ClaraVis Medical Systems
Procurement Brief & Requirements
The requirements layer of the TOGAF ADM[cite: 3]. Every architectural decision in the six P2P design modules traces back to a documented requirement on this page[cite: 3]. This is the single source of truth for what the Autonomous Procure-to-Pay is designed to achieve for ClaraVis Procurement[cite: 3].
The Autonomous Procure-to-Pay alongside SAP SRM / legacy SAP procurement — five domains that determine the boundary.
ClaraVis runs SAP S/4HANA with legacy SRM modules for procurement[cite: 3]. SAP's built-in procurement automation handles catalogue purchasing and standard PO workflows within the SAP boundary[cite: 3]. The first question any CPO or enterprise architect asks is: why build on GCP when SAP covers procurement? The answer is architectural, not commercial[cite: 3].
SAP SRM and standard S/4HANA procurement deliver automation within the SAP data model. The Autonomous Procure-to-Pay delivers intelligence across the full P2P landscape — spanning the supplier ecosystem, the contract corpus, the AP platform, and the CSRD/LkSG compliance obligations that no single ERP boundary contains[cite: 3]. Where SAP automates transactional procurement, the Autonomous Procure-to-Pay orchestrates the full Source-to-Pay-to-Compliance lifecycle, with explainability and human oversight engineered in to satisfy EU AI Act and GDPR Article 22 requirements that SAP's ML models cannot meet[cite: 3].
ADR-002 · GCP alongside SAP, not instead of it[cite: 3]
Supplier intelligence across 1,400 external counterparties
Supplier risk data, CSRD compliance signals, LkSG due diligence records, and market intelligence about 1,400 suppliers do not live in SAP and never will[cite: 3]. SAP SRM is a transactional platform, not a supplier intelligence fabric[cite: 3]. Scoring supplier risk across financial, ESG, and delivery dimensions requires Vertex AI, BigQuery, and external data enrichment pipelines — none of which SAP provides with explainability or HITL by design[cite: 3].
EU AI Act Annex III & GDPR Art. 22 — explainability that satisfies the law
GDPR Article 22 prohibits fully automated decisions with significant effects on suppliers without a human in the loop[cite: 3]. EU AI Act Annex III requires SHAP explanations per inference, written to an immutable audit log before any action commits[cite: 3]. SAP's ML models are proprietary — feature attribution is not exposed to the operator[cite: 3]. For a German medical OEM, this is a structural disqualification, not a configuration gap[cite: 3].
3-way match across SAP S/4HANA, SAP Ariba, and legacy AP
ClaraVis's 3-way match requires reconciling purchase orders from SAP S/4HANA, goods receipt notes from the warehouse system, and invoices arriving via the legacy AP platform and Ariba Network[cite: 3]. These three data sources have no common event stream[cite: 3]. SAP's standard matching operates within the ERP boundary[cite: 3]. The Autonomous Procure-to-Pay is the orchestration layer that unifies them — with exception ML, tolerance-band logic, and HITL routing built in[cite: 3].
Full-document contract and SOW intelligence
Clause-level risk scoring, non-standard term detection, and supplier MSA analysis require reasoning across the full contract document[cite: 3]. Gemini 1.5 Pro reads an entire supplier framework agreement in one pass via its 1M token context window[cite: 3]. SAP Ariba CLM operates on structured contract metadata — not the source document[cite: 3]. The gap is every non-standard clause that lives in unstructured text[cite: 3].
Cross-system P2P orchestration — the layer nobody owns
ClaraVis's procurement landscape spans SAP Ariba (sourcing), SAP S/4HANA (ERP), a legacy AP platform, a supplier portal, a document management store, and a CSRD compliance register[cite: 3]. No single vendor owns all of that[cite: 3]. The Autonomous Procure-to-Pay is the connective tissue — a coherent, explainable, human-supervised orchestration layer across every system ClaraVis operates for procurement[cite: 3].
ADR-001
via middleware
streaming
ClaraVis Medical Systems — the anchor client.
A composite of real regulated-industry enterprise patterns[cite: 3]. Every requirement, constraint, and architectural decision on this page is grounded in the specific procurement context of a medical imaging OEM operating under EU AI Act, GDPR, CSRD, and LkSG simultaneously[cite: 3].
Regulatory Environment
Procurement Systems Landscape
Strategic sourcing, RFx events, contract lifecycle management, and supplier onboarding[cite: 3]. Autonomous Procure-to-Pay integrates via Ariba REST APIs[cite: 3]. Ariba remains system of record for sourcing events[cite: 3].
