Full-Stack Cognition Architecture for Manufacturing

Regulatory Framework

ISA-95 (IEC 62264) defines the functional hierarchy between enterprise resource planning and manufacturing execution systems and the data exchanges between Levels 0 through 4 of a manufacturing operation. ISA-99, internationalized as IEC 62443, governs cybersecurity for industrial automation and control systems through zone-and-conduit segmentation, security levels SL1 through SL4, and lifecycle requirements for asset owners, integrators, and product suppliers. NIST SP 800-82 Revision 3 provides federal guidance for securing operational-technology environments and is referenced by CISA, by sector-specific regulators, and by CMMC 2.0 derivative practices.

RAMI 4.0 — the Reference Architecture Model for Industrie 4.0 — defines the three-axis model (hierarchy levels, lifecycle and value stream, and architectural layers) that anchors European Industry 4.0 implementation. The Asset Administration Shell, standardized in the IEC 63278 series, gives every asset in the production environment a digital twin with structured submodels for nameplate, technical data, capabilities, and digital interactions. OPC UA (IEC 62541) provides the transport and information-modeling layer, with companion specifications for robotics (OPC UA for Robotics), machinery (OPC UA for Machinery), additive manufacturing, machine vision, and dozens of additional domains, each adding semantic obligations to the data flowing across production.

At the dataspace layer, Catena-X has established the automotive industry's cross-enterprise data exchange under International Data Spaces principles, with mandatory traceability use cases (battery passport, carbon footprint exchange, demand-and-capacity management) and sovereign-data semantics. Manufacturing-x extends the pattern beyond automotive, and GAIA-X provides the federated cloud and data infrastructure layer beneath. CMMC 2.0 imposes tiered cybersecurity-maturity requirements on defense-industrial-base contractors handling Federal Contract Information and Controlled Unclassified Information, with assessments and certifications now flowing through the contracting lifecycle. ITAR (22 CFR 120-130) and EAR (15 CFR 730-774) impose export-control obligations on regulated technical data, including production process information, that frequently traverse the same data planes that ISA-95 and Catena-X define.

The cumulative regulatory surface is dense, overlapping, and growing. Compliance with any single obligation does not imply compliance with the others, and the boundaries between obligations are exactly where governance failures concentrate.

Architectural Requirement

The architectural requirement implied by this regulatory stack is that production data, control actions, and cross-enterprise exchanges must carry verifiable provenance, must respect zone-and-conduit segmentation, must operate within the capability envelope of the actuating asset, must satisfy the data-sovereignty obligations imposed by Catena-X and adjacent dataspaces, and must do all of this across the heterogeneous brownfield that real factories actually contain. Greenfield deployments are rare; almost every production environment integrates equipment of multiple vintages, control systems of multiple vendors, and information models of varying fidelity.

The requirement extends across three structural dimensions. The first is spatial: a factory is not a logical topology, it is a physical environment in which assets, operators, materials, and energy interact under safety constraints derived from geometry. The second is actuation: production decisions cause physical state change, and the governance of those decisions must be tied to the verified capability of the actuator at the moment of action, not to a rule set evaluated in a separate plane. The third is multi-party: production occurs across supplier tiers, contract manufacturers, logistics providers, and customer organizations, each operating under distinct regulatory profiles, and the coordination among them must be enforceable rather than aspirational.

Why Procedural Compliance Fails

Procedural compliance treats each regulatory obligation as a discrete control set. ISA-95 integration is a project of MES-to-ERP mapping. IEC 62443 segmentation is a project of network architecture. CMMC 2.0 is a project of policy documentation and assessment readiness. Catena-X participation is a project of connector deployment. ITAR/EAR compliance is a project of export-control review. Each project succeeds or fails on its own terms, and the boundaries between projects are managed by handoffs, by exception processes, and by the assumption that human governance will catch what the automated controls miss.

