The Autonomous Quote-to-Cash  /  Page 02

ClaraVis Medical Systems
Client Brief & Requirements

This is the single source of truth for what the Autonomous Quote-to-Cash — a process pillar of The Autonomous Enterprise Platform — is designed to achieve for ClaraVis.

TOGAF Phase A Input MoSCoW Prioritisation EU AI Act · ISO 13485 9 Stakeholders 8 Use Cases
ADR-001 · ADR-002 referenced on this page

§1 Architectural Positioning

The Autonomous Quote-to-Cash alongside Salesforce Einstein — five domains that determine the boundary.

ClaraVis runs Salesforce as the system of record for its commercial operations. Salesforce Einstein provides capable AI within that boundary. The first question any CTO or enterprise architect asks is: why build on GCP when Einstein exists? The answer is architectural, not commercial.

Canonical Positioning Statement

Salesforce Einstein delivers intelligence within the Salesforce data model. The Autonomous Quote-to-Cash delivers intelligence across the enterprise — spanning the installed asset base, the ERP, the contract corpus, and the compliance obligations that no single vendor's boundary contains. Where Einstein optimises the CRM layer, the Autonomous Quote-to-Cash orchestrates the full Quote-to-Cash-to-Field-to-Compliance lifecycle, with explainability and human oversight engineered in to satisfy EU AI Act requirements that proprietary models cannot structurally meet.

ADR-002 · GCP alongside Salesforce, not instead of it
Domain — 01
Physical asset intelligence — 12,000 MRI units in the field
MRI unit telemetry, DICOM service events, sensor readings, and utilisation patterns do not live in Salesforce and never will. Salesforce is not a time-series IoT platform. Predicting Remaining Useful Life on a physical medical device requires BigQuery, Vertex AI, and a Pub/Sub streaming pipeline ingesting field events at scale.
Architectural Rationale
Constraint: Einstein has no access to DICOM telemetry, sensor streams, or regional asset systems. IoT-scale time-series prediction is outside CRM platform scope.
Response: Unified Pub/Sub ingestion pipeline → BigQuery feature store → Vertex AI RUL model. All data remains in GCP EU region.
ADR-006 · Pub/Sub event fabric · BR-03
Domain — 02
EU AI Act Annex III — explainability that satisfies Article 14
Annex III requires human-reviewable SHAP explanations per inference, written to an immutable audit log before any action commits. Einstein's models are proprietary — feature attribution is not exposed to the operator. For a German medical OEM, this is a structural disqualification for high-risk AI classification, not a configuration gap.
Architectural Rationale
Constraint: Einstein does not expose SHAP values, model internals, or feature attribution. EU AI Act Art. 13–14 compliance is structurally unavailable on proprietary hosted models.
Response: Vertex AI models with TreeExplainer/LinearExplainer SHAP pipeline. Explanation written to BigQuery audit dataset before any downstream action. Full operator transparency.
ADR-005 · XAI Layer · EU AI Act Art. 13–14
Domain — 03
Revenue recognition across SAP S/4HANA and Salesforce
ASC 606 classification — lease vs sale, single vs multiple performance obligations — requires an ML model trained on ClaraVis's contract portfolio, producing a SHAP explanation, routing through a Finance Controller HITL checkpoint, then writing to SAP S/4HANA. This flow crosses three systems. No single vendor orchestrates it.
Architectural Rationale
Constraint: No single vendor — Salesforce, SAP, or Google — owns the full Salesforce→ML→HITL→SAP GL write flow. Cross-system orchestration requires a neutral layer.
Response: RevRec AI agent orchestrates classification → SHAP → HITL checkpoint → SAP write as a single Pub/Sub-driven state machine. ASC 606 rules encoded as write-path constraints.
ADR-002 · ADR-006 · AR-08 · ASC 606
Domain — 04
Full-document contract intelligence on the raw document
Clause-level risk scoring, non-standard term detection, and negotiation brief generation require reasoning across the full contract document. Gemini 1.5 Pro reads the entire contract in one pass via its one-million-token context window. Einstein's document understanding operates on Salesforce CLM metadata — not the source document.
Architectural Rationale
Constraint: Salesforce CLM stores contract metadata, not the full document. Clause-level reasoning requires the full contract text. Einstein operates on structured CRM fields, not document corpora.
Response: GCS document ingestion → Document AI pipeline → Gemini 1.5 Pro clause classification with 1M token context window. Full document intelligence, not metadata extraction.
ADR-005 · ContractGuard · EU AI Act Annex III
Domain — 05
Cross-system orchestration — the layer nobody owns
ClaraVis's enterprise spans Salesforce, SAP S/4HANA, six regional asset telemetry systems, a document management platform, and a compliance audit store. No single vendor owns all of that. The Autonomous Quote-to-Cash is the connective tissue — a coherent, explainable, human-supervised orchestration layer across every system ClaraVis operates.
Architectural Rationale
Constraint: No vendor provides a neutral orchestration layer across Salesforce + SAP + IoT + compliance with open explainability and EU-region data sovereignty simultaneously.
Response: ADK multi-agent swarm on GCP. Pub/Sub event fabric as the integration bus. Every agent action auditable. Every ML decision explainable. EU AI Act satisfied structurally.
ADR-002 · Layer 02 Agent Orchestration · AR-11
SFDC
Salesforce
System of record
Opps · Quotes · Contracts
REST API
Developer Edition
ADR-001
Q2C
Autonomous Quote-to-Cash
Orchestration layer
Intelligence · XAI · HITL
BAPI / RFC
via middleware
SAP
SAP S/4HANA
ERP system of record
Finance · Logistics
Pub/Sub
streaming
GCP
Google Cloud
Vertex AI · BigQuery
Asset telemetry · MLOps

§2 Organisation Profile

ClaraVis Medical Systems — the anchor client.

