← VAF·SA Framework
Design in VAF·SA is not about producing the most detailed diagram. It is not about demonstrating the full depth of your technical knowledge. It is not about filling every box in a framework template.
Design is about producing the clearest possible picture of the solution — for the audience that needs to act on it — using the minimum tool necessary to achieve that clarity.
A component-level diagram in an executive room does not demonstrate depth. It demonstrates that the audience has not been considered. A context diagram that an executive sponsor and a senior technical practitioner can both read without explanation is the standard. That is design at the right level.
The most effective solution architecture diagram is not the most detailed one. It is the one that makes the right decision obvious to the right person at the right moment.
Principle 01
Right Tool
A broad technical toolkit is an advantage only when paired with the discipline to select the right instrument for the engagement. More tools do not produce a better solution. The right tool produces a faster one.
Principle 02
Right Level
Every design decision sits at an altitude. Business intent at business altitude. System structure at architecture altitude. Implementation detail at delivery altitude. Never let the wrong detail appear at the wrong level.
Principle 03
Right Audience
Every diagram has one primary audience. Design for them first. If the same diagram needs to serve multiple audiences — you have drawn at the wrong level. Draw again at the level where all audiences can read it simultaneously.
Every tool in the architect's stack has a purpose and a limit. The wrong instrument wastes time, introduces complexity, and signals to the room that the problem has not been properly characterised. The right instrument produces clarity.
The context-to-component structural approach is the primary design instrument in VAF·SA. It provides a shared vocabulary — Context, Container, Component, Code — that any audience can navigate once they understand which level they are looking at. The power is in the discipline: start at Context. Go deeper only when the audience and purpose require it.
Most architectural presentations fail because they start at the wrong level. Too detailed for the executive. Too abstract for the developer. context diagram solves this by making the level explicit and the zoom deliberate.
C1
Context Diagram — Always Start Here
The system in its environment. Who uses it. What external systems it connects to. No technology. No implementation. No internal structure. Just: what is this, who uses it, and what does it talk to. Every stakeholder in every room can read a Context diagram. Draw this first for every engagement. Draw it last to confirm nothing has changed.
Always Use
C2
Container Diagram — When the Audience Is Technical
The deployable units inside the system. Applications, databases, APIs, services. Technology choices become visible here. Deployment and runtime view. Used when architects, DevOps, or platform teams need to see how the system is actually built and where each part lives. Not for executive audiences. Not for vendor negotiations.
Conditional
C3
Component Diagram — Only When Designing One Container's Internals
The components inside a single container and how they depend on each other. Used only when you are designing or reviewing the internal structure of a specific service or application. Audience is developers and technical leads for that specific system. Never produce this for a full-system audience.
Rarely
context diagram
Code Diagram — Not In This Framework
Class diagrams. Database schemas. Internal implementation detail. This is developer territory. The solution architect does not produce Code diagrams — the development team does. If a solution requires Code-level documentation to be understood by the architecture audience, the design has not been explained at the right altitude.
Never Here
The context diagram is the one diagram that never needs an explanation. If you have drawn it correctly, every person in every room — business, technical, vendor, executive — reads it the same way. That is the standard to design to.
The heat map is the instrument that Module 2 populates and Module 3 uses to confirm that the design is complete. Every domain that the solution touches must be mapped. Every cell must have a status. A blank cell is not "to be confirmed" — it is an open risk sitting in the design unaddressed.
In the vendor obfuscation case study: the heat map was placed in front of the vendor. Every blank cell was named. Every unanswered question was documented. The vendor could not deflect a blank cell the way they could deflect an open question. The map made lying structurally difficult.
RED — Open risk. Decision required before design proceeds.
AMBER — Partially addressed. Owner assigned. Deadline set.
GREEN — Confirmed. Documented. Evidence held.
GREY — Not applicable to this engagement. Documented why.
Domain 01
Security and Cybersecurity
- What is the threat model for this solution?
- What security controls are mandated by policy?
- security control baseline status?
- Who is the security authority for this engagement?
