DeepAI
Log In Sign Up

Responsible AI Pattern Catalogue: A Multivocal Literature Review

09/12/2022
by   Qinghua Lu, et al.
CSIRO
0

Responsible AI has been widely considered as one of the greatest scientific challenges of our time and the key to increase the adoption of AI. A number of AI ethics principles frameworks have been published recently. However, without further best practice guidance, practitioners are left with nothing much beyond truisms. Also, significant efforts have been placed at algorithm-level rather than system-level, mainly focusing on a subset of mathematics-amenable ethical principles (such as fairness). Nevertheless, ethical issues can occur at any step of the development lifecycle crosscutting many AI and non-AI components of systems beyond AI algorithms and models. To operationalize responsible AI from a system perspective, in this paper, we present a Responsible AI Pattern Catalogue based on the results of a Multivocal Literature Review (MLR). Rather than staying at the principle or algorithm level, we focus on patterns that AI system stakeholders can undertake in practice to ensure that the developed AI systems are responsible throughout the entire governance and engineering lifecycle. The Responsible AI Pattern Catalogue classifies the patterns into three groups: multi-level governance patterns, trustworthy process patterns, and responsible-AI-by-design product patterns. These patterns provide a systematic and actionable guidance for stakeholders to implement responsible AI.

READ FULL TEXT VIEW PDF

page 1

page 2

page 3

page 4

03/02/2022

Responsible-AI-by-Design: a Pattern Collection for Designing Responsible AI Systems

Although AI has significant potential to transform society, there are se...
01/03/2023

Operationalising Responsible AI Using a Pattern-Oriented Approach: A Case Study on Chatbots in Financial Services

Responsible AI is the practice of developing and using AI systems in a w...
06/22/2020

Where Responsible AI meets Reality: Practitioner Perspectives on Enablers for shifting Organizational Practices

Large and ever-evolving industry organizations continue to invest more t...
05/16/2022

How Different Groups Prioritize Ethical Values for Responsible AI

Private companies, public sector organizations, and academic groups have...
04/03/2022

Data Cards: Purposeful and Transparent Dataset Documentation for Responsible AI

As research and industry moves towards large-scale models capable of num...
11/20/2020

Training Ethically Responsible AI Researchers: a Case Study

Ethical oversight of AI research is beset by a number of problems. There...
09/14/2021

Just What do You Think You're Doing, Dave?' A Checklist for Responsible Data Use in NLP

A key part of the NLP ethics movement is responsible use of data, but ex...

1 Introduction

Artificial Intelligence (AI) has been transforming our society and listed as the top strategic technology in many organizations. Although AI has huge potential to solve real-world challenges, there are serious concerns about its ability to behave ethically and make decisions in a responsible way. Compared to traditional software systems, AI systems involve higher degree of uncertainty and more ethical risk due to their dynamic, autonomous and opaque decision making and historical-data-dependent behaviors. Responsible AI refers to the ethical development of AI systems to benefit the humans, society, and environment. The concept of responsible AI has attracted significant attention from governments, organizations, companies and societies. According to the 2022 Gartner CIO and Technology Executive Survey, 48% of organizations have already adopted or plan to adopt AI technologies within the next 12 months while 21% of organizations have already deployed or plan to deploy responsible AI technologies within the next 12 months111https://www.gartner.com/en/articles/it-budgets-are-growing-here-s-where-the-money-s-going. Responsible AI has been widely considered as one of the greatest scientific challenges of our time and the key to unlock the market and increase the adoption of AI.

To address the responsible AI challenges, a number of AI ethics principles frameworks have been published recently  [1], which AI systems are supposed to conform to. There has been a consensus made around the AI ethics principles [2]. A principle-based approach allows technology-neutral, future-proof and context-specific interpretations and operationalization. However, without further best practice guidance, practitioners are left with nothing much beyond truisms. For example, it is a very challenging and complex task to operationalize the the human-centered value principle regarding how it can be designed for, implemented and monitored throughout the entire lifecycle of AI systems. In addition, significant efforts have been put on algorithm-level solutions which mainly focus on a subset of mathematics-amenable ethical principles (such as privacy and fairness). However, issues (including ethical issues) can occur at any step of the development lifecycle crosscutting many AI, non-AI and data components of systems beyond AI algorithms and models. To try to fill the principle-algorithmic gap, further guidance such as guidebooks222https://www.microsoft.com/en-us/haxtoolkit/333https://pair.withgoogle.com/guidebook, questions to generate discussions [3, 4], checklists [5, 6] and documentation templates [7, 8, 9, 10, 11, 12] have started to appear. Those efforts tend to be ad-hoc sets of more detailed prompts for practitioners to think about all the issues and come up with their own solutions.

Figure 1: Overview of RAI pattern catalogue.

In this paper, we therefore adopt a pattern-oriented approach and present a Responsible AI Pattern Catalogue for operationalizing responsible AI from a system perspective. In software engineering, a pattern is a reusable solution to a problem that occurs commonly within a given context in software development [13]. Rather than staying at the ethical principle level or algorithm level, we focus on patterns that practitioners can utilize in practice to ensure that the developed AI systems are responsible throughout the entire software development lifecycle. As shown in Fig. 1, the Responsible AI Pattern Catalogue classifies patterns into three groups: 1) governance patterns for establishing multi-level governance for responsible AI; 2) process patterns for setting up trustworthy development processes; 3) product patterns for building responsible-AI-by-design paradigm into AI systems. These patterns are identified through conducting a systematic Multivocal Literature Review. The full version of our Responsible AI Pattern Catalogue can be accessed online 444Responsible AI Pattern Catalogue: https://research.csiro.au/ss/science/projects/responsible-ai-pattern-catalogue/ Each of the patterns is described following the traditional pattern structure (i.e., context, problem, solution, benefits, drawbacks,related patterns, known uses).

The remainder of the paper is organized as follows. Section 2 introduces the methodology for building up the pattern catalogue. Section 3 presents the AI system stakeholders and governance patterns. Section 4 discusses the process patterns for each stage of the development lifecycle. Section 5 introduces the project patterns. Section 6 discusses the related work. Section 5 concludes the paper.

Figure 2: Methodology.

2 Methodology

To build up a Responsible AI (RAI) Pattern Catalogue, we performed a systematic Multivocal Literature Review (MLR) to collect patterns. Fig. 2 presents the research design and methodology. The high level research question that has guided this research is: ”What responsible AI solutions can be identified?”. The research question focuses on identifying the reusable patterns for responsible AI.

2.1 Data preparation

The benefit of an MLR is to cover both academic literature and grey literature in the study. Grey literature is written by practitioners (such as governments, organizations, companies) and not published in books or scientific journals/conferences. However, grey literature can provide valuable insights on the state of practice and may include many industry solutions that are not discussed in academic papers. Given the nature of patterns, we decided to also review grey literature to understand the state of the practice in the field of Responsible AI and collect patterns from industry. In our MLR, we identify: (1) all relevant academic peer-reviewed academic literature and (2) all relevant grey literature for this study.

2.2 Search strategy

The study has been carried out separately for academic literature and grey literature. We adopted Kitchenham’s Systematic Literature Review (SLR) guideline [14] to review the academic literature and used Garousi et al’s guideline [15] to perform the grey literature review. The complete MLR protocol is available as online material 555https://drive.google.com/file/d/18Jiap714N1uprFVYU0jGmKSxKa-y2awJ/view?usp=sharing.

We first determined the search strings by deriving relevant keywords from the research question. Before conducting the systematic search, we did a pilot study by experimenting with the search terms to compare the results. We used “AI”, “Responsible”, “Solution” as the key terms and included synonyms and abbreviations as supplementary terms to increase the search results. We designed the search strings for each primary source to check the title. After completing the first draft of search strings, we examined the results of each search string against each database to check the effectiveness of the search strings. The finalised search terms are shown in Table 1. We use Australia’s AI ethics principles [16] to idenify the supplementary terms for “Responsible” as a close-enough representation of the many similar ones [1, 2] around the world. The eight AI ethics principles include human, societal and environmental wellbeing, human-centred values, fairness, privacy protection and security, reliability and safety, transparency and explainability, contestability, accountability. The search strings and the respective paper quantities of the initial search for each primary source are listed in our MLR protocol. We applied the search string to both scholar search engines for academic literature and Google Search Engines for grey literature. The scholar search engines include: ACM Digital Library, IEEE Xplore, Science Direct, Springer Link, and Google Scholar. The search period is until 31 July 2022.