Autonomous Procure-to-Pay reads and writes via Ariba APIs — augments, does not replace[cite: 3]
Purchase orders, goods receipt notes, accounts payable, general ledger, and payment execution[cite: 3]. Source of truth for financial transactions[cite: 3]. Autonomous Procure-to-Pay writes PO and payment instructions via middleware after HITL approval[cite: 3].
Autonomous Procure-to-Pay writes to SAP only after HITL checkpoint — immutable audit record created first[cite: 3]
Built by ClaraVis data science team[cite: 3]. Both classified as high-risk under EU AI Act Annex III and GDPR Art. 22[cite: 3]. Neither produces SHAP explanations[cite: 3]. Neither has documented HITL checkpoints[cite: 3]. Flagged in Q3 2025 audit[cite: 3].
Both models require Autonomous Procure-to-Pay XAI and HITL retrofit before next compliance review[cite: 3]
Standalone AP platform handling invoice capture, 3-way match (manual), and payment scheduling[cite: 3]. No integration with Ariba or SAP event streams[cite: 3]. 3-way match done in spreadsheets by a team of six[cite: 3].
3-Way Match Agent addresses this domain — replaces manual spreadsheet process[cite: 3]
Basic self-service portal for onboarding forms and document uploads[cite: 3]. No integration with Ariba vendor master or SAP supplier records[cite: 3]. Onboarding cycle averages 18 days[cite: 3]. No automated compliance checks[cite: 3].
Supplier Onboarding Agent addresses this domain — automated compliance screening at intake[cite: 3]
Manual spreadsheet maintained by a two-person compliance team[cite: 3]. Annual supplier questionnaires[cite: 3]. No real-time monitoring[cite: 3]. 63% of suppliers not assessed in 18 months[cite: 3].
Supplier Performance Agent + CSRD continuous monitoring addresses this domain entirely[cite: 3]
Nine stakeholders. Nine different conversations.
An autonomous procurement architecture that satisfies the CPO's efficiency requirements but cannot answer the Compliance Officer's audit question will not be adopted[cite: 3]. Each stakeholder has a primary concern, a specific question the Autonomous Procure-to-Pay must answer, and the modules that address their domain[cite: 3].
The current state — mapped precisely.
The TOGAF ADM Phase B input[cite: 3]. Understanding where process latency and architectural debt accumulate in the current state is the prerequisite for designing the To-Be architecture[cite: 3]. The diagrams below represent ClaraVis procurement as it operates today[cite: 3].
Requisitions · RFx · Contracts[cite: 3]
PO · GRN · AP · GL[cite: 3]
Manual 3-way match · Batch payment[cite: 3]
No SHAP · No HITL · Audit flagged Q3 2025[cite: 3]
18-day avg. onboarding · No compliance check[cite: 3]
63% suppliers not assessed — 18 months[cite: 3]
What ClaraVis requires — documented and prioritised.
Every requirement below is traceable to a stakeholder concern, a regulatory obligation, or a procurement pain point[cite: 3]. Prioritised using MoSCoW[cite: 3].
| ID | Requirement | Description | MoSCoW | Pillar Module |
|---|---|---|---|---|
| BR-01 | P2P cycle time reduction | The end-to-end P2P cycle must be orchestrated with defined SLAs per transition and an immutable audit record at every handoff[cite: 3]. The current 11-day invoice cycle and 28-day sourcing cycle are the primary operational pain points[cite: 3]. | Must | PO Agent · 3-Way Match · Payment Agent[cite: 3] |
| BR-02 | EU AI Act & GDPR compliance | Both procurement ML models must be brought into EU AI Act Annex III and GDPR Art. 22 compliance — SHAP explanations per inference, documented HITL checkpoints, and a versioned risk management system before next compliance review[cite: 3]. | Must | Supplier Performance · XAI Layer[cite: 3] |
| BR-03 | 3-way match automation | The manual 3-way match process — PO vs GRN vs invoice — must be automated with tolerance-band logic, exception ML classification, and HITL routing[cite: 3]. Target: >90% straight-through processing[cite: 3]. Current first-time match rate: 58%[cite: 3]. | Must | 3-Way Match Agent[cite: 3] |
| BR-04 | CSRD / LkSG monitoring | Supplier due diligence obligations must be satisfied continuously[cite: 3]. Every supplier must have a real-time compliance score[cite: 3]. Threshold breaches must trigger automated HITL escalation to the Compliance Officer with a full evidence brief[cite: 3]. | Must | Supplier Performance · Sourcing Agent[cite: 3] |
