PG 01 Architecture Portfolio · 2025–2026
The supply chain that decides
before the crisis does.
An explainability-first, EU AI Act-compliant enterprise AI architecture for regulated manufacturers who can no longer afford the intelligence gap between their data and their decisions.
01Why Now
The architectural conditions for autonomous supply chain AI
are now in place.
Four things had to be true simultaneously for an autonomous supply chain to be architecturally viable: the regulatory framework had to be clear enough to design against, the tooling mature enough to deploy, and the data infrastructure fast enough to act on in real time. In 2024–25, all four converged.
EU AI Act, MDR 2017/745, and CSRD all entered enforcement simultaneously in 2024–25. The compliance surface for a regulated manufacturer tripled in 18 months. Architecture must satisfy all three simultaneously — or it satisfies none. The forcing function that turns explainability from a nice-to-have into a contractual necessity has arrived.
EU AI Act · MDR · CSRD · 2024–25Gemini 2.5 Pro's 1M+ token context window makes full-corpus SAP Ariba contract analysis possible for the first time — 480 suppliers, years of contracts, a single inference pass. No chunking. No information loss. The boundary between structured enterprise data and unstructured contract documents, which blocked enterprise AI adoption for fifteen years, has collapsed.
Gemini 2.5 Pro · 1M+ Context · 2025Google ADK and the Agent-to-Agent (A2A) protocol enable procurement agents to transact directly with supplier agents — issuing verified purchase orders, receiving structured bids, and writing every step to an immutable audit log. This is the first architecturally sound, auditable, agent-native commerce layer for enterprise supply chains.
Google ADK · A2A Protocol · 2025BigQuery, Pub/Sub, and Vertex AI Feature Store compose into a real-time data fabric that enables sub-second supplier risk scoring from live financial filings, news streams, and ESG data. The gap between a supply chain event and an AI-driven response has collapsed from days to seconds. The quarterly spreadsheet is architecturally obsolete.
BigQuery · Feature Store · Pub/Sub02The Anchor Problem
Anchor Client · MedDevice Industries GmbH
12-week Excel forecasts updated monthly. No multi-signal intelligence — no POS data integration, no clinical trial pipeline signals, no economic leading indicators. The supply chain responds to history, not the future. When a tier-2 Malaysian supplier went dark with 11 days notice in 2024, there was no early warning system to absorb the shock.
480 suppliers. Annual questionnaire-based risk assessment. No real-time monitoring of financial health, geopolitical exposure, ESG compliance, or sub-tier concentration risk. The supply chain has no awareness of the world its suppliers operate in until a crisis has already materialised. Risk arrives as a crisis — not as a signal with time to act.
SAP Ariba deployed across four regional instances with different approval workflows, different contract terms, and different supplier master data. Strategic sourcing conducted without ML-assisted price benchmarking, risk-adjusted scoring, or contract clause analysis. Contract intelligence exists only inside individual procurement professionals — and leaves when they do.
NCR resolution requires manual trace across supplier certificates, inspection records, and batch records in three separate systems. Average NCR resolution time: 23 days. MDR Article 87 vigilance reporting SLA: 72 hours. The gap between what the architecture delivers and what the regulator requires is not a process problem — it is a structural liability.
CSRD Scope 3 reporting required from FY2025. Emissions data lives in supplier questionnaires, logistics invoices, and freight export reports across 34 countries. Manual quarterly consolidation produces a CSRD report that is 90 days stale at the time of publication. The report describes where the supply chain was — not where it is.
03Design Philosophy
Four principles. Non-negotiable
in a regulated context.
These are not best-practice guidelines. In the EU AI Act, MDR 2017/745, and ISO 13485 regulatory environment, they are architectural constraints. Every component of this system must satisfy all four simultaneously.
XAI is not a dashboard added after the model ships. Every ML model in this system is designed with its explanation contract upfront — before a single line of training code is written. SHAP values are generated at inference time. Model Cards are versioned alongside models in the registry. Every ML decision produces a human-readable explanation before any write operation commits. When DemandIQ adjusts a replenishment order for surgical robotics components, the supply chain planner sees the top five demand signals that drove the adjustment, the confidence score, and a one-click override — before the SAP write occurs.
EU AI Act Article 14 defines meaningful human oversight as a designed mechanism — a specific point in the decision flow where a named human reviews the agent's reasoning, the SHAP explanation, and the confidence score. In this architecture, every HITL checkpoint is a formal state in the agent state machine, with a defined entry condition, a presentation contract, a decision interface, a timeout behaviour, and an immutable audit record written before the agent proceeds. Article 14 is satisfied structurally, not by policy document.