Key Term Supplementary Terms
AI

Artificial Intelligence, Machine Learning, ML

Responsible Ethics, Ethical, Responsibility, Trust, Trusted, Trustworthiness, Trustworthy, Human Values, Wellbeing, Accountability, Accountable, Transparency, Transparent, Explainability, Explainable, Interpretability, Interpretable, Contestability, Contestable, Fairness, Fair, Reliability, Reliable, Safety, Safe, Privacy, Private, Security, Secure
Solution Tactic, Practice, Process, Design, Architecture, Solution, Approach, Method, Mechanism, Tool, Toolkit
Table 1: Key and supplementary search terms

We screened the initial results against inclusion and exclusion criteria. The inclusion criteria include: (1) A paper/article that presents a governance or process or design solution for responsible AI. (2) A paper/article that presents a tool or toolkit for developing responsible AI systems. (3) A paper/article that is in the form of a published scientific paper or industry article. The exclusion criteria are: (1) A paper/article that only discusses high-level principles or frameworks. (2) A paper/article that only focuses on algorithm-level techniques. (3) A paper/article that is not written in English. (4) Conference version of a study that has an extended journal version. (5) PhD/Master’s dissertations, tutorials, editorials, books.

The snowballing technique has been recommended and used in place of database searches in systematic literature reviews. For the academic literature, we identified a set of papers that serve as the starting point (i.e., seed set) for snowballing. The seed set papers were selected based on the source databases and Australia’s AI ethics principles to cover various communities. For each of the 5 source databases, we selected 1 top cited paper for responsible AI in general and each of the 8 principles respectively. For some principles, there is no paper found in one particular database. We only collected the grey literature from the first 10 Google pages. For the grey literature, snowballing is conducted if related responsible AI solutions are mentioned on the webpage. We finally identified 205 academic items and 69 grey items for the MLR. For the grey literature, we organized the responsible AI solutions according to the corresponding companies. For example, we found 13 responsible AI tools/solutions on Microsoft’s website but only counted Microsoft as one grey item in our study.

2.3 Data extraction, synthesis, and analysis

We extracted data and summarized findings from the selected academic and grey items based on the pre-defined research question. Based on the answers extracted for the research question, we identified different types of patterns. For example, there are a few papers using federated learning to deal with data privacy issues, thus federated learner is identified as a product pattern that can be built into the architecture of AI systems. We also extract some general information, e.g. authors name, organization, publication venue, publication year. We performed a pilot study on 20 items to test the research question and the way to extract the required data. We stored all the extracted data in a spreadsheet for analysis. Once we identified the pattern, we describe the pattern details on our RAI Pattern Catalogue website according to the traditional pattern structure [17]: context, problem, solution, benefits, drawbacks,related patterns, known uses. The known uses were identified through the data extraction and additional manual search.

Figure 3: Stakeholders for RAI governance.

3 Governance Patterns

The governance for responsible AI systems can be defined as the structures and processes that are employed to ensure the development and use of AI systems meet AI ethics principles. According to Shneiderman’s structure [18], governance can be built at three levels: industry-level, organization-level, and team-level. As illustrated in Fig. 3, we identified the stakeholders for RAI governance and classified them into three groups:

  • Industry-level stakeholders

    • AI technology producers: develop AI technologies for others to build on top to produce AI solutions, e.g., parts of Google, Microsoft, IBM. AI technology producers may embed RAI in their technologies and/or provide additional RAI tools.

    • AI technology procurers: procure AI technologies to build their in-house AI solutions, e.g., companies or government agencies buying/using AI platform/tools. AI technology procurers may care about RAI issues and embed RAI into their AI technology procurement process.

    • AI solution producers: develop in-house/blended unique solutions on top of technology solutions and need to make sure the solutions adhere to RAI principles/standards/regulations, e.g., parts of MS/Google providing Office/Gmail “solutions”. They may offer the solutions to AI consumers directly or sell to others. They may use RAI tools (provided by AI technology producers or RAI tool producers) and RAI processes during their solution development.

    • AI solution procurers: procure complete AI solutions (with some further configuration and instantiation) to use internally or offer to external AI consumers, e.g., a government agency buying from a complete solution from vendors. They may care about RAI issues and embed RAI into their AI solution procurement process.

    • AI users: who use an AI solution to make decisions that may impact on a subject, e.g., a loan officer or a gov employee. AI users may exercise additional RAI oversight as the human-in-the-loop.

    • AI impacted subjects: who are impacted by some AI-human dyad decisions, e.g., a loan applicant or a tax payer. AI impacted subjects may care about RAI issues and contest the decision on dyad AI ground.

    • AI consumers: who consume AI solutions (e.g., voice assistants, search engines, recommender engines) for their personal use (not affecting 3rd parties). AI consumers may care about RAI issues and the dyad AI aspects of AI solutions.

    • RAI governors: those that set and enable RAI policies and controls within their culture. RAI governors could be functions within an organization in the above list or external (regulators, consumer advocacy groups, community).

    • RAI tool producers: technology vendors and dedicated companies offering RAI features integrated into AI platforms or AIOps/MLOps tools.

    • RAI tool procurers: any of the above stakeholders who may purchase or use RAI tools to improve or check solutions/technology’s RAI aspects.

  • Organization-level stakeholders

    • Management teams: individuals at the higher level of an organization who are responsible for establishing RAI governance structure in the organization and achieving RAI at the organization-level. The management teams include board members, executives, and (middle-level) managers for legal, compliance, privacy, security, risk, and sustainability.

    • Employees: individuals who are hired by an organization to perform work for the organization and expected to adhere to RAI principles in their work.

  • Team-level stakeholders

    • Development teams: those who are responsible for developing and deploying AI systems, including product managers, project managers, team leaders, business analysts, architects, UX/UI designers, data scientists, developers, testers, and operators. The development teams are expected to implement RAI in their development process and embed RAI into the product design of AI systems.

As shown in Fig. 4, we identify a set of governance patterns and classify them into industry-level governance patterns, organization-level governance patterns, and team-level governance patterns based on Shneiderman’s governance structure [18]. The target users of industry-level governance patterns are RAI governors, while the impacted stakeholders include AI technology producers and procurers, AI solution producers and procurers, RAI tool producers and procurers. For the organization-level patterns, the target users are the management teams and the impacted stakeholders are employees, AI users, AI consumers, and AI impacted subjects. The target users of team-level patterns are the development team, whilst the impacted stakeholders are AI users, AI consumers, and AI impacted subjects.

Figure 4: Governance patterns for responsible AI.

3.1 Industry-level governance patterns

3.1.1 RAI regulation


Laws already apply to AI systems, however the processes/requirements to ensure compliance are not always certain, also some regulations may need to be updated e.g. administrative law. There is an urgent need for clear guidance to ensure that AI systems are developed and used responsibly in compliance with existing and upcoming laws, e.g., discrimination law. RAI regulations are developed by governments in their jurisdiction to enable the trustworthy development of AI systems by industry  [18, 19, 20, 21, 22, 23, 24]. Organisations will be required to ensure that they comply with the requirements of the EU AI Act when the applications fall into the high risk category 666https://artificialintelligenceact.eu. In US, the Algorithmic Accountability Act of 2022 777https://www.congress.gov/bill/117th-congress/house-bill/6580/text?r=2&s=1 was introduced in the Senate and House of Representatives, while an AI Bill of Rights 888https://www.wired.com/story/opinion-bill-of-rights-artificial-intelligence/ is under development by the White House Office of Science and Technology Policy. The aim of RAI regulations is to prevent illegal or negligent, malicious use of AI systems. However, there are many regulations in developments in each jurisdictions, which may cause an interoperability challenge for organisations. Also, it usually takes a long time to enact AI regulations due to the lengthy consultation and approval process.

3.1.2 Regulatory sandbox


To enable the trial of the innovative AI products in the market, a regulatory sandbox can be designed to allow testing the innovative AI products in the real-world under relaxed regulatory requirements but with appropriate safeguards in place on a time-limited and small-scale basis [21]. An AI Regulatory Sandbox 999https://www.eipa.eu/publications/briefing/sandboxes-for-responsible-artificial-intelligence/ is introduced in the EU’s AI Act proposal submitted in 2021. The UK Information Commissioner’s Office advised a Regulatory Sandbox 101010https://ico.org.uk/for-organisations/regulatory-sandbox/the-guide-to-the-sandbox/ for utilising personal data. The Australian Government released the Enhanced Regulatory Sandbox111111https://asic.gov.au/for-business/innovation-hub/enhanced-regulatory-sandbox/ for innovative financial services. AI products can enter the market under more flexible regulatory requirements in a faster pace and be tested in the real-world market to ensure they are designed ethically. However, it might incur extra cost to apply for a regulatory sandbox. Also, the AI products might not work well with large scale deployment in different context.

3.1.3 Building code


AI systems may have various degrees of risk depending on the design and application domains. To ensure that AI systems are trustworthy and meet certain minimum standards, building code can be designed to provide mandatory regulatory rules for authority parties (e.g., independent oversight and advisory committee) to assess the compliance of AI systems before they are allowed to launch [18]. For example, IEEE has released a set of building codes for developing smart cities 121212https://cybersecurity.ieee.org/blog/2017/10/04/building-code-for-the-internet-of-things/, Medical Device Software Security  131313https://ieeecs-media.computer.org/media/technical-activities/CYBSI/docs/BCMDSS.pdf, and Power System Software Security  141414https://ieeecs-media.computer.org/media/technical-activities/CYBSI/docs/BCPSSS.pdf. Building code sets out clear compulsory regulatory requirements for developing AI systems. AI systems cannot be sold in the market until an approval is issued by the assessment authority.

