Decoding the EU AI Act: Establishing a Quality Management System (QMS) for High-Risk AI Systems

Written by Ana Carolina Teles, AI & GRC Specialist at Palqee Technologies

In our ongoing series "Decoding AI: The European Union's Approach to Artificial Intelligence," we are detailing each aspect of the Act on Artificial Intelligence.

The new law outlines specific obligations that apply to providers of high-risk AI systems offering their products within the EU. We've already covered several key requirements for high-risk AI system providers in previous articles such as technical documentation, record-keeping, transparency, and human oversight.

This article covers another important component of the Act—how to establish a Quality Management System (QMS) for high-risk AI systems.

Understanding the Quality Management System Requirements

Developing and providing high-risk AI systems in compliance with the EU AI Act comes with a multitude of responsibilities. Establishing a Quality Management System (QMS) is one of these obligations.

But what exactly is a QMS?

The concept of a QMS isn't new or unique to the EU AI Act. Many compliance professionals are already familiar with implementing a QMS following well-known standards like ISO 9001 to ensure they meet stakeholder needs as well as regulatory requirements for a product or service.

A QMS is a structured framework of policies, processes, and procedures essential for planning and executing an organisation's core business activities. It integrates various internal processes within the company, providing a process-oriented approach to project execution. This enables the organisation to identify, measure, control, and improve its core business processes, ultimately leading to enhanced business performance.

When it comes to high-risk AI systems, a QMS will be implemented to document all strategies, techniques, procedures, quality control, and quality assurance measures related to the use and application of this technology.

Key Aspects of the Quality Management System under the EU AI ACT

The QMS, as stipulated in the Act, must encompass a range of elements systematically documented through written policies, procedures, and instructions tied to the entire AI lifecycle.

The good news is that many of the existing requirements for high-risk AI systems in the EU AI Act form part of the QMS:  

• Strategy for Regulatory Compliance: The QMS must outline a clear strategy for regulatory compliance. This includes adherence to conformity assessment procedures and effective management of modifications to the high-risk AI system.

• Design, Design Control, and Design Verification: Techniques, procedures, and systematic actions must be established for the design, design control, and design verification of the high-risk AI system. This ensures that every design phase is meticulously planned, executed, and verified to meet specified requirements and standards.

• Development, Quality Control, and Quality Assurance: The QMS should detail the methods for the development, quality control, and quality assurance of the high-risk AI system.

• Examination, Test, and Validation Procedures: Comprehensive examination, test, and validation procedures must be carried out before, during, and after the development of the high-risk AI system. The frequency and thoroughness of these activities ensure that the system remains compliant and performs as intended.

• Technical Specifications and Standards: The QMS must include the technical specifications and standards to be applied. Where harmonised standards are not fully applicable, alternative means must be identified to ensure compliance with the relevant requirements.

• Data Management Systems and Procedures: Effective systems and procedures for data management are crucial. This includes data acquisition, collection, analysis, labelling, storage, filtration, mining, aggregation, and retention. Proper data management ensures that all operations related to data are performed in compliance with regulatory requirements before and after the high-risk AI system is placed on the market. If you are already compliant with the Data Governance requirements outlined in the Act, the next step is to organise and integrate these into your quality system.

• Risk Management System: As referenced in Article 9 of the Act, a risk management system must be part of the QMS. If your existing risk system is already in place, you simply need to integrate it into the quality system. This integration involves identifying, assessing, and mitigating risks associated with the high-risk AI system to ensure its safe and effective operation.

• Post-Market Monitoring System: Setting up, implementing, and maintaining a post-market monitoring system is mandatory. This system monitors the AI system's performance and compliance after it has been introduced to the market, ensuring ongoing safety and effectiveness.

• Serious Incident Reporting Procedures: Providers of high-risk AI systems must implement procedures for reporting serious incidents. A "serious incident" involves an AI system failure that causes death or serious health harm, irreversible disruption of critical infrastructure, or other significant impacts.

• Communication Handling: Effective handling of communication with national competent authorities, other relevant authorities, notified bodies, operators, customers, and other interested parties is one of the components of an adequate QMS.

• Record-Keeping Systems and Procedures: Systems and procedures for maintaining all relevant documentation and information must be established. The Act emphasises record-keeping requirements for high-risk AI systems, and your task is to compile this information and integrate it into the QMS.

• Resource Management: Proper resource management, including measures related to the security of supply, must also be part of your QMS.

• Accountability Framework: Lastly, an accountability framework must be in place, clearly outlining the responsibilities of management and staff regarding all aspects of the QMS. You can use the management structure of your risk management system as a guide to enhance and centralise accountability within your quality system.

Proportional Implementation of the QMS

It is important to note that each QMS must be proportionate to the size and complexity of the provider's organisation.

And what does this mean?

While all high-risk AI system providers must adhere to the same standards of protection, the specific measures and processes they implement can be scaled to fit their operational scope.

For instance, for smaller organisations, implementing a QMS might involve simpler, more streamlined processes. While the core elements of the QMS remain the same, SMEs can leverage existing resources and focus on key areas without the need for extensive documentation or complex procedures.

Conversely, larger companies, with more resources and complex operations, will need a more detailed and comprehensive approach. This includes detailed documentation, multiple layers of quality control, and more sophisticated risk management strategies. The QMS in larger enterprises will likely involve dedicated teams for compliance, regular audits, and continuous improvement processes.

Integrating QMS Requirements with Sectoral Union Laws

Providers of high-risk AI systems who are already subject to obligations regarding QMS or equivalent functions under relevant sectoral Union law can streamline their compliance efforts by integrating the requirements of the EU AI Act with their existing QMS frameworks.

For financial institutions such as banks or insurance companies, which typically have robust internal governance systems due to stringent EU financial regulations, this integration means that adhering to these governance rules generally satisfies the requirements for a quality management system under the EU AI Act. However, there are exceptions that must be considered as they are unique to AI:

• AI Risk Management;

• Post-Market Monitoring for AI; and

• Procedures for Reporting Serious AI related Incidents.

This provision allows providers to incorporate the elements listed above into their current QMS, creating a unified system that meets both the EU AI Act and sector-specific regulations. Such integration helps avoid redundancy and ensures that all compliance requirements are addressed comprehensively.