standards.md

authors
Shakir Laher Christopher Burr

Standards and their role in assurance

!!! info "AI Standards Hub"

This guidance has been co-produced alongside the [AI Standards Hub](https://aistandardshub.org/)—a UK initiative dedicated to the evolving and international field of standardisation for AI technologies, hosted at the Alan Turing Institute and supported by BSI, NPL, and HM Government.

What are standards?

A 'standard' can be described as rules, norms or guidelines, that are established for application within certain contexts and settings. They are crafted to establish a dependable foundation for cultivating collective expectations concerning a product, process, service, or system as part of governance and assurance frameworks. We see examples of their implementation in industry, academia, professions, product development and service delivery.

Standards are developed in a variety of ways, although the best-practice approach to their formation and the most widely accepted are essentially standards crafted through consensus-building processes. These standards can be developed and led by, for example, academic institutions, international bodies, professional associations, industry, or most commonly, formally recognised Standards Development Organisations (SDOs)¹

Standards developed by SDOs are often referred to as 'technical standards'. These standards are developed by stakeholder-driven processes that are guided by principles such as relevance, transparency, and consensus. Standards on the whole are voluntary but can be formally recognised in regulations and international treaties, especially those developed by SDOs. Furthermore, they can be tools used as part of compliance towards governance and assurance frameworks.

Standards can be in a variety of forms but commonly are established and disseminated as documents approved by a recognised body. They provide common and repeatable rules, requirements, norms, guidelines and characteristics for activities that will lead to their associated outcomes; and are aimed at providing 'optimum degree of order'² in the contexts where they are applied.

Different types of standards

Standards find application across diverse domains and sectors. They serve to encode technical specifications related to the design, development, measurement, or performance; of products and systems. Additionally, standards extend their influence to evaluating the impacts or efficiency of broader processes or services.

While some standards are uncomplicated, offering clear metric definitions (e.g. the standardised format of A4 and related paper sizes adopted globally), others offer guidance on intricate, context-specific processes.

Below are some of the categories of standards available.

!!! info "Types of Standards"

• Foundational and terminological
• Process, management, and governance
• Measurement and test methods
• Product and performance requirements
• Interface and architecture

Foundational and terminological

Foundational and terminological standards provide shared vocabularies, terms, concepts, descriptions and definitions, enabling effective communication and fostering collaboration between stakeholders on a given shared area of interest. They help improve understanding between stakeholders through the shared common language at their disposal by setting out agreed-upon terms and definitions. These standards often form the baseline language utilised in other standards supporting their development and forming bilateral relationships.

:::success Examples

• ISO/IEC 22989 BS ISO/IEC 22989:2022 Information technology – Artificial intelligence – Artificial intelligence concepts and terminology
  • This document establishes terminology for AI and describes concepts in the field of AI. This document can be used in the development of other standards and in support of communications among diverse, interested parties or stakeholders. This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations).
  • AI Standards Hub Link
• ISO/IEC TS 5723 PD ISO/IEC TS 5723:2022 Trustworthiness – Vocabulary
  • This document provides a definition of trustworthiness for systems and their associated services, along with a selected set of their characteristics.
  • AI Standards Hub Link

:::

Process, management, and governance

Process, management and governance standards play a vital role in guiding organisational processes and approaches, providing a structured framework to help achieve well-defined steps towards their aims and objectives. These standards serve as a cornerstone in governance, offering a systematic foundation for areas such as quality assurance, risk management, management systems, benchmarking, and regulatory compliance. By establishing clear guidelines and best practices, these standards contribute to effective governance practices within an organisation. They not only enhance the efficiency and consistency of processes but also ensure that organisational activities align with industry benchmarks and comply with relevant regulations. These standards become essential tools in fostering transparency, accountability, and overall excellence in organisational performance.

:::success Examples

• ISO/IEC FDIS 42001:2023 Information technology – Artificial intelligence – Management system

  • This standard specifies the requirements and provides guidance for establishing, implementing, maintaining and continually improving an AI management system within the context of an organization. The standard is intended for use by an organization providing or using products or services that utilize AI systems. It is intended to help the organization develop or use AI systems responsibly in pursuing its objectives and meet applicable regulatory requirements, obligations related to interested parties and expectations from them. This standard is applicable to any organization, regardless of size, type and nature, that provides or uses products or services that utilize AI systems.
  • AI Standards Hub Link

• DCB0129: Clinical Risk Management: its Application in the Manufacture of Health IT Systems & DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems

  • These standard form a pair of clinical risk management standards implemented by the NHS which are enforced under section 250 of the Health and Social Care Act 2012 to assure the clincal safety of Health Information Technology (HIT) systems
  • DCB0129 is for organisations who develop and maintain HIT that will be utilised in health and care environments.
  • DCB0160 is for organisations who plan to deploy, use, maintain and decommission HIT systems within health and care environments. :::

Measurement and test methods

Measurement and test standards are designed to set out repeatable methodologies and requirements to test attributes (e.g., security, safety, etc) of systems which are underpinned by units of measurement and associated metrics for performance and testing standards. These standards ensure specified thresholds have been achieved and enable entities applied under their remit to possess trustworthiness qualities. For communication amongst stakeholders, these standards provide clarity and a shared understanding of tests and measurement requirements, enabling precise and meaningful communication across discrete sectors, domains and scientific disciplines, whose tests and measurement requirements differ. The aviation industry is one example where they are relied upon to achieve acceptably safe and trustworthy aircraft.

:::success Examples

• ISO/IEC TS 4213:2022 - Assessment of machine learning classification performance

  • This document specifies methodologies for measuring classification performance of machine learning models, systems and algorithms.
  • AI Standards Hub Link

• IEEE 2937-2022 - Performance Benchmarking for Artificial Intelligence Server Systems

  • 'AI computing differs from generic computing in terms of device formation, operators, and usage. AI server systems, including AI server, cluster, and high-performance computing (HPC) infrastructures are designed specifically for this purpose. The performance of these infrastructures is important to users not only on generic models but also on the ones for specific domains. Formal methods for the performance benchmarking for AI server systems are provided in this standard, including approaches for test, metrics, and measure. In addition, the technical requirements for benchmarking tools are discussed.'
  • IEEE 2937-2022 :::

Product and performance requirements

Product and performance standards play a multifaceted role across industries, serving as vital tools for quality assurance, consumer protection, and regulatory compliance. These standards establish specific criteria to ensure that products and services meet defined benchmarks, safeguarding consumers by setting safety and performance requirements. These standards facilitate international trade by their very nature, as they provide a common ground for product specifications, enabling consistency and smooth trade relations between countries. Beyond regulatory requirements, adherence to recognised standards fosters innovation, serving as a foundational reference for research and development efforts. The efficiency and productivity of organisations can significantly be enhanced as these standards streamline processes, reducing errors and improving overall workflow. They also play a crucial role in risk management, helping organisations identify and mitigate potential risks associated with their products and processes. Compliance with standards builds public trust, as consumers are more inclined to rely on products and services adhering to recognised criteria. Additionally, this set of standards contribute to safety assurance, particularly in industries where safety is paramount, by preventing accidents and protecting consumers and users. These standards are instrumental in shaping reliable, safe, and high-quality products, contributing to the advancement and credibility of various industries.

:::success Examples

• BS ISO/IEC 29155-4:2016 - Systems and software engineering. Information technology project performance benchmarking framework. Guidance for data collection and maintenance

  • This text provides requirements and guidance pertaining to the collection and maintenance of data for information technology (IT) projects. It serves as a foundational element within the broader context of benchmarking activities under "the IT project performance benchmarking framework."
  • AI Standards Hub Link

• ISO 9001:2015 - Quality Management Systems. Requirements

  • ISO 9001 is an international standard that provides a framework for establishing and maintaining a quality management system. It is a horizontal sector agnostic standard applicable to organisations regardless of their size or the nature of their products or services. While ISO 9001 is not exclusively focused on product development, many organisations adopt it to demonstrate their commitment to quality and to enhance their overall product development and delivery processes.
  • ISO 9001
  • Check with Chris how best to reference :::

Interface and architecture

Interface and architecture standards define and describe common protocols, schemas, syntax, design patterns, interfaces and formats which assists towards interoperability, architectural design and data management. These standards play a pivotal role in ensuring seamless communication and collaboration among diverse components within a system or across multiple systems. By defining consistent protocols and formats, these standards enable elements with similar qualities that are not exactly the same, to exchange data and functionality effectively. They are pivotal to a cohesive and integrated environment, where disparate platforms and architectures can work together harmoniously.

Additionally, these standards further enhance the reliability and efficiency of information exchange. They provide a structured framework for handling and organizing data, promoting consistency and coherence in the management of information interchange across architectures. In essence, the combination of interoperability, infrastructure, architecture, and data management and compatibility standards establishes a robust foundation for the seamless interaction of elements within complex systems, facilitating efficient data exchange and enhancing overall system performance.