EU AI Act, MDR Article 87, ISO 13485, and CSRD obligations are encoded as immutable constraints in the data model and enforced at write time. The compliance audit trail is a by-product of normal operations — not a separate process, not a monthly reconstruction exercise. Every event is tagged with the regulatory obligation it satisfies at the time of writing. A compliance audit reads the operational log. There is nothing to reconstruct after the fact.
Every module has a defined autonomy boundary. Below the threshold: autonomous execution. Above the threshold: the agent prepares the best possible brief — supplier risk summary, SHAP explanation, confidence score, recommended action, and comparable precedents — and waits for a named human approver. Replacing human judgment in a medical device manufacturer is not the goal. Making it faster, better-informed, fully documented, and structurally compliant is.
04The Architecture
Four technical layers. Three intelligence layers.
The architecture has two complementary views. The technical stack comprises four layers (Experience, Agent Orchestration, MLOps, Infrastructure) — each with a single responsibility and clean interfaces. The intelligence model organises the eight capability modules into three layers: Sense, Decide, and Comply. Governance and compliance constraints flow downward through the technical stack; intelligence signals flow upward from MLOps to the Experience layer.
This is a concept overview. The full technical design — GCP reference architecture, Terraform IaC, ADK agent topology, and Vertex AI pipeline specifications — is developed in TOGAF ADM Phases A–F (PG 04) and the Infrastructure page (PG 08).
| DemandIQ | Annex III §8 — AI in supply chains for critical infrastructure components (Class II/III medical devices) |
| SupplierSentinel | Annex III §8 — Autonomous risk assessment affecting continuity of critical medical device supply |
| QualityTrace | Annex III §5(b) — AI used in safety components of medical devices subject to MDR 2017/745 |
| InventoryOrchestrator | Annex III §8 — Autonomous allocation decisions affecting availability of life-critical device components |
| ContractIntelligence | Annex III §8 — AI system materially influencing procurement decisions in critical supply chains |
05Capability Layers & Modules
Eight modules. Three intelligence layers.
The three intelligence layers — Sense, Decide, Comply — organise the eight modules by architectural role, independent of the four-layer technical stack. Intelligence flows upward: Sense modules feed signals to Decide modules; Decide outcomes feed Comply modules with the documented audit record.
Multi-signal ML demand forecasting. Replaces 12-week Excel with real-time POS, clinical pipeline, economic indicator, and historical demand fusion. SHAP-attributed. Confidence-scored. EU AI Act Annex III §8 high-risk.
Real-time supplier risk monitoring across 480 suppliers. Financial distress signals, geopolitical exposure scoring, ESG compliance monitoring, sub-tier concentration mapping. 30-day advance warning — not 11-day crisis response. EU AI Act Annex III §8 high-risk.
ML-assisted strategic sourcing. Risk-adjusted supplier scoring, price benchmarking, multi-criteria evaluation. A2A commerce integration for autonomous purchase order issuance within defined autonomy boundaries.
Full-corpus SAP Ariba contract analysis using Gemini 2.5 Pro 1M+ context window. 480 suppliers, full contract portfolio, single inference pass. Clause extraction, risk scoring, non-standard term flagging, HITL routing. EU AI Act Annex III §8 high-risk.
Real-time inventory positioning across 14 manufacturing sites. Multi-echelon optimisation driven by DemandIQ signals and SupplierSentinel risk scores. Autonomous rebalancing within threshold; HITL for above-threshold moves. EU AI Act Annex III §8 high-risk.
Device lineage tracing from supplier certificate through production batch to implanted device. Atomic write to ISO 13485 device history record. MDR Article 87 vigilance reporting at 72-hour SLA. NCR resolution from 23 days to same-day. EU AI Act Annex III §5(b) high-risk.
CSRD Scope 3 data fabric. Supplier emissions data collection, logistics invoice parsing, freight export integration. Real-time consolidation replaces quarterly manual process. ISO 14001 environmental data requirements satisfied via Cloud Carbon Footprint API integration.
Unified executive visibility layer. Real-time supply chain health dashboard. Cross-module KPI aggregation, risk surface map, regulatory obligation status, pending HITL queue, immutable audit log viewer. The operating cockpit.
06A2A Commerce Protocol
From risk signal to executed
purchase order — without a form.