3.1.4 RAI standard


An AI system may use data or components from multiple jurisdictions where may have conflicting regulatory requirements on their usage. To enable interoperability between jurisdictions, RAI standards are developed to describe repeatable processes to develop and use AI systems responsibly that are recognised internationally and can be either mandated by law or by contract [18, 19, 23]. ISO/IEC JTC 1/SC42 AI Technical Committee is developing ISO/IEC 42001 IT-AI-Management System Standard 151515https://www.iso.org/standard/77304.html that provides a pathway for the certification of AI systems and WG3 trustworthiness that covers risk management and bias 161616https://www.iso.org/committee/6794475.html. IEEE has released Guide for Architectural Framework and Application of Federated Learning 171717https://standards.ieee.org/ieee/3652.1/7453/, Standard for Technical Framework and Requirements of Trusted Execution Environment based Shared Machine Learning 181818https://standards.ieee.org/ieee/2830/10231/, and IEEE p7000 IEEE Standards for Model Process for Addressing Ethical Concerns During System Design  191919https://ethicsinaction.ieee.org/p7000/. Those AI standards provide repeatable processes and guidance for the use and development of AI systems that are recognised internationally.

3.1.5 RAI maturity model


Organizations can face challenges that can hurt their business if they are not aware of their RAI maturity. RAI maturity model can be used to assess an organization’s RAI capabilities and the degree of readiness to take advantage of AI based on a set of dimensions [18, 25, 26, 27]. RAI maturity model can guide organizations on how to increase their RAI capabilities. The assessment results depend on the model quality, e.g., assessment dimensions and rating methods. There have been a few AI maturity models developed in industry, such as Gartner’s AI Maturity Model 202020https://www.gartner.com/smarterwithgartner/the-cios-guide-to-artificial-intelligence, Microsoft’s AI Maturity Model 212121https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE4DIvg, and IBM’s AI Maturity Framework 222222https://www.ibm.com/downloads/cas/OB8M18WR.

3.1.6 RAI certification


AI is a high-stake technology that requires evidence to prove AI products’ compliance with AI standards or regulations in order to operate in the society. RAI certification can be designed to recognize that an organization or a person has the ability to develop or use an AI system in a way that is compliant with standards or regulations [18, 19, 28, 29, 30, 24, 31, 32, 33]. Malta AI-ITA certification 232323https://mdia.gov.mt/wp-content/uploads/2019/10/AI-ITA-Guidelines-03OCT19.pdf is the world’s first AI certification scheme for RAI systems. DO-178C Certification 242424https://my.rtca.org/nc__store?search=do-178c has been used to approve commercial software-based aerospace systems. Queen’s University offers an executive education program on Principles of AI Implementation 252525https://smith.queensu.ca/ConversionDocs/Execdev/Trusted_Data_AI_Canadian_Business.pdf. The evidence of compliance can be provided through RAI certification to improve human trust in AI systems. However, like other types of certificates, RAI certificates may be forged, which makes the verification of authenticity of certificates challenging. The certification process is usually complex, costly and time consuming.

3.1.7 Trust mark


Consumers in the market usually do not have professional knowledge about AI. To improve public confidence on AI and dispel their ethical concerns, trust mark, a seal of endorsement, is easy to understand by all consumers and can be used to inform consumers about AI system. Trust mark is important for small companies which are often not well-known in the AI market. However, consumers may not trust the AI systems with trust mark performing more responsible than those without one. There have been several trust marks designed for responsible use of data, such as Australian Data and Insights Association Trust Mark 262626https://dataandinsights.com.au/trust-mark/, New Zealand Privacy Commissioner’s Privacy Trust Mark 272727https://www.privacy.org.nz/resources-2/applying-for-a-privacy-trust-mark/, and Singapore’s Data Protection Trustmark (DPTM) 282828https://www.pdpc.gov.sg/overview-of-pdpa/data-protection/business-owner/data-protection-trustmark.

3.1.8 Independent oversight


Decisions made by AI systems may lead to severe failures due to its autonomous decision-making process. To audit AI systems and investigate failures in a trusted way, independent oversight can be conducted by the independent oversight boards that consist of experts who are knowledgeable to perform the review and has no conflict of interest with the reviewed organizations[18, 19, 34, 35]. The U.S. National Transportation Safety Board 292929https://www.ntsb.gov/ investigates every civil aviation accident. The U.S. National Artificial Intelligence Advisory Committee  303030https://www.ai.gov/naiac/#ABOUT-NAIAC advises on AI-related issues. Independent oversight provides a trusted review infrastructure to gain public confidence. Planning oversight provides early feedback on the new development proposals. Failures of independent oversight could happen due to lack of sufficient independence.

3.2 Organization-level governance patterns

3.2.1 Leadership commitment for RAI


The management teams need to understand the values, cost and risk for adopting AI in an the organization. Commitment needs to be made by the management team to build RAI culture within an organization [18]. Leadership commitment is achieved by the management team dedicating their time and efforts on establishing ethics principles and governance structure (e.g., appointment of chief RAI officer, RAI advisory boards) [36], as well as incorporating RAI into organization’s values, vision, mission [19], board’s strategy planning, executives’ performance reviews[21], audit and risk committee’s scope [20], and ESG commitments. Leadership commitment enables organizational culture on RAI and visible sponsorship to build RAI capability. IBM has established an AI ethics board 313131https://www.ibm.com/au-en/artificial-intelligence/ethics to support a culture of RAI throughout IBM. Axon has assembled an independent AI ethics board 323232https://www.axon.com/company/ai-and-policing-technology-ethics to provide guidance on AI system development. Schneider Electric has appointed its first Chief AI Officer  333333https://www.iteuropa.com/news/schneider-electric-appoints-new-caio-and-opens-new-ai-hub to advance its AI strategy.

3.2.2 Ethics committee


Organizations need to build capability incorporating multiple areas of expertise to address RAI issues. An AI ethics committee is an AI governance body that is established to develop standard processes for decision-making, as well as to approve and monitor AI projects [29, 32]. Accenture released a report on how to build AI ethics committees 343434https://www.accenture.com/au-en/insights/software-platforms/building-data-ai-ethics-committees. Adobe has created an AI ethics committee 353535https://www.adobe.com/about-adobe/aiethics.html which includes experts with different background. Sony has established AI ethics committee 363636https://www.sony.com/en/SonyInfo/sony_ai/responsible_ai.html to ensure the ethically development of AI systems. The ethics committee provides feedback and guidance to the project team after reviewing the proposal. However, the committee might not have the expertise to review a particular case, which might cause bias issues.

3.2.3 Code of ethics for RAI


AI may make wrong decisions or behave inappropriately, e.g. impact human lives or buy the wrong product. To guide AI related activities in an organization, a code of ethics is a set of rules that employees should uphold when developing an AI system [18, 29, 37, 23]. AAAI has issued Code of Professional Ethics and Conduct 373737https://www.aaai.org/Conferences/code-of-ethics-and-conduct.php for all members. Bosch sets out code of ethics 383838https://www.bosch-ai.com/industrial-ai/code-of-ethics-for-ai/ to establish guidelines for the development of AI. BMW has released a code of ethics for AI  393939https://www.press.bmwgroup.com/global/article/detail/T0318411EN/seven-principles-for-ai-bmw-group-sets-out-code-of-ethics-for-the-use-of-artificial-intelligence. A code of ethics provides employees with the same concrete rules on developing AI systems, but it relies on individuals to do the right thing with limited monitoring and enforcement.

3.2.4 Ethical risk assessment


Although there are increasing concerns on AI ethics, RAI regulation is still at a very early stage. To assess the ethical risks associated with AI systems, an organization needs to extend the existing IT risk framework or design a new one to cover AI ethics [18, 29, 38, 20, 39, 40, 7, 9, 41]. ISO/IEC JTC 1/SC 42 committee is developing ISO/IEC 23894 on Artificial Intelligence and Risk Management 404040https://www.iso.org/standard/77304.html. NIST released the initial draft of AI Risk Management Framework that provides a standard process for managing risks of AI systems 414141https://www.nist.gov/itl/ai-risk-management-framework. The Canadian government has released the Algorithmic Impact Assessment tool to identify the risks associated with automated decision-making systems 424242https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/responsible-use-ai/algorithmic-impact-assessment.html. The Australian NSW government is mandating all its agencies that are developing AI systems to go through the NSW AI Assurance Framework 434343https://www.digital.nsw.gov.au/policy/artificial-intelligence/nsw-ai-assurance-framework. Singapore launches AI Verify Toolkit to test responsible AI 444444https://file.go.gov.sg/aiverify.pdf. UK ICO released ai and data protection risk toolkit 454545https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/guidance-on-ai-and-data-protection/ai-and-data-protection-risk-toolkit/ which is built up on their guidance for organizations using AI systems. Although ethical risk assessment has the potential to prevent majority of incidents and increase awareness of RAI, it is often a one-off type of risk assessment with subjective judgement on measurement [42].

