We’ve talked before about some of the Quality issues related to the use of artificial intelligence (AI) technology, but mostly in an incidental kind of way.* But the adoption of AI by many companies seems not at all incidental. So it is fair to ask how the introduction of AI is going to affect core Quality functions. How will AI change—say—auditing?
It's a good question, and there have been a couple of attempts to answer it in the past year. Last October, Elisabeth Thaller and Jorge Bravo Carreño wrote an article "When the QMS Thinks for Itself" for Quality Progress. Then just last month the ISO 9001 Auditing Practices Group published a formal guidance paper on "Auditing a Quality Management System that uses Artificial Intelligence (AI) systems." It is perhaps not surprising that the article and the guidance paper repeat the same basic points,** and they are pretty much the same points you would make if someone asked you about the same topic. Nothing here is unexpected.
What makes this consistency possible is that ISO 9001 is structured to apply to any kind of work. So the basic questions are always the same. What are your processes? What are your risks? What are your training requirements? And are you getting the results that you want?
The article in Quality Progress identifies five main thoughts to keep in mind when planning an audit in an organization that uses AI, and the suggestions in the APG guidelines can almost be mapped directly onto the same list. The five main thoughts are these:
- Identify where the organization is actually using AI. ("AI may be hiding in plain sight.")
- Use the process approach to identify inputs and outputs in the normal way. ("The process approach still applies—even when the process thinks for itself.")
- Identify risks. ("Risk-based thinking isn’t optional.")
- Identify training needs, responsibilities, and authorities. ("Competence and oversight are essential.")
- Identify results and look for objective evidence. ("Focus on evidence, not the shine.")
And while I'm certainly not going to quote all ten pages of the guidance document in a blog post—you can download the whole thing for free by using the link above—let me quote just a couple of items that fit under each of these five headers, to show you the overlap.
Identify where the organization is actually using AI.
- When preparing the audit, the auditor should:
- Identify whether the organization uses any AI system type for any of its processes within the scope of the QMS.
- Determine the specific function(s) of these processes within the QMS, and
- Recognize assigned responsibilities in relation to these processes. [§2, p.4]
Use the process approach.
- Where AI system(s) are used within operational processes, has the organization ensured that their use supports the achievement of intended results?
- Are such processes monitored, and are changes related to the use of AI system(s) controlled?
- How does the organization ensure the consistency, correctness, and reliability of AI outputs? [§3, cl. 8, p.7]
Identify risks.
- Has the organization considered the implications of the use of AI system(s) when determining its internal and external issues?
- Has the organization identified statutory and regulatory requirements in relation to the use of AI systems, such as those related to data privacy and information security? [§3, cl. 4, p.4-5]
- Has the organization determined and addressed risks and opportunities related to the use of AI system(s)? [§3, cl. 6, p.6]
Identify training needs, responsibilities, and authorities.
- Are adequate resources available to maintain and update AI system(s), including access to technical expertise, data quality management, and cybersecurity support?
- Is the organization able to demonstrate that personnel who use, manage, or oversee AI system(s) meet the determined competence requirements? [§3, cl. 7, p.6]
- Does top management take accountability for ensuring that the AI system(s) within the QMS support its effectiveness and achievement of intended results? [§3, cl. 5, p.5]
Identify results and look for objective evidence.
- Are customer satisfaction trends evaluated for potential impacts arising from AI-enabled processes or interactions?
- Is internal auditing addressing the effectiveness of AI-influenced processes?
- Is information related to the performance and effectiveness of AI systems an input into management review? [§3, cl. 9, p.8]
- Are nonconformities or complaints involving AI system outputs recorded, analyzed, and addressed? [§3, cl. 10, p.8]
There shouldn't be anything shocking in this list. One of the strengths of ISO 9001 is precisely its flexibility. And that flexibility comes from seeing all kinds of work through a lens that highlights certain common features. AI is just one more topic viewed through the very same lens. This is why I said above that you would have come up with the same points if you had taken the time to work through the standard in detail.
But most of us are too busy with our day jobs to do that, so it's convenient that the Auditing Practices Group has done it for us. The next time you have to audit an organization that uses AI in its management system, check out the guidelines document to see if any of the suggestions help you.
__________
* In this post, I asked what the word “Quality” really means in the context of AI. In this one, I discussed how AI tools might be able to enhance training records.
** Partly this outcome is unsurprising because the same person—Elisabeth Thaller—was the lead writer for the article and the chair of the committee that wrote the guidance document. Chris Paris published an article taking the APG committee to task because most of them have no special background in AI. But it appears from her LinkedIn profile that Thaller does have at least some background.




com-3578949410.jpg)