The first failure mode is at the boundary between automated production decisions and quality outcomes. Modern lines automate process-parameter adjustment, dynamic routing, and adaptive quality thresholding based on real-time sensor data. Each automated decision has a local rule set, and the rule set is typically defended at audit on its own terms. The interaction between decisions made by separate automation systems produces emergent outcomes that no individual rule set anticipates: a parameter adjustment that is locally optimal degrades downstream quality when combined with a routing change made independently, and the resulting defect surfaces hours or shifts later, after thousands of units have been produced under the silent interaction.

The second failure mode is at the boundary between robotic and human work envelopes. ISO 10218 and ISO/TS 15066 define collaborative-robot safety envelopes; IEC 61508 and IEC 62061 define functional-safety integrity. Procedural compliance treats these as static configurations. Real production conditions vary: tools wear, materials drift, environmental conditions shift, calibration ages. Static envelopes either run conservatively (sacrificing throughput) or run optimistically (accepting incident risk). Neither matches the actual capability envelope of the asset at the moment of action.

The third failure mode is at the boundary between the production environment and workforce safety. Fitness-for-duty assessments are typically point-in-time: a shift-start check, a periodic medical review, an incident-triggered investigation. The boundary case — fatigue accumulating across a shift in a hazardous environment, impairment developing between checks — falls outside the procedural surface, and the safety incident is the detection mechanism.

The fourth failure mode is at the boundary between enterprises. Catena-X, Manufacturing-x, and GAIA-X define the dataspace, but the governance of an action that depends on data from multiple sovereign parties — a production stop driven by a downstream-supplier capacity signal, an export-control review driven by a customer-disclosed end-use change — is not addressable by any single party's compliance posture. CMMC 2.0 and ITAR/EAR overlay obligations that the dataspace specifications themselves do not enforce. Procedural compliance produces gaps at exactly the points where the regulatory expectation is highest.

What the AQ Primitive Provides

The AQ stack provides three composing primitives — spatial-mesh, governed-actuation, and n-party-coordination — that address the structural gaps directly rather than as procedural overlays.

The spatial-mesh primitive treats the factory as a credentialed spatial environment in which every asset, operator, and material is a node carrying a continuity-based identity and a memory of observations. Provenance is not retrofitted onto data flowing across the ISA-95 hierarchy; it is the structural property of the data itself. AAS submodels and OPC UA companion specifications emit observations into the mesh, where the credentialing chain establishes which sensor or operator produced which observation and the trust-slope evaluator governs how downstream automation incorporates the observation into a decision. Zone-and-conduit segmentation under IEC 62443 becomes a property of the credentialing topology rather than of the network plumbing; data flowing across a conduit carries the credentialing chain that authorizes the flow, and an attempt to flow that violates the segmentation fails verification at the receiving node rather than at a separate firewall.

The governed-actuation primitive ties production decisions to verified capability envelopes evaluated at the moment of action. Robotic systems publish their current capability envelope as a function of tool wear, calibration age, material parameters, and environmental conditions; the envelope is updated continuously and credentialed by the robot's identity. A commanded action is admitted only if the action falls within the current envelope; the robot does not attempt operations outside its verified capability. Confidence-governed execution composes above this: when sensor-data quality degrades or when conditions deviate from validated ranges, confidence drops and execution pauses for human engagement before defective output is produced. ISO 10218 and IEC 61508 obligations are satisfied structurally rather than configurationally.

The n-party-coordination primitive provides the cross-enterprise governance that Catena-X, Manufacturing-x, and GAIA-X define semantically but do not enforce. Multi-party actions — a production stop driven by supplier signals, an export-control review triggered by end-use disclosure, a battery-passport disclosure under EU regulation — are constructed as coordinated rotations across the participating credentialing chains, with each participant's signature required for the action to commit. A coordination event is auditable across all participants, satisfies CMMC 2.0 evidence requirements for defense-industrial-base participants, and respects ITAR/EAR boundaries because the credentialing chain enforces which participants can see which observations and authorize which actions.