3.2.5 Standardized reporting


Standardized reporting is essential to address the opaque black box issue of AI systems. Organizations should set up standarized processes and templates for informing the development process and product design of AI systems to different stakeholders (e.g., AI governors, users, consumers) [43]. RAI regulations may request such obligations to ensure transparency and explainability of AI systems. The Cyberspace Administration of China published transparent disclosure requirements for online service providers 464646http://www.cac.gov.cn/2022-01/04/c_1642894606364259.htm. The service providers are requested to file with the regulators (i.e., AI governors) for impact assessment when realising new services. In addition, the online services must inform users when AI is being used to recommend contents to them and explain the purposes and design of recommended systems. In EU’s AI Act 474747https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206, the incidents of AI systems are required to be reported and disclosed by AI system providers (i.e., AI technology or solution producers). Helsinki 484848https://ai.hel.fi/en/ai-register/ and Amsterdam 494949https://algoritmeregister.amsterdam.nl/en/ai-register/ released AI registers describing where and how the two cities are using AI, how AI is built, which data and algorithms are used, how the applications impact the citizens’ daily lives, and development team’s contact information.

3.2.6 Role-level accountability contract


It is necessary that organizations have an appropriate approach to enable accountability throughout the entire lifecycle of AI systems. Role-level accountability can be established through formal contracts to define the boundary of responsibility and identify who should be held accountable when an AI system misbehaves [35]. For example, Australia’s National Data Commissioner creates a data sharing agreement template for using Australian Government data 505050https://www.datacommissioner.gov.au/data-management/data-sharing-agreement. Developers primarily focus on the technique aspects of AI systems and may not be familiar with the ethical principles. Role-level accountability contracts make the developers keep ethics in mind at every step, but may create stress for employees at all levels within an organization.

3.2.7 RAI software bill of materials


From a software supply chain angle, development of AI systems involves complex and dynamic software supply chain. Many organizations procure AI technologies/solutions to build their AI systems. The AI systems are often assembled by using commercial or open-source AI and/or non-AI components from third parties. Despite cost efficiency, the underlying security and integrity issues of the third party components have attracted significant attentions. According to Sonatype’s report on 2021 state of the software supply chain 

515151https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021, the software supply chain attacks increased 650% in 2021, while it was 430% in 2020. RAI software bill of materials keeps a list of components used to create an AI software product, which can be used by AI solution procurers and consumers to check the supply chain details of each component of interest and make buying decisions [44]. The supply chain details should at least include component name, version, supplier, dependency relationship, author of software bill of materials data, and timestamp [45]. This provides traceability and transparency about components and allows AI solution procurers and consumers to easily check component information (such as supply chain details and context information) and track ethical issues. RAI software bill of materials enables faster vulnerability identification but may need to be updated frequently since AI systems may evolve over time. Dependency-Track 525252https://dependencytrack.org/ is widely used by practitioners to track components’ supply chain information and identify known vulnerabilities. Software Package Data Exchange (SPDX) 535353https://spdx.dev/ and CycloneDX 545454https://cyclonedx.org/ are two standards for exchanging software bill of material information for security analysis.

3.2.8 Ethics training


It is urgent that the employees of an organizations begin to think through the potential implications of AI on their work and make ethical choices during the development and use of AI systems. Ethics training provides employees with knowledge on how to deal with ethical issues during development [18, 46, 19, 21, 47, 40, 23, 35, 48]. MIT offers a 3-day course ”Ethics of AI: Safeguarding Humanity” 555555https://professional.mit.edu/course-catalog/ethics-ai-safeguarding-humanity introducing the ethics of AI development and deployment. The University of Technology Sydney (UTS) designed a short course ”Ethical AI: from Principles to Practice” 565656https://open.uts.edu.au/uts-open/study-area/Technology/ethical-ai-from-principles-to-practice/ for business executives. The University of Helsinki created a free online course ”The Ethics of AI” 575757https://ethics-of-ai.mooc.fi/ for anyone who is interested in AI ethics. Halmstad University provides a short course on critical design and practical ethics for AI 585858https://learning4professionals.se/showCourse/158/Critical_Design_and_Practical_Ethics_for_AI. Ethics training can improve organizational awareness on RAI and sharpen the employees’ RAI skills. However, RAI covers a broad range of knowledge and skills and ethics training may only offer a subset of knowledge and skills within limited time.

3.3 Team-level governance patterns

3.3.1 Customized agile process


Agile development has been increasingly adopted by organizations to incrementally and iteratively develop software systems, including AI systems. However, the existing agile development methods mainly focus on business value and largely neglect the AI ethics principles. To address ethical issues in the AI system development process, agile methods need to be extended and customized to allow consideration of ethics principles. Extension points could be artefacts, roles, ceremonies, practices, and culture [49]. Microsoft’s Azure DevOps allows the customization of inherited processes595959https://docs.microsoft.com/en-us/azure/devops/organizations/settings/work/inheritance-process-model?view=azure-devops&tabs=agile-process. Atola Technology provides customized agile methodology that contains different development practices606060https://www.airtable.com/universe/exp4OppRObzXbhOQE/custom-agile-methodology-by-atola. Apptio Targetprocess is a web-based visual tool for managing projects with flexibility at various levels616161https://www.apptio.com/products/targetprocess/.

3.3.2 Tight coupling of AI and non-AI development


AI system development involves the development of both AI and non-AI components with rapid iterations. This requires more frequent integration of AI and non-AI components. Compared with non-AI components, the development of AI components that support the AI model pipeline is more experimental with still limited methodological support and mostly done by data scientists and data engineers who are not familiar with software engineering. To bridge the methodological gap between AI and non-AI development, both AI team and non-AI team need to be clear about what exactly is being delivered by a project and share the same sprints and use a common co-versioning registry to track the progress [50]

. The close coupling of AI and non-AI development results in improved trust within the project team and better communication on both system-level and model-level ethical requirements. The challenge for the tight coupling might be that the non-AI component development is application centric while the AI component development is mostly data centric. There have been a few attempts in industry on continuously integrating AI components/models into the software, such as Microsoft Team Data Science Process 

626262https://docs.microsoft.com/en-us/azure/architecture/data-science-process/overview, Amazon SageMaker Pipelines  636363https://aws.amazon.com/sagemaker/pipelines/?nc1=h_ls, Azure Pipelines 646464https://www.azuredevopslabs.com/labs/vstsextend/aml/.

3.3.3 Diverse team


AI pipelines are built by humans and thus may imply bias (such as racism and sexism) and produce discriminating results. Also, the code of AI systems is written by developers who are primarily focused on technical aspects. Building a diverse project team can effectively eliminate bias and improve diversity and inclusion in AI systems [40, 33, 51]. The diversity can be across gender, race, age, sextual orientation, expertise, etc. A diverse team can drive creative thinking for greater innovation, but communication could become challenging due to different background and preference 656565https://futureofworking.com/11-advantages-and-disadvantages-of-diversity-in-the-workplace/. Google published 2022 Diversity Annual Report 666666https://about.google/belonging/at-work/ which introduces the actions to build an inclusive workplace. Microsoft aims to integrate diversity and inclusion principles into their organization 676767https://careers.microsoft.com/us/en/diversityandinclusion. Meta has been working on creating diverse and inclusive work communities 686868https://www.workplace.com/diversity-and-inclusion.

3.3.4 Stakeholder engagement


Stakeholders may have various ethical concerns about the development and use of AI systems. Keeping stakeholder engagement throughout the AI project is essential to building AI systems responsibly. Stakeholder engagement allows AI systems to better reflect their stakeholders’ needs and expectations [18, 52, 53, 51]. There are various manners to engage stakeholders: interviews, online and offline meetings, project planning/review, participatory design workshops, crowd sourcing etc. Stakeholders may help the project team identify potential ethical risks before they become threats, but there maybe conflicting opinions from different stakeholders. Association for project management published ten stakeholder engagement principles 696969https://www.apm.org.uk/resources/find-a-resource/stakeholder-engagement/key-principles/. Australian Public Service Commission released stakeholder engagement guidelines 707070https://www.apsc.gov.au/initiatives-and-programs/workforce-information/taskforce-toolkit/stakeholder-engagement. Deloitte published a report on stakeholder engagement 717171https://www2.deloitte.com/content/dam/Deloitte/za/Documents/governance-risk-compliance/ZA_StakeholderEngagement_04042014.pdf.