A composite of real regulated-industry enterprise patterns. Every requirement, constraint, and architectural decision on this page is grounded in the specific operational context of a medical imaging OEM operating under EU AI Act, FDA 21 CFR 820, and ISO 13485 simultaneously.

Organisation Facts
Legal name
ClaraVis Medical Systems GmbH
Headquarters
Munich, Bavaria, Germany
Revenue
€1.2B (FY2025)
Employees
4,200 across 12 countries
Product portfolio
MRI-7T, MRI-3T, CT-Premium, mobile MRI units
Installed base
12,000+ units across 34 countries
Sales cycle
14–20 months · 9 stakeholders per enterprise deal
Regulatory Environment
EU AI Act
Annex III high-risk — 3 ML models flagged in Q3 2025 audit
FDA 21 CFR 820
Quality System Regulation — Device History Records required
ISO 13485
Medical Devices QMS — full device lifecycle traceability
ASC 606 / IFRS 15
Revenue recognition — lease vs sale classification required
GDPR / EU DPDP
No PHI leaves EU boundary — data residency enforced
ISO 27001
Information security — zero-trust architecture required
Live
Salesforce
CRM · CPQ · CLM — System of Record
Opportunities, Accounts, Quotes, Contracts, and CPQ line items. Sales pipeline, forecasting, and contract workflow. The Autonomous Quote-to-Cash integrates via REST API using Salesforce Developer Edition pattern (ADR-001).
The Autonomous Quote-to-Cash reads and writes via Salesforce REST API — augments Einstein, does not replace it
Live
SAP S/4HANA
ERP — Finance · Logistics · Revenue
General ledger, revenue posting, logistics execution, and procurement. Source of truth for financial transactions. The Autonomous Quote-to-Cash writes revenue recognition decisions to SAP via middleware after HITL approval.
The Autonomous Quote-to-Cash writes to SAP only after Finance Controller HITL checkpoint — immutable audit record created first
EU AI Act Risk
3 ML Models in Production
Revenue Recognition · Asset Failure · Contract Risk
Built by ClaraVis data science team. All three classified as high-risk under EU AI Act Annex III. None currently produce SHAP explanations. None have documented HITL checkpoints. Flagged in Q3 2025 audit.
All three models require Autonomous Quote-to-Cash XAI and HITL retrofit before next compliance review
6 Systems
Regional Asset Telemetry
Field Service · IoT · DICOM Events
Six disconnected regional platforms receiving MRI unit telemetry — DICOM service events, error codes, utilisation data. No common schema. No unified query interface. Predictive maintenance is architecturally unavailable.
Unified Pub/Sub ingestion pipeline required — Asset IQ module addresses this domain entirely
Legacy
Document Management
Contract Storage · Compliance Records
On-premise document store for contracts, compliance certificates, and device history records. No full-text search. No clause-level intelligence. Contracts are stored but not analysed.
ContractGuard ingests raw documents via GCS — no dependency on existing DMS structure
Disconnected
Finance Reporting Stack
Revenue · Compliance · Audit
Combination of SAP FI/CO reports, Excel-based revenue schedules, and manual audit packs. Revenue recognition classification performed manually by Finance team. No ML-assisted recognition. Month-end close takes 12 days.
RevRec AI targets this domain — ASC 606 rules encoded as write-path constraints, not reporting logic

§3 Stakeholder Register

Nine stakeholders. Nine different conversations.

An enterprise architecture that satisfies the CTO's infrastructure requirements but cannot answer the Compliance Officer's audit question will not be adopted. Each stakeholder below has a primary concern, a specific question the Autonomous Quote-to-Cash must answer for them, and a set of modules that address their domain directly.

