Embedding Quality by Design to the EU AI Act

Peter Haenni

2 min read
Embedding Quality by Design to the EU AI Act
SIPOC process map auto generated by the ProcessHorizon web app

The EU AI Act, i.e. the version adopted by the European Parliament and now moving toward final implementation, emphasizes Privacy by Design (PbD). It requires that AI systems, especially high-risk ones, integrate safeguards for data protection at the design stage following GDPR principles.

However, Quality by Design (QbD) in the sense you might know it from pharmaceuticals or manufacturing, i.e. designing processes to ensure quality is built-in from the start, is not named and postulated as such in the AI Act.

To sustainable quality, note that risk management and quality management are complementary but distinct disciplines:

  • Risk management focuses on preventing harm > reducing negative outcomes
  • Quality management focuses on ensuring excellence and consistency > positive assurance of outcomes.

The EU AI Act is heavily risk-driven and does not systematically embed Total Quality Management (TQM) principles or Quality by Design (QbD) the way it probably should for something as critical and dynamic as AI.

Proposed Amendment to the EU AI Act

New Article 15a (QMS & Quality by Design Principle)

1. Providers of high-risk AI systems shall establish, document, implement and maintain a comprehensive Quality Management System (QMS) that governs the entire lifecycle of the AI system, from initial design through development, testing, deployment, monitoring and decommissioning.

2. The QMS shall ensure that Quality by Design principles are applied, including:

  • Proactive identification and incorporation of quality objectives at the design phase
  • Systematic planning for data quality, model robustness, usability and maintainability
  • Continuous monitoring & improvement mechanisms post-deployment
  • Inclusion of traceable design controls & change management procedures.

3. Quality by Design obligations are distinct from, and complementary to, risk management requirements under Article 9. Providers shall demonstrate, through technical documentation, how quality was built into the AI system’s design from the outset, independently of risk mitigation measures.

4. The Commission shall adopt implementing acts to specify harmonized standards and guidelines for the application of Quality by Design in the development of AI systems.

Providers may demonstrate compliance with this Regulation by applying harmonized standards covering Quality by Design and Total Quality Management for AI systems, once adopted pursuant to Regulation (EU) No 1025/2012. This would encourage the development of formal ISO/CEN quality standards for AI.