3.3.5 Continuous documentation using templates


Developers primarily focus on the code and often neglect updating the documentation during rapid iterations. The project teams need to create and continuously update documentations for the key artifacts of AI systems that may lead to ethical issues, such as data and models. Continuous documentation using templates helps track the evolution of artifacts and clarify the context in which AI systems are trustworthy [7, 8, 9, 10, 11, 12]. Google’s model cards 727272https://modelcards.withgoogle.com/about enables transparent model reporting on model provenance and ethical evaluation [54, 55]. Microsoft’s datasheets for datasets 737373https://www.microsoft.com/en-us/research/project/datasheets-for-datasets/ allows every dataset to be accompanied with a datasheet document [56]. IBM’s AI service factsheets 747474https://www.ibm.com/blogs/research/2018/08/factsheets-ai/ maintains AI services’ performance, safety, security, and provenance information [57]. Meta’s method cards provides a prescriptive model specification templates that provides guidance on how to mitigate potential issues [58, 12].

3.3.6 Failure mode and effects analysis (FMEA)


Ethical defects in AI systems are often detected through extensive simulation and testing in the later stages of development. However, this may lead to significant delays to timelines and additional development cost. FMEA is a bottom-up risk assessment method that can be used to identify ethical risks and calculate their priorities at the beginning of the development process [59]. FMEA was originally proposed in US Armed Forces Military Procedures document MIL-P-1629 in 1949  757575https://web.archive.org/web/20110722222459/https://assist.daps.dla.mil/quicksearch/basic_profile.cfm?ident_number=37027. Ford Motor Company firstly introduced FMEA to the automotive industry since mid 1970s  767676https://fsp.portal.covisint.com/documents/106025/14555722/FMEA+Handbook+v4.2/4c14da5c-0842-4e60-a88b-75c18e143cf7?version=1.0. FMEA has been extended and adopted by Toyota’s Design Review Based on Failure Modes (DRBFM)  777777https://www.sae.org/standards/content/j2886_201303/ for assessing potential risk and reliability for Automotive and Non-Automotive applications. FMEA replies on experts to apply their professional knowledge and experience to the ethical risk assessment process. Also, FMEA is better suited for bottom up analysis and not able to detect system-level complex ethical failures.

3.3.7 Fault tree analysis (FTA)


Undesired system behaviors or decisions could lead to serious consequence and even cause loss of human lives. FTA [59] can be used to describe how system-level ethical failures are led by small ethical failure events through an analytical graph, i.e., fault tree. The development team can easily capture how ethical failures propagate in the AI system. Fault tree analysis can be done during the design or operation stage to anticipate the potential ethical risks and to recommend mitigation actions. FTA was firstly introduced by Bell Laboratories in 1962 to assess the safety of a missile launch control system787878https://www.osti.gov/servlets/purl/1315144. Boeing started using FTA to design civil aircrafts from 1966797979https://apps.dtic.mil/sti/citations/AD0847015. FTA was included in U.S. Army Materiel Command’s Engineering Design Handbook on Design for Reliability808080https://apps.dtic.mil/sti/pdfs/ADA026006.pdf. FTA assists in analyzing the ethical issues related to AI system artifacts and prioritizes the issues to address that contribute to an ethical risk. Hoever, it is complex to use for large system analysis, which may involve many ethical events and gates. Also, time can hardly be captured in FTA.

3.3.8 Verifiable claim for AI system artifacts


The potential users of AI systems need methods for assessing an AI system’s ethical properties and compare the system to other systems. A verifiable claim platform can be built to support developers in making claims on ethical properties [60] and conducting the verification [30]. Such platform must consider the disparity of the stakeholder’s views. For example, developers might focus on reliability, while users might be interested in fairness. A verifiable claim is a statement about an AI system or an artifact (such as model or dataset) that is substantiated by a verification mechanism. The platform itself provides management capabilities such as claim creation and verification, access control, and dispute management. W3C Verifiable Claims Working Group aims to make expressing and exchanging claims 818181https://www.w3.org/2017/vc/WG/. The Open Web Application Security Project has published a Verifiable Claims documentation  828282https://owasp.org/www-pdf-archive//OWASP-Austin-Mtg-2018Jan-CryptoParty-Dave-Sanford.pdf. The Ethereum Verifiable Claims is a method for off-chain variable claims838383https://eips.ethereum.org/EIPS/eip-1812#ethereum-verifiable-claims.

4 Process Patterns

In this section, we discuss the process patterns that can be incorporated into responsible AI system development processes. The process patterns are reusable methods and best practices which can be used by the development team during the development process. Fig. 5 illustrates the process patterns collected for each stage of the development process.

Figure 5: Process patterns for responsible AI system development.

4.1 Requirement engineering

4.1.1 AI suitability assessment


AI has a huge potential to provide effective solutions to tackle critical problems. However, it does not necessarily add value to every software system. Before starting to build a software system with AI, the development team first needs to identify the right problem to solve and the corresponding user needs. Once the problem is found and the environment where the system will be situated fully explored, the development team needs to analyse whether the system and the users benefit from AI or are they potentially degraded by AI [61]

. It is essential to make sure AI adds value to the design. Oftentimes, a heuristic-based design may be easier and cheaper to develop and may work better than an AI-based design in terms of predictability and transparency. AI suitability assessment can help the development team understand whether AI can add unique value to the design but may incur additional cost and require extra resources.

4.1.2 Verifiable ethical requirement


The development of AI systems needs to adhere to AI ethics principles which are generally abstract and domain-agnostic. Ethical requirements need to be derived from the AI ethics principles to fit into a specific domain and system context [62, 35, 63, 64, 65]. Every ethical requirement specified in a requirements specification document should be put into a verifiable form (i.e., with acceptance criteria). This means a person or machine can later check that the AI system meets the ethical requirements that are derived from AI ethics principles and grounded in users’ needs. Vague or unverifiable statements should be avoided [66]. If there is no way to determine whether the AI system meets a particular ethical requirement, then this ethical requirement should be revised or removed. Ethical risk can be reduced via considering ethical requirements from the beginning of the development process and explicitly verifying ethical requirements. Some ethical principles/requirements may not be easily quantitatively validated [35], such as human-centered values. There may be trade-offs between some ethical principles or requirements. The current practice to deal with the trade-offs is usually the developers following one principle while overwriting the others rather than building balanced trade-offs through patterns.

4.1.3 Data requirements throughout the entire lifecycle


The quality of an AI model is largely dependent on the quality of the data used to train or evaluate. The lifecycle of data consists of several phases, including data collection, cleaning, preparation, validation, analysis, and termination. Unfortunately, the scope of data requirements [62, 18] often focuses on the data analysis phase and largely neglects the other key phases in the data lifecycle. This may lead to downstream ethical concerns such as AI model reliability, accountability, and fairness. AI systems can hardly be trusted when the data lifecycle is poorly managed. Data requirements need to be listed explicitly and specified throughout the data lifecycle (i.e., collection, cleaning, preparation, validation, analysis, and termination) taking into account ethical principles and involved stakeholders (i.e., data providers, data engineers, data scientists, data consumers, data auditors). Data requirements can be managed through data requirements specification. The specification could include detailed requirements for each phase in the data lifecycle, e.g., data collection requirements including data sources and collection methods. Google has created a template for dataset requirements specification [10].

4.1.4 Ethical user story


Requirements elicitation methods are needed to collect detailed ethical requirements from stakeholders to capture AI ethics principles. In agile processes, ethical user stories [67, 65] can help the development team elicit ethical requirements for AI systems and implement AI ethics principles from the early stage of development. Ethical user stories are created to serve as items of the product backlog which is to be worked on by the development team in iterations (i.e., sprints). Card-based toolkits can be used to list questions related to AI ethics principles. The answers to those questions are integrated into ethical user stories to be included in sprint backlogs. The development team or users can write ethical user stories on cards or notes using predefined template and assign them to different sprints based on the priority. Ethical user stories make ethical requirements traceable both backward and forward, but they are difficult to scale for larger projects. Guide for Artificial Intelligence Ethical Requirements Elicitation848484https://josesiqueira.github.io/RE4AIEthicalGuide/index.html consists of 25 cards which are used by the development team to answer questions related to ethical principles. The answers are used to create ethical requirements in the form of ethical user stories which are included in sprint backlogs. ECCOLA [67] consists of 21 cards which are divided into 8 themes and with questions to be answered by the development team.

4.2 Design

4.2.1 Multi-level co-architecting


Compared with traditional software, the architecture of AI systems is more complex due to different levels of integration. On the one hand, AI models are developed by data scientists/engineers via an AI model pipeline. The AI model pipeline usually comprises of a sequence of automatic steps including data collection, data cleaning, feature engineering, model training, and model evaluation. These steps can be viewed as software components for producing AI models from a software architecture perspective. On the other hand, the produced AI models cannot work alone and need to be integrated into software systems that are to be deployed in the real-world [68]. The decisions made by the AI model need to be executed as actions via other software components. The architecture of an AI ecosystem consists of three layers: AI software supply chain, AI system, and operation infrastructure. The focus of AI software supply chain layer is about developing and managing AI and non-AI components [69], including AI model pipeline components, deployment components, co-versioning components, provenance tracking components, credential management components, etc. The AI system layer comprises AI components that embed AI models and non-AI components that use the outputs of AI components for overall system functionalities [70]. The operation infrastructure layer is mainly about monitoring and feedback components. Multi-level co-architecting is required to ensure the seamless integration of different components, including co-architecting AI components and non-AI components and co-architecting of different AI model pipeline components. Multi-level co-architecting allows both system and model level requirements to be considered in design decision making.

