Application Documentation Template

Application Owner: Name and contact information
Document Version: Version controlling this document is highly recommended
Reviewers: List reviewers

General Information

EU AI Act Article 11; Annex IV paragraph 1, 2, 3

Purpose and Intended Use:

  • Description of the AI system's intended purpose, including the sector of deployment.
  • Clearly state the problem the AI application aims to solve.
  • Delineate target users and stakeholders.
  • Set measurable goals and key performance indicators (KPIs).
  • Consider ethical implications and regulatory constraints.
  • Clear statement on prohibited uses or potential misuse scenarios.
  • Operational environment: Describe where and how the AI system will operate, such as on mobile devices, cloud platforms, or embedded systems.

Risk classification

Prohibited Risk: EU AI Act Chapter II Article 5
High-Risk: EU AI Act Chapter III, Section 1 Article 6, Article 7
Limited Risk: Chapter IV Article 50

  • High / Limited / Minimal (in accordance with the AI Act)
  • reasoning for the above classification

Application Functionality

EU AI Act Article 11 ; Annex IV, paragraph 1, 2, 3

  • Instructions for use for deployers:
    (EU AI Act Article 13)
  • Model Capabilities:
  • What the application can and cannot do (limitations).
  • Supported languages, data types, or scenarios.
  • Input Data Requirements:
  • Format and quality expectations for input data.
  • Examples of valid and invalid inputs.
  • Output Explanation:
  • How to interpret predictions, classifications, or recommendations.
  • Uncertainty or confidence measures, if applicable.
  • System Architecture Overview:
  • Functional description and architecture of the system.
  • Describe the key components of the system (including datasets, algorithms, models, etc.)

Models and Datasets

EU AI Act Article 11; Annex IV paragraph 2 (d)

Models

Link to all model integrated in the AI/ML System

Model Link to Single Source of Truth Description of Application Usage
Model 1 TechOps Model Document ...
Model 2 TechOps Model Document ...
Model 3 GitHub Repo ...

Datasets

Link to all dataset documentation and information used to evaluate the AI/ML System.
(Note, Model Documentation should also contain dataset information and links for all datasets used to train and test each respective model)

Dataset Link to Single Source of Truth Description of Application Usage
Dataset 1 TechOps Data Document ...
Dataset 2 GitHub Repo ...

Deployment

  • Infrastructure and environment details (e.g., cloud setup, APIs).
  • Integration with external systems or applications.

Infrastructure and Environment Details

  • Cloud Setup:
  • Specify cloud provider (e.g., AWS, Azure, GCP) and regions.
  • List required services: compute (e.g., EC2, Kubernetes), storage (e.g., S3, Blob Storage), and databases (e.g., DynamoDB, Firestore).
  • Define resource configurations (e.g., VM sizes, GPU/TPU requirements).
  • Network setup: VPC, subnets, and security groups.
  • APIs:
  • API endpoints, payload structure, authentication methods (e.g., OAuth, API keys).
  • Latency and scalability expectations.

Integration with External Systems

EU AI Act Article 11 ; Annex IV paragraph 1 (b, c, d, g, h), 2 (a)

  • Systems:
  • List dependencies
  • Data flow diagrams showing interactions.
  • Error-handling mechanisms for APIs or webhooks

Deployment Plan

  • Infrastructure:
  • List environments: development, staging, production.
  • Resource scaling policies (e.g., autoscaling, redundancy).
  • Backup and recovery processes.
  • Integration Steps:
  • Order of deployment (e.g., database migrations, model upload, service launch).
  • Dependencies like libraries, frameworks, or APIs.
  • Rollback strategies for each component.
  • User Information: where is this under deployment?

Lifecycle Management

EU AI Act Article 11; Annex IV paragraph 6

  • Monitoring procedures for performance and ethical compliance.
  • Versioning and change logs for model updates.
  • Metrics:
  • Application performance: response time, error rate.
  • Model performance: accuracy, precision, recall.
  • Infrastructure: CPU, memory, network usage.
  • Key Activities:
  • Monitor performance in real-world usage.
  • Identify and fix drifts, bugs, or failures.
  • Update the model periodically.
  • Documentation Needs:
  • Monitoring Logs: Real-time data on accuracy, latency, and uptime.
  • Incident Reports: Record of failures, impacts, and resolutions.
  • Retraining Logs: Data updates and changes in performance.
  • Audit Trails: Comprehensive history of changes to ensure compliance. -Manteinance of change logs:
  • new features added
  • updates to existing functionality
  • deprecated features
  • removed features
  • bug fixes
  • security and vulnerability fixes

Risk Management System

EU AI Act Article 9
EU AI Act Article 11 ; Annex IV

Risk Assessment Methodology: Describe the frameworks or standards used to identify and assess risks, such as ISO 31000 or failure mode and effects analysis (FMEA), or NIST Risk Assessment Framework.

Identified Risks:

Potential Harmful Outcomes: List possible negative effects, such as biased decisions, privacy breaches, or safety hazards.

Likelihood and Severity: Assess how likely each risk is to occur and the potential impact on users or society.

Risk Mitigation Measures

Preventive Measures: Detail actions taken to prevent risks, like implementing data validation checks or bias reduction techniques.

Protective Measures: Describe contingency plans and safeguards in place to minimize the impact if a risk materializes.

Testing and Validation (Accuracy, Robustness, Cybersecurity)

EU AI Act Article 15

Testing and Validation Procedures (Accuracy):

Performance Metrics: List the metrics used to evaluate the AI system, such as accuracy, precision, recall, F1 score, or mean squared error.

