Best Practices For Engineering Documentation


  • Dr. Barry Scannell

    AI Law & Policy | Partner in Leading Irish Law Firm William Fry | Member of the Board of Irish Museum of Modern Art | PhD in AI & Copyright

    60,560 followers

    Yesterday, the AI Office published the third draft of the General-Purpose AI Code of Practice, a key regulatory instrument for AI providers seeking to align with the EU AI Act. Developed with input from 1,000 stakeholders, the draft refines previous versions by clarifying compliance requirements and introducing a structured approach to regulation. GPAI providers must meet baseline obligations on transparency and copyright compliance, while models classified as having systemic risk face additional commitments under Article 51 of the AI Act. The final version, expected in May 2025, aims to facilitate compliance while ensuring AI models adhere to safety, security, and accountability standards.

    The Code introduces the Model Documentation Form, requiring AI providers to disclose key details such as model architecture, parameter size, training methodologies, and data sources. Transparency obligations include specifying the provenance of training data, documenting measures to mitigate bias, and reporting compute power and energy consumption. GPAI providers must also outline their models’ intended uses, with additional requirements for systemic-risk models, including adversarial testing and evaluation strategies. Documentation must be retained for twelve months after a model is retired, with copyright compliance mandatory for all providers, including open-source AI.

    GPAI providers must establish formal copyright policies and comply with strict data collection rules. Web crawlers cannot bypass paywalls, access piracy sites, or ignore the Robots Exclusion Protocol. The Code also requires providers to prevent AI-generated copyright infringement, mandate compliance in acceptable use policies, and implement mechanisms for rightsholders to submit copyright complaints. Providers must maintain a point of contact for copyright inquiries and ensure their policies are transparent.

    For AI models with systemic risk, the Code introduces a Safety and Security Framework, aligning with the AI Act’s high-risk requirements. Providers must assess risks in areas such as cyber threats, manipulation, and autonomous AI behaviours. They must define risk acceptance criteria, anticipate risk escalations, and conduct assessments at key development milestones. If risks are identified, development may need to be paused while safeguards are implemented.

    GPAI providers must introduce technical safeguards, including input filtering, API access controls, and security measures meeting at least the RAND SL3 standard. From 2 November 2025, systemic-risk models must undergo external risk assessments before release. Providers must maintain a Safety and Security Model Report, report AI-related incidents within strict timeframes, and implement governance structures ensuring responsibility at all levels. Whistleblower protections are also required.

    With the final version expected in May 2025, AI providers have a short window to prepare before the AI Act takes full effect in August.

  • EU MDR Compliance

    Take control of medical device compliance | Templates & guides | Practical solutions for immediate implementation

    78,887 followers

    Many teams wonder how to approach documentation for IEC 62304.

    The answer starts before documentation even begins: IEC 62304 assumes you're already working within a QMS and a Risk Management framework. Without those foundations, software lifecycle documentation won’t hold up during audits or CE submissions.

    From there, the standard describes five key processes that cover the entire software lifecycle. These include SW development; Risk Management; Maintenance & Change; Config. Management; Problem resolution.

    But documentation is where clarity meets compliance. Some of the core deliverables to focus on:

    → The SW Development Plan ensures that your lifecycle, roles, tools, and milestones are clearly defined and traceable.
    → The Configuration Management Plan makes sure versioning and change controls are structured and secure.
    → The Software Requirements Specification (SRS) covers everything from functional needs to regulatory constraints. It’s the foundation for testing and risk mapping.
    → The System Architecture Description details interfaces, data flows, hardware, and SOUP integration.
    → The Detailed Design digs into algorithms, components, and design choices.
    → The Traceability Matrix connects all dots between req's, risks, and tests.
    → The Design Review Document supports structured, auditable design discussions.
    → The Test Plan and Test Report document all testing activities.
    → The Maintenance Plan outlines post-release steps including feedback, updates, and ongoing risk control.
    → The Problem Report keeps track of issue resolution, from detection to closure.

    Add to that all the risk documentation and you're good to go. It is possible to have more or fewer documents on this list; IEC 62304 does not impose a specific format, only that the required information be documented.