4.2.2 Envisioning card


AI ethics principles, including the human-centred values principles, are too high-level for developers who often lack the technical means to assure human values and ethics. Envisioning cards [71, 52] are designed to help the development team operationalize human values during design processes of AI systems. The design of envisioning cards is based on four envisioning criteria, including stakeholder, time, value, and pervasiveness. The stakeholder criterion helps the development team takes into account the effects of an AI system on both direct stakeholders and indirect stakeholders. The time criterion emphasizes the long-term implication of AI systems on human, society, and environments. The value criterion guides the development team to consider the impact of AI systems on human values. The pervasiveness criterion discusses the challenges encountered if an AI system is widely adopted in terms of geography, culture, demographics, etc. The adoption of envisioning cards comes at a relatively low cost, in terms of both money and time. However, envisioning cards are hard to scale when the number of participants are large or the AI systems are complex.

4.2.3 Design modelling for ethics


To reduce ethical risks, AI ethics principles need to be adhered to during the design process. Design modelling methods can be extended and used to support the modelling of AI components and the ethical aspects, including: using UML to describe the architecture of AI systems and represent their ethical aspects [72], designing formal models taking into account human values [73], using ontologies to model the AI system artifacts for accountability [74, 75], establishing RAI knowledge bases for making design decisions considering ethical concerns [76]

, using logic programming to implement ethical principles 

[77]. UML is an option to describe the AI systems and represent their ethical aspects [72]. UML extension could be a declarative graphic notation for AI system architecture. Additional stereotypes/metamodel elements can be added for responsible-AI-by-design reference architecture (e.g., to describe AI pipeline components). Use case diagrams can help define the stakeholders and explain the functions they use, which are valuable for achieving accountability. State diagrams are useful to analyse the system states and identify the states that may cause ethical failures. Design patterns like AI mode switcher can take effect to change the state of an AI system to a more human controlled state. Sequence diagrams describe the human-AI interactions to ensure all the required explanations are provided. Using design modelling methods are helpful to capture and analyse ethical principles in design. One disadvantage when using modelling languages is the time to create and manage the models. Also, the modelling languages do not scale up for large and complex systems.

4.2.4 System-level ethical simulation


To avoid ethical disasters and gain public trust, it is necessary to model the real-world situations of AI systems without ethical risk. System-level simulation (e.g.  [78, 59, 79, 80]), is a cost-effective way to imitate real-world situations and assess the behaviors of AI systems before deploying the AI systems in real-world. A simulation model needs to be built to mimic the possible behaviors and decisions of the AI system and assess the ethical impacts. The assessment results can be sent to the development team or potential users before the AI systems are deployed in the real-world. System-level simulation can predict potential ethical risks and avoid serious ethical disasters before deploying the AI systems in the real-world. However, the simulation model cannot represent all the behaviors and ethical impacts of AI systems in the real-world. The accuracy of assessment results is limited by the quality of the simulation model.

4.2.5 Human-centered interface design for explainable AI


The end users often do not understand how decisions are made by AI systems and are not aware of the capabilities or limitations of the AI systems. The missing explainability may lead to a lack of trust and has been identified as one of the most urgent challenges of RAI to be addressed. Explainable AI (XAI) can be viewed as a human-AI interaction problem and achieved by effective human-centered interface design. Checklists (such as question bank) are often used to help design the explainable user interfaces [3, 4, 5] and understand the user needs, choices of XAI techniques, and XAI design factors [4]. For example, the checklist questions could consider the following aspects [3] for different stakeholders: input, output, how, performance (can be extended to ethical performance), why and why not, what if, etc. The design of conversational interfaces can be experimented via a Wizard of Oz study [81], in which users interact with a system that they believe to be autonomous but is actually being operated by a hidden human, called the Wizard. The conversation data is collected and analysed to understand requirements for a self-explanatory conversational interface. There can be several ways to increase human trust in AI systems through human-centered user interface, including anthropomorphism [33], proactive informing (such as capability/limitation of AI systems, ethics credentials, explanations of decisions/behaviors, potential outcomes, data use information).

4.3 Implementation

4.3.1 RAI governance of APIs


APIs allow developers to solve problems more efficiently and can effectively reduce the development cost and time of AI systems. However, there may be ethical quality issues with APIs (e.g., data privacy breaches or fairness issues). Ethical compliance checking for APIs is needed to detect if any ethics violation exists [82]

. A knowledge-driven approach can be adopted to detect ethics issues through ethical knowledge graphs. Ethical knowledge graphs make meaningful entities and concepts, and their relationships in development of AI systems. With the ethical knowledge graph, the rich semantic relationships between entities are explicit and traceable across heterogeneous high-level documents and various AI systems artifacts. Ethical knowledge graphs can be built based on the ethical principles and guidelines (e.g., privacy knowledge graph based on GDPR 

[83, 84]) and technical documents (e.g., API documentation) to support the ethical compliance checking for APIs.

4.3.2 RAI governance via APIs


Some AI systems may provide high risk capabilities, which can be used or modified to implement harmful tasks. To avoid harmful dual uses in AI systems [85], developers should carefully design how their AI systems can be directly used and indirectly used (i.e., potential ways their systems can be adapted). Developers must restrict the way AI systems are used and preventing the users from getting around of restrictions by unauthorized reverse engineering or modification to the system design. Rather than fully opening the access to AI systems by allowing AI systems to run locally, developers could provide AI services on cloud and control the interactions with the AI services via APIs [86]

. For example, OpenAI’s language model GPT-3 can be only integrated with AI systems through an API by approved users 

858585https://openai.com/api/

. Google Vision AI limit its facial recognition feature to a few celebrities through API 

868686https://cloud.google.com/vision.

4.3.3 Ethical construction with reuse


Building AI systems from scratch can be very complex and time consuming. Very big companies usually have massive AI investments and large volumes of data to compete in the market, while smaller companies may only have a couple of data scientist and can hardly keep up with larger companies. To speed up the development and reduce cost, it is highly desirable and valuable to reuse the AI artifacts (i.e., AI components and/or AI pipeline artifacts) across different applications. However, there might be ethical quality issues with the reused AI artifacts, which requires further assurance mechanisms. Ethical construction with reuse means to develop responsible AI systems with the use of existing AI artifacts that are compliant with AI ethics principles, e.g., from an organizational repository or an open-source platform. A marketplace can be built up to trade the reusable AI artifacts, including component code, models, and datasets. Blockchain can be adopted to design an immutable and transparent marketplace enabling the auction-based trading for AI artifacts and material assets (e.g., cloud resources) [87]. Ethics credentials might be required to be attached to the traded AI artifacts. Also, tooling support might be needed, such as model migration tool pytorch2keras878787https://github.com/gmalivenko/pytorch2keras) and glue code for compatibility  888888https://insights.sei.cmu.edu/blog/software-engineering-for-machine-learning-characterizing-and-detecting-mismatch-in-machine-learning-systems/. Low/no code tools can also help to achieve ethical construction with reuse.

4.4 Testing

4.4.1 Ethical acceptance testing


Since the AI Ethical principles are very high-level, they need to be captured through ethical requirements, which can be viewed as the agreed commitments by the development team and customers. Ethical acceptance testing (e.g., bias testing) is designed to detect the ethics-related design flaws and verify the ethical requirements (e.g. whether the data pipeline has appropriate privacy control, fairness testing for training/validation data) [88, 89, 90]. In agile process, the ethical requirements can be framed as ethical user stories and associated with ethical acceptance tests. The ethical acceptance tests are a contract between the customer and development team. The behavior of the AI system should be quantified by the acceptance tests and the acceptance criteria for each of the ethical principles should be defined in a testable way. The history of ethical acceptance testing should be recorded and tracked, such as how and by whom the ethical issues were fixed. A testing leader may be appointed to lead the ethical acceptance testing for each ethics principle. For example, when bias detected at runtime, the monitoring reports are returned to the bias testing leader [18, 91]. Ethical acceptance tests capture the ethical requirements and measure how well the AI system meets ethical requirements, but may need to be amended frequently as ethical requirements change.