S-01 · Executive Sponsor
Chief Technology Officer
Technology & Innovation
Primary Concern
Architectural coherence across a multi-vendor enterprise stack. Whether the Autonomous Quote-to-Cash creates new technical debt or resolves existing fragmentation.
Question it must answer
How does this sit alongside Salesforce and SAP without creating a third system of record?
All ModulesADR-002Layer Architecture
S-02 · Risk & Compliance
Chief Compliance Officer
Legal & Regulatory Affairs
Primary Concern
EU AI Act Annex III exposure. Whether the three production ML models can be brought into compliance before the next regulatory review without re-architecting from scratch.
Question it must answer
Show me the audit trail for a revenue recognition decision made last Tuesday. Every feature weight that drove it.
RevRec AIContractGuardXAI LayerHITL
S-03 · Financial Governance
Chief Financial Officer
Finance & Treasury
Primary Concern
The €40M annual warranty over-reserve and the 12-day month-end close. Both are symptoms of missing intelligence in the asset and revenue layers.
Question it must answer
How does this reduce the warranty reserve and accelerate revenue close — with evidence, not projections?
RevRec AIAsset IQFinRisk Sentinel
S-04 · Sales Leadership
VP Sales & Commercial
Global Sales Organisation
Primary Concern
The 47-day CPQ cycle. By the time a quote reaches a hospital, the clinical team has already evaluated a competitor. Speed is a competitive differentiator in this market.
Question it must answer
Which steps in the quote process can the agent handle autonomously, and what exactly does it hand to a human and when?
CCAI Sales AgentContractGuardHITL Spec
S-05 · Clinical Operations
VP Clinical & Applications
Clinical Engineering
Primary Concern
Configuration accuracy. An MRI unit configured incorrectly for a hospital's clinical workflow requires expensive field remediation. The CPQ process must validate clinical requirements before quoting.
Question it must answer
Does the agent understand clinical configuration requirements, or does it just pass through SKU selections?
CCAI Sales AgentAsset IQ
S-06 · Field Operations
VP Field Service & Operations
Global Service Operations
Primary Concern
Unplanned downtime. A failed MRI unit in a hospital creates immediate patient care disruption and a costly emergency dispatch. The 3.2× cost differential between reactive and predictive maintenance is the field operations budget problem.
Question it must answer
How far in advance can the asset model predict a failure, and how confident is that prediction?
Asset IQRUL ModelAnomaly Detection
S-07 · Legal & Contracts
General Counsel
Legal Affairs
Primary Concern
Non-standard contract terms passing through the sales process without legal review. Liability caps, indemnification clauses, and governing law provisions carry material financial risk if not flagged before countersigning.
Question it must answer
What is the agent's confidence threshold for escalating a clause to Legal, and can I see the precedents it used?
ContractGuardHITL CheckpointClause Scoring
S-08 · IT Architecture
Enterprise Architect
IT & Digital Transformation
Primary Concern
Integration complexity. Whether the Autonomous Quote-to-Cash adds surface area to an already complex integration landscape or reduces it by providing a single orchestration layer across existing systems.
Question it must answer
Show me the TOGAF Phase D diagram. Where are the integration points, and what are the failure modes?
TOGAF Phase DAll ADRsLayer 04 Infra
S-09 · Information Security
Chief Information Security Officer
Security & Risk
Primary Concern
Data sovereignty. No patient data, device configuration data, or commercially sensitive contract data leaves the EU boundary. Every access is authenticated, every action is logged, every log is tamper-evident.
Question it must answer
What is the data residency guarantee, and how is it enforced at the infrastructure layer — not just configured?
VPC-SCCMEKBeyondCorpLayer 04 Infra
RACI Matrix — Modules × Stakeholders
R Responsible — does the work
A Accountable — approves / owns outcome
C Consulted — provides input
I Informed — kept updated
ModuleS-01
CTO
S-02
CCO
S-03
CFO
S-04
VP Sales
S-05
VP Clinical
S-06
VP Field
S-07
Gen. Counsel
S-08
Ent. Arch.
S-09
CISO
CCAI Sales AgentICIACIIRC
ContractGuardIACCIIARC
RevRec AIIAAIIICRC
Asset IQCCAICAIRC
FinRisk SentinelIAAIIIIRC
GreenOps PlatformACCIIIIRC
Data GovernanceACCIIIIRA
Strategy DashboardACACICIRC

§4 As-Is & To-Be Architecture

The current state — mapped precisely.

The TOGAF ADM Phase B input. Understanding where process latency and architectural debt accumulate in the current state is the prerequisite for designing the To-Be architecture. The As-Is diagrams below establish the baseline. The To-Be value stream shows how the Autonomous Quote-to-Cash closes the gap.