    We just released a full template system built to help teams:

    → Follow a compliant process aligned with IEC 62304/AMD1:2015
    → Connect easily with ISO 13485 and ISO 14971
    → Organize software documentation by safety class (A, B, or C)
    → Ensure traceability across requirements, tests, and risk controls
    → Save time – no need to start from a blank page

    The bundle is available here: https://lnkd.in/eAB4r65y

    14 Word templates in a bundle, ready to adapt and integrate into your QMS.

  • Robbie Crow

    People, Culture & Workforce Strategy | Making work actually work | Inclusion, Talent & Change | BBC | Chartered FCIPD

    34,001 followers

    Most inaccessible documents aren’t created out of bad intent. No-one does it on purpose. They’re created out of habit.

    The good news is you don’t need to be an accessibility expert to help build a culture where accessible documents become the norm. Small behaviours, repeated often, shape organisational culture far more than policies do.

    Here are five simple things anyone can do, right now. (You can also find some further resources in the comments.)

    1 - Build accessibility into your workflow
    Treat accessibility checks the same way you treat spellcheck. Before sending a document, take a minute to run an accessibility check and scan for obvious issues. When accessibility becomes a normal step in the workflow, it stops being an afterthought and starts becoming routine.

    2 - Be an ally.
    You don’t have to personally need accessibility to advocate for it. Ask whether documents have been checked. Encourage colleagues to think about accessibility. If something isn’t accessible, raise it constructively, push back gently if someone sends you something that isn’t accessible. Cultural change often begins with someone asking the question.

    3 - Learn the tools you already have
    Most people already have everything they need. Simple features such as document headings (heading 1, 2 etc), meaningful link titles, and built in accessibility checkers make a huge difference. Learning how to use these properly can transform the usability of a document in minutes.

    4 - Think beyond screen readers.
    Whilst a crucial part of it, accessibility isn’t just about screen reader compatibility. Clear structure, readable layouts, logical headings, and descriptive links make documents easier for everyone to navigate and understand. Accessibility improves usability for the entire organisation.

    5 - Automate your mailbox
    One simple trick is creating an Outlook rule that replies to anyone who sends you an attachment asking whether the document has been checked for accessibility. It’s a gentle prompt that helps build awareness and encourages better habits over time.

    Bonus tip - set the standard.
    If you want others to care about accessible documents, your own documents need to set the standard. When people consistently receive accessible content from you, it reinforces that accessibility is not an optional extra. It is simply how good work gets done.

    Accessibility culture doesn’t start with experts. It starts with everyday habits.

    ID: a Robbie Crow Purple infographic titled “Five top tips to build a culture of document accessibility”. It summarises the points in this post and full alt text can be found in the image. The graphic uses purple, pale yellow and gold branding with a “Progress Over Perfection” badge at the bottom.

  • Margaux Joffe, CPACC

    Neurodiversity Speaker & Advisor | Forbes Accessibility 100 | Founder, Minds of All Kinds & ADHD Navigators Program | Neurodivergent 🧠🏳️🌈

    13,786 followers

    Want more people to read your content? Simple formatting tips can help:

    1. Use sentence case or lowercase. (ALL CAPS is harder to read.)
    2. Use underlines and italics very sparingly. Underlined and italic text can be harder to read, especially for folks who are dyslexic.
    3. Avoid overly decorative fonts. Those are harder to read.
    4. Left Align - for paragraphs of content, left alignment is recommended. Centered alignment of a paragraph is harder to read because your eye has to find the start of the new line each time.
    5. Avoid Justified alignment - It creates inconsistent gaps (sometimes called “rivers”). You may think it looks “nice” but it is difficult to read.
    6. Line spacing: Single spacing is more difficult to read. Spacing of 1.5 can help make your content more accessible. Create breathing room :)
    7. Contrast is needed - do not put light text on light background (like white on yellow) or a dark text on dark background. (Like black on dark purple). WebAIM's Contrast Checker is a free tool to tell you if you have enough color contrast in your documents, decks and graphics to meet accessibility guidelines.

    Simple things make a difference.

    💬 Did you learn anything new?
    💬 What would you add?

    This is your Minds of All Kinds tip of the week. 🧠✅

    #Accessibility #CognitiveAccessibility #Neuroinclusion #MindsOfAllKinds

    [Image Description: An educational graphic showing the contrast between text in all caps and text in lowercase: Red X symbol. TEXT IN ALL CAPS IS HARDER TO READ. ESPECIALLY WHEN IT’S MORE THAN ONE WORD. Green checkmark: Sentence case is easier to read. At the bottom center is the Minds of All Kinds logo next to a speech bubble icon labeled TIPS.]