4.4.2 Ethical assessment for test cases


The ethical quality assurance for AI systems is heavily dependent on ethical acceptance testing which is aimed at detecting and solving ethical issues in the AI system. A collection of test cases with expected results should be generated [92] and maintained for to detect possible ethical failures in a variety of extreme situations [93]. However, there might be ethical issues within the test cases. For example, the test data may introduce fairness or privacy issues [94]. Preparing quality test cases is an integral part of ethical acceptance testing. A test case usually is composed of ID, description, preconditions, test steps, test data, expected results, actual results, status, creator name, creation date, executor name, execution date. All the test cases for verification and validation should pass the ethics assessment. This includes ethical risk assessment for test steps and test data. The creation and execution information are essential to track the accountability of ethical issues with test cases. Ethical assessment for test cases improves the ethical quality of the development process of AI systems, but new test cases need to be continually added and assessed when there is a new ethical requirement added or the operation context changes.

4.5 Operation

4.5.1 Continuous deployment for RAI


AI systems may frequently evolve due to their data dependency. When ethical performance degradation occurs over time, AI models need to be retrained with new data or features and reintegrated into AI components. The non-AI component may also need to be upgraded to meet new requirements or changing context. New versions of AI systems need to be frequently and continuously deployed into production environments. On the other hand, AI systems involve higher degree of uncertainty and risks associated with the autonomy of the AI systems. Thus, there is a strong desire for various deployment strategies to support continuous deployment [35, 95]. There are various deployment strategies for AI systems. Phased deployment means deploying AI systems for a subset group of users initially to reduce ethical risk [96]. The new version of AI systems rollouts incrementally and serves alongside the old version. Phased deployment can be also about automating decisions in phases to better supervise and control automation. This usually depends on the stakes of the situations and the level of confidence that users may have with automatic decisions made by AI systems. Further, A/B testing deployment[97] is a common deployment strategy undertaken in industry, where different versions of the AI model deployed to production. The models are compared and selected based on their ethical performance. In addition, the existing reliability practices, like redundancy, are also applicable to AI components in an AI system. Multiple AI models work independently to improve the ethical performance of the AI components. Applying various deployment strategies helps to reduce the ethical risk. Users can be quickly redirected to the older version or the other version of AI systems/models. However, it is complex and expensive to adopt different deployment strategies during operations.

4.5.2 Extensible, adaptive and dynamic ethical risk assessment


The current risk-based approach to ethical principles is often a done-once-and-forget type of algorithm-level risk assessment [98, 18, 29, 99, 100] and mitigation for a subset of ethical principles (such as privacy or fairness 898989https://www.nist.gov/artificial-intelligence/proposal-identifying-and-managing-bias-artificial-intelligence-sp-1270) at a particular development step (such as Canada’s Algorithmic Impact Assessment Tool909090https://www.canada.ca/en/government/system/digital-government/digital-government-innovations/responsible-use-ai/algorithmic-impact-assessment.html), which is not sufficient for the highly uncertain and continual learning AI systems. In addition, the context of AI systems varies with the application domains, organizations, culture, and regions. It is essential to perform continuous risk assessment and mitigation of responsible AI systems [101, 38]. The ethical risk assessment framework can be built with guided extension points for different context (e.g. culture context). The risk mitigation can be designed from three aspects: reducing frequency occurrence, consequence size, and consequence response. Extensible, adaptive and dynamic risk assessment can effectively ensure an AI system adheres to AI ethics principles throughout the whole lifecycle, but it might be hard to measure some of the ethical principles, e.g., human-centered values.

4.5.3 Multi-level co-versioning


AI systems involve two levels of relationships and dependencies across various AI artifacts, including supply chain level and system level. At the system level, there are multiple versions of AI components and non-AI components. At the supply chain level, there are different versions of data, model, code, and configuration, which are used to produce different versions of AI components [70]. At the system level, the AI components that embed AI models are integrated into AI systems and interact with non-AI components. On the other hand, the retraining of AI models introduces new versions of data, code and configuration parameters. If federated learning is adopted, for each round of training, a global model is ensembled based on local models sent from participating clients [102]. It is important to capture all these dependencies during the development process. Multi-level co-versioning provides end-to-end traceability and accountability throughout the whole lifecycle of AI systems, but the collection and documentation of co-versioning information incur additional development cost. There have been many version control tools in industry focusing on supply chain level co-versioning, e.g., MLflow Model Registry on Databricks 919191https://docs.databricks.com/applications/mlflow/model-registry.html and Amazon provenance tool929292https://www.amazon.science/publications/automatically-tracking-metadata-and-provenance-of-machine-learning-experiments, and Data Version Control (DVC)939393https://dvc.org/.

5 Product Patterns

This section provides a system-level guidance on how to design the architecture of responsible AI systems. We present a collection of product patterns (i.e., design patterns) for building responsible-AI-by-design into AI systems. Broadly, an AI system is comprised by three layers: (1) the supply chain layer that generates the software components which compose the AI system, (2) the system layer which is deployed AI system, and (3) the operation infrastructure layer that provides auxiliary functions to the AI system. Fig. 7 presents the identified products patterns for each of the three layers. Those product patterns can be embedded into the AI ecosystems as product features. Fig. 7 illustrates a state diagram of a provisioned AI system and highlights the patterns associating with relevant states or transitions, which show when the product patterns could take effect.

Figure 6: Product patterns for responsible-AI-by-design architecture of an AI system.
Figure 7: Product patterns for responsible-AI-by-design.

5.1 Supply chain patterns

5.1.1 Bill of materials registry


Bill of materials registry [103, 44] can be designed to keep a formal machine-readable record of the supply chain details of the components used in building an AI system, including component name, version, supplier, dependency relationship, author, and timestamp. In addition to supply chain details of the components, context documents (like model cards [54] for reporting AI models, and datasheets for the datasets [56] used to train AI models) can also be integrated to the bill of materials registry. The main purpose of bill of materials registry is to provide traceability and transparency into the components within AI systems so that ethical issues can be tracked and addressed [104]. Some platforms manage bill of materials registry, such as OpenBOM 949494https://www.openbom.com/, Codenotary 959595https://codenotary.com/, Snorkel Flow 969696https://snorkel.ai/. Immutable data infrastructure can store the bill of materials to enable integrity. For example, the manufacturers of autonomous vehicles could maintain a material registry contract on blockchain to track their components’ supply chain information, e.g., the version and supplier of the third-party navigation component. Stakeholders can access the supply chain details of each component of interest in AI systems via bill of materials registry. As AI systems evolve over time, the bill of materials may need to be updated frequently. The cost of managing the bill of materials of all the components depends on the complexity of the AI system.

5.1.2 Verifiable ethical credential


Verifiable ethical credentials can be used as evidence of ethical compliance for AI systems, components, models, developers, operators979797https://certnexus.com/certification/ceet/, users, organizations, and development processes [105, 33, 106]. Verifiable credentials are data that could be cryptographically verified and be presented with strong proofs [107]. Publicly accessible data infrastructure needs to be built to support the generation and verification of the ethical credentials on a neutral platform. Before using AI systems, users may verify the systems’ ethical credential to check if the systems are compliant with AI ethics principles or regulations [105]. On the other hand, the users may be required to provide the ethical credentials to use and operate the AI systems, e.g., to ensure the flight safety of drones. Verifiable ethical credential helps increase user trust towards an AI system through conferring the trust that the user has with the authority that issues the credential to AI systems, organizations that develop AI systems and the operators that operate AI systems. Such transitive trust relationship is critical in the efficient functioning of the AI system. With an ethical credential, an AI system could provide proof of compliance as an incentive for the users to use the AI system, thus increase AI adoption. Ethical credential may be forged, which makes the verification of authenticity of the ethical credentials becomes challenging. Blockchain could be adopted to build the credential infrastructure to ensure data integrity. For example, Securekey 989898https://securekey.com/ is a blockchain-based infrastructure for ID management with support of verifiable credential.

5.1.3 Co-versioning registry


Compared with traditional software, AI systems involve different levels of dependencies and may evolve more frequently due to their data-dependent behaviors. From the viewpoint of the AI system, it is important to know the version of the AI component integrated into the system. From the viewpoint of the AI component, it is important to know what datasets and parameters were used to train the AI model and what data was used to evaluate the AI model. Co-versioning of the components or AI artifacts of AI systems provides end-to-end provenance guarantees across the entire lifecycle of AI systems. Co-versioning registry can track the co-evolution of components or AI artifacts [70, 102]. There are different levels of co-versioning: co-versioning of AI components and non-AI components, co-versioning of the artifacts within the AI components (i.e., co-versioning of data, model, code, configurations, and co-versioning of local models and global models in federated learning). Co-versioning enables effective maintenance and evolution of AI component because the deployed model or code can be traced to the exact set of artifacts, parameters and metadata that were used to develop the model and code. MLflow Model Registry 999999https://docs.databricks.com/applications/mlflow/model-registry.html is a model repository and set of APIs that enable management of the full lifecycle of MLflow Models, including model lineage and versioning.