Access Control
Threat Model
E8 Status
Domain 02
Data — Flow and Sovereignty
- Where does data originate and where does it go?
- Is data egress or ingress — and to where?
- What classification applies to this data?
- What retention and archival obligations exist?
Data Egress
Classification
Retention
Domain 03
Compliance and Regulatory
- What regulatory obligations apply?
- Privacy impact assessment completed?
- information security management / SOC2 / ISM controls in scope?
- Audit trail requirements documented?
Regulatory
Privacy
Audit Trail
Domain 04
Networking and Connectivity
- What network paths does this solution require?
- Firewall rules — what is open, what needs to be opened?
- SD-WAN or MPLS implications?
- Latency and bandwidth requirements documented?
Firewall Rules
Network Path
SD-WAN
Domain 05
Cloud and Infrastructure
- Which cloud platform? Mandated or selected?
- Hosting model — IaaS, PaaS, SaaS?
- HA and DR requirements confirmed?
- FinOps — cost model understood and approved?
Platform
HA/DR
Cost Model
Domain 06
Integration and APIs
- What systems must this solution integrate with?
- API contracts confirmed with each integration point?
- Event-driven or synchronous — and why?
- API security and authentication model confirmed?
API Contracts
Auth Model
Integration Map
Domain 07
Vendor and Commercial
- Vendor commitments confirmed in writing?
- Contractual obligations reviewed?
- Vendor roadmap alignment verified?
- Vendor exit strategy considered?
Written Commitment
Roadmap
Exit Strategy
Domain 08
Operations and Support
- Who operates this solution post-delivery?
- Monitoring and alerting designed?
- Runbooks and support documentation in scope?
- Business continuity and DR tested?
Operations Owner
Monitoring
DR Plan
Domain 09 — Added
Non-Functional Requirements
- Performance thresholds defined — response time, throughput?
- Scalability model confirmed — vertical, horizontal, elastic?
- Availability target — uptime SLA agreed with business?
- Disaster recovery RTO and RPO defined and tested?
Performance
Availability SLA
RTO/RPO
A heat map with no red cells is not evidence of a complete design. It is evidence that the cells were answered without being challenged. The architect's job is to verify every green cell independently before it leaves the map. Trust but verify is not VAF·SA. Verify, then trust.
Every design decision in VAF·SA belongs to an altitude. Making the wrong decision at the wrong altitude — or letting the wrong audience make a decision that belongs at a different level — produces the failure modes the four archetypes describe. The three-altitude stack is the structural discipline that prevents that.
01
Business Architecture
Audience: Executive · Business Leads · Sponsors
What Gets Decided Here
Business Intent
Why this matters. What winning looks like. The cost of inaction. Business goals, constraints, and success criteria. Nothing technical crosses this altitude.
Primary Tool
Customer Impact Statement
One page. Problem, solution, outcome, cost of failure. Written in plain language. No jargon. Readable by any executive in under two minutes.
Design Output
Intent Locked
Business objective confirmed. Success criteria agreed. Before any architecture diagram is drawn, intent is documented and signed off at this altitude.
02
Solution Architecture
Audience: Architects · Technical Leads · Platform Teams
What Gets Decided Here
Structure and Approach
What gets built, how it connects, what it replaces or extends. Technology choices visible here. Governance constraints from EA applied here, not debated here.
Primary Tool
context-level diagram + Heat Map
context-level diagram shows the structure. Heat map confirms every concern domain is addressed. Container level added when delivery teams need deployment detail.
Design Output
Solution Defined
Named systems. Named connections. Named data flows. Named security controls. Named integration points. Architecture Decision Records where decisions require a formal record.
03
Delivery Architecture
Audience: DevOps · Developers · Project Teams
What Gets Decided Here
Sequence and Phasing
What gets built first. What dependencies exist between components. What the rollback position is. Delivery-compatible artefacts. UAT and go-live readiness.
Primary Tool
Roadmap + Mermaid
Roadmap shows the phased sequence. Mermaid shows process flows, sequence diagrams, and pipeline architecture for the delivery team.
