07.11.2024

ISO/IEC 5338: Get to know the global standard on AI systems

Rob van der Veer

The much-anticipated international standard on how to develop and manage AI systems was published on Dec 20th, 2023: ISO/IEC 5338 on the AI lifecycle. At Software Improvement Group, we are proud to have had the honour of leading the writing effort.

Why ISO/IEC 5338 matters to your organization

Finally, organizations can get standardized guidance on what they need to arrange and consider when engineering AI solutions, regarding risk management, quality assurance, project management, data engineering, model engineering, continuous validation, HR, etc.

Most of these processes are already in place in organizations, which is why 5338 discusses AI not as an isolated thing, but as an extension of the existing software lifecycle. It builds on known software best practices, for example, described in ISO/IEC 12207.

AI is often treated as something completely different, leading to the exclusion of data scientists from good governance, software development best practices, and management of information security and privacy. The SIG 2023 Benchmark report highlights this problem: AI software severely lacks documentation, automated testing, and code quality. Therefore, it is highly recommended to treat production AI for what it is: professional software.

Regulatory compliance and ISO/IEC 5338

Adopting ISO/IEC 5338 isn’t just about building better software with integrated AI; it’s about governance and accountability. As regulations evolve, this standard will offer critical guidance to prevent organizations from getting into trouble: from failed initiatives and uncontrolled costs to incidents, scandals, and broken laws.

The duty of care for AI is proper governance, and ISO/IEC 5338 provides the direction to make that happen.

What’s inside ISO/IEC 5338?

The ISO/IEC 5338 covers AI-specific aspects for all software lifecycle processes, following the ISO/IEC 12207 standard. If you don’t have a comprehensive software lifecycle in place, it can be useful to obtain the ISO/IEC 12207 to get you started. Otherwise, you can use the ISO/IEC 5338 without the ISO/IEC 12207, as a checklist of attention points for AI.

See the diagram below for the technical processes in the lifecycle.

Diagram of ISO/IEC 5338

My interpretation of Figure 3 in 5338 with a selection of AI particularities in callouts.

The AI activity of Model Engineering is not treated as a separate process because, from a lifecycle perspective, it perfectly fits into the existing Implementation process.

Next to these technical processes, there are also agreement processes, organization-enabling processes, and technical management processes, such as risk management and quality assurance.

ISO/IEC 5338 discusses so-called AI particularities with every lifecycle process: attention points specifically for AI. For example:

  • The importance of protecting the sensitive training data that engineers work with to build a model, in contrast to regular software engineering where only anonymous test data is used;
  • The range of new risk topics (e.g. transparency, unwanted bias, purpose-binding);
  • Project managers will need to know how AI projects can be hard to predict in experimental stages;
  • HR-wise it is important to know that you need different skill sets;
  • When models run in production their performance can be continuously validated to detect issues and to see if the model is going ‘stale’.

What is ISO/IEC and why is there a fee required for downloading ISO/IEC 5338? 

ISO (International Organization for Standardization) and IEC (International Electrotechnical Commission) form the specialized system for worldwide standardization. Well-known examples are the information security standard 27001, quality management standard 9001, and 13485 (all medical devices need to comply with that). 

ISO and IEC need to fund the efforts for coordinating the creation of standards around the world. It is not a commercial enterprise. Simply put: if you don’t have a business case for purchasing the ISO/IEC 5338, then your organization is probably not ready to build AI systems. 

Is ISO/IEC 5338 future-proof?

Creating global standards like ISO/IEC 5338 is a process marked by thoughtful consideration and forward-thinking. Since the start of writing 5338, there has been a rise of Generative AI and other breakthroughs, and I’m happy to report that the 5338 withstood that test of time by discussing AI attention points on a generic, but still actionable level.

How was ISO/IEC 5338 created? 

The creation of ISO/IEC 5338 was an intensive 3-year journey that involved the collective expertise of a diverse group of experts from over 30 countries. This process involved extensive analysis and integration of hundreds of comments and suggestions.  

In this period, I had the privilege of setting up and leading the writing group within the ISO working group, providing the main content.  

This was an incredible collaborative global effort, engaging many stakeholders: we organized numerous workshops and interviews with experts. A significant contribution came from SIG, which donated its AI engineering framework as a base model. Additionally, Joost Visser from Leiden University provided the excellent framework of SE-ML, a collection of best software engineering practices tailored for machine learning. 

A final thank you to my editor, Yuchang Cheng, and my co-writers Harm Ellens, Arjen Goedegebure, and Leon Doorn, among many other experts involved, for the memorable teamwork, which was instrumental in bringing this standard to life.

Our collective efforts have culminated in a standard that not only reflects our shared knowledge, but also our commitment to advancing the field of AI responsibly.

Our AI readiness guide, written by Rob van der Veer, co-author of ISO/IEC 5338, helps organizations navigate the complexities of AI governance. With 19 practical steps across governance, security, and IT development, the guide empowers leaders to adopt responsible AI systems aligned with the latest global standards, minimizing risks and maximizing AI’s potential. 
 
Implement AI the right way. Download our AI readiness guide to learn how ISO/IEC 5338 can guide your AI adoption journey. 
