The supply chain that decides before the crisis does.
An explainability-first, EU AI Act-compliant enterprise AI architecture for regulated manufacturers who can no longer afford the intelligence gap between their data and their decisions.
Modules
EU AI Act Annex III
Sense · Decide · Comply
Decisions
01Why Now
The architectural conditions for autonomous supply chain AI are now in place.
Four things had to be true simultaneously for an autonomous supply chain to be architecturally viable: the regulatory framework had to be clear enough to design against, the tooling mature enough to deploy, and the data infrastructure fast enough to act on in real time. In 2024–25, all four converged.
Regulatory Convergence
EU AI Act, MDR 2017/745, and CSRD all entered enforcement simultaneously in 2024–25. The compliance surface for a regulated manufacturer tripled in 18 months. Architecture must satisfy all three simultaneously — or it satisfies none. The forcing function that turns explainability from a nice-to-have into a contractual necessity has arrived.
EU AI Act · MDR · CSRD · 2024–25LLM Contract Intelligence
Gemini 2.5 Pro's 1M+ token context window makes full-corpus SAP Ariba contract analysis possible for the first time — 310 suppliers, years of contracts, a single inference pass. No chunking. No information loss. The boundary between structured enterprise data and unstructured contract documents, which blocked enterprise AI adoption for fifteen years, has collapsed.
Gemini 2.5 Pro · 1M+ Context · 2025A2A Commerce Protocol
Google ADK and the Agent-to-Agent (A2A) protocol enable procurement agents to transact directly with supplier agents — issuing verified purchase orders, receiving structured bids, and writing every step to an immutable audit log. This is the first architecturally sound, auditable, agent-native commerce layer for enterprise supply chains.
Google ADK · A2A Protocol · 2025Real-Time Supply Chain Data Fabric
BigQuery, Pub/Sub, and Vertex AI Feature Store compose into a real-time data fabric that enables sub-second supplier risk scoring from live financial filings, news streams, and ESG data. The gap between a supply chain event and an AI-driven response has collapsed from days to seconds. The quarterly spreadsheet is architecturally obsolete.
BigQuery · Feature Store · Pub/Sub02The Anchor Problem
Anchor Client · ClaraVis Medical Systems GmbH
Demand Signal Blindness
12-week Excel forecasts updated monthly. No multi-signal intelligence — no POS data integration, no clinical trial pipeline signals, no economic leading indicators. The supply chain responds to history, not the future. When a tier-2 Malaysian supplier went dark with 11 days notice in 2024, there was no early warning system to absorb the shock.
Supplier Risk is a Spreadsheet
310 suppliers. Annual questionnaire-based risk assessment. No real-time monitoring of financial health, geopolitical exposure, ESG compliance, or sub-tier concentration risk. The supply chain has no awareness of the world its suppliers operate in until a crisis has already materialised. Risk arrives as a crisis — not as a signal with time to act.
Procurement is Manual and Fragmented
SAP Ariba deployed across four regional instances with different approval workflows, different contract terms, and different supplier master data. Strategic sourcing conducted without ML-assisted price benchmarking, risk-adjusted scoring, or contract clause analysis. Contract intelligence exists only inside individual procurement professionals — and leaves when they do.
Quality and Compliance Traceability is Reactive
NCR resolution requires manual trace across supplier certificates, inspection records, and batch records in three separate systems. Average NCR resolution time: 23 days. MDR Article 87 vigilance reporting SLA: 72 hours. The gap between what the architecture delivers and what the regulator requires is not a process problem — it is a structural liability.
Sustainability Reporting is a Manual Exercise
CSRD Scope 3 reporting required from FY2025. Emissions data lives in supplier questionnaires, logistics invoices, and freight export reports across 22 countries. Manual quarterly consolidation produces a CSRD report that is 90 days stale at the time of publication. The report describes where the supply chain was — not where it is.
03Design Philosophy
Four principles. Non-negotiable in a regulated context.
These are not best-practice guidelines. In the EU AI Act, MDR 2017/745, and ISO 13485 regulatory environment, they are architectural constraints. Every component of this system must satisfy all four simultaneously.