Design Output
Delivery Sequenced
Three phases maximum on the roadmap. Each phase with a named outcome. Dependencies mapped. Owner per workstream. Go-live criteria defined before build begins.
Every design begins with an honest picture of what exists. Not what the documentation says exists. Not what the vendor claims exists. What actually exists — confirmed through Module 1 immersion and Module 2 intelligence. From there, target state is designed. The gap between them is what gets delivered.
Current State
What Exists
- Named systems in production
- Actual data flows — confirmed
- Integration points — mapped
- Known technical debt
- Security posture — actual
- Cost of current state — monthly
- What is failing and why
→
Target State
What Is Needed
- Solution at context level
- Named target systems
- Designed data flows
- Integration architecture
- Security controls in design
- Cost of target state — modelled
- What success looks like
→
Gap
What Gets Delivered
- Delta between current and target
- Named owner per gap item
- Dependency sequence mapped
- Risks per gap item
- Roadmap phases aligned to gap
- Decision required per blocker
- Escalation path if stalled
Never design target state without documenting current state first. The practitioner who skips current state designs a solution for the problem they were told about — not the problem that actually exists. These are rarely the same.
Security architecture in VAF·SA is not a review that happens after design is complete. It is a constraint that shapes every design decision from the first context diagram context box. security architecture practice provides the threat and risk lens. information security management and security control baseline provide the control framework. The heat map ensures no security domain is left unaddressed.
security architecture practice Lens
Threat and Risk Context
Applied at business architecture altitude. What are the threats to the business — not just to the system. What risk appetite applies. What security attributes the solution must demonstrate.
Ask: what does the attacker want, and what does this solution do to prevent them getting it?
security control baseline
Control Baseline
Applied at solution architecture altitude. Eight controls. Maturity level matched to the organisation's risk profile. Every design confirms which controls are addressed and which require additional work.
Ask: which of the eight controls does this solution affect — positively or negatively?
information security management
Governance Framework
Applied when a formal compliance obligation exists. Information security management system alignment. Audit trail requirements. Risk treatment documentation. Not always in scope — but always checked against the heat map.
Ask: what evidence does this design produce that satisfies the control requirement?
API security discipline
Integration Security
Applied at every integration point. Authentication model confirmed. Token lifecycle managed. API contracts documented with security attributes. No unnamed API dependency leaves the design without a named security control.
Ask: who can call this API, what can they do, and how do we know it is them?
Zero Trust is not a product. It is a design posture: assume breach, verify explicitly, enforce least privilege. Every connection in the design — internal or external — is treated as untrusted until verified. Apply this to every named relationship in the context diagram before design is considered complete.
Zero Trust — Added 2025
Trust No Connection by Default
Zero Trust architecture assumes that no user, device, or system — inside or outside the network perimeter — is trusted by default. Every access request must be verified. Every connection must be authenticated. Every privilege must be the minimum required. Applied in VAF·SA at every named connection in the context diagram. Before a relationship arrow is finalised, the Zero Trust question is answered: how is this connection verified, and what is the minimum privilege it requires?
Ask: if this connection were compromised, what could an attacker reach from here — and is that acceptable?
Integration architecture is where most solution designs introduce unnecessary complexity. The practitioner who defaults to event-driven architecture because it is modern, or point-to-point because it is fast, without asking which pattern the problem actually requires — produces a solution that delivers the wrong thing well.
Pattern 01
API-Led Integration
Systems communicate through defined, versioned APIs. Each system owns its API contract. Consumers call the API — they do not reach into the system directly. Decoupled. Reusable. Auditable.
multiple consumers need the same capability, or when the integration must be governed and versioned over time
Pattern 02
Event-Driven Integration
Systems publish events. Other systems subscribe and react. No direct coupling between publisher and subscriber. High throughput. Asynchronous. Resilient to individual system failure.
real-time data distribution is needed across multiple consumers, or when systems must remain decoupled from each other's availability
Pattern 03
Direct Integration
System A calls System B directly. Simple. Fast to implement. Lowest abstraction. Creates tight coupling — changes in B break A. Appropriate only when the integration is permanent and both systems are stable.
two stable, long-lived systems with a simple, permanent, low-volume integration requirement and no future reuse expected
Observability is not a monitoring tool configured after deployment. It is a design decision made before the first component is built. The solution architect is responsible for specifying what must be observable — not for implementing the observability stack. That distinction matters. Defining the requirement is architecture. Building the tooling is delivery.
