# Article 17 QMS Template Pack ## EU AI Act Quality Management System for High-Risk AI --- ## Overview This template pack provides a practical starting point for building a Quality Management System (QMS) compliant with **EU AI Act (Regulation 2024/1689) Article 17**. It is designed for teams building or providing high-risk AI systems who need to establish documented, auditable quality management processes. **Important Disclaimer:** This is a fictional sample for educational purposes and does not constitute legal advice. Organizations should customize these templates with qualified legal and compliance guidance. --- ## What's Included ### 01-QMS-Manual/ The main policy document establishing your QMS framework. | Document | Description | |----------|-------------| | `QMS-Manual-Article17.md` | Comprehensive QMS manual covering all 13 elements (a-m) of Article 17(1) | ### 02-Procedures/ Core procedures for QMS operation. | Document | Covers | |----------|--------| | `QMS-PRO-001-Change-Control.md` | Element (a): Change and modification management | | `QMS-PRO-006-Data-Management.md` | Element (f): Data governance across the lifecycle | | `QMS-PRO-007-Risk-Management.md` | Element (g): Risk management system integration | | `QMS-PRO-008-Post-Market-Monitoring.md` | Element (h): Monitoring after deployment | | `QMS-PRO-009-Incident-Reporting.md` | Element (i): Serious incident reporting | ### 03-Records-Forms/ Templates for required operational records. | Document | Purpose | |----------|---------| | `QMS-REC-001-Internal-Audit-Report.md` | Document internal audit findings | | `QMS-REC-002-Management-Review-Minutes.md` | Record management review meetings | | `QMS-REC-003-CAPA-Log.md` | Track corrective and preventive actions | | `QMS-REC-004-Change-Request-Form.md` | Initiate and track changes | | `QMS-REC-005-Incident-Report-Form.md` | Document and investigate incidents | ### 04-Evidence-Templates/ Templates for evidence packaging and audit readiness. | Document | Purpose | |----------|---------| | `Evidence-Manifest-Template.md` | Package evidence with integrity verification | --- ## Article 17(1) Coverage Map | Element | Description | Template Coverage | |---------|-------------|-------------------| | **(a)** | Regulatory compliance strategy + change management | QMS Manual §3.1, Change Control Procedure | | **(b)** | Design control + design verification | QMS Manual §3.2 | | **(c)** | Development + QA controls | QMS Manual §3.3 | | **(d)** | Test + validation procedures | QMS Manual §3.4 | | **(e)** | Technical specs + standards | QMS Manual §3.5 | | **(f)** | Data management | QMS Manual §3.6, Data Management Procedure | | **(g)** | Risk management integration | QMS Manual §3.7, Risk Management Procedure | | **(h)** | Post-market monitoring | QMS Manual §3.8, Post-Market Monitoring Procedure | | **(i)** | Serious incident reporting | QMS Manual §3.9, Incident Reporting Procedure | | **(j)** | Communication procedures | QMS Manual §3.10 | | **(k)** | Record-keeping | QMS Manual §3.11, All record templates | | **(l)** | Resource + supply management | QMS Manual §3.12 | | **(m)** | Accountability framework | QMS Manual §2.2, §3.13 | --- ## How to Use This Pack ### Step 1: Customize the QMS Manual 1. Replace all `[placeholder]` values with your organization's information 2. Define your AI system scope and boundaries 3. Assign roles and responsibilities 4. Set your review cadence and update triggers ### Step 2: Adapt Procedures 1. Review each procedure against your existing processes 2. Customize thresholds, timelines, and escalation paths 3. Align with your tooling (monitoring systems, ticketing, etc.) 4. Add organization-specific controls as needed ### Step 3: Implement Record Templates 1. Set up a document management system 2. Configure forms for your workflow 3. Train staff on documentation requirements 4. Establish retention schedules ### Step 4: Build Evidence Capability 1. Define your systems of record 2. Implement integrity verification (hashing) 3. Practice evidence export 4. Conduct a mock audit --- ## Alignment with prEN 18286 This template pack is structured to align with **prEN 18286: Artificial Intelligence - Quality Management System for EU AI Act Regulatory Purposes**, the draft European standard currently in public enquiry. Key alignment points: - Lifecycle coverage (planning, implementation, monitoring, improvement) - Evidence-based approach with traceability - Integration with risk management (Article 9) - Post-market monitoring integration - Document control and record-keeping emphasis --- ## Implementation Tips ### Keep It Operational - A QMS that exists only on paper will fail audits - Every procedure should have records proving it runs - If you can't produce evidence, the control doesn't exist ### Right-Size to Your Organization - Article 17(2) requires proportionality to organization size - Minimal is fine; missing controls is not - Your QMS should be small enough to run and strict enough to prove ### Define Update Triggers - Model/prompt/tool/data changes - Monitoring findings - Incidents (or near-miss clusters) - Supplier changes - Regulatory updates ### Run Internal Audits Like You Mean It - Audit the process, not just the document - Log nonconformities - Track corrective actions to closure ### Treat Post-Market Monitoring as the Heartbeat - If monitoring isn't connected to management review and CAPA, the QMS is decorative - Monitoring → Risk Review → Action is the core loop --- ## Common Pitfalls to Avoid | Pitfall | How to Avoid | |---------|--------------| | "We have a QMS doc" (but no records) | Implement records from day one | | Change management for code only | Include prompts, models, data pipelines | | Monitoring exists but disconnected | Link to risk review and CAPA | | Incident process never tested | Run annual drills | | Evidence scattered across tools | Centralize with integrity proofs | --- ## Related Resources - [EU AI Act (Regulation 2024/1689)](https://eur-lex.europa.eu/eli/reg/2024/1689/oj) - [AI Act Standardisation](https://digital-strategy.ec.europa.eu/en/policies/ai-act-standardisation) - ISO/IEC 42001:2023 - AI Management System - ISO/IEC 23894:2023 - AI Risk Management --- ## Version History | Version | Date | Changes | |---------|------|---------| | 1.0 | [Date] | Initial template pack | --- ## License This template pack is provided for informational and educational purposes. Organizations should customize with appropriate legal and compliance guidance for their jurisdiction and circumstances. --- *Generated for KLA Digital - Article 17 QMS Template Pack*