47-day journey.
| Pillar | Representative Value Stream | Metric |
|---|---|---|
| QTC | Opportunity → Configure/Quote → Legal/Contract → Order Entry (SAP) | 47 days · 9 handoffs |
| P2P | Sourcing/RFx → Contract/Award → PO Generation → Invoice Match | 58% straight-through · 6-person manual team |
| Supply Chain | NCR Raised → Device Genealogy Trace → Quality Director HITL → Vigilance Report Filed | 72-hour SLA · manual, no automated tracing today |
| Finance Ops | Transaction Classification → Finance Controller HITL → SAP Posting → Month-End Close | 12 days · manual ASC 606 classification |
These four numbers do not compete for the same budget line, and they should not be forced onto one chart as if they did. A 47-day CPQ cycle is a Sales Operations problem. A €95M carrying cost is a Supply Chain Finance problem. A six-person reconciliation team is a Procurement headcount problem. A 12-day close is a Controller's problem. Each stakeholder in §3 owns one of these and may never see the other three in the same room — which is exactly the fragmentation a platform-level architecture has to address structurally, not just acknowledge.
| Dimension | Quote-to-Cash | Procure-to-Pay | Supply Chain | Finance Operations |
|---|---|---|---|---|
| Time | 47-day cycle, 9 handoffs | — | — | 12-day close |
| Money | — | — | €95M carrying cost · €32M stockout exposure | — |
| Effort | — | 6-person manual reconciliation team · 42% non-straight-through | — | Manual ASC 606 classification, no ML-assisted recognition |
Given that these incentives conflict, this is how they were sequenced and reconciled. Two factors decide adoption order, consistent with the Go-to-Market Strategy (Page 08): the documented cost of leaving a pillar untouched, and the integration risk of building it given ClaraVis's existing systems.
§4b System Landscape
Every system ClaraVis runs — and where the orchestration layer is missing.
Where §4a showed process and pressure, this section shows the systems themselves — the complete current-state inventory and exactly where the integration gap sits between them.
No SHAP · No HITL · Audit flagged
No SHAP · No HITL · Audit flagged
No SHAP · No HITL · Audit flagged
§5 Requirements Catalogue
What ClaraVis requires — documented and prioritised, pillar by pillar.
Every requirement below is traceable to a stakeholder concern, a regulatory obligation, or a business pain point identified in the preceding sections. Prioritised using MoSCoW — Must Have requirements are architectural constraints on the AE design. Grouped by pillar where a requirement is pillar-specific, and by Platform/Crown where it applies structurally across all four.
| ID | Requirement | Description | MoSCoW | AE Module |
|---|---|---|---|---|
BR-01 | Quote-to-Cash cycle acceleration | The end-to-end Q2C cycle — from Opportunity creation to revenue posting in SAP — must be orchestrated with defined SLAs per transition and an immutable audit record at every handoff. The current 47-day average is the primary commercial pain point for VP Sales. | Must | CCAI Sales Agent · ContractGuard · RevRec AI |
BR-02 | ASC 606 revenue recognition automation | Lease vs sale classification and performance obligation identification must be handled by an ML model trained on ClaraVis's contract portfolio, with every classification producing a SHAP explanation and routing through a Finance Controller HITL checkpoint before posting to SAP. | Must | RevRec AI · SAP Integration |
BR-03 | Customer contract clause intelligence and risk scoring | Every inbound customer contract must be analysed at clause level — liability caps, indemnification, governing law, IP ownership — with non-standard terms flagged to Legal with a risk score, precedent references, and a draft counter-position before any countersigning event. | Must | ContractGuard |
BR-04 | CCAI Sales Agent for inbound MRI inquiries | An intelligent sales agent must handle the first stages of an inbound MRI inquiry autonomously — qualification, clinical configuration fit, pricing estimate — and escalate to a Senior AE with a full briefing document when commercial terms are required. Autonomy boundary specified in HITL spec. | Should | CCAI Sales Agent · Salesforce Integration |
BR-05 | Unified asset telemetry and predictive maintenance | The six regional asset telemetry systems must feed a single streaming pipeline enabling fleet-level RUL prediction and unit-level anomaly detection. The warranty reserve over-provision is a direct consequence of the inability to model failure probability at scale. | Must | Asset IQ · Pub/Sub Pipeline |
| ID | Requirement | Description | MoSCoW | AE Module |
|---|---|---|---|---|
BR-06 | Procure-to-Pay straight-through automation | The full source-to-pay lifecycle — sourcing, contract award, PO generation, and invoice reconciliation — must be orchestrated end-to-end with defined risk classifications and named human checkpoints at each stage. ClaraVis runs 310 active suppliers across 22 countries through four regional Ariba instances at a 58% straight-through match rate today, requiring a six-person manual reconciliation team to close the gap. This is the Procure-to-Pay equivalent of BR-01's Q2C acceleration mandate. | Must | Sourcing Agent · Contract Agent · PO Agent · 3-Way Match Agent |
