aicomply.
aicomply.
Home
Understand OverviewLearning ModulesGlobal RegulationsEU AI Act TextGlossaryFAQ
Assess Overview1. Register2. Classify3. Requirements4. Comply5. Monitor
Implement OverviewPoliciesStandardsControlsProceduresTemplates
Resources
GitHubGet Started
Understand/Governance & Penalties/Chapter 6
Lesson10 minChapter 6 of 8

Post-Market Monitoring

Provider obligations for monitoring deployed AI systems.

PreviousNextBack to Module

Learning Objectives

By the end of this chapter, you will be able to:

  • Design a post-market monitoring system meeting Article 72 requirements
  • Establish data collection mechanisms with deployers and users
  • Implement analysis procedures to detect compliance issues
  • Trigger appropriate corrective actions based on monitoring data
  • Report serious incidents according to Article 73 requirements

Post-Market Monitoring Framework (Article 72)

Post-market monitoring (PMM) ensures high-risk AI systems remain compliant throughout their operational lifetime. Unlike one-time conformity assessment, PMM is continuous and responsive to real-world performance.

Legal Requirements

ArticleRequirementKey Elements
Article 72(1)Establish PMM systemProportionate to nature, risk
Article 72(2)Active and systematic collectionPerformance data throughout lifetime
Article 72(3)Documentation and availabilityPlan documented, available to authorities
Article 72(4)Integration with existing PMMProviders under Union harmonisation legislation or financial services law may integrate AI Act PMM into existing systems
Article 73Serious incident reportingReport to market surveillance authorities within 2, 10, or 15 days depending on incident type

PMM System Elements

ElementPurposeImplementation
Data collectionGather performance informationFeedback channels, telemetry, reports
Analysis proceduresEvaluate collected dataMetrics, thresholds, trend analysis
Corrective action triggersIdentify when action neededCriteria, escalation procedures
Documentation updatesKeep records currentVersion control, change logs
Authority reportingMeet regulatory obligationsReporting templates, procedures

Data Collection Framework

Data Sources

SourceData TypeCollection Method
DeployersOperational performance, incidents, feedbackRegular reports, surveys, incident forms
UsersComplaints, satisfaction, error reportsFeedback channels, support tickets
System telemetryTechnical metrics, logs, performance dataAutomated collection (with consent)
Market surveillanceRegulatory feedback, inspection findingsAuthority communications
External researchAcademic studies, third-party auditsLiterature monitoring, commissioned studies
Media/publicReports, complaints, incidentsMedia monitoring, public feedback

Performance Metrics

Metric CategorySpecific MetricsMonitoring Frequency
AccuracyPrecision, recall, F1, error ratesContinuous or periodic
ReliabilityUptime, failure rates, consistencyContinuous
FairnessDemographic performance gaps, bias indicatorsPeriodic (quarterly)
SafetyNear misses, incidents, risk indicatorsContinuous
User satisfactionFeedback scores, complaint ratesOngoing
Performance driftChanges from baseline metricsContinuous

Deployer Feedback Mechanisms

MechanismPurposeFrequency
Regular performance reportsSystematic data collectionMonthly/quarterly
Incident reporting formsCapture adverse eventsAs incidents occur
Annual surveysComprehensive feedbackAnnually
Support interactionsIssue identificationOngoing
Contract review meetingsStrategic feedbackAnnually/bi-annually

User Feedback Channels

ChannelTypeData Captured
In-product feedbackIntegrated reportingReal-time issues, satisfaction
Support ticketsIssue-basedProblems, errors, complaints
Complaint mechanismsFormal complaintsSerious concerns, rights issues
User researchStructured researchUsability, satisfaction, impact

Analysis and Evaluation

Analysis Framework

Analysis TypePurposeFrequency
Trend analysisDetect performance changes over timeMonthly
Threshold monitoringIdentify breaches of acceptable limitsContinuous
Root cause analysisUnderstand causes of issuesPer incident
Comparative analysisCompare across deploymentsQuarterly
Bias monitoringDetect emerging fairness issuesQuarterly
Risk reassessmentUpdate risk profileAnnually or on trigger

Performance Thresholds

MetricGreenAmberRed
AccuracyWithin specifications5-10% below spec>10% below spec
Error rateBaseline2x baseline>3x baseline
Complaint rate< 0.1% users0.1-0.5% users> 0.5% users
Bias indicator< 5% gap5-10% gap> 10% gap
Incident rate0 seriousMinor incidentsSerious incident

Trigger Points for Action

TriggerIndicated ActionTimeline
Red threshold breachImmediate investigation, potential pauseHours to days
Amber threshold breachEnhanced monitoring, remediation planningDays to weeks
Trend toward thresholdProactive investigationWeeks
Serious incidentIncident response, authority notificationImmediate
Pattern across deploymentsSystematic reviewDays

Corrective and Preventive Actions

Corrective Action Categories

CategoryTriggerActions
Technical fixesPerformance issues, errorsSystem updates, patches
Documentation updatesChanged understanding, new limitationsRevised documentation
Training updatesUser/deployer misunderstandingEnhanced guidance
Deployment restrictionsUnsafe in certain contextsUse case limitations
System updatesModel improvements neededRetraining, enhancement
WithdrawalFundamental safety/compliance issuesMarket removal