  • Santosh Nandakumar

    Your CISM Mentor - CISA | CISM | CIPM |GDPR | ISO 27701 | ISO 27001 | ISO 20000 | ISO 22301 | ISO 9001| ISO 31000 | ISO 29000 | ISO 27017 | ISO 27018

    32,978 followers

    🔥 ISO 42001 (Artificial Intelligence Management System) 🔥 Implementation Steps

    Step 1: Comprehensive Risk Assessment
    Start by conducting a detailed risk assessment specific to AI technologies. It should focus on unique risks such as:
      • Algorithmic Transparency: Assessing the ability to trace and explain decision-making processes of AI systems.
      • Data Integrity Risks: Evaluating risks related to data accuracy, consistency, and protection.
      • Ethical Implications: Considering the impact of AI decisions on fairness, non-discrimination, and human rights.
    Use specialized tools that align with AI risk management to systematically identify and evaluate these risks.

    Step 2: Developing Policies and Objectives
    Create policies that specifically address:
      • Ethical AI Usage: Guidelines for ethical decision-making processes, ensuring AI respects privacy and human rights.
      • Data Governance: Policies on data acquisition, storage, usage, and disposal to protect personal and sensitive information.
      • Accountability Structures: Clear accountability frameworks for AI decisions, including roles and responsibilities for oversight.
    Objectives should be directly linked to mitigating identified risks and aligning AI operations with ethical, legal, and technical standards.

    Step 3: Resource Allocation
    Ensure adequate resources are allocated to:
      • AI-specific Compliance Tools: Technologies that monitor AI behavior and compliance with ethical standards.
      • Training Programs: Targeted education initiatives for staff on AI ethics, legal requirements, and the management of AI systems.

    Step 4: Control Implementation and Management
    Implement controls that include:
      • Audit Trails for AI Decisions: Systems to log and review AI decision processes and outcomes.
      • Bias Mitigation Processes: Controls to detect and correct biases in AI algorithms.
      • Response Mechanisms: Procedures for responding to AI system failures or ethical breaches.
    Regular updates to these controls are essential to address evolving AI capabilities and regulatory landscapes.

    Step 5: Documentation and Record Keeping
    Document all aspects of AI system development and deployment:
      • Development Documentation: Detailed records of AI models’ design, testing, and validation.
      • Compliance Documentation: Evidence of compliance with ISO/IEC 42001:2023, including audits, training records, and risk assessments.
      • Incident Logs: Records of any issues, how they were addressed, and steps taken to prevent future occurrences.

    Step 6: Continuous Monitoring and Review
    Establish ongoing monitoring and periodic reviews to:
      • Evaluate AI Performance: Continuous assessments against compliance and performance objectives.
      • Regulatory Updates: Regular reviews to adapt to new legal and industry standards affecting AI use.

  • Dr. Dennis Janning

    Strategic Advisor in Life Sciences & AI | Head of AI | Guiding Pharma & MedTech through Validated GenAI & Scalable Transformation

    3,770 followers

    FDA's AI Enforcement Shift: What the Exer Labs Warning Letter Signals for GxP Teams

    The era of treating AI as a "non-product" tool outside traditional validation is over. The FDA's enforcement against Exer Labs classified their AI motion-analysis system as a medical device and cited deficiencies across validation, change control, and lifecycle management.

    The signal: when AI influences regulated decisions, the solution must be brought under your quality system with expectations proportionate to process and patient risk.

    Three consequences for Pharma and MedTech teams:

    1) Validation scope widens
    AI models touching labeling, dosing, safety, or quality decisions require a documented credibility assessment consistent with the January 2025 draft guidance's 7-step framework and your CSA/GAMP risk classification.

    2) ALCOA+ includes model behavior
    Training data lineage, drift monitoring, bias detection, and explainability must meet the same data integrity standards as batch documentation. Audit trails for AI-supported decisions are expected, not optional.

    3) Lifecycle management becomes continuous
    The agency expects active monitoring, not one-time validation. SOPs need change-control pathways for model updates and retraining. Not only for software releases.

    The January 2025 draft incorporated patterns from 500+ AI-related submissions since 2016. FDA reviewers know exactly where gaps typically appear.