| ID | Requirement | Description | MoSCoW | AE Module |
|---|---|---|---|---|
BR-07 | Continuous supply chain risk and demand intelligence | Supplier financial distress, geopolitical exposure, and sub-tier concentration risk must be monitored continuously rather than via an annual questionnaire — the current process gave zero advance warning when a Tier-2 sole-source supplier went dark with 11 days' notice. Demand forecasting must improve from a 34% MAPE baseline toward ≤12% by reading SAP IBP, Salesforce pipeline, and external signals together. Related telemetry signal: see BR-05 (Asset IQ), which feeds inventory and field-service planning from a different system boundary within Quote-to-Cash. | Must | DemandIQ · SupplierSentinel · ProcureGuard · InventoryOrchestrator |
BR-08 | MDR Article 87 vigilance automation | Non-conformance reports must trace full device genealogy across S/4HANA and ISO 13485 records and produce a draft vigilance report within the regulator-mandated 72-hour SLA. This is currently a manual process with no automated genealogy tracing, met through overtime rather than systemic capability. Every report routes through Quality Director HITL before filing. | Must | QualityTrace |
| ID | Requirement | Description | MoSCoW | AE Module |
|---|---|---|---|---|
BR-09 | EU AI Act compliance across all production and forthcoming models | All three existing ML models — revenue recognition, asset failure, contract risk — must be brought into EU AI Act Annex III compliance, requiring SHAP explanations, documented HITL checkpoints, and a versioned risk management system before the next compliance review. This obligation is not unique to the three current models: every model reaching production in Procure-to-Pay (Contract Agent, 3-Way Match) and Supply Chain (DemandIQ, SupplierSentinel, ProcureGuard, ContractIntelligence, InventoryOrchestrator, QualityTrace) carries the same Annex III classification and the same continuous risk-management obligation under Article 9 from the moment it goes live. | Must | RevRec AI · Asset IQ · ContractGuard · XAI Layer (platform-wide, applies to all current and future models) |
BR-10 | Data sovereignty — no data leaves EU boundary | All PII, PHI, device configuration data, and commercially sensitive contract data must remain within the EU GCP region boundary. This is a hard constraint from the CISO and a GDPR requirement. Enforcement must be architectural — VPC-SC — not policy-based. | Must | Layer 03 Infrastructure · VPC-SC |
BR-11 | Executive strategy dashboard with full-platform OKR visibility | C-suite requires a unified view of portfolio performance — pipeline health, asset fleet status, revenue recognition posture, compliance status — in a single dashboard. Current state requires pulling from Salesforce, SAP, Ariba, and six regional systems manually. Procure-to-Pay and Supply Chain panels are on the Strategy Dashboard's own roadmap as those pillars reach the same data-fabric contract Quote-to-Cash already satisfies — this requirement is platform-wide in intent, current in delivery for Quote-to-Cash only. | Should | Strategy Dashboard · BigQuery |
| ID | Requirement | Description | MoSCoW | Regulatory Basis |
|---|---|---|---|---|
AR-01 | SHAP explanation per ML inference | Every ML model inference that informs a business decision must produce a SHAP explanation identifying the top contributing features, their directional effect, and the model confidence score. The explanation must be written to the audit log before any downstream action executes. | Must | EU AI Act Art. 13 & 14 |
AR-02 | HITL checkpoint as formal state machine node | Every high-risk decision must route through a named human approver via a formal HITL state — with defined entry condition, presentation contract, decision interface (approve/reject/escalate), timeout behaviour, and immutable audit record. HITL is a first-class architectural component, not a process note. | Must | EU AI Act Art. 14 |
AR-03 | Immutable audit trail for all agent actions | Every agent action — tool call, state transition, HITL event, model inference — must be written to an immutable audit store (Firestore) before the action is considered complete. The audit record must be queryable but not modifiable. Deletion requires a separate access-controlled process with its own audit trail. | Must | EU AI Act Art. 12 · ISO 13485 |
AR-05 | Model Cards for every ML model | Every model in production must have a Model Card documenting intended use, training data summary, evaluation metrics, known limitations, bias analysis, and the HITL checkpoint specification. Model Cards are versioned alongside the model in Vertex AI Model Registry and reviewed as part of the promotion gate. | Must | EU AI Act Art. 11 · Google Model Cards |
AR-06 | VPC-SC perimeter for data sovereignty | All data processing must occur within a VPC-SC perimeter configured to prevent data exfiltration outside the EU GCP region. The perimeter is enforced at the infrastructure layer via Terraform — it is not a network policy that can be overridden by application configuration. | Must | GDPR · EU DPDP · BR-10 |
AR-07 | CMEK encryption — ClaraVis key custody | All data at rest and in transit must be encrypted using Customer-Managed Encryption Keys via Cloud KMS. ClaraVis retains key custody — Google cannot access encrypted data without ClaraVis key authorisation. Key rotation policy: 90 days. | Must | ISO 27001 · GDPR |
