Quality and Regulatory Compliance for AI: An Auditor’s Perspective


A Quality Management System (QMS) is a set of procedures and work instructions that a company creates for all internal verticals to effectively achieve the goals of the company. The requirements from various standards, directives and guidelines are identified, and the requirements applicable to the company's QMS and target regulatory markets are set as an agenda for accomplishment. Every manufacturer intends to have an ISO-compliant QMS. Having an ISO-compliant Quality Management System is the first step before achieving product compliance.

Data science is an added process in the QMS structure of a medical device manufacturer using artificial intelligence. An auditor will be keenly interested in checking the compliance of artificial intelligence processes and procedures.

Any quality measure of an AI process has to start with data. Since data scientists work on large amounts of data, auditors would be interested to know the system the scientists follow for data management. The system should cover data collection, data analysis, data retention time, data storage, data filtration, data mining, data protection, etc. Taking data mining as an example, many questions can be asked. How do we create an audit trail of what information was gleaned from which data entity? How can the efficiency of data mining be tracked? Also, is the residual data left after mining being checked for any useful information?

Further, an auditor would be interested to know the methods employed for AI model management. Data scientists train multiple models. Each time an AI model is built, it is important for a data scientist to have the insights from previously generated models or experiments. Since most data scientists follow iterative methods for model training, meta-analysis across models is a big challenge. Verification and validation of measurable outputs is a major demand of every regulation. The performance of the AI model must be verified and validated periodically. Are the regular metrics employed to evaluate the built model, such as precision, recall, F-measure, etc., sufficient from an audit point of view?

There is a lot of scope for an auditor to bring about improvements in the data science process. I have thrown light on a few instances from an auditor’s perspective in this blog.

Image Credits: http://www.pqsl.org.tt/training/environmental-management-systems/iso-9001-quality-management/qms-implementing-documenting/