Diagram 01 — As-Is Quote-to-Cash Value Stream
Nine organisational handoffs · Average cycle time: 47 days · Zero end-to-end owner
Salesforce-managed
Manual handoff (delay point)
SAP-managed
No audit trail
StepOwnerActionLayerDelay
1SalesforceOpportunity created (SFDC)Salesforce layer
2ManualConfig Request to App. EngineeringManual handoff~3 days
3OpsBOM Validation (App. Engineering)Operations / Legal~5 days
4SalesforceCPQ Quote built in SalesforceSalesforce layer~4 days
5LegalLegal Review — no audit trailOperations / Legal~7 days
6SalesforceContract Signed — Salesforce CLMSalesforce layer~5 days
7ManualOrder in SAP — manual entry ERPSAP layer~8 days
No SLA on handoffs
Steps 2–5 have no defined completion SLA. Delays accumulate invisibly.
No end-to-end owner
9 handoffs, 9 teams. Nobody has visibility of the full pipeline state.
Manual SAP entry
Order data re-keyed from Salesforce into SAP. Error rate: ~4%.
47 days average total cycle time
Diagram 01B — To-Be Quote-to-Cash Value Stream · Agent-Mediated
Agent orchestration collapses steps 2–5 · Defined SLA per transition · HITL checkpoint at Legal · Target: ≤ 9 days
Salesforce-managed
Agent-orchestrated
SAP-managed
HITL checkpoint
StepOwnerActionDetailSLA
1SalesforceOpportunity Created (SFDC)System of record entry point
2AgentAgent OrchestrationConfig · BOM · CPQ · Quote — automated. Audit record written to Firestore.SLA: 4 hrs
3SalesforceCPQ Quote — Agent-validatedValidated configuration carried forward
4HITL-02Legal ReviewClause review — human checkpointSLA: 24 hrs
5SalesforceContract Signed — Salesforce CLMSystem of record
6SAPOrder in SAP — automated writePost-approval, automatedAutomated
To-Be: Agent handles config · BOM · CPQ · quote autonomously · HITL at Legal review · SAP write automated post-approval · Target: ≤ 9 days
Diagram 02 — As-Is System Landscape
Six disconnected domains · Three EU AI Act-exposed models · No cross-system orchestration layer
Salesforce ecosystem
SAP ecosystem
EU AI Act exposure
Disconnected / no integration
Salesforce
CRM · CPQ · CLM
Opportunities · Quotes
Contracts · Accounts
Einstein (CRM scope only)
3 ML Models in Production
EU AI Act Annex III — High Risk
Revenue Recognition Model
No SHAP · No HITL · Audit flagged
Asset Failure Prediction Model
No SHAP · No HITL · Audit flagged
Contract Risk Scoring Model
No SHAP · No HITL · Audit flagged
6 Regional Asset Telemetry Systems
No common schema · No unified query · Disconnected
EMEA North · EMEA South
APAC East · APAC West
Americas North · Americas South
⊘ No cross-regional data sharing
SAP S/4HANA
ERP · Finance · Logistics
GL · Revenue Posting
Logistics Execution
⇡ Manual re-key from SFDC
Document Management
On-premise · No full-text search
Contracts stored, not analysed
Finance Reporting Stack
SAP FI/CO + Excel revenue schedules
Month-end close: 12 days
ASC 606 classification: manual
No ML-assisted recognition
Architectural gap: No orchestration layer connects Salesforce · SAP · Asset Systems · ML Models into a coherent, auditable, human-supervised enterprise flow.

§5 Requirements Catalogue

What ClaraVis requires — documented and prioritised.

Every requirement below is traceable to a stakeholder concern, a regulatory obligation, or a business pain point identified in the preceding sections. The Raised By column links each requirement to the stakeholder register above. Prioritised using MoSCoW — Must Have requirements are architectural constraints on the Autonomous Quote-to-Cash design.