| BR-05 | Contract clause intelligence | Every inbound supplier contract must be analysed at clause level — indemnity caps, liability exclusions, IP ownership, governing law — with non-standard terms flagged to Legal with a risk score, precedent references, and a draft counter-position before countersigning[cite: 3]. | Must | Contract Agent[cite: 3] |
| BR-06 | Data sovereignty constraint | All supplier PII, contract data, pricing data, and procurement transaction records must remain within the EU GCP region boundary[cite: 3]. Enforcement must be architectural — VPC-SC — not policy-based[cite: 3]. | Must | Layer 04 Infra · VPC-SC[cite: 3] |
| BR-07 | Early payment discount | The Payment Agent must identify early payment discount opportunities on every eligible invoice and schedule payment within the discount window when cash position permits[cite: 3]. Estimated annual savings: €280K[cite: 3]. | Should | Payment Agent · Spend Analytics[cite: 3] |
| BR-08 | Tail spend visibility | The ~23% of spend currently classified as unmanaged tail spend must be made visible, categorised, and routed to preferred suppliers where possible[cite: 3]. Tail Spend Intelligence module addresses this domain with spend classification ML and policy enforcement[cite: 3]. | Should | Tail Spend Intelligence[cite: 3] |
| ID | Requirement | Description | MoSCoW | Regulatory Basis |
|---|---|---|---|---|
| AR-01 | SHAP explanation per inference | Every ML model inference informing a procurement decision must produce a SHAP explanation identifying the top contributing features, their directional effect, and the model confidence score — written to the audit log before any downstream action executes[cite: 3]. | Must | EU AI Act Art. 13 & 14[cite: 3] |
| AR-02 | HITL as formal state node | Every high-risk procurement decision must route through a named human approver via a formal HITL state with defined entry condition, presentation contract, decision interface, timeout behaviour, and immutable audit record[cite: 3]. HITL is a first-class architectural component, not a process note[cite: 3]. | Must | EU AI Act Art. 14 · GDPR Art. 22[cite: 3] |
| AR-03 | Immutable audit trail | Every agent action — tool call, state transition, HITL event, model inference — must be written to an immutable audit store (Firestore) before the action is considered complete[cite: 3]. The audit record must be queryable but not modifiable[cite: 3]. | Must | EU AI Act Art. 12 · GDPR[cite: 3] |
| AR-04 | SAP Ariba system of record | The Autonomous Procure-to-Pay reads from and writes back to SAP Ariba via REST API[cite: 3]. Ariba remains the source of truth for sourcing events and contract metadata[cite: 3]. Any data written to Ariba by the Autonomous Procure-to-Pay is tagged with the agent action ID that produced it[cite: 3]. | Must | ADR-001 · ADR-002[cite: 3] |
| AR-05 | Model Cards for architecture | Every model in production must have a Model Card documenting intended use, training data summary, evaluation metrics, known limitations, bias analysis, and the HITL checkpoint specification[cite: 3]. Versioned alongside the model in Vertex AI Model Registry[cite: 3]. | Must | EU AI Act Art. 11[cite: 3] |
| AR-06 | VPC-SC perimeter tracking | All data processing must occur within a VPC-SC perimeter configured to prevent data exfiltration outside the EU GCP region[cite: 3]. The perimeter is enforced at the infrastructure layer via Terraform — not a network policy overridable by application configuration[cite: 3]. | Must | GDPR · EU DPDP · BR-06[cite: 3] |
| AR-07 | CMEK encryption setup | All data at rest and in transit must be encrypted using Customer-Managed Encryption Keys via Cloud KMS[cite: 3]. ClaraVis retains key custody[cite: 3]. Key rotation policy: 90 days[cite: 3]. | Must | ISO 27001 · GDPR[cite: 3] |
| AR-08 | 3-way tolerance rules | Tolerance rules — ±2% price variance, ±5% quantity variance — encoded as write-path constraints applied at match time, before any payment action executes[cite: 3]. Configurable per category by the AP Manager without a code deployment[cite: 3]. Out-of-tolerance invoices route to HITL automatically[cite: 3]. | Must | P2P Domain · BR-03[cite: 3] |
| AR-09 | Atomic vendor master sync | Every new supplier approved in Ariba must write simultaneously to the SAP vendor master, the CSRD compliance register, and the Autonomous Procure-to-Pay supplier risk profile — in a single atomic transaction[cite: 3]. Vendor activation in SAP must not precede CSRD screening completion[cite: 3]. | Must | CSRD · LkSG · BR-04[cite: 3] |