Disruption modeling composes above the three primitives, monitoring production coherence across the spatial-mesh and detecting emergent interactions among governed actuators before defective output reaches downstream processes. Biological identity through behavioral-trajectory analysis composes alongside, providing continuous workforce fitness assessment that complements rather than replaces the point-in-time procedural surface.

Compliance Mapping

Against ISA-95, the spatial-mesh primitive operates as the data substrate beneath the Level 3/Level 4 boundary, carrying provenance and credentialing through the MES-to-ERP exchanges that ISA-95 defines. Against IEC 62443, the credentialing topology realizes the zone-and-conduit model with verifiable enforcement at the data layer rather than reliance on network-segmentation alone, and the security-level obligations map onto trust-slope thresholds for cross-zone data admission.

Against NIST SP 800-82, the architecture provides the operational-technology security controls — data integrity, access control, anomaly detection — through structural rather than overlay mechanisms. Against RAMI 4.0 and IEC 63278, AAS submodels emit credentialed observations into the mesh, and the AAS lifecycle and value-stream axis is realized as the chain of credentialed states that an asset traverses across its lifetime. Against OPC UA companion specifications, the protocol composes as the transport for credentialed observations, with companion-specific semantics carried as observation payload.

Against Catena-X, Manufacturing-x, and GAIA-X, n-party-coordination provides the action-level enforcement that the dataspace specifications anticipate at the data-exchange level, satisfying mandatory use cases (battery passport, CO2 footprint exchange, demand-and-capacity management) with verifiable cross-enterprise governance. Against CMMC 2.0, the credentialing chain and coordination events provide the evidence trail that maturity-level assessments require, with coverage extending from Level 1 basic safeguarding through Level 3 expert practices.

Against ITAR and EAR, the credentialing topology enforces export-control boundaries at the data layer: regulated technical data flows only across credentialed paths whose participants are authorized for the controlled item, and an attempted disclosure to an unauthorized participant fails verification rather than relying on procedural review. The architecture does not replace the export-control compliance program; it provides the structural enforcement that the program currently relies on humans and procedure to maintain.

Adoption Pathway

Adoption begins at a single line or cell within an existing brownfield. The spatial-mesh primitive is deployed as an observation layer above the existing OPC UA and AAS infrastructure; equipment continues to emit data through the protocols it already supports, and the credentialing wrapper is applied at the integration boundary. Initial value comes from cross-system coherence monitoring — disruption modeling on the credentialed observation stream detects emergent interactions that the existing per-system governance misses — and the deployment expands as the value compounds.

The second adoption phase introduces governed-actuation at the robotic and high-consequence-actuator boundary. Capability envelopes are published by the actuator and consumed by the orchestration layer; commanded actions are admitted only within the verified envelope; ISO 10218 and IEC 61508 conformance flows through the structural enforcement rather than through procedural configuration. The third phase extends n-party-coordination to the supplier and customer interfaces, beginning with the Catena-X mandatory use cases for participants in the automotive ecosystem and extending to broader Manufacturing-x and GAIA-X obligations as the dataspaces mature.

The fourth phase addresses the regulated-export and CMMC 2.0 surfaces. Defense-industrial-base participants integrate the credentialing chain with their CMMC 2.0 evidence pipelines; ITAR/EAR-regulated production integrates the chain as the structural enforcement for controlled technical data. The fifth phase extends biological identity for workforce fitness across hazardous-environment roles, complementing existing fitness-for-duty programs with continuous behavioral-trajectory assessment.

The pathway is incremental, each phase delivers operational and regulatory value independently, and the architectural primitives compose without disturbing the existing brownfield. Procedural compliance with ISA-95, IEC 62443, NIST SP 800-82, RAMI 4.0, OPC UA, Catena-X, CMMC 2.0, and ITAR/EAR remains in place; the AQ stack provides the structural layer beneath that closes the boundary gaps where procedural compliance has historically failed.