Explainability engineered in — from model design to audit trail
XAI is not a dashboard added after the model ships. Every ML model in this system is designed with its explanation contract upfront — before a single line of training code is written. SHAP values are generated at inference time. Model Cards are versioned alongside models in the registry. Every ML decision produces a human-readable explanation before any write operation commits. When DemandIQ adjusts a replenishment order for imaging system components, the supply chain planner sees the top five demand signals that drove the adjustment, the confidence score, and a one-click override — before the SAP write occurs.
Human oversight is a first-class state machine node
EU AI Act Article 14 defines meaningful human oversight as a designed mechanism — a specific point in the decision flow where a named human reviews the agent's reasoning, the SHAP explanation, and the confidence score. In this architecture, every HITL checkpoint is a formal state in the agent state machine, with a defined entry condition, a presentation contract, a decision interface, a timeout behaviour, and an immutable audit record written before the agent proceeds. Article 14 is satisfied structurally, not by policy document.
Compliance obligations encoded as write-path constraints
EU AI Act, MDR Article 87, ISO 13485, and CSRD obligations are encoded as immutable constraints in the data model and enforced at write time. The compliance audit trail is a by-product of normal operations — not a separate process, not a monthly reconstruction exercise. Every event is tagged with the regulatory obligation it satisfies at the time of writing. A compliance audit reads the operational log. There is nothing to reconstruct after the fact.
Augment the enterprise — never replace its judgment
Every module has a defined autonomy boundary. Below the threshold: autonomous execution. Above the threshold: the agent prepares the best possible brief — supplier risk summary, SHAP explanation, confidence score, recommended action, and comparable precedents — and waits for a named human approver. Replacing human judgment in a medical device manufacturer is not the goal. Making it faster, better-informed, fully documented, and structurally compliant is.
04The Architecture
Four technical layers. Three intelligence layers.
The architecture has two complementary views. The technical stack comprises four layers (Experience, Agent Orchestration, MLOps, Infrastructure) — each with a single responsibility and clean interfaces. The intelligence model organises the eight capability modules into three layers: Sense, Decide, and Comply. Governance and compliance constraints flow downward through the technical stack; intelligence signals flow upward from MLOps to the Experience layer.
This is a concept overview. The full technical design — GCP reference architecture, Terraform IaC, ADK agent topology, and Vertex AI pipeline specifications — is developed in TOGAF ADM Phases A–F (PG 04) and the Infrastructure page (PG 08).
| DemandIQ | Annex III §8 — AI in supply chains for critical infrastructure components (Class II/III medical devices) |
| SupplierSentinel | Annex III §8 — Autonomous risk assessment affecting continuity of critical medical device supply |
| QualityTrace | Annex III §5(b) — AI used in safety components of medical devices subject to MDR 2017/745 |
| InventoryOrchestrator | Annex III §8 — Autonomous allocation decisions affecting availability of life-critical device components |
| ContractIntelligence | Annex III §8 — AI system materially influencing procurement decisions in critical supply chains |
05Capability Layers & Modules
Eight modules. Three intelligence layers.
The three intelligence layers — Sense, Decide, Comply — organise the eight modules by architectural role, independent of the four-layer technical stack. Intelligence flows upward: Sense modules feed signals to Decide modules; Decide outcomes feed Comply modules with the documented audit record.
Multi-signal ML demand forecasting. Replaces 12-week Excel with real-time POS, clinical pipeline, economic indicator, and historical demand fusion. SHAP-attributed. Confidence-scored. EU AI Act Annex III §8 high-risk.
Real-time supplier risk monitoring across 310 suppliers. Financial distress signals, geopolitical exposure scoring, ESG compliance monitoring, sub-tier concentration mapping. 30-day advance warning — not 11-day crisis response. EU AI Act Annex III §8 high-risk.
ML-assisted strategic sourcing. Risk-adjusted supplier scoring, price benchmarking, multi-criteria evaluation. A2A commerce integration for autonomous purchase order issuance within defined autonomy boundaries.