8
Business Requirements
Commercial outcomes ClaraVis requires the Autonomous Quote-to-Cash to achieve. Owned by VP Sales, CFO, and VP Field Service.
12
Architecture Requirements
Structural properties the Autonomous Quote-to-Cash must have — explainability, HITL, compliance, integration. Non-negotiable by design.
7
Constraints
Fixed boundaries — budget, existing systems, regulatory, and integration. The design works within these, not around them.
Business Requirements
Architecture Requirements
Constraints
IDRequirementDescriptionMoSCoWModuleRaised By
BR-01
Quote-to-Cash cycle accelerationThe end-to-end Q2C cycle — from Opportunity creation to revenue posting in SAP — must be orchestrated with defined SLAs per transition and an immutable audit record at every handoff. The current 47-day average is the primary commercial pain point for VP Sales.Must
CCAI Sales Agent · ContractGuard · RevRec AI
S-04 · S-03
BR-02
EU AI Act compliance for 3 production modelsAll three existing ML models — revenue recognition, asset failure, contract risk — must be brought into EU AI Act Annex III compliance. This requires SHAP explanations per inference, documented HITL checkpoints, and a versioned risk management system before the next compliance review.Must
RevRec AI · Asset IQ · ContractGuard · XAI Layer
S-02 · S-01
BR-03
Unified asset telemetry and predictive maintenanceThe six regional asset telemetry systems must feed a single streaming pipeline enabling fleet-level RUL prediction and unit-level anomaly detection. The warranty reserve over-provision is a direct consequence of the inability to model failure probability at scale.Must
Asset IQ · Pub/Sub Pipeline
S-06 · S-03
BR-04
ASC 606 revenue recognition automationLease vs sale classification and performance obligation identification must be handled by an ML model trained on ClaraVis's contract portfolio, with every classification producing a SHAP explanation and routing through a Finance Controller HITL checkpoint before posting to SAP.Must
RevRec AI · SAP Integration
S-03 · S-02
BR-05
Contract clause intelligence and risk scoringEvery inbound contract must be analysed at clause level — liability caps, indemnification, governing law, IP ownership — with non-standard terms flagged to Legal with a risk score, precedent references, and a draft counter-position before any countersigning event.Must
ContractGuard
S-07 · S-04
BR-06
Data sovereignty — no data leaves EU boundaryAll PII, PHI, device configuration data, and commercially sensitive contract data must remain within the EU GCP region boundary. This is a hard constraint from the CISO and a GDPR requirement. Enforcement must be architectural — VPC-SC — not policy-based.Must
Layer 04 Infrastructure · VPC-SC
S-09 · S-02
BR-07
CCAI Sales Agent for inbound MRI inquiriesAn intelligent sales agent must handle the first stages of an inbound MRI inquiry autonomously — qualification, clinical configuration fit, pricing estimate — and escalate to a Senior AE with a full briefing document when commercial terms are required. Autonomy boundary specified in HITL spec.Should
CCAI Sales Agent · Salesforce Integration
S-04 · S-05
BR-08
Executive strategy dashboard with OKR visibilityC-suite requires a unified view of portfolio performance — pipeline health, asset fleet status, revenue recognition posture, compliance status — in a single dashboard. Current state requires pulling from Salesforce, SAP, and six regional systems manually.Should
Strategy Dashboard · BigQuery
S-01 · S-03
IDRequirementDescriptionMoSCoWRegulatory BasisRaised By
AR-01
SHAP explanation per ML inferenceEvery ML model inference that informs a business decision must produce a SHAP explanation identifying the top contributing features, their directional effect, and the model confidence score. The explanation must be written to the audit log before any downstream action executes.Must
EU AI Act Art. 13 & 14
S-02 · S-08
AR-02
HITL checkpoint as formal state machine nodeEvery high-risk decision must route through a named human approver via a formal HITL state — with defined entry condition, presentation contract, decision interface (approve/reject/escalate), timeout behaviour, and immutable audit record. HITL is a first-class architectural component, not a process note.Must
EU AI Act Art. 14
S-02 · S-03 · S-07
AR-03
Immutable audit trail for all agent actionsEvery agent action — tool call, state transition, HITL event, model inference — must be written to an immutable audit store (Firestore) before the action is considered complete. The audit record must be queryable but not modifiable. Deletion requires a separate access-controlled process with its own audit trail.Must
EU AI Act Art. 12 · ISO 13485
S-02 · S-09
AR-04
Salesforce as system of record — augmented, not replacedThe Autonomous Quote-to-Cash reads from and writes back to Salesforce via Developer Edition REST API. Salesforce remains the source of truth for commercial data. The Autonomous Quote-to-Cash does not maintain a parallel CRM. Any data written to Salesforce by it is tagged with the agent action ID that produced it (ADR-001, ADR-002).Must
ADR-001 · ADR-002
S-01 · S-08
AR-05
Model Cards for every ML modelEvery model in production must have a Model Card documenting intended use, training data summary, evaluation metrics, known limitations, bias analysis, and the HITL checkpoint specification. Model Cards are versioned alongside the model in Vertex AI Model Registry and reviewed as part of the promotion gate.Must
EU AI Act Art. 11 · Google Model Cards
S-02 · S-08
AR-06
VPC-SC perimeter for data sovereigntyAll data processing must occur within a VPC-SC perimeter configured to prevent data exfiltration outside the EU GCP region. The perimeter is enforced at the infrastructure layer via Terraform — it is not a network policy that can be overridden by application configuration.Must
GDPR · EU DPDP · BR-06
S-09 · S-02
AR-07
CMEK encryption — ClaraVis key custodyAll data at rest and in transit must be encrypted using Customer-Managed Encryption Keys via Cloud KMS. ClaraVis retains key custody — Google cannot access encrypted data without ClaraVis key authorisation. Key rotation policy: 90 days.Must
ISO 27001 · GDPR
S-09 · S-03
AR-08
ASC 606 rules as write-path constraintsRevenue recognition classification rules must be encoded as write-path constraints in the data model — applied at transaction time, before any posting. Recognition logic is not a reporting layer applied after the fact. Every transaction is tagged with the performance obligation it satisfies at the time of writing.Must
ASC 606 · IFRS 15 · BR-04
S-03 · S-02
AR-09
Device History Record atomic writeEvery MRI device shipment event must write simultaneously to the Salesforce Order, the SAP logistics record, and the ISO 13485 Device History Record — in a single atomic transaction. Partial writes are not acceptable. The DHR must be created before the shipment is considered confirmed.Must
FDA 21 CFR 820 · ISO 13485
S-01 · S-08
AR-10
ADR documentation for every significant decisionEvery significant architectural decision must be documented as an Architecture Decision Record with status, context, decision, alternatives considered, and consequences. ADRs are version-controlled in the repository and linked from the relevant module page.Must
TOGAF ADM · Portfolio Standard
S-08 · S-01
AR-11
Pub/Sub event fabric as the integration busAll cross-system events — asset telemetry, Salesforce opportunity updates, SAP posting confirmations — must be published to a Pub/Sub topic before downstream systems consume them. This decouples producers from consumers, enables replay for audit purposes, and provides the foundation for the streaming ML feature pipeline.Should
Architecture Principle · BR-03
S-08 · S-01
AR-12
Drift detection and automated retraining triggerEvery model in production must have a Vertex AI monitoring job configured to detect data drift and concept drift against a baseline. Drift beyond a defined threshold must trigger an alert, generate a retraining recommendation, and route to the ML Engineer HITL checkpoint before any automated retraining executes.Should
EU AI Act Art. 9 · MLOps Standard
S-08 · S-02
IDConstraintDescription & Impact on DesignMoSCoWSourceRaised By
C-01
Zero additional software licensing costThe Autonomous Quote-to-Cash portfolio is a demonstration system built on free-tier and open-source components. No paid API subscriptions, no commercial data connectors, no licensed dataset providers. Salesforce Developer Edition (free, permanent) is the only external dependency. All GCP services will operate within the free tier or GCP credits until the build phase begins.Must
Portfolio Constraint
Portfolio
C-02
Salesforce Developer Edition as integration patternSalesforce integration uses Developer Edition REST API only — no Enterprise or Unlimited Edition features, no paid connectors, no ISV AppExchange dependencies. The integration pattern must be demonstrable on a free Developer Edition org with sample data. Schema is Salesforce standard objects only (ADR-001).Must
ADR-001 · C-01
S-08 · C-01
C-03
SAP integration via middleware abstractionDirect SAP API integration is not implemented in the portfolio demo (SAP license cost). The Autonomous Quote-to-Cash design shows the integration architecture — BAPI/RFC via middleware, or BTP event mesh — and the demo uses a BigQuery table seeded with SAP-schema data to represent the ERP layer. The architecture is correct; the live integration is deferred to the client engagement phase.Must
C-01 · ADR-002
S-08 · C-01
C-04
EU data residency — GCP europe-west3 (Frankfurt)All GCP resources must be provisioned in europe-west3 (Frankfurt) or europe-west4 (Netherlands) only. No multi-region configurations that include non-EU endpoints. This is enforced via Terraform variable and Organisation Policy constraint — not configurable at the application layer.Must
GDPR · BR-06 · AR-06
S-09 · S-02
C-05
MVP-plus build standardEach module is built to demonstrate one complete end-to-end flow — sufficient to impress a hiring manager or enterprise architect in a live demo. Production hardening (multi-region failover, 99.99% SLA engineering, load testing) is out of scope for the portfolio phase. Architecture is designed for production; the implementation is scoped for demonstration.Must
Portfolio Scope
Portfolio
C-06
Existing Salesforce and SAP investments preservedThe Autonomous Quote-to-Cash does not replace Salesforce or SAP. Both systems remain in place and it augments them. Any design decision that requires replacing either system is out of scope. It is the orchestration and intelligence layer — the systems of record stay (ADR-002).Must
ADR-002 · BR-06
S-01 · S-03
C-07
SAFe delivery governance — light touchThe Autonomous Quote-to-Cash modules map to Agile Release Trains consistent with SAFe 6.0 principles. Full Program Board and PI Planning artifacts are documented at the architectural level (Page 04) but are not operationally executed for the portfolio build. The SAFe mapping demonstrates delivery governance understanding; it is not a live programme management process.Could
SAFe Page 04
S-08 · S-01