Validation Results: Summarize the outcomes of testing, including any benchmarks or thresholds met or exceeded.

Measures for Accuracy: High-quality data, algorithm optimisation, evaluation metrics, and real-time performance tracking.

Accuracy throughout the lifecycle

Data Quality and Management: High-Quality Training Data: Data Preprocessing, techniques like normalisation, outlier removal, and feature scaling to improve data consistency, Data Augmentation, Data Validation

Model Selection and Optimisation: Algorithm selection suited for the problem, Hyperparameter Tuning (grid search, random search, Bayesian optimization), Performance Validation( cross-validation by splitting data into training and testing sets, using k-fold or stratified cross-validation), Evaluation Metrics (precision,recall, F1 score, accuracy, mean squared error (MSE), or area under the curve (AUC).

Feedback Mechanisms: Real-Time Error Tracking, Incorporate mechanisms to iteratively label and include challenging or misclassified examples for retraining.

Robustness

<-- Add outlier detection and all possible post analysis, what are the criticalities -->

Robustness Measures:

  • Adversarial training, stress testing, redundancy, error handling, and domain adaptation.

Scenario-Based Testing:

  • Plan for adversarial conditions, edge cases, and unusual input scenarios.

  • Design the system to degrade gracefully when encountering unexpected inputs.

Redundancy and Fail-Safes:

  • Introduce fallback systems (e.g., rule-based or simpler models) to handle situations where the main AI system fails.

Uncertainty Estimation:

  • Include mechanisms to quantify uncertainty in the model’s predictions (e.g., Bayesian networks or confidence scores).

Cybersecurity

EU AI Act Article 11; Annex IV paragraph 2 (h)

Data Security:

Access Control:

Incident Response :

These measures include threat modelling, data security, adversarial robustness, secure development practices, access control, and incident response mechanisms.

Post-deployment monitoring, patch management, and forensic logging are crucial to maintaining ongoing cybersecurity compliance.

Documentation of all cybersecurity processes and incidents is mandatory to ensure accountability and regulatory conformity.

Human Oversight

EU AI Act Article 11;; Annex IV paragraph 2(e)
EU AI Act Article 14

Human-in-the-Loop Mechanisms: Explain how human judgment is incorporated into the AI system’s decision-making process, such as requiring human approval before action.

Override and Intervention Procedures: Describe how users or operators can intervene or disable the AI system in case of errors or emergencies.

User Instructions and Training: Provide guidelines and training materials to help users understand how to operate the AI system safely and effectively.

Limitations and Constraints of the System: Clearly state what the AI system cannot do, including any known weaknesses or scenarios where performance may degrade.

Incident Management

  • Common Issues:
  • List common errors and their solutions.
  • Logs or debugging tips for advanced troubleshooting.
  • Support Contact:
  • How to reach technical support or community forums.

Troubleshooting AI Application Deployment

This section outlines potential issues that can arise during the deployment of an AI application, along with their causes, resolutions, and best practices for mitigation.

Infrastructure-Level Issues

Insufficient Resources
  • Problem: Inaccurate resource estimation for production workloads.

  • Unexpected spikes in user traffic can lead to insufficient resources such as compute, memory or storage that can lead to crashes and bad performance

  • Mitigation Strategy:

Network Failures

  • Problem: network bottlenecks can lead to inaccessible or experiences latency of the application.

  • Mitigation Strategy:

Deployment Pipeline Failures

  • Problem: pipeline fails to build, test, or deploy because of issues of compatibility between application code and infrastructure, environment variables or credentials misconfiguration.

  • Mitigation Strategy:

Integration Problems

API Failures

  • Problem: External APIs or internal services are unreachable due to network errors or authentication failures.

  • Mitigation Strategy:

Data Format Mismatches

  • Problem: Crashes or errors due to unexpected data formats such as changes in the schema of external data sources or missing data validation steps.

  • Mitigation Strategy:

Data Quality Problems

  • Problem: Inaccurate or corrupt data leads to poor predictions.
  • Causes:
  • No data validation or cleaning processes.

  • Inconsistent labelling in training datasets.

  • Mitigation Strategy:

Model-Level Issues

Performance or Deployment Issues

  • Problem: Incorrect or inconsistent results due to data drift or inadequate training data for the real world deployment domain.

  • Mitigation Strategy:

Safety and Security Issues

Unauthorised Access
  • Problem: Sensitive data or APIs are exposed due to misconfigured authentication and authorization.
Data Breaches

  • Problem: User or model data is compromised due to insecure storage or lack of monitoring and logging of data access.

  • Mitigation Strategy:

Monitoring and Logging Failures

Missing or Incomplete Logs

  • Problem: Lack of information to debug issues due to inefficient logging. Critical issues go unnoticed, or too many false positives occur by lack of implementation ofactionable information in alerts.

  • Mitigation Strategy:

Recovery and Rollback

Rollback Mechanisms

  • Problem: New deployment introduces critical errors.

  • Mitigation Strategy:

Disaster Recovery

  • Problem: Complete system outage or data loss.

  • Mitigation Strategy:

EU Declaration of conformity

EU AI Act Article 47

Standards applied

Documentation Metadata

Template Version

Documentation Authors

  • Name, Team: (Owner / Contributor / Manager)
  • Name, Team: (Owner / Contributor / Manager)
  • Name, Team: (Owner / Contributor / Manager)