The A2A Commerce Protocol enables MedDevice procurement agents to transact directly with supplier agents — issuing verified purchase orders, receiving structured bids, and writing every step to an immutable audit log. This is the complete inter-enterprise agentic commerce loop.
breach detected
+ HITL approval
Pub/Sub
broadcast to
3 supplier agents
Commerce
schema-validated
returned over A2A
brief
→ Signed PO
evaluation + CPO
sign-off → PO issued
SupplierSentinel detects a risk spike on the tier-2 Malaysian PCB supplier — financial distress signal combined with a regional geopolitical event. Risk score crosses the autonomy threshold. HITL fires. Procurement team reviews the SHAP-attributed risk brief and approves emergency re-sourcing. The A2A Commerce loop initiates.
The MedDevice Procurement Agent generates a qualified sourcing request — schema-validated, SHAP-attributed risk justification, HITL-authorised reference included. The request is broadcast to three pre-qualified supplier agents over the A2A protocol. No form. No email. No manual RFQ process. The message is a structured, signed, machine-readable commercial document.
Three pre-qualified supplier agents evaluate the sourcing request against current production capacity, lead time availability, and pricing constraints. Each returns a structured bid over A2A — schema-validated, machine-readable, with full provenance. The bid format is defined by the A2A commerce schema; no supplier-specific interpretation required.
ContractIntelligence evaluates the three bids using risk-adjusted total cost of ownership scoring — incorporating SupplierSentinel's live risk scores, Gemini 2.5 Pro contract analysis of existing supplier terms, and delivery reliability history. The recommendation is surfaced to the CPO with a full SHAP explanation identifying the five factors that differentiated the winning bid.
The CPO reviews the recommendation, the SHAP explanation, and approves via the HITL surface. The winning supplier agent receives a signed purchase order over A2A. The full transaction — from risk signal through bid evaluation to executed purchase order — is written to the immutable audit log. Every step has a timestamp, an approver identity, and a SHAP attribution.
07The Architecture Speaks to Every Seat at the Table
What this architecture delivers
— by leadership role.
34% forecast error. €180M inventory cost. €60M stockout when a Malaysian supplier went dark with 11 days notice. DemandIQ replaces the Excel forecast with a multi-signal ML model that reads POS data, clinical pipeline signals, and economic indicators in real time. InventoryOrchestrator positions stock across 14 sites dynamically. SupplierSentinel gives you 30-day advance warning — not an 11-day crisis.
Five high-risk AI systems under EU AI Act Annex III, each classified and justified by design. MDR Article 87 vigilance SLA of 72 hours versus a 23-day NCR resolution baseline. CSRD Scope 3 reporting required from FY2025. FDA 21 CFR Part 820 design control and DHR requirements satisfied via QualityTrace atomic writes. Every high-risk inference routes through a named approver with a SHAP explanation before any write operation commits. The audit trail writes itself during normal operations.
480 suppliers. Annual questionnaire risk. Four SAP Ariba instances. Strategic sourcing without ML-assisted benchmarking. ProcureGuard and ContractIntelligence give you real-time risk-adjusted supplier scoring, full-corpus contract analysis across the entire supplier base in a single inference pass, and — for the first time — a procurement agent that can issue a verified purchase order to a supplier agent over A2A, autonomously, with a full audit trail.
08Regulatory Grounding
Compliance is not a layer.
It is the foundation.
Each regulation imposes specific architectural constraints — not just documentation requirements. The design satisfies them structurally, at write time, as a by-product of normal operations.
09The Design
The design starts here.
The following pages take every principle above and express it as concrete architecture artifacts — client requirements, TOGAF phases, workflow simulations, agent topology, ML pipeline design, and infrastructure code. Each page is independently readable. Together, they form a complete enterprise AI solutions architecture portfolio.
Why Now · Pain Domains · Philosophy · Capability Layers · A2A Commerce · Regulatory Framework
LiveBRD · Stakeholder Map · AI Readiness Audit · Use Case Catalogue · Non-Functional Requirements
LiveEnd-to-end scenario walkthroughs · HITL decision flows · A2A Commerce sequence diagrams
LiveArchitecture Vision · Business Architecture · Data & Application · Technology · Migration Planning
LiveSAFe Programme Increment · FRD · HITL Specification · Module Design Contracts
LiveADK Topology · A2A Protocol · MCP Tool Manifest · State Machines · Guardrails · Audit Schema
LiveFeature Store · Model Cards · XAI Contracts · Vertex Pipelines · Drift Detection · Retraining
LiveTerraform IaC · VPC-SC · GKE · Cloud Run · CI/CD · FinOps · GreenOps · Security Command Center
LiveChange Management · Training Design · Governance Operating Model · Value Realisation Roadmap