The Problem
A pharma supply chain SaaS company had been building a demand forecasting model for nine months. The model worked in their test environment — forecast accuracy was where it needed to be, and the data science team was satisfied with the outputs.
Production was a different problem entirely.
Deploying the model into their regulated supply chain environment required a GxP-compliant validation package: documented evidence that the system was installed correctly, operated as specified, and performed consistently under production conditions. It also required a complete audit trail on every model execution — inputs, outputs, model version, operator — and a mechanism for the QA team to disable the model without depending on engineering. None of that existed. The model ran in a notebook pipeline with no production observability, no structured logging, and no documented validation protocol.
The internal team had tried to address the validation requirements themselves. Nine months in, they had a working model and an incomplete compliance path.

The Constraints
GxP validation is not documentation bolted on at the end. The validation package has to demonstrate that the system behaves as intended across a specified range of inputs and conditions — which means the architecture has to be designed to produce that evidence from the start. Retrofitting logging and validation to a pipeline that wasn’t built for it tends to produce incomplete evidence that regulators reject.
The QA team owns the kill-switch, not engineering. In GxP-regulated environments, the quality assurance team is responsible for deciding when a system should stop running. That decision cannot route through an engineering ticket queue. The mechanism for disabling the model in production had to be QA-operable, documented, and itself part of the validation evidence.
The model could not move; the infrastructure around it had to. The data science team had nine months of model development invested. The forecasting logic itself was not in scope. Everything around it — the execution pipeline, the audit layer, the validation-facing interfaces — needed to be rebuilt without disrupting the model’s behaviour or forcing the data science team to revalidate the model from scratch.
Azure, Go, and Kafka were fixed choices. The client’s infrastructure ran on Azure, and their data streaming architecture used Kafka. The rebuild had to operate within these constraints.
Our Approach
We rebuilt the execution layer around the existing forecasting model rather than touching the model itself. The architecture was designed from the start to produce the evidence the validation package required.
Every model execution writes a structured audit event to an append-only log: input data snapshot, output predictions, model version identifier, execution timestamp, and operator context. The log is write-once — entries cannot be modified or deleted — satisfying the audit trail requirements without relying on application-level controls that a validator would need to verify independently.
The kill-switch is a configuration flag in a QA-managed control plane, not a code deployment. QA team members can disable the model in production through a documented interface that itself produces an audit event. When the model is disabled, the system falls back to a rule-based baseline and logs the transition. The entire disable-and-fallback sequence is covered by the validation protocol.
The validation package — IQ, OQ, and PQ documentation — was produced as a direct output of the build process. Each protocol section mapped to test evidence generated by the system itself during the qualification runs, rather than being written after the fact. When the regulatory team reviewed the package, the evidence referenced in each protocol section existed exactly as described.
Stack: Go, Apache Kafka, Azure (AKS, Blob Storage, Key Vault).

The Outcome
- Production in 90 days from engagement start — the model had been blocked from production deployment for the previous nine months
- Validation package accepted without revision — the regulatory team raised no deficiencies
- QA-owned kill-switch in production — the quality team can disable the model and trigger fallback without engineering involvement
- Full audit trail on every model execution — every prediction traceable to its inputs, model version, and execution context
Team
Engagement: 90 days, 3 engineers (2 backend, 1 ML infrastructure).