:::success Examples

• IEEE 2941: Standard for Artificial Intelligence (AI) Model Representation, Compression, Distribution, and Management

  • The AI development interface, AI model interoperable representation, coding format, and model encapsulated format for efficient AI model inference, storage, distribution, and management are discussed in this standard.
  • AI Standards Hub Link

• HTML (HyperText Markup Language)

  • A standard developed and maintained by the World Wide Web Consortium (W3C) and Web Hypertext Application Technology Working Group (WHATWG) to serve as a markup language for structuring and presenting content on the world wide web, providing a standardised and interoperable format for creating web pages and applications.
  • HTML - Living Standard

:::

Functions and benefits of standards

Standards, as functional tools, can play a pivotal role in realising a wide array of benefits across many domains and sectors. They ensure consistency and uniformity; provide a common language and set of guidelines for processes, products, or services; and help to systematically manage risks and unlock potential. This consistency enhances communication, reduces misunderstandings, creates trust and fosters a shared understanding among stakeholders. They are increasingly relied upon when implementing assurance frameworks to provide the specificity required to assure the quality and safety. This leads to increased efficiency and innovative edge to stay current and competitive in the global marketplace.

The following headings highlight the functions and benefits in more detail:

• Assurance, risks, and trust
• Knowledge and technology diffusion
• Standards as compliance tools

Assurance, risks, and trust

The paramount concern for organisations engaged in technology production is the safety and quality of their products. This concern extends to the individuals who adopt, use, and are affected by these technologies. Standards serve as a cornerstone, enabling organisations to attain high-quality products and effectively manage associated risks by integrating them into their assurance systems. These standards become integral components of conformity assessments, allowing organisations to demonstrate that their technologies and services not only meet safety, ethical, and legal requirements but also contribute to enhancing their reputation and fostering public trust. Noteworthy examples like DCB 0129/0160 exemplify how standards, such as those integrated into the clinical safety assurance framework of the NHS in England, play a pivotal role in upholding safety standards and ensuring the quality of technologies within the healthcare sector.

By establishing benchmarks for the quality of products, services, or processes, standards help organisations maintain high standards of excellence. Consumers, in turn, gain confidence in products that adhere to recognised standards, knowing that they meet specified criteria for safety, reliability, and performance. Additionally, standards contribute to cost savings and efficiency by streamlining processes, reducing errors, and optimising resource utilisation.

Knowledge and technology diffusion

Standards and their development processes provide an infrastructure for the transfer of knowledge and technology within society and the economy. The consensus-building processes inherent in standards development are particularly noteworthy, as they facilitate the translation of research and best practices into accessible, practical guidance. Furthermore, through these consensus-building processes, standards development forums bring together experts, stakeholders, and representatives from various sectors. This collaborative effort ensures that a broad spectrum of perspectives is considered, leading to the creation of standards that reflect a shared understanding of best practices. As a result, organisations can leverage these standards to enhance their operational processes and bring products to market that demonstrate trustworthy properties.

By bridging the gap between research and practical application, standards become instrumental in driving improvements in operational efficiency and the overall quality of products entering the commercial sphere. They provide a structured pathway for the integration of advancements from diverse fields into the fabric of everyday operations, ultimately contributing to the advancement of technology, innovation, and the betterment of society and the economy at large.

Standards as compliance tools

Certain standards are explicitly endorsed by regulatory authorities as essential tools for organisations to meet the requirements outlined in regulations. In the UKs regulatory framework, relevant Secretaries of State have the authority to 'designate' specific standards for the purpose of regulatory conformity. When a standard is officially designated by the government, its adoption carries a significant weight—it essentially presumes that organisations adhering to this standard are in compliance with the pertinent aspects of regional regulations. In essence, organisations that have followed a designated standard are presumed to be in compliant with the relevant regulatory requirements. This mechanism mirrors similar practices in other jurisdictions, such as the European Union (EU), where 'harmonised' standards play an analogous role in establishing and ensuring regulatory conformity.

Standards and Trustworthy and Ethical Assurance

With the types of standards and their functions and benefits now outlined, we can also ask 'what role do standards have in the TEA framework'? And, what other connections are there between TEA and standards?

??? info "Reminder of the Types of Standards"

- Foundational and terminological
- Interface and architecture
- Measurement and test methods
- Process, management, and governance
- Product and performance requirements

Using the types of standards as a reference, we can identify the following roles for standards in the TEA framework:³

Supporting development of assurance case structure

Several types of standards can support the development of an assurance case's structure. For instance, foundational and terminological standards can be useful for identifying core attributes for a top-level goal claim, which in turn would allow a project team to develop strategies for each of the core attributes. And, process, management, and governance standards could help a team or organisation develop a project governance plan that integrates considerations of the iterative development of an assurance case (e.g. ML safety requirements as set out in the AMLAS guidance⁴). These standards can also ensure that the assurance case adheres to industry best practices, thereby enhancing its credibility and acceptance.

