Reference Architecture Diagram + Narrative (private 5G + MEC + ERP/WMS)
┌────────────────────────────────────────────────────────────────────────┐
│ ROLES & DOMAINS                                                        │
│ Floor Ops │ Supervisors │ Robotics/OT │ IT/Sec │ Vendors/3PL │ QA/HSSE │
└─────────────┬─────────────┬─────────────┬─────────────┬────────────────┘
              │             │             │             │
              ▼             ▼             ▼             ▼
┌────────────────────────────────────────────────────────────────────────┐
│ DC / WAREHOUSE EDGE (ZONED)                                            │
│ SD-Branch / SD-WAN (dual uplinks; ZTP templates)                       │
│ VRFs/VLANs: AMR/Robotics │ IoT/RFID │ ERP/WMS │ Staff │ Guest          │
│ NGFW/NAC • QoS: control>vision>ERP>guest                               │
└─────────────────┬────────────────────────────────────┬─────────────────┘
                  │                                    │
   Private 5G/LTE (CBRS/licensed)          Wi-Fi 6/7 (BYOD/scanners)
   Small cells + local UPF (URLLC)          (non-deterministic lanes)
                  │                                    │
                  ▼                                    ▼
┌────────────────────────────────────────────────────────────────────────┐
│ MEC / EDGE CLUSTER (on-prem)                                           │
│ • K8s/VMs: AMR orchestration, vision AI                                │
│ • IoT/OT gateways: OPC-UA/Modbus/REST                                  │
│ • Local historian • Store-and-forward buffers                          │
└────────────────────────────────────┬───────────────────────────────────┘
                                     │
                                     ▼
┌────────────────────────────────────────────────────────────────────────┐
│ TRANSPORT / SECURITY FABRIC                                            │
│ SD-WAN overlays ║ MPLS/IX ║ SASE/SSE POPs                              │
│ ZTNA | SWG | CASB | FWaaS | DLP | EmailSec                             │
│ (geo/data-residency; vendor PAM windows)                               │
└─────────────────┬────────────────────────────────────┬─────────────────┘
                  │                                    │
                  ▼                                    ▼
┌──────────────────────────────────┐  ┌──────────────────────────────────┐
│ ENTERPRISE CORES (DC/Colo)       │  │ CLOUD ON-RAMPS (DX/ER/GCI)       │
│ • ERP/WMS/TMS • IdP/MFA • KMS    │  │ • ERP/WMS SaaS • Analytics/AI    │
│ • SIEM/NDR • Backups/Immutable   │  │ • Data lake • Partner/3PL APIs   │
└────────────────┬─────────────────┘  └────────────────┬─────────────────┘
                 │                                     │
                 ▼                                     ▼
┌──────────────────────────────────┐  ┌──────────────────────────────────┐
│ FULFILLMENT APPS                 │  │ VISIBILITY & CUSTOMER EDGE       │
│ Slotting/optimizers              │  │ CPaaS (SMS/email/WhatsApp)       │
│ Labor mgmt / WFM                 │  │ Portals / E-com / Returns (WAF)  │
└──────────────────────────────────┘  └──────────────────────────────────┘

Observability / Telemetry bus ──► NOC/SOC + AIOps (AMR/vision/ERP KPIs) + ITSM/CMDB + PCI/SOC2 audit vault
Narrative (how the fulfillment fabric stays fast, safe, and exact)
1) Purpose & posture
- Objective: Run robotic fulfillment with deterministic control, real-time inventory truth, and global supply-chain visibility, while meeting PCI/SOC2/OSHA/FSMA requirements.
- Posture: Zero-Trust by default, IT/OT segmentation, evidence-ready compliance, and vendor access gated by PAM + time-bound windows.
2) Radio & edge (syntax where milliseconds matter)
- Private 5G/LTE small-cell grid with local UPF gives URLLC-grade paths for AMRs, conveyors, PLCs, and machine vision.
- Wi-Fi 6/7 serves scanners/BYOD in non-deterministic lanes.
- MEC/edge cluster runs AMR orchestration, vision AI (defect/label read/palletization), slotting algorithms, and proxies all device protocols (OPC-UA/Modbus/REST) into secure, routable flows.
- Store-and-forward buffers ensure picks, scans, and sensor data survive WAN impairment.
3) Segmentation & zero-trust (semantics preserved)
- VRFs/VLANs isolate AMR/Robotics, IoT/RFID, ERP/WMS, Staff, Guest.
- SASE/SSE POPs apply ZTNA (user+device+role), SWG/CASB/FWaaS/DLP for SaaS/e-com flows; email security prevents social engineering on floor devices.
- Vendor access is PAM-mediated, recorded, and time-boxed.
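The access decisions in this section (deny-by-default segmentation matrix, MFA plus device posture for people, certificate identity for robots, time-boxed PAM windows for vendors) can be written down as policy-as-code so they are testable before they are pushed to the NGFW/NAC and ZTNA broker. The block below is an added example, not part of the reference architecture or any vendor's product; the segment names, roles, PAM window and request records are constructed assumptions.

```python
"""Added example: a policy-as-code evaluator for the zero-trust rules in
section 3. Segment names, roles, the PAM window and the sample requests
are constructed for this example."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Permitted segment-to-segment flows. The matrix is deny-by-default: any
# pair not listed is blocked, which is how AMR, IoT, ERP, Staff and Guest
# isolation is expressed. Segment names are constructed.
ALLOWED_FLOWS = {
    ("AMR", "MEC"),      # robots talk only to the edge orchestrator
    ("IoT", "MEC"),      # sensors / RFID readers feed the edge gateways
    ("MEC", "ERP"),      # edge reconciles to ERP/WMS
    ("Staff", "ERP"),    # supervisors and floor ops reach WMS screens
    ("Vendor", "MEC"),   # vendor support, PAM window required (checked below)
}

# Approved vendor PAM windows (UTC). Constructed sample data.
PAM_WINDOWS = {
    "vendor-amr-support": (
        datetime(2024, 5, 1, 2, 0, tzinfo=timezone.utc),
        datetime(2024, 5, 1, 4, 0, tzinfo=timezone.utc),
    ),
}

@dataclass(frozen=True)
class Request:
    subject: str               # user or device identity
    role: str                  # "Floor Ops", "Supervisor", "Robot", "Vendor", ...
    src_segment: str
    dst_segment: str
    when: datetime
    mfa: bool = False          # human users must have completed MFA
    posture_ok: bool = False   # device posture (managed, patched, EDR healthy)
    device_cert: bool = False  # robots/sensors present a device certificate

def evaluate(req: Request) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). Every path that does not end in
    an explicit allow is a deny."""
    if (req.src_segment, req.dst_segment) not in ALLOWED_FLOWS:
        return "deny", f"flow {req.src_segment}->{req.dst_segment} not permitted by segmentation matrix"
    if req.role == "Robot":
        # Machines carry a cert-based identity instead of MFA.
        if req.device_cert:
            return "allow", "device certificate accepted"
        return "deny", "robot without device certificate"
    if req.role == "Vendor":
        window = PAM_WINDOWS.get(req.subject)
        if window is None:
            return "deny", "vendor has no approved PAM window"
        start, end = window
        if not start <= req.when < end:
            return "deny", "request outside approved PAM window"
    # Human users (staff and vendors alike) need MFA and a healthy device.
    if not req.mfa:
        return "deny", "MFA not satisfied"
    if not req.posture_ok:
        return "deny", "device posture check failed"
    return "allow", "identity, posture and segmentation checks passed"

def run_samples() -> dict[str, str]:
    """Constructed requests covering the main decision branches."""
    t_in = datetime(2024, 5, 1, 3, 0, tzinfo=timezone.utc)    # inside the PAM window
    t_out = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)   # outside it
    cases = {
        "staff_to_erp": Request("alice", "Supervisor", "Staff", "ERP", t_in, mfa=True, posture_ok=True),
        "staff_no_mfa": Request("bob", "Floor Ops", "Staff", "ERP", t_in, mfa=False, posture_ok=True),
        "guest_to_erp": Request("visitor", "Guest", "Guest", "ERP", t_in, mfa=True, posture_ok=True),
        "robot_with_cert": Request("amr-017", "Robot", "AMR", "MEC", t_in, device_cert=True),
        "robot_no_cert": Request("amr-018", "Robot", "AMR", "MEC", t_in),
        "vendor_in_window": Request("vendor-amr-support", "Vendor", "Vendor", "MEC", t_in, mfa=True, posture_ok=True),
        "vendor_out_of_window": Request("vendor-amr-support", "Vendor", "Vendor", "MEC", t_out, mfa=True, posture_ok=True),
    }
    return {name: evaluate(req)[0] for name, req in cases.items()}

if __name__ == "__main__":
    for name, decision in run_samples().items():
        print(f"{name:22s} -> {decision}")
```

The useful property is that the order of checks mirrors the architecture: the segmentation matrix is consulted first, so a Guest-lane device never reaches the identity checks at all, and a vendor session outside its PAM window is refused even with valid MFA and posture.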
4) Enterprise & cloud destinations (where meaning aggregates)
- DC/Colo cores host ERP/WMS/TMS, IdP/MFA, KMS/HSM, SIEM/NDR, and immutable backups.
- Cloud on-ramps provide private access to ERP/WMS SaaS, analytics/AI, data lakes, and partner/3PL APIs for inbound/outbound logistics and returns.
5) Resilience patterns (grammar under stress)
- WAN failover: SD-WAN steers ERP/WMS flows to secondary DIA/LTE in <60 s; guest/staff lanes throttled.
- Local autonomy: AMRs and vision continue under edge control; buffered events reconcile to ERP/WMS on recovery.
- Cold-chain: Sensors maintain local thresholds; alerts dispatch via CPaaS even if WAN is impaired.
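The store-and-forward buffers in section 2 and the "buffered events reconcile to ERP/WMS on recovery" pattern above only work if replay is safe: an event whose acknowledgement was lost in the outage will be sent twice, and the ERP must apply it once. The block below is an added example (not code from the architecture or any ERP/WMS vendor) showing an edge-side buffer that keeps ordering, retries the head of the queue after a WAN failure, and relies on the ERP deduplicating by event id. The event format, the in-memory ERP stand-in and the scenario are constructed.

```python
"""Added example: store-and-forward of pick/scan events with idempotent
reconciliation after a WAN outage. Event format, ERP stub and scenario
are constructed for this example."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    event_id: str   # unique per pick/scan so a replay can be recognised
    seq: int        # per-site sequence number, preserves ordering
    kind: str       # "pick" or "scan"
    payload: dict

class ErpStub:
    """Stand-in for the ERP/WMS ingest endpoint (constructed). It applies
    each event_id once and reports duplicates instead of double-counting,
    which is the property that makes replay after an outage safe."""
    def __init__(self) -> None:
        self.applied: list[Event] = []
        self.seen: set[str] = set()
        self.reachable = True        # False simulates WAN impairment
        self.drop_next_ack = False   # True simulates "committed, but ack lost"

    def post(self, ev: Event) -> bool:
        if not self.reachable:
            raise ConnectionError("WAN impaired")
        if ev.event_id in self.seen:
            return False             # duplicate: already applied earlier
        self.seen.add(ev.event_id)
        self.applied.append(ev)
        if self.drop_next_ack:
            self.drop_next_ack = False
            raise ConnectionError("ack lost after commit")
        return True

class StoreAndForward:
    """Edge-side buffer. Events are queued first and forwarded in order;
    the head of the queue is only removed once the ERP answers."""
    def __init__(self, erp: ErpStub) -> None:
        self.erp = erp
        self.queue: deque[Event] = deque()   # durable storage in production; in-memory here
        self.duplicates = 0

    def submit(self, ev: Event) -> None:
        self.queue.append(ev)
        self.flush()

    def flush(self) -> int:
        """Drain the queue head-first; stop at the first transport failure so
        ordering is preserved. Returns the number of events cleared."""
        cleared = 0
        while self.queue:
            ev = self.queue[0]
            try:
                fresh = self.erp.post(ev)
            except ConnectionError:
                break                 # leave ev at the head for the next attempt
            if not fresh:
                self.duplicates += 1  # replay of an event whose ack was lost
            self.queue.popleft()
            cleared += 1
        return cleared

def simulate() -> dict:
    """Constructed scenario: healthy delivery, a lost ack, a WAN outage, recovery."""
    erp = ErpStub()
    saf = StoreAndForward(erp)
    events = [Event(f"e{i}", i, "pick" if i % 2 else "scan", {"sku": f"SKU-{i:03d}", "qty": 1})
              for i in range(1, 6)]
    saf.submit(events[0])               # e1 delivered while the WAN is healthy
    erp.drop_next_ack = True
    saf.submit(events[1])               # e2 committed at the ERP but the ack is lost
    erp.reachable = False               # WAN outage begins
    saf.submit(events[2])
    saf.submit(events[3])               # e3, e4 buffered locally
    backlog = len(saf.queue)            # e2 (unacked) + e3 + e4
    erp.reachable = True                # WAN restored
    cleared = saf.flush()               # e2 replayed and deduplicated, e3/e4 applied
    saf.submit(events[4])               # normal operation resumes
    return {
        "backlog_during_outage": backlog,
        "cleared_on_recovery": cleared,
        "applied_order": [e.event_id for e in erp.applied],
        "duplicates_suppressed": saf.duplicates,
        "pending": len(saf.queue),
    }

if __name__ == "__main__":
    print(simulate())
```

Two design choices carry the resilience claim: the buffer never drops the head of the queue on a transport error (so the lost-ack event is retried rather than lost), and the ERP side is the one that enforces idempotency, so the edge does not need to know whether a timed-out post was committed.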
6) Security & compliance (trust zones)
- Identity-centric (MFA, device posture) for staff; cert-based identity for robots/sensors.
- PCI scope confined to kiosks/POS VLANs; DLP protects ERP exports; WAF/API security shields portals and partner endpoints.
- Immutable audit vault keeps logs/configs for PCI/SOC2/FSMA evidence.
7) Telemetry & operations (pragmatics of proof)
- AIOps tracks AMR mission success/time, vision FPS/accuracy, ERP latency, pick/pack cycle time, network jitter; auto-tickets to ITSM/CMDB.
- SLO dashboards expose uptime, failovers, backlog burn-down, and QA/HSSE signals.
8) Reference KPIs
- AMR control-loop latency: <10 ms • Pick accuracy: ≥99.8%
- Failover (WAN): <60 s • Order RTO (alt DC): ≤4 h • ERP/WMS RPO: ≤15 min
- Safety incidents linked to network events: 0 critical • PCI/SOC2 findings: 0 critical
9) Minimal BOM (aligned to your matrix)
Private 5G/LTE + UPF, Wi-Fi 6/7, SD-WAN/SD-Branch, MEC/edge K8s, IoT/OT gateways (OPC-UA/Modbus), DIA/MPLS/IX, SASE/SSE (ZTNA/SWG/CASB/FWaaS/DLP/Email Sec), IdP/MFA, PAM, KMS/HSM, SIEM/NDR/SOAR, ERP/WMS/TMS, Cloud on-ramps, Data lake/Analytics, CPaaS, AIOps, ITSM/CMDB, immutable backup/audit vault.