Three pillars. All three required. None optional.
Pillar 01
Logs
Every system event that matters to operations must be logged. Named log sources. Named log destination. Retention period aligned to compliance obligations. Access controls on log data confirmed.
a system event could indicate a failure, a security incident, or a compliance violation — which means always
Pillar 02
Metrics
Performance, availability, and resource utilisation measured continuously. Thresholds aligned to the NFRs confirmed in the heat map. Alerting configured before go-live — not after the first incident.
an NFR has been defined — which means every engagement. No NFR without a corresponding metric.
Pillar 03
Traces
End-to-end request tracing across distributed systems and integration points. Required when the solution includes multiple services or APIs. Enables rapid incident diagnosis without manual log correlation across systems.
the solution crosses more than one system boundary — which in VAF·SA is almost every engagement.
The operations team inherits what the architect designed. If observability is not in the design, it will not be in the solution. The question is not whether the delivery team will need visibility — they will. The question is whether the architect specified it before anyone had to ask.
Every design is built on some information that has not been fully confirmed. That is unavoidable. What is not acceptable is leaving those assumptions unnamed. An unnamed assumption is an invisible risk — it does not appear on the heat map because it has not been tested, and it does not appear in an ADR because no decision has been formally made against it. It quietly shapes the design until the moment it proves false.
The assumption register names each assumption explicitly before the design is presented. It does not eliminate the assumption — in many engagements the information simply is not available yet. It makes the assumption visible, assigns it an owner, and defines what changes to the design if it turns out to be wrong.
An assumption register is not a risk register. A risk is something that might happen. An assumption is something being treated as already true. Both need to be tracked. Neither replaces the other.
Field 01
The Assumption
State what is being treated as true. Plain language. Specific. Not "vendor will deliver on time" — that is a risk. An assumption is structural: "The existing integration layer supports the required throughput." Either it does or it does not. That answer changes the design.
Field 02
Basis
What is this assumption grounded in? Vendor documentation. A prior engagement. An estimate from the technical lead. A reasonable inference from the current state. Name the source. The weaker the basis, the higher the priority for verification.
Field 03
Design Impact if False
If this assumption proves incorrect, what changes in the design? A different integration pattern. An additional security layer. A changed data flow direction. The phasing of the roadmap. State it precisely. This is the field that makes the assumption register a design instrument, not just a documentation exercise.
Field 04
Verification Owner and Date
Who is responsible for confirming or disproving this assumption. By when. An assumption without an owner and a deadline is not managed — it is deferred. Every assumption in this register requires a named owner before the design is presented to any audience.
The heat map identifies domain-level risks — gaps in security, data, compliance, vendor, and operations coverage. The architecture risk register tracks something different: the risks created by specific architectural decisions. Every significant design choice introduces uncertainty. Some of that uncertainty has consequences serious enough to document, track, and assign.
The distinction matters. A domain risk is a gap to be closed. A decision risk is a trade-off accepted. Both require governance. Neither replaces the other.
The architecture risk register is not the project risk register. Project risks are owned by the project manager. Architecture risks are owned by the solution architect — they arise from design choices and are resolved by design changes, acceptance, mitigation, or formal transference to the appropriate owner.
API-led integration selected over direct database connection
API contract changes in vendor platform could break integration without notice
Service interruption for all consumers of the integration
Medium
Mitigation — versioned API contract with vendor. Monitoring on contract drift.
