The Autonomous Supply Chain / Page 05 of 9
Delivery & Product Design
SAFe for AI · ART Structure · Programme Increment Structure · FRD · HITL Specification · NFR
Two questions answered on one page. First, how the Autonomous Supply Chain gets delivered across an 18-month programme: the SAFe delivery governance layer, including ART composition, PI schedules, and measurable Definitions of Done. Second, what each of the eight modules actually does: the product design layer that bridges architecture to implementation, covering all modules with full functional requirements, GDPR Article 22 analysis, and HITL traceability.
Programme Scale: 18 months · 8 modules
Programme Increments: 3 PIs · 2 ARTs
High-Risk Modules (EU AI Act): 5 of 8 modules
HITL Checkpoints: 8 checkpoints
Availability (HITL modules): 99.9% CET
Section 01
Delivery Framework: SAFe for AI
MedDevice is an enterprise with 6,800 employees across 22 countries. The Autonomous Supply Chain is an 18-month, 8-module programme. SAFe provides the PI Planning, ART cadence, and change management structure that enterprise stakeholders recognise and trust — and the explicit cross-team dependency governance that prevents integration surprises at scale.
Enterprise Scale Demands SAFe
At 6,800 employees across 22 countries, the Autonomous Supply Chain cannot be delivered through ad-hoc sprint planning. SAFe's Solution Train provides a governance model that senior stakeholders in Procurement, Regulatory Affairs, and IT all recognise — reducing programme risk through a shared delivery language rather than architecture-team vocabulary alone.
PI Cadence Aligns to Regulatory Gates
Each PI increment delivers a compliance milestone — not just a feature set. PI-01 delivers the EU AI Act compliance infrastructure. PI-02 delivers four Annex III-compliant models in production. PI-03 delivers the conformity assessment documentation readiness pack. The PI boundary is the audit checkpoint.
Cross-Team Dependency Management
DemandIQ feeds InventoryOrchestrator. SupplierSentinel feeds ContractIntelligence. InventoryOrchestrator writes back to SAP MRP. These dependencies cross module boundaries. SAFe's cross-ART dependency board surfaces them at PI Planning — before they become integration blockers in sprint 8.
HITL as a SAFe Enabler
The HITL Framework — the Firestore-backed state machine that governs all eight human oversight checkpoints — is a Platform ART enabler. It is delivered in PI-01 before any domain module can build its own HITL integration. SAFe's explicit enabler model prevents every team from building their own oversight mechanism in isolation.
SAFe 6.0 Solution Train
3 Programme Increments
EU AI Act Annex III Gate per PI
HITL Framework — Platform ART Enabler
ISO 13485 · MDR 2017/745
Section 01 — ART Composition
Agile Release Train Structure
Two ARTs deliver the Autonomous Supply Chain under the Solution Train. The Platform ART delivers shared infrastructure, compliance tooling, and the HITL Framework as enablers consumed by all domain teams. The Domain ART delivers the eight business modules in PI-sequenced waves. Team composition is indicative and subject to PI Planning capacity review.
| ART | Name | Teams | Approx. Headcount | Sprint Cadence | Primary PI Deliverables |
|---|---|---|---|---|---|
| ART-1 | Platform ART | GCP Infrastructure · MLOps · Security & Compliance · HITL Framework · Integration | ~30 FTE | 2-week sprints · 5 sprints per PI | VPC-SC, CMEK, Pub/Sub fabric, HITL state machine, XAI layer, MLOps pipeline, drift detection, conformity doc automation |
| ART-2 | Domain ART | DemandIQ · SupplierSentinel · QualityTrace · InventoryOrchestrator · ContractIntelligence · ScopeTracer · ProcureGuard · Dashboard | ~40 FTE | 2-week sprints · 5 sprints per PI | All eight business modules; consumer of Platform ART enablers; cross-ART dependency coordination via PI Planning board |
Cross-ART Dependency Protocol
Domain ART teams cannot deploy a HITL integration until the Platform ART HITL Framework enabler is accepted (PI-01 DoD). This dependency is tracked on the cross-ART board at each PI Planning event and enforced as a hard architectural gate — not a soft dependency. The Platform ART System Architect signs off on each domain module's HITL integration before it enters UAT.
Section 01 — continued
Programme Increment Structure
Three PIs. Each with a defined feature set, a measurable Definition of Done tied to a quantitative baseline, and a compliance gate that is a formal regulatory milestone — not a sprint velocity target. Sprint count and velocity estimates are based on 2 ARTs × 5 sprints per PI × estimated 40-point team velocity, subject to PI Planning calibration.
Horizon 1 · Months 1–6
PI-01 — GCP Foundation + Compliance Infrastructure
Horizon 2 · Months 7–12
PI-02 — Core ML Modules
Horizon 3 · Months 13–18
PI-03 — Strategic Intelligence + A2A Commerce
Programme Increment
PI-01
Months 1–6 · H1 · GCP Foundation + Compliance Infrastructure
2 ARTs · ~12 sprints · ART-1 primary
Features
VPC-SC + CMEK + IAM baseline — europe-west3 residency enforced
Pub/Sub event fabric — all SAP integration streams live
SAP Ariba REST integration + SAP S/4HANA event bridge
HITL Framework — Firestore-backed state machine, all 8 checkpoint types registered
XAI layer baseline — SHAP pipeline operational
EU AI Act conformity doc automation — pipeline registered, template accepted by Regulatory Affairs
SupplierSentinel v1 — monitoring only, no ML-triggered actions
MLOps scaffold — Vertex AI Pipelines, model registry, drift detection hooks
Definition of Done
EU AI Act compliance infrastructure independently verified by Regulatory Affairs. All SAP integration event streams live and producing valid events in staging. SupplierSentinel v1 surfacing risk signals to HITL queue with ≥95% event completeness. HITL Framework load-tested to 99.9% availability SLA. DR failover demonstrated for europe-west3 outage scenario.
Programme Increment
PI-02
Months 7–12 · H2 · Core ML Modules
2 ARTs · ~12 sprints · ART-2 primary
Features
DemandIQ — full ensemble + HITL-01 operational
QualityTrace — NCR pipeline + MDR lineage + HITL-03/08
InventoryOrchestrator — multi-site ML + SAP MRP integration + HITL-04
ProcureGuard — procurement agent + SAP Ariba + HITL-06
MLOps pipeline fully operational — automated retraining + champion/challenger rollback
Model Cards for all four models — accepted by Regulatory Affairs
Drift detection alerts operational — ≤1h alert SLO live
Definition of Done
Four high-risk ML models in production and EU AI Act Annex III compliant per accepted Model Cards. DemandIQ forecast error ≤20% WMAPE (measured against 34% baseline on 90-day holdout). QualityTrace NCR pipeline meeting 72-hour MDR SLA at ≥98% rate in production. SHAP + HITL operational for all four modules. Automated model rollback demonstrated for each champion model.
Programme Increment
PI-03
Months 13–18 · H3 · Strategic Intelligence + A2A Commerce
2 ARTs · ~12 sprints · ART-2 primary
Features
ContractIntelligence — Gemini full-corpus analysis + HITL-05
ScopeTracer — Scope 3 + CSRD automated reporting
ProcureGuard v2 — full A2A Commerce inter-enterprise loop
SupplyChain Command Dashboard — unified HITL queue + module health
DemandIQ target: forecast error ≤12% WMAPE (programme end target)
EU AI Act conformity assessment documentation package — complete
Definition of Done
Full 8-module system operational. CSRD Scope 3 reporting generating automated output verified against prior manual baseline. A2A Commerce loop demonstrated end-to-end with live supplier agent. DemandIQ forecast error ≤12% WMAPE on 90-day live window. EU AI Act conformity assessment documentation package accepted by Regulatory Affairs and filed. NCR cycle time ≤5 days in production.
SAFe Alignment Note — Regulatory Milestones as PI Gates
Each PI boundary is a compliance gate — not a feature delivery milestone. PI-01 closes when the EU AI Act infrastructure is independently verifiable by Regulatory Affairs. PI-02 closes when all four Annex III Model Cards are accepted and the measurable forecast error target is demonstrated. PI-03 closes when the full conformity assessment documentation package is filed. This alignment of PI cadence to regulatory milestones makes compliance governance a first-class SAFe artifact, not a retrospective audit.
Section 01 — HITL Autonomy Thresholds
Financial Autonomy Threshold Governance
All financial thresholds that govern HITL activation are derived from MedDevice Industries GmbH's Delegation of Authority (DoA) policy and CFO-approved procurement thresholds — not architecture team assumptions. This table traces each threshold to its governance source. These figures must be re-validated at each PI Planning event and are subject to CFO sign-off before programme go-live.
| HITL ID | Module | Threshold Value | Threshold Type | Governance Source | Owner | Review Cadence |
|---|---|---|---|---|---|---|
| HITL-01 | DemandIQ | €50,000 | Forecast-triggered PO value | DoA Policy § 4.2 — Procurement Level II | VP Supply Chain | Annual / PI Planning |
| HITL-02 | SupplierSentinel | Risk Score ≥ 0.75 | Composite risk score (0–1) | Supplier Risk Management Policy § 6 — Critical Threshold | Procurement Director | Quarterly / model retrain |
| HITL-03 | QualityTrace | Any CAPA closure | Regulatory event (no financial threshold) | ISO 13485 § 8.5.2 — CAPA closure requires QM sign-off | Quality Manager | Per event / MDR SLA |
| HITL-04 | InventoryOrchestrator | €100,000 | Reorder decision value | DoA Policy § 4.3 — Inventory Reorder Level III | CFO / VP Supply Chain | Annual / PI Planning |
| HITL-05 | ContractIntelligence | Any strategic sourcing · Any A2A bid | Strategic sourcing decision | Procurement Policy § 2.1 — Strategic Sourcing requires CPO approval | CPO | Annual |
| HITL-06 | ProcureGuard | Any contract countersignature | Legal event (no financial threshold) | Legal Sign-off Policy § 3 — All contracts require Legal Counsel review | Head of Legal | Annual |
Threshold Governance Note
Financial thresholds in this document are derived from the governance artefacts cited above. They are not architecture team defaults. Any change to MedDevice's DoA policy, Procurement Policy, or Supplier Risk Management Policy must trigger a review of the corresponding HITL threshold — tracked as a configuration change item in the MLOps change management register. The CFO and Head of Legal must formally accept the threshold table before PI-01 completion.
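As an added illustration (example code, not the programme's own HITL Framework), the routing rule the threshold table implies, written in Python: the thresholds and their governance sources sit in one configuration table, `route()` decides which checkpoint an event must clear, and `concentration_share()` computes the FR-S05 sub-tier input that feeds HITL-07. The event field names, the reading of "above" a financial threshold as strictly greater than, and the HITL-07 row (which the governance table does not list) are assumptions made for this example.

```python
"""Threshold-driven HITL routing (added illustration, not the programme's code).

Assumptions: thresholds are read from a configuration table that records the
governance source of each value, so a DoA change is a configuration change
item rather than a code change; "above" a financial threshold is read as
strictly greater than; events are plain dicts constructed inline and nothing
here touches Pub/Sub, Firestore or the ADK agent.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Checkpoint:
    hitl_id: str
    module: str
    reviewer: str
    governance_source: str              # where the threshold value comes from
    slo_hours: float
    trigger: Callable[[dict], bool]     # True when human review is required


# Threshold values, reviewers and sources follow the governance table above;
# the event shapes (type / value_eur / score / share keys) are assumptions.
CHECKPOINTS = [
    Checkpoint("HITL-01", "DemandIQ", "Demand Planner", "DoA Policy § 4.2", 4,
               lambda e: e["type"] == "forecast_po" and e["value_eur"] > 50_000),
    Checkpoint("HITL-02", "SupplierSentinel", "Procurement Director",
               "Supplier Risk Management Policy § 6", 2,
               lambda e: e["type"] == "risk_score" and e["score"] >= 0.75),
    Checkpoint("HITL-03", "QualityTrace", "Quality Manager", "ISO 13485 § 8.5.2", 8,
               lambda e: e["type"] == "capa_closure"),
    Checkpoint("HITL-04", "InventoryOrchestrator", "Inventory Planner", "DoA Policy § 4.3", 4,
               lambda e: e["type"] == "reorder" and e["value_eur"] > 100_000),
    Checkpoint("HITL-05", "ContractIntelligence", "CPO", "Procurement Policy § 2.1", 24,
               lambda e: e["type"] in ("strategic_sourcing", "a2a_bid")),
    Checkpoint("HITL-06", "ProcureGuard", "Legal Counsel", "Legal Sign-off Policy § 3", 48,
               lambda e: e["type"] == "contract_countersign"),
    # HITL-07 is not in the governance table; its rule is the FR-S05 text.
    Checkpoint("HITL-07", "SupplierSentinel", "Supply Chain Director",
               "FR-S05 concentration rule (no financial threshold)", 8,
               lambda e: e["type"] == "concentration" and e["share"] >= 0.30),
]


def route(event: dict) -> Optional[Checkpoint]:
    """Return the checkpoint this event must clear, or None if it may proceed."""
    for cp in CHECKPOINTS:
        if cp.trigger(event):
            return cp
    return None


def concentration_share(spend_by_supplier: dict[str, float]) -> tuple[str, float]:
    """Largest single-supplier share of a component category's spend (FR-S05)."""
    total = sum(spend_by_supplier.values())
    if not spend_by_supplier or total <= 0:
        return "", 0.0
    top = max(spend_by_supplier, key=spend_by_supplier.__getitem__)
    return top, spend_by_supplier[top] / total


def decision_record(event: dict) -> dict:
    """The routing outcome as it would be written to the audit log."""
    cp = route(event)
    return {
        "event": event,
        "hitl_id": cp.hitl_id if cp else None,
        "reviewer": cp.reviewer if cp else None,
        "governance_source": cp.governance_source if cp else "autonomous (below threshold)",
    }


if __name__ == "__main__":
    print(decision_record({"type": "forecast_po", "value_eur": 62_000}))
    top, share = concentration_share({"Sup-A": 35.0, "Sup-B": 65.0})
    print(decision_record({"type": "concentration", "category": "seals", "supplier": top, "share": share}))
```

Because the governance source travels with the value, the change-management register can diff this table against the DoA policy at each PI Planning review, and the predicates never need editing when a threshold moves.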
Section 02
Functional Requirements Document — All Eight Modules
All eight modules. For each: primary function, key functional requirements, EU AI Act Annex III classification (where applicable), and the HITL checkpoint specification. Five modules carry high-risk designation under EU AI Act Annex III and require full conformity assessment. Three modules (ScopeTracer, SupplierSentinel monitoring component, SupplyChain Command Dashboard) operate under standard risk classification. These are the handover documents from the architecture engagement to the development teams — precise enough to build from.
Module 01
DemandIQ
Multi-signal ML demand forecasting replacing the Excel-based monthly cycle. 12-week rolling forecast per SKU per manufacturing site, with SHAP attribution required before any procurement trigger is issued.
EU AI Act · Annex III High-Risk
Functional Requirements
FR-D01: Ingest Salesforce pipeline, SAP IBP, hospital procurement indices, macroeconomic indicators as feature inputs via Pub/Sub event stream
FR-D02: Generate 12-week rolling forecast with 80% and 95% confidence intervals per SKU per manufacturing site
FR-D03: Produce SHAP attribution (top-5 features with magnitude and direction) per forecast line before procurement trigger is issued
FR-D04: Route all forecast-triggered procurement decisions above the DoA-defined threshold (currently €50K) to HITL-01 (Demand Planner) for approval before any SAP event is written
FR-D05: Write forecast, SHAP explanation, confidence interval, and human approval decision to immutable Firestore audit log atomically before proceeding
FR-D06: Support automated model rollback to last champion version upon drift alert — rollback must complete within 30 minutes of alert trigger
HITL Specification
HITL-01 — Demand Planner
Reviews: 12-week forecast + SHAP top-5 features + 80%/95% confidence intervals + prior forecast accuracy on this SKU/site pair. Actions: Approve / Reject / Escalate. Trigger: forecast-triggered PO above DoA threshold.
SLO: 4h · Timeout → VP Supply Chain
Module 02
SupplierSentinel
Continuous real-time multi-dimensional supplier risk scoring. Financial, geopolitical, ESG, and sub-tier concentration risk per supplier — continuously refreshed via Pub/Sub event stream. Monitoring v1 delivered in PI-01; ML-triggered actions in PI-02.
EU AI Act · Annex III High-Risk
Functional Requirements
FR-S01: Ingest supplier financial filings, news/event streams, geopolitical indices, ESG data, and sub-tier mapping via Pub/Sub — refresh within 60 seconds of each inbound event
FR-S02: Generate composite risk score (0–1) per supplier per dimension (financial, geopolitical, ESG, concentration) with per-dimension sub-scores
FR-S03: Produce SHAP explanation per composite score identifying the top contributing signals before any sourcing action is triggered
FR-S04: Route events where composite score ≥ 0.75 (per Supplier Risk Management Policy § 6) to HITL-02 before sourcing decisions proceed
FR-S05: Route sub-tier concentration risk events (single supplier representing ≥30% of a critical component category) to HITL-07 (Supply Chain Director) for resilience response
FR-S06: Maintain immutable supplier risk event history in Cloud Firestore with full audit trail for regulatory review and MDR lineage correlation
HITL Specification
HITL-02 — Procurement Director
Reviews: composite risk score + per-dimension sub-scores + SHAP top signals + recommended sourcing action + alternative supplier availability. Actions: Approve / Reject / Escalate. Trigger: composite score ≥ 0.75 per policy.
SLO: 2h · Timeout → CPO + Alert Regulatory Affairs
Module 03
QualityTrace
Automated NCR root cause + MDR Article 87 lineage tracing. Full device lineage from raw material supplier to finished device, with CAPA routing and 72-hour MDR SLA enforcement via event-sourced pipeline.
EU AI Act · Annex III High-Risk
Functional Requirements
FR-Q01: Ingest batch records, supplier certificates, and incoming inspection data from Veeva Vault and SAP S/4HANA via Pub/Sub event stream — all events timestamped and immutable
FR-Q02: Generate automated root cause hypothesis per NCR with SHAP attribution within 2 hours of NCR creation event — hypothesis must identify responsible component/supplier/process step
FR-Q03: Trace full device lineage from raw material supplier through to finished device serial number for MDR Article 87 vigilance reporting — lineage must be exportable as MDR-structured artefact
FR-Q04: Generate MDR Article 87 vigilance report draft within 48 hours of serious incident event, leaving 24 hours for HITL-08 (Regulatory Affairs) review before 72-hour SLA deadline
FR-Q05: Route all CAPA recommendations to HITL-03 (Quality Manager) before CAPA closure — ISO 13485 § 8.5.2 requires QM sign-off; system must enforce this as a hard gate
HITL Specification
HITL-03 — Quality Manager
Reviews: root cause hypothesis + SHAP attribution + affected device lineage + CAPA recommendation. Actions: Approve / Modify / Reject. MDR 72h hard deadline enforced by pipeline — timeout triggers auto-escalation to VP Quality.
SLO: 8h · MDR hard deadline: 72h
Module 04
InventoryOrchestrator
ML-optimised inventory positioning across 14 manufacturing and distribution sites. Consumes DemandIQ forecasts and SupplierSentinel risk scores as primary inputs for reorder and safety stock calculation. Writes back to SAP S/4HANA MRP only after HITL gate.
EU AI Act · Annex III High-Risk
Functional Requirements
FR-I01: Consume DemandIQ forecast events + SupplierSentinel risk scores as primary inputs via Pub/Sub — reorder calculation must re-run within 5 minutes of each upstream event
FR-I02: Generate reorder point and safety stock recommendation per SKU per site with confidence score and SHAP attribution to DemandIQ forecast, SupplierSentinel risk, and safety stock model contributions
FR-I03: Integrate with SAP S/4HANA MRP via Pub/Sub for automated reorder trigger — SAP write is blocked until HITL gate is passed or value is below autonomous threshold
FR-I04: Route high-value reorder decisions above DoA-defined threshold (currently €100K) to HITL-04 (Inventory Planner) before SAP write — SAP write held atomically until approval
FR-I05: Support automated model rollback to prior champion state within 30 minutes of drift alert — rollback must include re-calculation of all open reorder recommendations
HITL Specification
HITL-04 — Inventory Planner
Reviews: reorder recommendation + SHAP attribution (DemandIQ %, SupplierSentinel %, safety stock %) + current stock levels + lead time. Actions: Approve / Adjust / Reject. Trigger: reorder value above DoA threshold.
SLO: 4h · Timeout → VP Supply Chain
Module 05
ContractIntelligence
Full-corpus contract analysis + A2A Commerce sourcing loop. Uses a Gemini-family model with ≥1M token context window for full-corpus contract ingestion (no chunking), classifying 200+ clause types, generating TCO scores, and executing the inter-enterprise A2A sourcing loop.
EU AI Act · Annex III High-Risk
Functional Requirements
FR-C01: Ingest full SAP Ariba contract corpus via REST — 480 supplier contracts, full document without chunking — requires Gemini-family model with ≥1M token context window
FR-C02: Classify and risk-score 200+ clause types per contract using a capable large context model with clause-level confidence score per classification
FR-C03: Generate risk-adjusted TCO score per supplier for strategic sourcing decisions with SHAP attribution tracing each score to clause-level risk contributors
FR-C04: Execute A2A Commerce loop — issue structured sourcing request to supplier agents via A2A protocol, receive structured bids, evaluate against TCO model, present comparison to CPO via HITL-05
FR-C05: Route all strategic sourcing decisions and all A2A bid acceptances to HITL-05 (CPO) before contract countersignature or PO issuance — no autonomous contract commitment permitted
HITL Specification
HITL-05 — CPO
Reviews: TCO score + SHAP clause attribution + A2A bid comparison table + contract risk summary. Actions: Approve / Counter / Reject. Covers strategic sourcing and emergency re-sourcing paths.
SLO: 24h strategic · 2h emergency
Module 06
ProcureGuard
Automated procurement agent managing PO lifecycle in SAP Ariba, executing contract countersignature workflows, and enforcing Legal Counsel sign-off via HITL-06 before any contract becomes binding. The A2A Commerce v1 integration is delivered in PI-02; full inter-enterprise loop in PI-03.
EU AI Act · Annex III High-Risk
Functional Requirements
FR-P01: Manage full PO lifecycle in SAP Ariba — creation, amendment, and closure — with every state transition logged to immutable Firestore audit record
FR-P02: Enforce HITL-06 (Legal Counsel) gate before any contract progresses to countersignature — system must hold contract in PENDING_LEGAL state until approval or rejection is recorded
FR-P03: Surface to Legal Counsel: contract summary, ContractIntelligence clause risk flags, SHAP attribution, recommended action, and escalation path — all in HITL-06 review interface
FR-P04: Execute A2A Commerce v1 sourcing request issuance to supplier agents on behalf of ContractIntelligence — all A2A messages structured per A2A protocol specification
FR-P05: Generate structured audit export per PO and contract event — exportable in formats compatible with ISO 13485 audit requirements and EU AI Act Annex IV documentation obligations
HITL Specification
HITL-06 — Legal Counsel
Reviews: contract summary + clause risk flags from ContractIntelligence + SHAP attribution + recommended action. Actions: Approve / Return for Revision / Escalate to Head of Legal. Trigger: any contract countersignature.
SLO: 48h · Timeout → Head of Legal alert + CPO notified
Module 07
ScopeTracer
Automated real-time Scope 3 emissions monitoring and CSRD-compliant reporting. Ingests freight, 3PL, and logistics data via BigQuery Omni in-place calculation — eliminating the quarterly manual data gathering process. Classified as standard risk under EU AI Act (reporting module, no high-impact automated decisions).
Standard Risk · CSRD Obligation
Functional Requirements
FR-SC01: Ingest freight emissions data, 3PL portal feeds, and logistics event streams via Pub/Sub — all data ingestion in-region (europe-west3) with CMEK encryption at rest
FR-SC02: Calculate Scope 3 Category 4 (upstream transportation) and Category 9 (downstream transportation) emissions per shipment using GHG Protocol-compliant emission factors
FR-SC03: Generate CSRD-structured Scope 3 emissions report on automated schedule — output must be diff-comparable against prior period for Sustainability Controller review
FR-SC04: Surface real-time Scope 3 dashboard in SupplyChain Command Dashboard — current period vs. prior period, by supplier, by logistics lane
FR-SC05: Maintain full emissions calculation audit trail — each reported figure must be traceable to source data, emission factor version, and calculation methodology
Human Review
Sustainability Controller Review
ScopeTracer does not carry an EU AI Act high-risk HITL checkpoint. The Sustainability Controller reviews the auto-generated CSRD report before external submission. This is a business process control, not an AI Act Article 14 obligation — documented here for completeness.
Review cycle: Quarterly CSRD submission · Annual ESRS E1 report
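To make FR-SC02, FR-SC03 and FR-SC05 concrete, here is an added Python example (not ScopeTracer's own code) that computes Category 4 and 9 transport emissions per shipment with the distance-based method and carries the source record, emission factor version, factor source and methodology on every line, then produces the period-over-period diff the Sustainability Controller reviews. The emission factors, shipments and record identifiers are constructed placeholders, not MedDevice data or real factor values, and BigQuery Omni is not involved.

```python
"""Traceable Scope 3 transport emissions per shipment (added illustration,
not the programme's ScopeTracer code).

Assumptions: GHG Protocol Scope 3 distance-based method (mass x distance x
mode-specific factor); the factor set and shipments below are constructed
placeholders. What the example shows is the provenance carried on every
figure (FR-SC05) and the diff-comparable period output (FR-SC03).
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class EmissionFactor:
    version: str            # factor set version recorded on every line item
    mode: str
    kg_co2e_per_tkm: float  # kg CO2e per tonne-kilometre
    source: str             # where the factor was taken from


# Constructed factor set; a real deployment loads a versioned, approved table.
FACTORS_2025_1 = {
    "road": EmissionFactor("ef-2025.1", "road", 0.10, "placeholder-road-factor"),
    "air": EmissionFactor("ef-2025.1", "air", 0.90, "placeholder-air-factor"),
}

METHOD = "GHG Protocol Scope 3 distance-based: mass_t x distance_km x factor"


def shipment_line(shipment: dict, factors: dict) -> dict:
    """One auditable line: the figure plus everything needed to recompute it."""
    f = factors[shipment["mode"]]
    tkm = shipment["mass_t"] * shipment["distance_km"]
    return {
        "shipment_id": shipment["id"],
        "category": 4 if shipment["direction"] == "upstream" else 9,
        "supplier": shipment["supplier"],
        "lane": shipment["lane"],
        "tkm": tkm,
        "kg_co2e": round(tkm * f.kg_co2e_per_tkm, 3),
        "factor_version": f.version,
        "factor_source": f.source,
        "method": METHOD,
        "source_record": shipment["source_record"],  # 3PL portal / freight feed record
    }


def period_report(shipments: list[dict], factors: dict) -> dict:
    """Period totals per category, with the line items that back them."""
    lines = [shipment_line(s, factors) for s in shipments]
    totals = {4: 0.0, 9: 0.0}
    for ln in lines:
        totals[ln["category"]] += ln["kg_co2e"]
    return {
        "lines": lines,
        "cat4_kg_co2e": round(totals[4], 3),
        "cat9_kg_co2e": round(totals[9], 3),
        "factor_versions": sorted({ln["factor_version"] for ln in lines}),
    }


def period_diff(current: dict, prior: dict) -> dict:
    """Diff-comparable output for the Sustainability Controller (FR-SC03)."""
    return {k: round(current[k] - prior[k], 3) for k in ("cat4_kg_co2e", "cat9_kg_co2e")}


# Constructed shipments (identifiers and values are placeholders).
SHIPMENTS_Q1 = [
    {"id": "S-1", "supplier": "Sup-A", "lane": "DE-FR", "mode": "road", "direction": "upstream",
     "mass_t": 2.0, "distance_km": 500, "source_record": "3pl-portal:rec-1001"},
    {"id": "S-2", "supplier": "Sup-B", "lane": "CN-DE", "mode": "air", "direction": "upstream",
     "mass_t": 0.5, "distance_km": 8000, "source_record": "3pl-portal:rec-1002"},
    {"id": "S-3", "supplier": "Dist-X", "lane": "DE-ES", "mode": "road", "direction": "downstream",
     "mass_t": 1.0, "distance_km": 1800, "source_record": "freight-feed:rec-2001"},
]
SHIPMENTS_Q2 = SHIPMENTS_Q1[:1]  # constructed: only the road shipment recurs

if __name__ == "__main__":
    q1 = period_report(SHIPMENTS_Q1, FACTORS_2025_1)
    q2 = period_report(SHIPMENTS_Q2, FACTORS_2025_1)
    print(q1["cat4_kg_co2e"], q1["cat9_kg_co2e"], period_diff(q2, q1))
```

The factor version on each line is what lets an auditor re-run the calculation years later with the factor table as it stood at reporting time; a period whose lines span two factor versions shows up in `factor_versions` and should be explained in the CSRD narrative.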
Module 08
SupplyChain Command Dashboard
Unified operational interface for all HITL queue management, module health monitoring, agent state inspection, and cross-module alerting. Read-only aggregate view — it does not make autonomous decisions. Delivered in PI-03.
Standard Risk · Observability Module
Functional Requirements
FR-DB01: Display all 8 HITL queues with pending items, reviewer assignment, elapsed time against SLO, and escalation status — refreshed every 30 seconds
FR-DB02: Surface module health metrics per agent — last run timestamp, event throughput, drift alert status, error rate — with threshold-based alerting to on-call engineer
FR-DB03: Provide cross-module alert feed — structured JSON events from Cloud Logging surfaced as prioritised operational alerts with severity classification
FR-DB04: Support HITL audit log export per module per time period — export must satisfy EU AI Act Annex IV audit documentation requirements
FR-DB05: Role-based access control enforced at dashboard layer — HITL reviewer sees only their assigned queue; VP Supply Chain sees cross-module view; read-only for all non-approver roles
Human Review
No AI Act HITL Obligation
The Dashboard is a monitoring and audit interface, not an AI decision system. It does not trigger automated actions. All human decisions are initiated through the HITL checkpoints of the domain modules — the Dashboard surfaces the queue and provides the review interface for those checkpoints.
Monitoring module · No autonomous decision path
Section 03
HITL Specification — Master Table
All eight HITL checkpoints across the Autonomous Supply Chain system. This table is the contract between the architecture and the EU AI Act compliance team — satisfying Article 14 documentation requirements for every high-risk AI system in scope. The "Information Presented" column is a required Article 14 artefact specifying that reviewers receive sufficient, interpretable information to make a meaningful oversight decision — not just a notification.
| ID | Module | Reviewer | Trigger Condition | Information Presented to Reviewer | Actions Available | SLO | Timeout Action |
|---|---|---|---|---|---|---|---|
| HITL-01 | DemandIQ | Demand Planner | Forecast-triggered PO above DoA threshold (€50K) | 12-week forecast + 80%/95% confidence intervals · SHAP top-5 features with magnitude · Prior forecast accuracy for this SKU/site pair · Proposed PO value | Approve · Reject · Escalate | 4 hours | Auto-escalate to VP Supply Chain · SAP write held |
| HITL-02 | SupplierSentinel | Procurement Director | Composite supplier risk score ≥ 0.75 (per Risk Policy § 6) | Composite score + per-dimension sub-scores (financial, geo, ESG, concentration) · SHAP top signals · Recommended action · Alternative supplier availability | Approve · Reject · Escalate | 2 hours | Pause sourcing action · Alert CPO · Regulatory Affairs notified |
| HITL-03 | QualityTrace | Quality Manager | CAPA recommendation pending closure (ISO 13485 § 8.5.2) | Root cause hypothesis + SHAP attribution · Affected device lineage + batch records · CAPA recommendation + proposed corrective actions · MDR SLA countdown | Approve · Modify · Reject | 8h · 72h MDR hard SLA | Escalate to VP Quality · MDR flag raised · Hard deadline enforced |
| HITL-04 | InventoryOrchestrator | Inventory Planner | Reorder decision above DoA threshold (€100K) | Reorder recommendation + SHAP attribution (DemandIQ %, SupplierSentinel %, safety stock %) · Current stock levels per site · Lead time · Prior reorder accuracy | Approve · Adjust · Reject | 4 hours | Hold SAP write · Escalate to Supply Chain Director |
| HITL-05 | ContractIntelligence | CPO | Strategic sourcing decision · Any A2A bid acceptance | TCO score + SHAP clause attribution · A2A bid comparison table (all bids received) · Contract risk summary · Recommended supplier + rationale | Approve · Counter · Reject | 24h strategic · 2h emergency | Pause A2A loop · Hold PO issuance · Alert Head of Legal |
| HITL-06 | ProcureGuard | Legal Counsel | Any contract pending countersignature | Contract summary · ContractIntelligence clause risk flags + severity · SHAP attribution for flagged clauses · Recommended action · Prior legal review history for this supplier | Approve · Return for Revision · Escalate | 48 hours | Hold contract in PENDING_LEGAL · Alert CPO + Head of Legal |
| HITL-07 | SupplierSentinel | Supply Chain Director | Sub-tier concentration risk flag: single supplier ≥30% of critical component category | Concentration risk profile · Affected component categories + spend exposure · Alternative supplier landscape · Recommended diversification action + estimated lead time | Initiate Diversification · Accept Risk · Escalate | 8 hours | Escalate to VP Supply Chain · Regulatory Affairs notified if MDR-critical component |
| HITL-08 | QualityTrace | Regulatory Affairs | MDR Article 87 vigilance report ready for sign-off | Full MDR-structured vigilance report draft · Device lineage trace · Root cause summary + CAPA status · SLA countdown to 72h submission deadline · Prior similar incident history | Sign Off · Request Amendment · Reject | Within 72h MDR SLA | Auto-escalate to VP Regulatory · Hard deadline enforced by pipeline |
EU AI Act Article 14 — Human Oversight Compliance Statement
This HITL specification satisfies EU AI Act Article 14 by defining: (1) the specific conditions under which human oversight is triggered for each high-risk AI system, (2) the information presented to the human reviewer at each checkpoint — including model outputs, explainability artefacts, and contextual data sufficient for a meaningful decision, (3) the decision options available and the system action each triggers, (4) the SLA and escalation path, and (5) the immutable audit record written to Cloud Firestore before any agent proceeds. All eight checkpoints are implemented as first-class state machine nodes in the ADK agent definition — not process notes or informal review steps. The HITL Framework is a Platform ART enabler delivered in PI-01 before any domain module can build a HITL integration.
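To show what "first-class state machine nodes" means in practice, here is an added Python sketch of one HITL item (example code, not the Platform ART HITL Framework or any ADK code). It encodes the HITL-01 and HITL-06 rows of the master table: the information bundle is validated before the item opens, an audit record is appended before every transition, only the actions the table lists are accepted, and an item left pending past its SLO escalates to the named timeout target while the downstream write stays held. The in-memory `audit` list stands in for the Firestore collection and the bundle field names are assumptions.

```python
"""HITL checkpoint as a state-machine node (added illustration, not the
programme's HITL Framework or ADK code).

Assumptions: an in-memory list stands in for the Firestore audit collection;
actions, SLOs, timeout targets and required information bundles follow the
HITL-01 and HITL-06 rows of the master table, and further checkpoints would
be added to SPEC the same way. The invariant shown is the one the compliance
statement requires: record first, transition second, and only APPROVED
releases the held SAP/Ariba write.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HOUR = timedelta(hours=1)

SPEC = {
    "HITL-01": {"actions": {"Approve", "Reject", "Escalate"},
                "slo": 4 * HOUR, "timeout_to": "VP Supply Chain",
                "required": {"forecast_12w", "ci_80", "ci_95", "shap_top5",
                             "prior_accuracy", "po_value_eur"}},
    "HITL-06": {"actions": {"Approve", "Return for Revision", "Escalate"},
                "slo": 48 * HOUR, "timeout_to": "Head of Legal",
                "required": {"contract_summary", "clause_risk_flags",
                             "shap_attribution", "recommended_action"}},
}
TERMINAL = {"Approve": "APPROVED", "Reject": "REJECTED", "Escalate": "ESCALATED"}


@dataclass
class HitlItem:
    hitl_id: str
    decision_ref: str                 # PO, contract or reorder identifier
    opened_at: datetime
    presented: dict                   # Article 14 information bundle
    state: str = "PENDING"
    audit: list = field(default_factory=list)   # stand-in for the immutable log

    def _record(self, **entry) -> None:
        # Audit first, transition second: no state change without a record.
        self.audit.append({"hitl_id": self.hitl_id, "ref": self.decision_ref, **entry})

    def decide(self, reviewer: str, action: str, at: datetime) -> str:
        spec = SPEC[self.hitl_id]
        if self.state != "PENDING":
            raise ValueError(f"{self.decision_ref} is already {self.state}")
        if action not in spec["actions"]:
            raise ValueError(f"{action!r} is not an allowed action for {self.hitl_id}")
        self._record(event="decision", reviewer=reviewer, action=action,
                     at=at.isoformat(), presented=self.presented)
        # Modify / Adjust / Counter / Return for Revision all send the item back.
        self.state = TERMINAL.get(action, "RETURNED")
        return self.state

    def check_timeout(self, now: datetime) -> str:
        """Escalate a still-pending item past its SLO; the write stays held."""
        spec = SPEC[self.hitl_id]
        if self.state == "PENDING" and now - self.opened_at > spec["slo"]:
            self._record(event="timeout", escalated_to=spec["timeout_to"], at=now.isoformat())
            self.state = "ESCALATED"
        return self.state

    def may_proceed(self) -> bool:
        """Only APPROVED releases the held downstream write."""
        return self.state == "APPROVED"


def open_item(hitl_id: str, ref: str, presented: dict, at: datetime) -> HitlItem:
    """Refuse to open a checkpoint whose information bundle is incomplete."""
    missing = SPEC[hitl_id]["required"] - set(presented)
    if missing:
        raise ValueError(f"{hitl_id} bundle incomplete: {sorted(missing)}")
    item = HitlItem(hitl_id, ref, at, presented)
    item._record(event="opened", at=at.isoformat(), presented=presented)
    return item


# Constructed sample bundle for a HITL-01 review (values are placeholders).
T0 = datetime(2025, 1, 6, 9, 0, tzinfo=timezone.utc)
SAMPLE_HITL01 = {"forecast_12w": [120, 118, 125], "ci_80": (110, 130), "ci_95": (100, 140),
                 "shap_top5": [("hospital_index", 0.31), ("sf_pipeline", 0.22)],
                 "prior_accuracy": {"wmape": 0.18}, "po_value_eur": 62_000}

if __name__ == "__main__":
    item = open_item("HITL-01", "PO-4711", SAMPLE_HITL01, T0)
    print(item.decide("demand.planner", "Approve", T0 + 1 * HOUR), item.may_proceed())
```

The rejection of an incomplete bundle is the part worth copying: it turns the "Information Presented" column from documentation into a precondition the pipeline enforces, so a checkpoint can never degrade into a bare notification.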
GDPR Article 22 — Automated Decision-Making Analysis
Several modules in this system produce decisions with legally significant or commercially significant effects on third parties (supplier organisations, procurement counterparties). GDPR Article 22 applies where automated processing is used to make decisions that produce legal effects concerning, or similarly significantly affecting, a data subject or legal entity. The HITL architecture is the primary Article 22 safeguard: no high-impact decision — PO issuance, contract countersignature, supplier sourcing action — proceeds without a human approval step. This design satisfies GDPR Article 22(2)(b) (explicit human review). The DPO must confirm this assessment at PI-01 gate. Supplier risk scoring (SupplierSentinel) may also require a legitimate interest assessment under GDPR Article 6(1)(f) for the processing of third-party financial and behavioural data — to be resolved with Legal Counsel before SupplierSentinel v2 activates ML-triggered actions in PI-02.
Section 04
Non-Functional Requirements
Six NFRs that govern the entire Autonomous Supply Chain platform — performance, availability, security, compliance, observability, and cost. These are architectural constraints, not aspirational goals. Each carries a measurable acceptance criterion and an owner accountable for its enforcement.
NFR-01
Performance
DemandIQ forecast generation within 30 seconds per full-corpus run on Vertex AI Pipelines. SupplierSentinel risk score refresh within 60 seconds of each Pub/Sub event. InventoryOrchestrator reorder recalculation within 5 minutes of an upstream DemandIQ or SupplierSentinel event. These are architectural constraints on pipeline configuration and Pub/Sub consumer topology — not SLAs to be set post-deployment.
DemandIQ ≤ 30s · SupplierSentinel ≤ 60s · InventoryOrchestrator ≤ 5min
NFR-02
Availability & DR
HITL-gated modules require 99.9% availability during CET business hours — a human reviewer cannot approve if the platform is unavailable. Non-HITL modules operate at 99.5%. RTO: 4 hours, RPO: 15 minutes for HITL modules (derived from the 4-hour HITL-01 SLO — a platform recovery must complete before the first HITL timeout fires). Multi-region failover design for europe-west3 outage scenarios is required by PI-01 DoD. GreenOps batch scheduling shifts non-HITL workloads to off-peak windows.
HITL: 99.9% CET · RTO 4h · RPO 15min · Non-HITL: 99.5%
NFR-03
Security
All data within VPC-SC perimeter. CMEK mandatory for all persistent storage — Cloud Storage, BigQuery, Firestore, Pub/Sub. Supplier PII restricted to europe-west3 at the Organisation Policy level. No service account key files in any environment — Workload Identity Federation only. All inter-service calls authenticated via IAM service identities. Network egress restricted to approved external endpoints only (SAP, Veeva, approved supplier agent endpoints).
VPC-SC · CMEK mandatory · WIF only · No SA keys · PII in europe-west3
NFR-04
Compliance
EU AI Act Annex IV conformity assessment documentation is generated automatically per model version by the MLOps pipeline on every model promotion event — not produced manually for each audit. Generated artefacts include: model purpose statement, training data provenance, performance metrics per validation dataset, SHAP explainability summary, HITL checkpoint mapping, and known limitations. The documentation pipeline is a first-class Platform ART component, delivering its first template in PI-01 and full automation in PI-02.
Conformity docs auto-generated per model version · Annex IV template accepted by Regulatory Affairs in PI-01
NFR-05
Observability & Model Operations
All agent state transitions logged to Cloud Logging with structured JSON — queryable in BigQuery via Log Sink. Drift detection alerts are operational SLOs: threshold breach triggers automated alert within 1 hour — before the next HITL review cycle is affected. On drift alert: automated rollback to last champion model initiates within 5 minutes; rollback must complete within 30 minutes. Rollback trigger, rollback completion, and post-rollback performance metrics are all logged as first-class audit events.
Structured JSON logging · Drift alert ≤ 1h · Rollback initiation ≤ 5min · Rollback complete ≤ 30min
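The drift-to-rollback timings above only become operational SLOs if something checks them against the audit events. The following is an added Python example (not the programme's MLOps code) that parses structured JSON log lines, reconstructs the breach, alert, initiation and completion timestamps per model, and reports which of the NFR-05 limits were met and which audit events are missing. The log lines are constructed for the example and are not real Cloud Logging output; in production the same check would run as a query over the BigQuery log sink.

```python
"""Drift-to-rollback SLO check over structured log events (added illustration,
not the programme's MLOps code).

Assumptions: events are Cloud Logging style JSON lines with the fields used in
SAMPLE_LOG, which is constructed here and is not real MedDevice log output;
the SLO values are the NFR-05 figures (alert within 1h of breach, rollback
initiated within 5 min and completed within 30 min of the alert).
"""
import json
from datetime import datetime, timedelta

SLO = {
    "alert_after_breach": timedelta(hours=1),
    "init_after_alert": timedelta(minutes=5),
    "complete_after_alert": timedelta(minutes=30),
}
# Each of these must appear as a first-class audit event for every rollback.
REQUIRED_EVENTS = ("drift_threshold_breach", "drift_alert",
                   "rollback_initiated", "rollback_completed")

# Constructed sample: one compliant rollback, one late and unfinished, one
# alert with no surrounding audit trail at all.
SAMPLE_LOG = """\
{"ts": "2025-03-03T10:00:00Z", "model": "demandiq", "event": "drift_threshold_breach", "metric": "wmape"}
{"ts": "2025-03-03T10:20:00Z", "model": "demandiq", "event": "drift_alert"}
{"ts": "2025-03-03T10:23:00Z", "model": "demandiq", "event": "rollback_initiated", "to_version": "champion-v7"}
{"ts": "2025-03-03T10:45:00Z", "model": "demandiq", "event": "rollback_completed", "to_version": "champion-v7"}
{"ts": "2025-03-03T11:00:00Z", "model": "inventoryorchestrator", "event": "drift_threshold_breach", "metric": "mae"}
{"ts": "2025-03-03T12:30:00Z", "model": "inventoryorchestrator", "event": "drift_alert"}
{"ts": "2025-03-03T12:37:00Z", "model": "inventoryorchestrator", "event": "rollback_initiated", "to_version": "champion-v3"}
{"ts": "2025-03-03T13:10:00Z", "model": "qualitytrace", "event": "drift_alert"}
"""


def parse_events(lines: str) -> dict:
    """model -> {event: timestamp}; a repeated event keeps its latest timestamp."""
    events: dict = {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.setdefault(rec["model"], {})[rec["event"]] = ts
    return events


def evaluate(lines: str) -> dict:
    """Per model: SLO verdicts, missing audit events and an overall verdict."""
    report = {}
    for model, ev in parse_events(lines).items():
        have = set(ev)
        r = {"missing_events": [e for e in REQUIRED_EVENTS if e not in have]}
        if {"drift_threshold_breach", "drift_alert"} <= have:
            r["alert_ok"] = ev["drift_alert"] - ev["drift_threshold_breach"] <= SLO["alert_after_breach"]
        if {"drift_alert", "rollback_initiated"} <= have:
            r["init_ok"] = ev["rollback_initiated"] - ev["drift_alert"] <= SLO["init_after_alert"]
        if {"drift_alert", "rollback_completed"} <= have:
            r["complete_ok"] = ev["rollback_completed"] - ev["drift_alert"] <= SLO["complete_after_alert"]
        # A rollback with any audit event missing is non-compliant even if the
        # timings that can be measured are fine.
        r["compliant"] = (not r["missing_events"]
                          and all(r.get(k, False) for k in ("alert_ok", "init_ok", "complete_ok")))
        report[model] = r
    return report


if __name__ == "__main__":
    for model, verdict in evaluate(SAMPLE_LOG).items():
        print(model, verdict)
```

Treating a missing `rollback_completed` event as a failure, rather than as "not yet measured", is deliberate: the NFR requires the completion to be logged as an audit event, so its absence is itself a finding.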
NFR-06
Cost & GreenOps
FinOps tagging per module per environment from the first Terraform apply — cost allocation is enforced from day 1, not deferred to Phase 2. GreenOps scheduling shifts batch workloads — DemandIQ full-corpus runs, QualityTrace lineage traces, ScopeTracer Scope 3 calculations — to off-peak hours aligned with low-carbon grid windows. ScopeTracer's CSRD reporting itself depends on accurate GreenOps scheduling to report reduced cloud Scope 3 emissions.
FinOps tags day 1 · GreenOps batch scheduling active · Scope 3 cloud emissions tracked by ScopeTracer