§6 AI Readiness Assessment

Where ClaraVis stands today — five dimensions.

The AI Readiness Assessment is the input to the TOGAF Architecture Vision. It defines the starting position across five dimensions and frames the gap the Autonomous Quote-to-Cash is designed to close. Scored 1–5. Findings are actionable, not evaluative.

Data Maturity
4/ 5
Salesforce and SAP maintain high-quality structured data. The gap is the six regional asset systems — no common schema, no unified API. BigQuery is not yet deployed. Data fabric is partially in place.
Action: Unified Pub/Sub ingestion pipeline + BigQuery data fabric as Day 1 infrastructure.
ML Infrastructure
2/ 5
Three models in production, all built without MLOps tooling. No Vertex AI Pipelines. No Model Registry. No drift detection. No automated retraining. Models are static artefacts, not managed assets.
Action: Vertex AI Pipelines + Model Registry + monitoring jobs — mandatory before next model promotion.
HITL Capability
1/ 5
No formal HITL architecture exists. Human review happens informally via email and Slack. No structured approval interface, no timeout behaviour, no audit record of the human decision. EU AI Act Art. 14 is currently unsatisfied.
Action: HITL state machine design is Phase 1 of the build. Blocks all other module development.
Regulatory Posture
2/ 5
ISO 13485 and FDA 21 CFR 820 compliance is established for device manufacturing. AI-specific obligations under EU AI Act Annex III are not yet addressed. Q3 2025 audit flagged all three production ML models as non-compliant.
Action: XAI layer + HITL spec + Model Cards + risk management documentation — all required for compliance.
Org Change Readiness
3/ 5
CTO and VP Sales are active sponsors. Finance and Legal are cautious but engaged following the compliance audit. Field Service is enthusiastic about predictive maintenance. The compliance team requires visible HITL before endorsing any AI deployment.
Action: HITL visibility is the organisational unlock. Demonstrate it first, expand second.
Scoring methodology: Dimensions and scoring rubric aligned to the Google Cloud AI Adoption Framework (five capability dimensions: Data & Infrastructure, ML Capability, MLOps Maturity, Governance & Compliance, and Organisational Readiness) and the Gartner AI Readiness Assessment model. Scale 1–5, where 1 = no capability and 5 = fully mature. Scores derived from structured discovery interviews conducted against each dimension's capability indicators with ClaraVis stakeholders S-01 through S-09.
Sources: Google Cloud AI Adoption Framework (cloud.google.com/adoption-framework) · Gartner AI Readiness Model (2024) · ClaraVis Q3 2025 internal compliance audit findings

§7 Use Case Catalogue

Eight flagship use cases — one per module.