Platform Lead
Cloud-hosted solution selected over on-premises
Data sovereignty confirmation not yet received from vendor
Regulatory breach if data leaves jurisdiction without appropriate controls
High
Avoidance — design provisional pending Domain 02 heat map resolution
Solution Architect
Four response strategies. Every risk in the register requires one of these four responses assigned before the register is presented:
Avoidance
Change the design to remove the risk. The preferred response when the risk is high severity and the design has flexibility.
Mitigation
Add controls, monitoring, or process to reduce likelihood or severity. Named control. Named owner. Named review date.
Acceptance
The risk is acknowledged and the decision is made to proceed. Formal acceptance requires a named authority with the level to own the consequence.
Transference
Contractual or governance mechanism shifts responsibility to a vendor, insurer, or external party. The mechanism must be named and confirmed — not assumed.
The assumption register tracks what is being treated as true. The architecture risk register tracks what each design decision could cost. The technical debt register tracks something different: what the current state already owes. Every system that has been running in production carries deferred decisions, undocumented integrations, and compromised foundations that were accepted at some earlier point in exchange for speed or short-term convenience.
Technical debt is not a failure of the current engagement. It is the environment the solution must be designed within. Naming it explicitly before design begins prevents the most common failure mode in solution architecture — designing a target state that cannot be reached from the actual current state because nobody documented what stands between them.
The technical debt register is not a criticism of what was built before. It is an accurate description of what the current design must account for. Without it, the gap analysis between current and target state is built on an incomplete picture of the current state.
Field 01
The Debt Item
Name the specific deferred decision, undocumented dependency, or compromised component. Plain language. Specific to a named system or integration point. Not a category — a concrete item that the design team will need to navigate.
Field 02
Origin
When was this debt incurred and why. A tactical shortcut. A deferred upgrade. A vendor lock-in decision made under time pressure. An undocumented integration created outside normal governance. The origin informs how hard it will be to resolve.
Field 03
Design Constraint
How does this debt item constrain the target state design. Does it force a phasing decision. Does it require a migration step that was not in the original scope. Does it affect the integration pattern or the data flow. Name the constraint precisely.
Field 04
Resolution Approach
Address within this engagement. Defer with governance approval and a named review date. Accept permanently with documented rationale. Each debt item requires one of these three responses before the design is considered complete. An unresolved debt item with no response is not managed debt — it is hidden risk.
ALL ITEMS BELOW MUST BE CONFIRMED BEFORE PROCEEDING TO MODULE 4
context diagram produced — all systems named, all users named, all connections named and directional.
Heat map complete — all eight domains addressed. No blank cells. Red cells documented with owner and deadline. All green cells independently verified.
Current state documented — confirmed through Module 1 immersion and Module 2 intelligence. Not taken from a document at face value.
Target state designed — at context level minimum. Container level added where required by delivery audience.
Gap analysis complete — named items, named owners, named dependencies, named risks per item.
Three-altitude stack aligned — business intent at BA altitude, solution structure at SA altitude, delivery sequence at delivery altitude. No altitude crossover.
Security embedded — threat and risk assessment, security control alignment, API security, and information security management controls confirmed against heat map.
Integration pattern selected — pattern named and justified for each integration point. No unnamed or assumed connections.
Data flow direction confirmed — ingress or egress, internal or external, classification applied, retention obligation documented.
NFRs confirmed in heat map Domain 09 — performance thresholds, scalability model, availability SLA, RTO and RPO defined and agreed with business.
Zero Trust applied to every context diagram connection — each named relationship verified: authentication method, minimum privilege, blast radius if compromised.
Observability specified — logs, metrics, and traces named. Sources, destinations, retention, and alerting thresholds defined before delivery begins.
Assumption register complete — every design assumption named, basis stated, design impact if false documented, verification owner and deadline assigned.
Architecture risk register complete — every decision-specific risk named, severity assessed, response strategy assigned, owner confirmed.
Technical debt register complete — every debt item in the current state named, constrained against the target state design, and assigned a resolution approach.
Design ready for artefact production — Customer Impact Statement, Architecture on a Page, Heat Map, and ADRs can now be produced.