AR-10 | ADR documentation for every significant decision | Every significant architectural decision must be documented as an Architecture Decision Record with status, context, decision, alternatives considered, and consequences. ADRs are version-controlled in the repository and linked from the relevant module page. This portfolio currently has ADR-001 and ADR-002 active. | Must | TOGAF ADM · Portfolio Standard |
AR-11 | Pub/Sub event fabric as the integration bus | All cross-system events — asset telemetry, Salesforce opportunity updates, SAP posting confirmations, Ariba sourcing events — must be published to a Pub/Sub topic before downstream systems consume them. This decouples producers from consumers, enables replay for audit purposes, and provides the foundation for the streaming ML feature pipeline. | Should | Architecture Principle · BR-05 |
AR-12 | Drift detection and automated retraining trigger | Every model in production must have a Vertex AI monitoring job configured to detect data drift and concept drift against a baseline. Drift beyond a defined threshold must trigger an alert, generate a retraining recommendation, and route to the ML Engineer HITL checkpoint before any automated retraining executes. | Should | EU AI Act Art. 9 · MLOps Standard |
| ID | Requirement | Description | MoSCoW | Regulatory Basis |
|---|---|---|---|---|
AR-04 | Salesforce as system of record — AE augments | The AE reads from and writes back to Salesforce via Developer Edition REST API. Salesforce remains the source of truth for commercial data. The AE does not maintain a parallel CRM. Any data written to Salesforce by the AE is tagged with the agent action ID that produced it (ADR-001, ADR-002). | Must | ADR-001 · ADR-002 |
AR-08 | ASC 606 rules as write-path constraints | Revenue recognition classification rules must be encoded as write-path constraints in the data model — applied at transaction time, before any posting. Recognition logic is not a reporting layer applied after the fact. Every transaction is tagged with the performance obligation it satisfies at the time of writing. | Must | ASC 606 · IFRS 15 · BR-02 |
AR-09 | Device History Record atomic write | Every MRI device shipment event must write simultaneously to the Salesforce Order, the SAP logistics record, and the ISO 13485 Device History Record — in a single atomic transaction. Partial writes are not acceptable. The DHR must be created before the shipment is considered confirmed. | Must | FDA 21 CFR 820 · ISO 13485 |
| ID | Requirement | Description | MoSCoW | Regulatory Basis |
|---|---|---|---|---|
AR-13 | Ariba and SAP IBP as systems of record — AE augments | The AE reads from and writes back to Ariba and SAP IBP via the same augment-not-replace principle established for Salesforce (AR-04). Ariba remains the source of truth for sourcing, RFx, and purchase order data; SAP IBP remains the source of truth for demand planning. The AE does not maintain a parallel procurement or planning system. Any data written by the AE to either system is tagged with the agent action ID that produced it, consistent with AR-04's pattern. | Must | ADR-002 · AR-04 (parallel pattern) |
| ID | Requirement | Description | MoSCoW | Regulatory Basis |
|---|---|---|---|---|
AR-14 | A2A protocol mandate boundary for autonomous agent negotiation | Where agents negotiate directly with counterparty agents over the A2A protocol — ContractIntelligence and ProcureGuard's supplier negotiation capability — the autonomy boundary must be explicit and enforced at the protocol layer, not the application layer. Agents may negotiate standard delivery, payment, and warranty terms autonomously. Any deviation in jurisdiction, liability cap, IP, or indemnification terms must halt the negotiation and route to Legal HITL before any commitment is made. Counterparty authentication uses mutual Workload Identity Federation and signed Agent Cards — an unverified counterparty agent cannot enter a negotiation at all, regardless of term content. | Must | EU AI Act Art. 14 (parallel to AR-02, applied to agent-to-agent rather than human-facing HITL) |
| ID | Constraint | Description & Impact on Design | MoSCoW | Source |
|---|---|---|---|---|
C-01 | Zero additional software licensing cost | The AE portfolio is a demonstration system built on free-tier and open-source components. No paid API subscriptions, no commercial data connectors, no licensed dataset providers. Salesforce Developer Edition and the Ariba developer/sandbox account (free, permanent) are the only external dependencies. All GCP services will operate within the free tier or GCP credits until the build phase begins. | Must | Portfolio Constraint |
C-02 | Salesforce Developer Edition as integration pattern | Salesforce integration uses Developer Edition REST API only — no Enterprise or Unlimited Edition features, no paid connectors, no ISV AppExchange dependencies. The integration pattern must be demonstrable on a free Developer Edition org with sample data. Schema is Salesforce standard objects only (ADR-001). | Must | ADR-001 · C-01 |
