Article 17 - Quality Management System (ART17)

Under Article 17, it is the obligation of the High-Risk AI providers to have in place a quality management system that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions (17.01), and shall include at least the following aspects:

1. a strategy for regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the high-risk AI system (17.02);

2. techniques, procedures and systematic actions to be used for the design, design control and design verification of the high-risk AI system (17.03);

3. techniques, procedures and systematic actions to be used for the development, quality control and quality assurance of the high-risk AI system (17.04);

4. examination, test and validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out (17.05);

5. technical specifications, including standards, to be applied and, where the relevant harmonised standards are not applied in full, the means to be used to ensure that the high-risk AI system complies with the requirements set out in Article 9-15 (17.06);

6. systems and procedures for data management, including data collection, data analysis, data labelling, data storage, data filtration, data mining, data aggregation, data retention and any other operation regarding the data that is performed before and for the purposes of the placing on the market or putting into service of high-risk AI systems (17.07);

7. the risk management system referred to in Article 9 (17.08);

8. the setting-up, implementation and maintenance of a post-market monitoring system, in accordance with Article 61 (17.09);

9. procedures related to the reporting of serious incidents and of malfunctioning in accordance with Article 62 (17.10);

10. the handling of communication with national competent authorities, competent authorities, including sectoral ones, providing or supporting the access to data, notified bodies, other operators, customers or other interested parties (17.11);

11. systems and procedures for record keeping of all relevant documentation and information (17.12);

12. resource management, including security of supply related measures (17.13);

13. an accountability framework setting out the responsibilities of the management and other staff with regard to all aspects listed in this paragraph (list) (17.14).

Below is the list of controls/checks part of Article 17.

• 17.01 - Quality Management System in Place

• 17.02 - Compliance Strategy Stated

• 17.03 - Design Processes

• 17.04 - Development and QA Processes

• 17.05 - Test and Validation Procedures

• 17.06 - Technical Standards

• 17.07 - Data Management Procedures

• 17.08 - Risk Management System

• 17.09 - Ongoing Monitoring System

• 17.10 - Incident Reporting Procedures

• 17.11 - Communications with Competent Authorities

• 17.12 - Record Keeping Procedures

• 17.13 - Resource Management Procedures

• 17.14 - Accountability Framework