| AR-10 | ADR documentation rules | Every significant architectural decision must be documented as an Architecture Decision Record with status, context, decision, alternatives considered, and consequences[cite: 3]. ADRs are version-controlled and linked from the relevant module page[cite: 3]. | Must | TOGAF ADM · Portfolio Standard[cite: 3] |
| AR-11 | Pub/Sub event bus bus | All cross-system procurement events — Ariba sourcing events, SAP PO confirmations, GRN receipts, invoice arrivals — must be published to a Pub/Sub topic before downstream systems consume them[cite: 3]. Decouples producers from consumers and enables event replay for audit purposes[cite: 3]. | Should | Architecture Principle · BR-01[cite: 3] |
| AR-12 | Drift detection pipelines | Both procurement ML models must have Vertex AI monitoring jobs configured to detect data and concept drift[cite: 3]. Drift beyond threshold triggers an alert and routes to the ML Engineer HITL checkpoint before any automated retraining executes[cite: 3]. | Should | EU AI Act Art. 9 · MLOps Standard[cite: 3] |
| ID | Constraint | Description & Impact on Design | MoSCoW | Source |
|---|---|---|---|---|
| C-01 | Zero additional software cost | The Autonomous Procure-to-Pay portfolio is a demonstration system built on free-tier and open-source components[cite: 3]. No paid API subscriptions, no commercial data connectors, no licensed dataset providers[cite: 3]. All GCP services operate within the free tier or GCP credits until the build phase begins[cite: 3]. | Must | Portfolio Constraint[cite: 3] |
| C-02 | SAP Ariba REST integration | Ariba integration uses the Ariba Network APIs and SAP Open Connectors pattern only — no paid middleware, no licensed SAP BTP integration flows[cite: 3]. The integration pattern must be demonstrable with Ariba Developer sandbox data (ADR-001)[cite: 3]. | Must | ADR-001 · C-01[cite: 3] |
| C-03 | SAP S/4HANA middleware abstraction | Direct SAP S/4HANA integration is not implemented in the portfolio demo (SAP license cost)[cite: 3]. The Autonomous Procure-to-Pay design shows the integration architecture — BAPI/IDoc via middleware — and the demo uses BigQuery tables seeded with SAP-schema data to represent the ERP layer[cite: 3]. | Must | C-01 · ADR-002[cite: 3] |
| C-04 | EU data residency limits | All GCP resources must be provisioned in europe-west3 or europe-west4 only[cite: 3]. No multi-region configurations including non-EU endpoints[cite: 3]. Enforced via Terraform variable and Organisation Policy constraint[cite: 3]. | Must | GDPR · BR-06 · AR-06[cite: 3] |
| C-05 | MVP-plus build context | Each module is built to demonstrate one complete end-to-end P2P flow — sufficient to demonstrate to a CPO or enterprise architect in a live session[cite: 3]. Production hardening is out of scope for the portfolio phase[cite: 3]. | Must | Portfolio Scope[cite: 3] |
| C-06 | Preserve existing ERP layer | The Autonomous Procure-to-Pay does not replace SAP Ariba or SAP S/4HANA[cite: 3]. Both systems remain in place and the Autonomous Procure-to-Pay augments them[cite: 3]. Any design decision that requires replacing either system is out of scope[cite: 3]. The Autonomous Procure-to-Pay is the orchestration and intelligence layer (ADR-002)[cite: 3]. | Must | ADR-002 · BR-06[cite: 3] |
| C-07 | SAFe delivery frameworks | The Autonomous Procure-to-Pay modules map to Agile Release Trains consistent with SAFe 6.0 principles[cite: 3]. Full Program Board and PI Planning artifacts are documented at the architectural level but not operationally executed for the portfolio build[cite: 3]. | Could | SAFe · Delivery Governance[cite: 3] |
Where ClaraVis Procurement stands today — five dimensions.
The AI Readiness Assessment is the input to the TOGAF Architecture Vision[cite: 3]. It defines the starting position across five procurement-specific dimensions and frames the gap the Autonomous Procure-to-Pay is designed to close[cite: 3]. Scored 1–5[cite: 3].
Ariba and SAP S/4HANA maintain structured spend data for strategic categories[cite: 3]. The gap is the ~23% tail spend — fragmented across purchasing cards, direct requisitions, and non-PO invoices with no common classification[cite: 3]. BigQuery spend fabric is not deployed[cite: 3].
Action: Unified Pub/Sub spend event pipeline + BigQuery spend fabric + tail spend classification model as Day 1 infrastructure[cite: 3].
Supplier master data is fragmented across Ariba, SAP, the supplier portal, and the compliance register[cite: 3]. No golden supplier record exists[cite: 3]. Deduplication is manual[cite: 3]. 18% of supplier records have conflicting data across systems[cite: 3].