Evidential grounding and justification of property claims

Property claims require evidential grounding. That is, the validity of a claim needs to be justified by connecting the claim to evidence through a supported by link (see guidance). But how does a project team or organisation know which evidence to select, and whether it is sufficient to justify the claims being made? This is where standards can provide useful support?

For instance, measurement and test methods and product and performance requirements standards are crucial for determining whether a system meets the required performance levels. They can also help set out criteria or benchmarks for determining which forms of evidence are sufficient (e.g. objective and quantitative criteria for compliance) or how the evidence should be gathered, documented, and managed (e.g. communication of uncertainty when dealing with probabilistic evidence).

!!! note "The Use of Artificial Intelligence in Health Care: Trustworthiness (ANSI/CTA-2090)"

ANSI/CTA-2090 is one example of a standard that sets out requirements for several core attributes related to human, technical, and regulatory trust. For instance, their approach to bias includes (but is not limited to) the following requirements for the model developer and owner of the AI solution:

    - Determine if the existing data set are “raw” data or pre-processed data.
    - For pre-processed data, find out what kind(s) of pre-processing has been performed so that the same preprocessing software/method can be applied to the input data during inference.
    - If there is need to capture additional new data, it is important to know how the existing data was collected (e.g., hardware/sensor, environment condition) so that the new data can be collected under similar conditions.
    - When combining or joining multiple existing data sets:
        - Learn and/or model the bias for each data set.
        - Mitigate or undo the associated bias from each data set.
        - Find out the commonalities to all the data sets (e.g., through modeling) to achieve cross-dataset generalization.
    - When splitting a collected data set into training, validation, and testing datasets, make sure each of them is randomly selected by applying certain techniques (e.g., data shuffling with a random number generator). By doing so, it can reduce the potential bias introduced in this process.

Building trust among stakeholders

For systems that interact with other systems or operate within a larger ecosystem, process, management, and governance standards can ensure compatibility or interoperability of data. This can be vital in situations where groups of stakeholders are making choice about whether to invest or interact with a specific ecosystem or platform (e.g. digital twins). Here, providing assurance (through reference to an accepted standard) can build confidence among the stakeholders (or possible stakeholders) within the ecosystem. Such an example extends beyond goals such as interoperability though. Concerns such as data quality, security and privacy, liability and accountability, can also impact the trustworthiness of a system. As such, communication through structured assurance cases that reference key standards can help build trust.

Knowledge transfer and consensus formation

Where standards exist at an early (and perhaps incomplete) stage of development, or perhaps do not exist at all (e.g. when dealing with novel data-driven technologies), assurance cases can serve as a useful reference for how different teams and sectors understand sufficiency and justifiability. Consider a situation where an assurance claim regarding a property of a system cannot be sufficiently evidenced. This does not necessarily mean it is false. Rather, it could indicate a gap where standards do not yet exist. In this sense, open assurance cases can support the formation of consensus and the development of best practices and community-based standards.

For instance, several teams within a shared community of practice (e.g. explainability of AI systems for environmental science) may choose to share their assurance cases with each other through structured knowledge share events (e.g. workshops). In doing so, they could identify common claims that depend on the same forms of evaluative evidence (e.g. usability testing and related human factors research). Furthermore, they may be able to identify areas where their design choices will limit interoperability in the broader ecosystem, and on this basis revisit their system requirements.

!!! abstract "Further Resources"

For more information on standards, see the following resources:

- The AI Standards Hub has a range of training materials included in their training database: [https://aistandardshub.org/training-search/](https://aistandardshub.org/training-search/)
- The British Standards Institute (BSI) has a knowledge base with articles and news related to a wide array of standards: [https://knowledge.bsigroup.com/](https://knowledge.bsigroup.com/)

Footnotes

1. AI Standards Hub. 1.Introducing AI Standards. 2022. https://aistandardshub.org/resource/main-training-page-example/1-what-are-standards/. ↩

2. International Standards Organisation. 1. Standards in our world. ISO. https://www.iso.org/sites/ConsumersStandards/1_standards.html ↩

3. Standards may also have additional roles in the context of the broader assurance ecosystem. ↩

4. Hawkins, R., Paterson, C., Picardi, C., Jia, Y., Calinescu, R., & Habli, I. (2021). Guidance on the Assurance of Machine Learning in Autonomous Systems (AMLAS). University of York. https://www.york.ac.uk/media/assuring-autonomy/documents/AMLASv1.1.pdf ↩