C-03 | SAP integration via middleware abstraction | Direct SAP API integration is not implemented in the portfolio demo (SAP license cost). The AE design shows the integration architecture — BAPI/RFC via middleware, or BTP event mesh — and the demo uses a BigQuery table seeded with SAP-schema data to represent the ERP layer. The architecture is correct; the live integration is deferred to the client engagement phase. | Must | C-01 · ADR-002 |
C-08 | Ariba developer/sandbox as integration pattern | Ariba integration uses a live developer/sandbox account — Ariba remains the system of record for sourcing, RFx, and purchase order data, demonstrated against this consistent with the Salesforce Developer Edition pattern (C-02). No paid Ariba Network subscription tier, no production supplier data. Schema is Ariba standard objects only. | Must | C-01 · parallel pattern to C-02 |
C-04 | EU data residency — GCP europe-west3 (Frankfurt) | All GCP resources must be provisioned in europe-west3 (Frankfurt) or europe-west4 (Netherlands) only. No multi-region configurations that include non-EU endpoints. This is enforced via Terraform variable and Organisation Policy constraint — not configurable at the application layer. | Must | GDPR · BR-10 · AR-06 |
C-05 | MVP-plus build standard | Each module is built to demonstrate one complete end-to-end flow — sufficient to impress a hiring manager or enterprise architect in a live demo. Production hardening (multi-region failover, 99.99% SLA engineering, load testing) is out of scope for the portfolio phase. Architecture is designed for production; the implementation is scoped for demonstration. | Must | Portfolio Scope |
C-06 | Existing Salesforce, SAP, and Ariba investments preserved | The AE does not replace Salesforce, SAP, or Ariba. All three systems remain in place and the AE augments them. Any design decision that requires replacing any of the three is out of scope. The AE is the orchestration and intelligence layer — the systems of record stay (ADR-002). | Must | ADR-002 · BR-10 |
C-07 | SAFe delivery governance — light touch | The AE modules map to Agile Release Trains consistent with SAFe 6.0 principles. Full Program Board and PI Planning artifacts are documented at the architectural level (Page 04) but are not operationally executed for the portfolio build. The SAFe mapping demonstrates delivery governance understanding; it is not a live programme management process. | Could | SAFe Page 04 |
§6 AI Readiness Assessment
Where ClaraVis stands today — five dimensions.
The AI Readiness Assessment is the input to the TOGAF Architecture Vision. It defines the starting position across five dimensions and frames the gap the AE is designed to close. Scored 1–5. Findings are actionable, not evaluative.
§7 Strategic Decisions Enabled
Not a catalogue of capabilities — a record of decisions no single pillar could support alone.
A portfolio is not a catalogue of capabilities — each pillar's own pages already do that job, in full depth. A portfolio is the evidence base for decisions that no single pillar could support alone. The four decisions below are not things the AE does; they are things ClaraVis's leadership can now decide, where the evidence to decide them previously didn't exist in one place, or didn't exist at all.
Now: FinRisk Sentinel's governance-level scope synthesises all three into a single cross-domain risk posture, refreshed on a cadence appropriate for board-level reporting — not real-time, not reconstructed, continuously current. The CFO opens one view instead of requesting three.
Now: Compliance Command Centre holds all nine regulatory frameworks in one posture view across all four pillars, refreshed every 15 minutes, and is built to surface an amber flag honestly rather than round it up to green. The Board gets one number, not four reassurances.
Now: The portfolio holds all four pillars' cost-of-inaction and integration-risk profiles on one framework (§4a), making the trade-off — and the cases where pillars' incentives genuinely conflict — visible before the funding decision is made, not after it's regretted.
Now: Because Data Governance, the HITL framework, and the XAI layer are Horizon 1 foundation — not Horizon 3 features — by the time of any review, the audit trail has months of immutable, continuously-accumulated records across every pillar that has gone live, not a hastily-assembled file. Leadership can show a regulator a practice, not a performance.
§8 Success Criteria
How ClaraVis will know the AE is succeeding — at the level Lean Portfolio Management funds it.
Success criteria at the portfolio level answer a different question than success criteria at the module level. A module either works or it doesn't — that detail lives on each pillar's own pages. At the portfolio level, the question is whether the three Strategic Themes that Lean Portfolio Management funds (Page 04) are actually delivering the outcome they were funded for. Each criterion below is owned by the same Epic Owner named in the Theme's funding record, observable at the system level, and reviewed at the Portfolio Sync — not a one-time before/after snapshot.
§9 Next in the Portfolio
Requirements captured. Architecture follows.
This document is the input to TOGAF Phase A — Architecture Vision. Every diagram, decision record, and architecture component in the pages that follow traces back to a requirement, constraint, or stakeholder concern documented here.