Action: Supplier master data unification is a prerequisite for the Supplier Risk Model and CSRD monitoring — blocks all supplier intelligence modules[cite: 3].
Ariba automates RFx publishing and basic approval routing[cite: 3]. SAP handles standard PO workflow[cite: 3]. Everything else — 3-way match, exception resolution, contract redlining, compliance checks, payment scheduling — is manual[cite: 3]. Straight-through processing rate across the full P2P cycle is below 30%[cite: 3].
Action: 3-Way Match Agent and PO Agent are the highest-ROI Day 1 automations — they address the two largest manual effort concentrations[cite: 3].
ISO 27001 and GDPR baseline compliance is established[cite: 3]. AI-specific obligations under EU AI Act Annex III and GDPR Article 22 are not addressed for the two production ML models[cite: 3]. CSRD/LkSG supplier monitoring is manual and 18 months behind[cite: 3]. Q3 2025 audit flagged structural non-compliance across all three domains[cite: 3].
Action: XAI layer + HITL spec + Model Cards + CSRD continuous monitoring — all required before next compliance review[cite: 3]. Blocks production deployment of any new ML model[cite: 3].
CPO and CFO are active sponsors[cite: 3]. The AP Manager team is enthusiastic about eliminating manual 3-way match[cite: 3]. Legal and Compliance are cautious but engaged following the Q3 2025 audit[cite: 3]. Category Management requires assurance that the Sourcing Agent enhances, not replaces, strategic sourcing discipline[cite: 3].
Action: HITL visibility and the SHAP explanation interface are the organisational unlock for Legal and Compliance[cite: 3]. Demonstrate them first[cite: 3]. Expand second[cite: 3].
Eight flagship use cases — one per module.
Each use case is a specific, demonstrable P2P capability the Autonomous Procure-to-Pay delivers for ClaraVis[cite: 3]. Structured for stakeholder mapping, regulatory classification, and MoSCoW priority[cite: 3].
How ClaraVis Procurement will know the Autonomous Procure-to-Pay is working.
Observable architectural outcomes — not percentage projections[cite: 3]. Each criterion is measurable at the system level and traceable to a specific requirement[cite: 3].
- Every ML inference above a defined risk threshold produces a SHAP explanation written to the audit log before the downstream action executes[cite: 3]
- Every high-risk supplier decision routes through a named human approver via a formal HITL state — no exceptions, no bypasses[cite: 3]
- Every model in production has a versioned Model Card in Vertex AI Model Registry, reviewed and approved before promotion[cite: 3]
- A compliance audit query returns a complete, unbroken decision trail for any procurement inference made in the last 24 months[cite: 3]
- Every state transition in the P2P flow has a defined SLA — the agent tracks elapsed time and escalates automatically on breach[cite: 3]
- Every handoff produces an immutable audit record in Firestore before the next state is entered[cite: 3]
- Invoice cycle time reduced from 11 days to under 3 days for straight-through invoices[cite: 3]
- Ariba sourcing event status and SAP PO status synchronised via the platform event bus — no manual re-keying[cite: 3]
- First-time match rate above 90% — measured against PO, GRN, and invoice data from the live Pub/Sub event stream[cite: 3]
- Every exception classified by the Match ML model with a confidence score before routing to HITL[cite: 3]
- Every tolerance-band approval written to the audit log with the rule that triggered it[cite: 3]
- Every HITL exception resolution actioned within the SLA defined in the AP Manager's HITL contract[cite: 3]
- Every active supplier has a current compliance score updated on every new compliance signal[cite: 3]
- Every threshold breach triggers an automated HITL escalation to the Compliance Officer within the defined SLA[cite: 3]
- Every new supplier screened against CSRD, LkSG, and EUDR criteria before SAP vendor master activation[cite: 3]
- The compliance register is a query against the operational log — not a manually maintained spreadsheet[cite: 3]
- VPC-SC perimeter provisioned via Terraform — data residency constraint is in infrastructure code, not network policy[cite: 3]
- CMEK keys provisioned and owned by the ClaraVis Cloud KMS project[cite: 3]
- All GCP resources deployed to europe-west3 or europe-west4 — enforced by Organisation Policy constraint[cite: 3]
- Every module page links to the ADRs that govern its design decisions — no component exists without a traceable decision record[cite: 3]
- Every ADR states the alternatives considered and the reasoning for the choice made[cite: 3]
- The ADR index is maintained as a living document — updated when decisions change[cite: 3]
Requirements captured. Architecture follows[cite: 3].
The following pages take every requirement above and express it as concrete architecture artifacts — agent state machines, ML pipeline designs, and module-level technical specifications[cite: 3].