Trust and compliance

ALTAI self-assessment

Praxara's self-assessment against the seven requirements of the Assessment List for Trustworthy AI, as referenced by the EMA Reflection Paper on AI in the Medicinal Product Lifecycle, Section 2.8. Reviewed quarterly.

The EMA Reflection Paper (EMA/CHMP/CVMP/83833/2023) cites the ALTAI as the practical framework for implementing the European Commission's ethical principles for trustworthy AI in the medicinal product lifecycle. Praxara publishes this self-assessment as part of its accountability posture for deployers and auditors.

This page is a summary. Full evidence, artefacts, and change history live under docs/compliance/ and docs/gxp/ in the Praxara repository, available to enterprise customers under DPA.

Last reviewed: 2026-04-22. Next review: quarterly.

Requirement 1

Human agency and oversight

What ALTAI requires

AI systems should empower human beings, support their autonomy and informed decision-making, and be subject to proper oversight through governance mechanisms such as human-in-the-loop, human-on-the-loop, or human-in-command.

What Praxara does
  • Every AI-generated output enters a PENDING review state; a qualified reviewer must approve, reject, or correct before any downstream use.
  • 21 CFR Part 11-style e-signature (password plus reason) is captured at approval of regulator-facing deliverables.
  • Praxara does not auto-submit to EudraVigilance, MHRA, or any other regulator; every export is user-initiated and e-signed.
  • Workflow gates are declarative, auditable, and cannot be bypassed by role escalation.

Requirement 2

Technical robustness and safety

What ALTAI requires

AI systems should be resilient and secure, accurate, reliable, reproducible, and provide fallbacks where relevant.

What Praxara does
  • Foundation model versions are pinned per skill in the ModelRegistry; changes go through e-signed change control.
  • Every skill output is validated against a Zod schema before it is persisted or shown to the reviewer.
  • Golden-set regression runs weekly for HIGH_PATIENT_RISK skills and monthly for HIGH_REGULATORY_IMPACT skills; thresholds and suspension triggers are documented in the System Risk Management Plan.
  • Multi-provider routing (Anthropic, Google, Azure OpenAI) with automatic fallback; failover is logged.
  • SHA-256 checksum chain on every audit entry with on-demand integrity verification endpoint.
Planned
  • Production drift-monitoring dashboard (GoldenCase / SkillEval schema in place; dashboard surfaces TBD).
  • Adversarial-input regression suite for free-text intake skills.

Requirement 3

Privacy and data governance

What ALTAI requires

Full respect for privacy and data protection must be ensured, alongside adequate data governance mechanisms, taking into account the quality and integrity of the data and ensuring legitimised access to data.

What Praxara does
  • DPIA template published (docs/compliance/DPIA_template.md) aligned with UK GDPR Article 35, EU GDPR Article 35, and EMA Reflection Paper Section 2.7.
  • Tenant isolation enforced at application and database row level (Postgres RLS).
  • AES-256 at rest, TLS 1.2+ in transit; EU region residency by default.
  • Foundation models are not fine-tuned on tenant data; provider enterprise terms exclude training use.
  • GDPR Article 30 record (ROPA) and data subject request workflow (Articles 15 to 22) implemented in platform.
  • Retention policy model enforces per-resource TTL.
Planned
  • Free-text narrative redaction pre-processor (tenant-configurable); blocker for deployments that require it.
  • Customer-managed keys on Enterprise tier rollout.

Requirement 4

Transparency

What ALTAI requires

Traceability, explainability, and open communication about the AI system's capabilities and limitations must be ensured.

What Praxara does
  • Every AI call is logged with provider, model name, version, prompt hash, input and output token counts, cost, latency, and reviewer decision.
  • Model cards are maintained per deployed LLM (EU AI Act Article 11 alignment) and accessible to enterprise customers.
  • Source-cited outputs: the cross-reference skill traces every factual claim to the exact source passage; the safety-narrative skill forbids non-source content.
  • Skills expose confidence signals and "AI suggestion, qualified human must verify" labels at the UI layer.
  • Instructions for Use (IFU) per EU AI Act Article 13 published as JSON endpoint.
Planned
  • Public-facing model card index beyond enterprise DPA.

Requirement 5

Diversity, non-discrimination, and fairness

What ALTAI requires

Unfair bias must be avoided; AI systems should be accessible to all, including persons with disabilities, and involve relevant stakeholders throughout the lifecycle.

What Praxara does
  • Praxara is a decision-support tool for regulated PV workflows; it does not make decisions about individuals beyond the coding and classification of their case reports.
  • Skill prompts are reviewed to avoid inferences about patients beyond what the source document contains; enrichment from external sources is disabled.
  • Human-in-the-loop review is mandatory, which places the qualified human (not the model) as the decision-maker for every coded or classified record.
  • Golden-sets include case types that exercise vulnerable populations (paediatric, pregnancy, geriatric) to surface performance gaps.
  • Accessibility targets for the reviewer UI: WCAG 2.1 AA (ongoing).
Planned
  • Formal bias evaluation protocol per skill (beyond golden-set accuracy): stratified performance by age, sex, reporter type, country of origin.
  • Stakeholder consultation programme with tenant QPPVs and patient groups (scoping).

Requirement 6

Societal and environmental well-being

What ALTAI requires

AI systems should benefit all human beings, be sustainable and environmentally friendly, and take into account broader societal, democratic, and environmental effects.

What Praxara does
  • Praxara supports statutory pharmacovigilance, a public health activity; its intended effect is to strengthen safety surveillance and shorten the path from signal to action.
  • Praxara discloses the energy cost of each inference call via AI telemetry (token counts and provider region), enabling carbon reporting.
  • EU-region hosting reduces cross-border data flow energy and latency.
  • No use of Praxara for political, manipulative, or behavioural-targeting purposes; Terms of Service forbid such use.
Planned
  • Publication of an annual environmental impact statement covering aggregate inference workload.
  • Provider selection criteria weighting EU-region low-carbon data centres.

Requirement 7

Accountability

What ALTAI requires

Mechanisms should be in place to ensure responsibility and accountability for AI systems and their outcomes, including auditability, minimisation of negative impact, trade-off handling, and redress.

What Praxara does
  • SHA-256-chained immutable audit log records every action, including every AI call and every human approval, with tamper-evidence verification.
  • Five-role RBAC with tenant isolation; every approval binds to an identified user via e-signature.
  • Published roles and responsibilities in the System Risk Management Plan (QPPV, Head of PV, DPO, Tech Lead, QA Lead, Skill Owner, Reviewer).
  • Incident response and personal data breach notification procedures aligned with GDPR Article 33 (72 hours).
  • Responsible disclosure channel: [email protected]; safe-harbour policy published.
  • Quarterly review cadence for the SRMP; annual (or event-driven) review cadence for the DPIA.
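
What verifying a SHA-256-chained audit log involves, for auditors evaluating the tamper-evidence claims under Requirements 2 and 7. This is an added example, not Praxara's code: the entry fields, the genesis value, and the function names are all assumptions. It also shows why the latest hash must be anchored outside the log store, since a chain on its own does not reveal a truncated tail.

```javascript
const crypto = require("node:crypto");

// Assumed entry layout (hypothetical, not Praxara's schema):
// { seq, actor, action, prevHash, hash }
const GENESIS = "0".repeat(64);

// Fixed field order gives a deterministic serialisation for hashing.
function entryDigest(prevHash, { seq, actor, action }) {
  const payload = JSON.stringify([seq, actor, action]);
  return crypto.createHash("sha256").update(prevHash + "\n" + payload).digest("hex");
}

function append(log, actor, action) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const body = { seq: log.length, actor, action };
  const entry = { ...body, prevHash, hash: entryDigest(prevHash, body) };
  log.push(entry);
  return entry;
}

// Walks the chain and reports the first entry that fails. anchoredHead is the
// latest hash as recorded outside the log store (for example in a signed export).
function verifyChain(log, anchoredHead) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.seq !== i) return { ok: false, brokenAt: i, reason: "sequence gap" };
    if (e.prevHash !== prev) return { ok: false, brokenAt: i, reason: "prevHash mismatch" };
    if (entryDigest(prev, e) !== e.hash) return { ok: false, brokenAt: i, reason: "content altered" };
    prev = e.hash;
  }
  if (anchoredHead !== undefined && prev !== anchoredHead) {
    return { ok: false, brokenAt: log.length, reason: "head does not match anchor" };
  }
  return { ok: true, brokenAt: -1, reason: "" };
}

// Constructed sample entries, for illustration only.
function buildSampleLog() {
  const log = [];
  append(log, "skill:coding", "AI_CALL output=PENDING");
  append(log, "reviewer:alice", "APPROVE e-signed");
  append(log, "reviewer:alice", "EXPORT user-initiated");
  return log;
}
```

An edited entry fails at its own index; an edit whose hash was recomputed fails at the next entry; a dropped tail passes unless the anchored head is supplied.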
Planned
  • External ISO/IEC 42001 (AI management system) certification.
  • Public-facing annual trustworthy-AI report.

Scope and caveats

This self-assessment covers Praxara as shipped (the tenant SaaS platform and the skills listed in the Praxara skill catalogue). It does not assess the internal behaviour of the foundation models themselves; for those, refer to the model cards published by Anthropic, Google, and OpenAI / Microsoft.

Statements marked "Planned" reflect features on the production readiness roadmap; they are not claims of current capability. See the Praxara Production Readiness Plan for target dates.

This page is not a certification. ALTAI is a voluntary self-assessment instrument. Praxara will pursue formal conformity work under the EU AI Act for any in-scope deployer use case.