Each use case is a specific, demonstrable capability the Autonomous Quote-to-Cash delivers for ClaraVis. Every card includes the EU AI Act risk classification and the specific architectural constraint it satisfies to meet it.

UC-01
CCAI Sales Agent
Autonomous MRI inquiry qualification and CPQ initiation
Inbound hospital inquiries require 3–5 days to reach a qualified Account Executive. The agent qualifies, configures, and prices autonomously through the first 11 conversation turns before escalating.
VP Sales · S-04
EU AI Act — Limited Risk
Architectural constraint satisfiedHITL-01 escalation state — agent pauses at commercial terms. Turn 11 transition logged to Firestore before AE notification sent. EU AI Act Art. 52 transparency disclosure at session start.
UC-02
ContractGuard
Clause-level risk scoring with Legal HITL escalation
Non-standard liability caps pass through the sales process without Legal review. ContractGuard reads the full contract, scores every clause, and routes non-standard terms to Legal with precedents and a draft counter-position.
General Counsel · S-07
EU AI Act — High Risk
Architectural constraint satisfiedHITL-02: all clauses above risk threshold route to Legal HITL. SHAP explanation written to audit log before counter-proposal drafted. 24hr SLA enforced by state machine. EU AI Act Annex III · Art. 14.
UC-03
RevRec AI
ASC 606 lease/sale classification with Finance Controller approval
Revenue recognition classification is manual, takes 4 days per transaction, and is flagged as non-compliant. RevRec AI classifies each transaction, generates a SHAP explanation, and routes to Finance Controller before posting.
CFO · S-03
EU AI Act — High Risk
Architectural constraint satisfiedHITL-04: no GL write without approved HITL record in Firestore. SHAP top-5 features computed at inference time via TreeExplainer. ASC 606 performance obligation tag written at transaction time. EU AI Act Annex III · Art. 13–14.
UC-04
Asset IQ
Fleet-level RUL prediction and maintenance scheduling
12,000 units across 6 disconnected regional systems. No unified failure probability model. Asset IQ unifies telemetry, predicts Remaining Useful Life at fleet level, and triggers predictive maintenance work orders before failure.
VP Field Service · S-06
EU AI Act — High Risk
Architectural constraint satisfiedHITL-06: work orders below confidence threshold route to FSM HITL — no autonomous work order creation below threshold. SHAP sensor attribution per alert. Unified Pub/Sub schema validated before BigQuery write. EU AI Act Annex III · Art. 14.
UC-05
FinRisk Sentinel
Real-time financial anomaly detection with CFO alert
Unusual payment patterns, revenue posting anomalies, and warranty reserve movements are detected weeks after occurrence. FinRisk monitors the financial event stream in real time and surfaces anomalies with full context before they compound.
CFO · S-03
EU AI Act — High Risk
Architectural constraint satisfiedHITL-08: high-severity anomalies route to CFO + Finance Controller simultaneously. SHAP explanation available for every anomaly above alert threshold. False positive feedback retrains anomaly baseline. EU AI Act Annex III · Art. 14.
UC-06
GreenOps Platform
Carbon-aware GCP workload scheduling for ESG reporting
ClaraVis is required to report Scope 3 emissions from cloud operations under EU CSRD. GreenOps schedules compute-intensive ML training workloads to align with low-carbon electricity grid windows and generates auditable ESG metrics.
CTO · S-01
EU AI Act — Minimal Risk
Architectural constraint satisfiedGCP Carbon Footprint API feeds scheduling decisions. Carbon savings written to BigQuery ESG dataset with resource label taxonomy for FinOps cross-reference. Monthly CSRD report auto-generated. No HITL required — scheduling decisions are reversible and non-high-risk.
UC-07
Data Governance
Automated data quality validation with lineage tracking
Salesforce, SAP, and asset telemetry data arrive with inconsistent schemas, missing fields, and duplicate records. Data Governance validates, enriches, and lineage-tags every record entering the data fabric before it reaches any ML model.
Enterprise Architect · S-08
EU AI Act — Minimal Risk
Architectural constraint satisfiedSchema validation on every Pub/Sub message before BigQuery write. Malformed records quarantined, not dropped. Every record carries lineage tag: source system, ingestion timestamp, schema version, quality score. Records below quality threshold excluded from ML feature pipelines until reviewed. AR-11 · AR-12.
UC-08
Strategy Dashboard
Unified C-suite view — pipeline, assets, compliance, revenue
C-suite visibility requires pulling from Salesforce, SAP, and six regional systems manually. The Strategy Dashboard unifies pipeline health, fleet status, revenue recognition posture, and EU AI Act compliance status in a single real-time view.
CTO · CFO · S-01 · S-03
EU AI Act — Minimal Risk
Architectural constraint satisfiedSingle BigQuery dataset aggregating all 8 modules — no module-specific logins. EU AI Act compliance status green/amber/red per model based on HITL checkpoint completion rate and SHAP coverage. Pipeline health pulls from Salesforce via Pub/Sub integration. BR-08 · AR-11.
Full Use Case Catalogue
The full catalogue — covering every use case the Autonomous Quote-to-Cash addresses for ClaraVis across all 8 modules, with complete stakeholder mapping, regulatory classification, and MoSCoW priority — is maintained as a living backlog in the repository.