Full-corpus SAP Ariba contract analysis using Gemini 2.5 Pro 1M+ context window. 310 suppliers, full contract portfolio, single inference pass. Clause extraction, risk scoring, non-standard term flagging, HITL routing. EU AI Act Annex III §8 high-risk.
Real-time inventory positioning across 6 manufacturing sites. Multi-echelon optimisation driven by DemandIQ signals and SupplierSentinel risk scores. Autonomous rebalancing within threshold; HITL for above-threshold moves. EU AI Act Annex III §8 high-risk.
Device lineage tracing from supplier certificate through production batch to implanted device. Atomic write to ISO 13485 device history record. MDR Article 87 vigilance reporting at 72-hour SLA. NCR resolution from 23 days to same-day. EU AI Act Annex III §5(b) high-risk.
CSRD Scope 3 data fabric. Supplier emissions data collection, logistics invoice parsing, freight export integration. Real-time consolidation replaces quarterly manual process. ISO 14001 environmental data requirements satisfied via Cloud Carbon Footprint API integration.
Unified executive visibility layer. Real-time supply chain health dashboard. Cross-module KPI aggregation, risk surface map, regulatory obligation status, pending HITL queue, immutable audit log viewer. The operating cockpit.
06A2A Commerce Protocol
From risk signal to executed purchase order — without a form.
The A2A Commerce Protocol enables ClaraVis procurement agents to transact directly with supplier agents — issuing verified purchase orders, receiving structured bids, and writing every step to an immutable audit log. This is the complete inter-enterprise agentic commerce loop.
SupplierSentinel detects a risk spike on the tier-2 Malaysian PCB supplier — financial distress signal combined with a regional geopolitical event. Risk score crosses the autonomy threshold. HITL fires. Procurement team reviews the SHAP-attributed risk brief and approves emergency re-sourcing. The A2A Commerce loop initiates.
Broadcast sourcing request over A2A
The ClaraVis Procurement Agent generates a qualified sourcing request — schema-validated, SHAP-attributed risk justification, HITL-authorised reference included. The request is broadcast to three pre-qualified supplier agents over the A2A protocol. No form. No email. No manual RFQ process. The message is a structured, signed, machine-readable commercial document.
Evaluate capacity and return structured bids
Three pre-qualified supplier agents evaluate the sourcing request against current production capacity, lead time availability, and pricing constraints. Each returns a structured bid over A2A — schema-validated, machine-readable, with full provenance. The bid format is defined by the A2A commerce schema; no supplier-specific interpretation required.
Evaluate bids, surface recommendation with SHAP explanation
ContractIntelligence evaluates the three bids using risk-adjusted total cost of ownership scoring — incorporating SupplierSentinel's live risk scores, Gemini 2.5 Pro contract analysis of existing supplier terms, and delivery reliability history. The recommendation is surfaced to the CPO with a full SHAP explanation identifying the five factors that differentiated the winning bid.
Approve, execute, audit
The CPO reviews the recommendation, the SHAP explanation, and approves via the HITL surface. The winning supplier agent receives a signed purchase order over A2A. The full transaction — from risk signal through bid evaluation to executed purchase order — is written to the immutable audit log. Every step has a timestamp, an approver identity, and a SHAP attribution.
07The Architecture Speaks to Every Seat at the Table
What this architecture delivers — by leadership role.
Operational intelligence that anticipates — not reacts.
34% forecast error. €95M inventory cost. €32M stockout when a Malaysian supplier went dark with 11 days notice. DemandIQ replaces the Excel forecast with a multi-signal ML model that reads POS data, clinical pipeline signals, and economic indicators in real time. InventoryOrchestrator positions stock across 6 sites dynamically. SupplierSentinel gives you 30-day advance warning — not an 11-day crisis.
Compliance as a structural property — not a reporting exercise.
Five high-risk AI systems under EU AI Act Annex III, each classified and justified by design. MDR Article 87 vigilance SLA of 72 hours versus a 23-day NCR resolution baseline. CSRD Scope 3 reporting required from FY2025. FDA 21 CFR Part 820 design control and DHR requirements satisfied via QualityTrace atomic writes. Every high-risk inference routes through a named approver with a SHAP explanation before any write operation commits. The audit trail writes itself during normal operations.