Corrective Action Process

StageActivitiesTimeline
DetectionIssue identified through monitoringDay 0
AssessmentSeverity evaluation, scope determinationDays 1-3
PlanningCorrective action plan developedDays 3-7
ImplementationChanges made, tested, deployedDays 7-30
VerificationConfirm effectivenessDays 30-60
DocumentationUpdate records, close issuePost-verification

Documentation Update Requirements

Update TypeTriggerRecords to Update
Performance updateMetrics change significantlyTechnical documentation
Limitation discoveryNew limitation identifiedInstructions, model card
Risk updateRisk profile changesRisk management file
Incident recordIncident occursIncident log
Version changeSystem updatedVersion history, changelog

Serious Incident Reporting (Article 73)

Definition of Serious Incident

CategoryExamplesSeverity
DeathAI decision/action contributed to deathHighest
Serious damage to healthPhysical injury, significant psychological harmHighest
Serious property damageSignificant financial loss, destructionHigh
Serious/irreversible environmental damageEnvironmental harmHigh
Critical infrastructure disruptionEssential service interruptionHigh
Fundamental rights breachDiscrimination, rights violation at scaleHigh

Reporting Timeline

EventTimelineAction
Incident occursT+0Become aware
Initial assessmentWithin 24 hoursDetermine if serious incident
Authority notification15 days for general incidents (Art. 73(2)); 2 days for widespread infringements (Art. 73(3)); 10 days for deaths (Art. 73(4))Initial report
Full reportAs soon as possibleDetailed incident report
Follow-upAs requiredAdditional information, updates

Report Content Requirements

ElementContent
System identificationAI system name, version, unique ID
Incident descriptionWhat occurred, when, where
Impact assessmentWho affected, nature of harm
Root cause (if known)Preliminary or confirmed cause
Immediate actionsSteps taken to address
Planned actionsFurther remediation planned
Contact informationPoint of contact for follow-up

Reporting Process

StepActionResponsibility
1. DetectionIdentify potential serious incidentOperations/Support
2. EscalationNotify incident response teamDetector
3. ClassificationDetermine if serious incidentCompliance/Legal
4. NotificationReport to relevant authorityCompliance
5. InvestigationFull root cause analysisTechnical team
6. ResponseImplement corrective measuresCross-functional
7. Follow-upProvide updates to authorityCompliance
8. ClosureDocument resolutionCompliance

PMM System Design

Organisational Structure

RoleResponsibilities
PMM OwnerOverall system responsibility, authority liaison
Data AnalystCollect and analyse monitoring data
Technical LeadAssess technical issues, implement fixes
Compliance LeadRegulatory reporting, documentation
Deployer RelationsManage deployer feedback channels
Quality AssuranceVerify corrective actions effective

System Architecture

ComponentFunctionImplementation
Data collectionGather inputs from all sourcesAPIs, forms, integrations
Data storageStore monitoring data securelyDatabase with retention
Analysis engineProcess and analyse dataAnalytics platform
Alert systemNotify of threshold breachesAutomated alerts
ReportingGenerate reports for stakeholdersDashboards, reports
DocumentationMaintain recordsDocument management

Integration with QMS

QMS ElementPMM Integration
Document controlPMM procedures documented, controlled
Corrective actionsPMM-identified issues in CAPA system
Management reviewPMM data in management reviews
Internal auditsPMM system audited
TrainingPMM responsibilities in training

PMM Documentation Requirements

PMM Plan

SectionContent
ScopeAI systems covered, monitoring boundaries
Data sourcesAll sources, collection methods
Metrics and thresholdsWhat measured, acceptable limits
Analysis proceduresHow data analysed, frequency
Action triggersWhen action required
ResponsibilitiesWho does what
Reporting proceduresInternal and regulatory reporting
Review cycleWhen PMM system reviewed

Records to Maintain

RecordContentRetention
Performance dataRaw and analysed monitoring dataLifetime + 10 years
Incident reportsAll incidents, serious and minorLifetime + 10 years
Corrective actionsActions taken, effectivenessLifetime + 10 years
Authority reportsSubmitted reports, correspondenceLifetime + 10 years
Analysis reportsPeriodic analysis outputsLifetime + 10 years
System changesUpdates made based on monitoringLifetime + 10 years

PMM Implementation Checklist

System Setup

  • PMM Owner designated
  • PMM Plan documented
  • Data collection mechanisms established
  • Analysis procedures defined
  • Thresholds and triggers specified
  • Reporting templates prepared
  • System integrated with QMS

Deployer Relationships

  • Feedback mechanisms communicated
  • Reporting requirements in contracts
  • Regular review meetings scheduled
  • Incident escalation path clear
  • Training provided on feedback

Ongoing Operations

  • Data collection active
  • Analysis performed per schedule
  • Thresholds monitored continuously
  • Corrective actions tracked
  • Documentation updated
  • Management reviews conducted

Authority Readiness

  • Reporting procedures in place
  • Contact points identified
  • Report templates available
  • Escalation path to legal/compliance clear
  • Training on serious incident definition

What You Learned

Key concepts from this chapter

**Post-market monitoring** is mandatory for high-risk AI—it's a continuous obligation, not a one-time activity

**Data collection** must be active and systematic—don't wait for problems to come to you

**Analysis** should be structured with clear thresholds and trigger points for action

**Corrective actions** must be proportionate, documented, and verified for effectiveness

**Serious incidents** require reporting to market surveillance authorities within 2, 10, or 15 days depending on incident type (Art. 73(2)-(4))

Chapter Complete

Governance & Penalties

6/8

chapters

Market SurveillanceCompliance Strategy Development