§8 Success Criteria

How ClaraVis will know the Autonomous Quote-to-Cash is working.

Observable architectural outcomes — not percentage projections. Each criterion is measurable at the system level and traceable to a specific requirement. These are the acceptance criteria it must satisfy before any module is considered production-ready.

EU AI Act Compliance
Every high-risk inference is explainable and human-supervised
Every ML inference above a defined risk threshold produces a SHAP explanation written to the audit log before the downstream action executes
Every high-risk decision routes through a named human approver via a formal HITL state — no exceptions, no bypasses
Every model in production has a versioned Model Card in Vertex AI Model Registry, reviewed and approved before promotion
A compliance audit query returns a complete, unbroken decision trail for any inference made in the last 24 months — from the BigQuery audit log, not a reconstructed report
Quote-to-Cash Orchestration
Every Q2C handoff has a defined SLA and an immutable record
Every state transition in the Q2C flow has a defined SLA — the agent tracks elapsed time and escalates automatically on breach
Every handoff produces an immutable audit record in Firestore before the next state is entered
The CCAI Sales Agent handles the qualification and configuration stages autonomously — the escalation to a human AE is a designed state transition, observable in the state machine log
Salesforce Opportunity stage and SAP order status are synchronised via the event bus — no manual re-keying between systems
Asset Intelligence
Fleet telemetry is unified and RUL prediction is active
All six regional asset telemetry systems feed a single Pub/Sub topic with a validated common schema — no regional system writes to its own isolated store after Day 1 of the data fabric
The RUL model produces a prediction confidence score for every active unit — predictions below a defined confidence threshold trigger a human review alert, not an automated action
Every predictive maintenance work order created by the system has a SHAP explanation identifying the sensor features that drove the prediction
Revenue Recognition
ASC 606 classification is automated, explained, and approved
Every transaction is classified by the RevRec AI model — lease, sale, or multi-element arrangement — with SHAP feature attribution generated at inference time
Every classification routes through the Finance Controller HITL checkpoint before posting to SAP — no journal entry posts without an approved HITL record
ASC 606 performance obligation tags are written at transaction time — not applied retrospectively at month-end
Data Sovereignty
No data leaves the EU boundary — enforced at the infrastructure layer
VPC-SC perimeter is provisioned via Terraform — the data residency constraint is in infrastructure code, not network policy
CMEK keys are provisioned and owned by the ClaraVis Cloud KMS project — Google has no access to encrypted data
All GCP resources are deployed to europe-west3 or europe-west4 — enforced by Organisation Policy constraint applied at the Terraform root
Architecture Decision Records
Every significant design choice is documented and traceable
Every module page links to the ADRs that govern its design decisions — no component exists without a traceable decision record
Every ADR states the alternatives considered and the reasoning for the choice made — not just the decision
The ADR index is maintained as a living document — updated when decisions change, with the change reason recorded
ADR-001 · Salesforce Integration Pattern
Salesforce Developer Edition — REST API
Selected over BigQuery Data Transfer, CSV export, and Google Sheets mock patterns. Salesforce Q2C domain depth is the portfolio's primary differentiator — a live API integration makes that depth observable and demonstrable, not merely claimed. Alternatives considered: Salesforce SOAP API (deprecated for new integrations), Heroku Connect (paid tier), MuleSoft (out of budget, C-01).
Status: Accepted
ADR-002 · GCP alongside Salesforce
Augmentation, not replacement
The Autonomous Quote-to-Cash addresses five domains outside Salesforce Einstein's boundary: physical asset intelligence, EU AI Act Annex III explainability, cross-system revenue recognition, full-document contract intelligence, and cross-system orchestration. Salesforce remains the system of record. Alternatives considered: full Salesforce Einstein expansion (structurally unable to satisfy EU AI Act Annex III — see Domain 02), SAP BTP as orchestration layer (no ML explainability capability at required depth).
Status: Accepted

§9 Next in the Portfolio

Requirements captured. Architecture follows.

This document is the input to TOGAF Phase A — Architecture Vision. Every diagram, decision record, and architecture component in the pages that follow traces back to a requirement, constraint, or stakeholder concern documented here.