Strategic sourcing with real intelligence — and a commerce layer that executes.
310 suppliers. Annual questionnaire risk. Four SAP Ariba instances. Strategic sourcing without ML-assisted benchmarking. ProcureGuard and ContractIntelligence give you real-time risk-adjusted supplier scoring, full-corpus contract analysis across the entire supplier base in a single inference pass, and — for the first time — a procurement agent that can issue a verified purchase order to a supplier agent over A2A, autonomously, with a full audit trail.
08Regulatory Grounding
Compliance is not a layer. It is the foundation.
Each regulation imposes specific architectural constraints — not just documentation requirements. The design satisfies them structurally, at write time, as a by-product of normal operations.
| Regulation | Architectural Constraint Imposed | Risk Level |
|---|---|---|
| EU AI Act — Annex IIIHigh-Risk AI Systems | Five high-risk AI systems classified per Annex III §5(b) and §8. Full SHAP explanation + named HITL approver + versioned Model Card + risk management documentation. Write-path enforcement. Every inference produces a human-readable explanation before any write operation commits. | High Risk |
| MDR 2017/745Art. 87–89 Vigilance | Device lineage tracing and vigilance reporting infrastructure. 72-hour Article 87 SLA satisfied architecturally via QualityTrace real-time NCR pipeline. Atomic write to ISO 13485 device history record at every supply chain event. | High Risk |
| FDA 21 CFR Part 820Quality System Regulation | Design control records (§820.30), Device History Records (§820.184), and CAPA documentation (§820.100) satisfied via QualityTrace atomic writes to the immutable data fabric. Supplier qualification records (§820.50) maintained in real-time by SupplierSentinel. Post-market surveillance data feeds ML retraining pipeline. | High Risk |
| GDPR / EU DPDPData Protection | Supplier PII confined within VPC-SC perimeter. CMEK encryption — ClaraVis holds the keys. Data residency enforced: europe-west3. Right to erasure preserved via Firestore document-level deletion with audit record preservation. | Native to Infra |
| EU CSRDSustainability Reporting | ScopeTracer produces a real-time Scope 3 data fabric and CSRD-compliant reporting pipeline. Replaces manual quarterly consolidation. Report reflects current state — not 90-day-old data. Mandatory from FY2025. | Moderate |
| ISO 13485:2016Medical Devices QMS | Device batch records, supplier qualification records, and NCR documentation stored in immutable data fabric. Atomic writes to device history records at every relevant supply chain event. Post-market surveillance data feeds ML retraining pipeline. | Moderate |
| ISO 14001Environmental Management | ScopeTracer and GreenOps scheduling satisfy ISO 14001 environmental management data requirements structurally. GreenOps scheduling shifts non-time-critical compute to low-carbon grid windows via GCP Cloud Carbon Footprint API. Carbon attribution per inference run computed and logged. | Native to Infra |
09The Design
The design starts here.
The following pages take every principle above and express it as concrete architecture artifacts — client requirements, TOGAF phases, workflow simulations, agent topology, ML pipeline design, and infrastructure code. Each page is independently readable. Together, they form a complete enterprise AI solutions architecture portfolio.
Why Now · Pain Domains · Philosophy · Capability Layers · A2A Commerce · Regulatory Framework
LiveBRD · Stakeholder Map · AI Readiness Audit · Use Case Catalogue · Non-Functional Requirements
LiveEnd-to-end scenario walkthroughs · HITL decision flows · A2A Commerce sequence diagrams
LiveArchitecture Vision · Business Architecture · Data & Application · Technology · Migration Planning
LiveSAFe Programme Increment · FRD · HITL Specification · Module Design Contracts
LiveADK Topology · A2A Protocol · MCP Tool Manifest · State Machines · Guardrails · Audit Schema
LiveFeature Store · Model Cards · XAI Contracts · Vertex Pipelines · Drift Detection · Retraining
LiveTerraform IaC · VPC-SC · GKE · Cloud Run · CI/CD · FinOps · GreenOps · Security Command Center
LiveChange Management · Training Design · Governance Operating Model · Value Realisation Roadmap