    Practical next step: Inventory every AI system touching regulated decisions. Map each against the credibility assessment framework before your next audit.

    Which gap would an inspector find first: data lineage, model validation documentation, or change control procedures?

    #AIStrategy #LifeSciences #GxP #Validation #DigitalR&D #CSV #DataIntegrity #ALCOA #FDA

  • Tom McLeod

    Intersection of AI and Internal Audit | Global Adviser to Boards & Chief Audit Executives | Speaker | Writer | Former Chief Audit Executive & Chief Risk Officer

    35,417 followers

    How Are You Auditing AI Model Cards?

    I am certain of few things in this world of great change ... but I am going to go out on a limb and say that within six months (if not already) Boards and Management are going to be asking of Internal Audit:

    "So can you provide assurance ... by tomorrow ... over our model card?"

    And this will prompt a question you will quickly ask of AI - which as you will see by the end of this LinkedIn post is ironic!:

    "I have no idea what they are asking me to do; what is a model card?"

    I saw a great description of model cards being like a nutrition label for AI - a document that explains what an AI model is meant to do, how it was built, how well it performs, and what its risks or limitations are.

    A model card should help non-technical people - executives, regulators, customers (me!) - see if an AI system is safe, fair, and fit for purpose.

    (The Google Model Card page is worth a look: https://lnkd.in/g6z5-dHQ)

    Hmmm ... stakeholders wanting comfort that what they are using is safe and appropriate ... what function in an organisation could possibly help ...

    Stand up Internal Audit ... this is our time!!!

    And this is what we need to do.

    ~ Model Design & Purpose ~
    1 - Confirm the intended use case is clearly documented.
    2 - Check that the business objective aligns with the model’s stated purpose.
    3 - Ensure stakeholders can understand the card (plain language, no jargon).

    ~ Model Data & Development ~
    4 - Review how datasets are sourced, documented, and compliant.
    5 - Assess bias testing and fairness methods (easier said than done!).
    6 - Confirm that validation data is independent from training.

    ~ Model Training & Testing ~
    7 - Validate that performance metrics are fairly presented.
    8 - Review stress testing for edge cases and robustness.
    9 - Ensure limitations and assumptions are openly disclosed.

    ~ Model Risk & Compliance ~
    10 - Confirm operational, ethical, and regulatory risks are listed.
    11 - Check alignment with laws and standards.
    12 - Ensure misuse scenarios are anticipated and mitigated.

    ~ Model Governance & Deployment ~
    13 - Verify that the model card names clear accountable owners.
    14 - Review version control for every model iteration.
    15 - Assess change governance before deployment updates.

    ~ Model Controls & Safeguards ~
    16 - Confirm there are fallback procedures if the model fails.
    17 - Review audit trail evidence for external (non management) review.
    18 - Check coverage of third-party models interacting with the reviewed model.

    ~ Model Monitoring & Continuous Assurance ~
    19 - Confirm the card references ongoing monitoring of performance and risks.
    20 - Assure that Internal Audit has visibility into the entire lifecycle for repeat reviews.

    **

    AI may often feel complex (primarily because it is), but trust is simple: document, disclose, and independently assure.

    The first globally recognised AI Model Auditor is going to reshape the entire profession. Who will it be?

  • Kuba Szarmach

    Advanced AI Risk & Compliance Analyst @Relativity | Curator of AI Governance Library | CISM CIPM AIGP | Sign up for my newsletter of curated AI Governance Resources (2.000+ subscribers)

    20,756 followers

    ⚠️ Why should banks care about AI governance today—not tomorrow?

    Because model failures already exist. Because AI audits aren’t optional anymore. And because this new certification framework might be the most rigorous response to SR11-7 you haven’t heard about yet.

    📘 Just read through ForHumanity’s Model Risk Management Certification Scheme v1.5—and it’s a game changer for Regulated Financial Institutions using AI, algorithmic, or autonomous (AAA) systems. What stood out?

    💡 Why it matters:
    This isn’t just another standard. It’s a modular, compliance-by-design infrastructure that fuses BASEL III, SR11-7, SR13-19, and other federal guidance with human-centric governance criteria. Think of it as a bridge between:
      • traditional model risk frameworks, and
      • modern AI governance demands.
    No more waiting for AI Act enforcement. No more vague accountability.

    🔍 Key strengths:
      • Covers everything from conceptual soundness to decommissioning.
      • Defines Top Management and Oversight Bodies, linking internal audit, risk, compliance, and ethics.
      • Introduces clear audit-ready documentation like the cAIRE Report, Residual Risk statements, and Explainability+.
      • Integrates Fiduciary human oversight and protections for vulnerable populations.
      • Most importantly: It’s binary and enforceable—compliant or not. No grey zones.

    👥 It’s also one of the few schemes explicitly calling for expert multidisciplinary teams—market experts, ethics professionals, cybersecurity leads—working together to reduce systemic risk in finance.

    Grateful to the 2,900+ contributors behind this work. ForHumanity continues to lead in defining practical, defensible, and ethical AI standards.

    #ModelRisk #AIinFinance #SR117 #AIGovernance #AAACompliance

    ===

    Did you like this post? Connect or Follow 🎯 Jakub Szarmach

    Want to see all my posts? Ring that 🔔.

    Sign up for my biweekly newsletter with the latest selection of AI Governance Resources (1.400+ subscribers) 📬.

  • Charles B. Hall, CPA, MACC

    CPAHallTalk Owner | CPA, MAcc, Auditor, 5x Author, Quality Management

    11,805 followers

    Audit documentation tip #5

    Document how audit information (including client-prepared) relates to your planned audit procedures including the source (where did it come from and from whom?) and the purpose of the information (why is it in the audit file?).

    Document where the information came from. Who prepared it and how?

    Document the purpose of the information. How does it relate to the planned audit procedures (which should come from our risk assessments)? If the information has no relation to the planned procedures, is it needed?

    Include a purpose statement on each main work paper. Many auditors take exception to this; they say a purpose statement is redundant, that the procedures are in the audit program. But let me say as someone who has reviewed tens of thousands of work papers, it is often not clear why a work paper is in the file. It might make sense to the person who included it, but not to anyone else. I think I’ve spent months (maybe years) of my life staring at work papers and trying to make sense of them.

    Remember, create your documentation so it’s understandable to an experienced auditor/reviewer (this is the requirement of the audit standards). You are communicating to that audience (not to yourself).

    In summary, include the following on each lead work paper:
      • Source of information
      • Purpose of information
      • Relation to planned audit procedures

    Does it take more time to document these? Yes, but less time than is lost by reviewers trying to understand what was done.

    #CPAHallTalk, #auditdocumentation

  • Ilya Kabanov

    Forecasting on TheWeatherReport.ai

    8,786 followers

    A European Standard for AI cybersecurity: Baseline Cyber Security Requirements for AI Models and Systems.

    If you build or deploy AI systems for European markets, expect this standard to show up in customer due diligence, RFP language, and “map your controls” conversations.

    ETSI published ETSI EN 304 223 V2.1.1, “Baseline Cyber Security Requirements for AI Models and Systems”, a European Standard for AI cybersecurity. I read it so you don’t need to. (link in comments 👇)

    Highlights:
    🔹 The standard sets a lifecycle security baseline across five phases: design, development, deployment, maintenance, and end of life.
    🔹 It defines 13 high-level principles that are easy to map into engineering, governance, and operational controls.
    🔹 It makes documentation and auditability core requirements, including traceability for models, data, prompts, and configuration changes.
    🔹 It treats model exposure as an attack surface and calls out API abuse mitigations such as access controls and rate limiting.
    🔹 It requires ongoing monitoring for AI-specific failure modes, including behavioral drift and indicators of data poisoning.

    My take:
    1️⃣ For AI vendors selling into Europe, it is worth starting to align their controls with ETSI EN 304 223 now.
    2️⃣ AI security vendors should publish mappings showing how their tooling helps teams meet these requirements.
    3️⃣ The standard is intentionally high level. It doesn’t specify metrics, thresholds, or minimum testing depth, so, as with ISO/IEC standards, teams must translate it into measurable controls, acceptance criteria, and checklists.
    4️⃣ Secure development is the focus: 5 of 13 principles, and a strong push for audit-ready evidence.
    5️⃣ AI security and AI safety are converging. See my earlier post on the Cisco AI Cybersecurity Framework (link in comments 👇).

    ETSI’s planned TR 104 159 for generative AI extends the focus to deepfakes, misinformation and disinformation, confidentiality risks, and copyright and IPR concerns.