5.1.4 Federated learner


Despite the widely deployed mobile or IoT devices generating massive amounts of data, lack of training data is still a challenge for AI systems given the increasing concern in data privacy. Federated learner trains an AI model across multiple edge devices or servers with local data samples. Federated learner [69, 102, 108, 109, 110, 111, 112, 113] preserves the data privacy by training models locally on the client devices and formulating a global model on a central server based on the local model updates, e.g., train the visual perception model locally in each vehicle. Decentralized learning is a variant of federated learning, which could use blockchain to remove the single point of failure and coordinate the learning process in a fully decentralized way [114]

. TensorFlow Federated 

100100100https://www.tensorflow.org/federated is an open-source framework for machine learning on decentralized data sources. FATE 101101101https://fate.fedai.org/ is an open-source project that support the federated AI ecosystem.

5.2 System patterns

5.2.1 AI mode switcher


When to use AI at decision making points can be a major architectural design decision when designing an AI system. Adding an AI mode switcher to the AI system offers users efficient invocation and dismissal mechanisms for activating and deactivating the AI component whenever needed, thus, defer the architectural decision to the execution time which is decided by the end user or the operator of the AI system. AI mode switcher is like a kill switch of AI system that could immediately shut down the AI component and thus, stop its negative effects [115, 116, 61], e.g., turning off the automated driving system and disconnecting it from the internet. The decisions made by the AI component can be executed automatically or reviewed by a human expert before being executed in critical situations. The human expert serves to approve or override the decisions (e.g., skipping the path generated by the navigation system). Human intervention can also happen after acting the AI decision through the fallback mechanism that reverses the system back to the state before executing the AI decision. A built-in guard can be used to ensure that the AI component is only activated within the predefined conditions (such as domain of use, boundaries of competence). The end users or the operators can ask questions or report complaints/failures/near misses through a recourse channel after observing a bad decision from AI component. Tesla autopilot 102102102https://www.tesla.com/autopilot has multiple driver assistance features that can be enabled or disabled during the driving. Users maintain control of the vehicles and can override the operations by these features at runtime. Baidu autonomous mini-bus Robobus 103103103https://apollo.auto/minibus/ requires a staff in the seat to supervise the self-driving operations, and the bus can be switched to manual driving mode by braking.

5.2.2 Multi-model decision maker


In reliability community of software system, traditional architecture-based software reliability is based on software component. The existing reliability practices, like redundancy, are also applicable to AI components in an AI system. In addition, reasonable combination of multiple AI models that are normally work independently could improve the performance (e.g., accuracy) of the AI component. Multi-model decision-maker employs different models to perform the same task or enable a single decision, e.g., deploying different algorithms for visual perception. It improves the reliability by deploying different models under different context (e.g., different geo-location regions) and enabling fault-tolerance by cross-validating ethical requirements for a single decision [117, 118]. Different consensus protocols could be defined to make the final decision, for example, taking the majority decision. Another strategy is to only accept the same results from the employed models. In addition, the end user or the operator could step in to review the output from the multiple models and make a final decision based on human’s expertise. Scikit-learn 104104104https://github.com/scikit-learn/scikit-learn

is a Python package that supports using multiple learning al-gorithms to obtain better performance through ensemble learning. AWS Fraud Detection Using Machine Learning solution trains an unsupervised anomaly detection model in addition to a supervised model, to augment the prediction results 

105105105https://aws.amazon.com/solutions/implementations/fraud-detection-using-machine-learning/. IBM Watson Natural Language Understanding uses an ensemble learning framework to include predictions from multiple emotion detection models 106106106https://www.ibm.com/au-en/cloud/watson-natural-language-understanding.

5.2.3 Homogeneous redundancy


N-version programming is a software design pattern to ensure fault tolerance of software [119]. Similarly, deploying multiple redundant and identical AI components (e.g., two brake control components) can be a solution to tolerate the individual AI component with high uncertainty that may make unethical decisions or the individual adversary hardware component that produces malicious data or behaves unethically [118]. A cross-check can be conducted for the outputs provided by multiple components of a single type. The results are accepted only there is a consensus among the redundant components. The results that are not accepted automatically according to a consensus protocol can be further reviewed by the end user or the operator of the AI system. Waymo 107107107https://waymo.com/ contains multiple redundant components at various levels, including redundant braking, steering, and inertial measurement systems for vehicle positioning.

5.3 Operation infrastructure patterns

5.3.1 Continuous ethical validator


AI components of an AI system often require continual learning based on new data collected during operation of the AI system. Continuous ethical validator deployed in an AI system continuously monitors and validates the outcomes of AI components (e.g., the path recommended by the navigation system) against the ethical requirements [101, 97]. The outcomes of AI systems are about whether the AI system provides the intended benefits and behaves appropriately given the situation. The time and frequency of validation can be configured. Version-based feedback and rebuild alert are sent when the predefined conditions regarding the ethical requirement are met. AWS SageMaker Model Monitor 108108108https://docs.aws.amazon.com/sagemaker/latest/dg/model-monitor.html continuously monitors the bias drift of the AI models in production. Qualdo 109109109https://www.qualdo.ai/monitor-ml-model-performance-monitoring/ is an AI monitoring solution that monitors data quality and model drift. Azure Machine Learning 110110110https://docs.microsoft.com/en-us/azure/machine-learning/monitor-azure-machine-learning uses Azure Monitor to create monitoring data. Azure Monitor is a full stack monitoring service.

5.3.2 Ethical sandbox


Given AI systems are of high stake, it is risky to run the entire system in the same execution environment. Ethical sandbox can be applied to isolate an AI component from other AI components and non-AI components by running the AI component separately in a safe environment [120]

, e.g. sandboxing the unverified visual perception component. Thus, the AI component could execute without affecting other components and the output of the AI system. Ethical sandbox is an emulated environment with no access to the rest of the AI system. An emulation environment duplicates all the hardware and software functionality of an AI system. Thus, developers could run an AI component safely to determine how it works and whether it is responsible before widely deploying the AI component. Maximal tolerable probability of violating the ethical requirements should be defined as ethical margin for the sandbox. A watch dog can be used to limit the execution time of the AI component to reduce the ethical risk, e.g., only activating the visual perception component for 5 mins on the bridges built especially for autonomous vehicles. Fastcase AI Sandbox 

111111111https://www.fastcase.com/sandbox/ provides a secure platform for the users to upload dataset and do data analysis in a safe environment. AI Sandbox 112112112https://aisandbox.dev/ provides an AI execution and RESTful interface that could be used by modern programming languages.

5.3.3 Ethical knowledge base


The ecosystem of AI systems involves broad ethical knowledge, such as AI ethics principles, regulations, and guidelines. Such ethical knowledge is scattered and is usually implicit or abstract to end users or even developers and data scientists who primarily without legal background and focus more on the technical aspects of AI systems. Ethical knowledge base, such as a knowledge graph, makes meaningful entities and concepts, and their relationships in design, implementation, deployment, and operation of AI systems [74, 76, 121]. With the ethical knowledge based, the rich semantic relationships between entities are explicit and traceable across heterogeneous high-level documents on one hand, and different artifacts across the AI system lifecycle on the other hand. Thus, ethical requirements of the AI system can be systematically accessed and analyzed using the ethical knowledge base. Awesome AI guidelines 113113113https://github.com/EthicalML/awesome-artificial-intelligence-guidelines aims to provide a mapping between ecosystem of guidelines, principles, codes of ethics, standards and regulation around artificial intelligence. The responsible AI community portal 114114114https://portal.responsible.ai/ is provided by AI Global, which is an evolving repository of reports, standards, models, government policies, datasets, and open-source software to inform and support responsible AI development. Responsible AI Knowledge-base 115115115https://github.com/alexandrainst/responsible-ai is a knowledge base of different areas of using and developing AI in a responsible way.

5.3.4 Ethical digital twin


Simulation is designed to imitate a real-world situation. Before running AI system in real-world, it is important to perform system-level simulation through an ethical digital twin running on a simulation infrastructure to understand the behaviors of the AI system and assess ethical risks in a cost-effective way. Digital twin [122] is introduced by NASA as a digital representation of a real system used in lab-testing activities. The digital twin of an AI system could be used to represent the behaviors of the AI system and forecast change impacts. Ethical digital twin can also be used during operation of the AI system to assess the system’s runtime behaviors and decisions based on the simulation model using the real-time data. The assessment results can be sent back to alert the system or user before the unethical behavior or decision takes effect [79]. Vehicle manufacturers can use the ethical digital twin to explore the limits of autonomous vehicles based on the collected real-time data, such as NVIDIA DRIVE Sim 116116116https://developer.nvidia.com/drive/drive-sim and rfPro 117117117https://www.rfpro.com/.

5.3.5 Incentive registry


Incentive mechanisms are effective treatments in motivating AI systems and encouraging the stakeholders involved in the AI system ecosystem to execute tasks in a responsible manner. An incentive registry records the rewards that correspond to the AI system’s ethical behavior and outcome of decisions [123, 124]

, e.g., rewards for path planning without ethical risks. There are various ways to formulate the incentive mechanism, for example, using reinforcement learning, or building the incentive mechanism on a publicly accessible data infrastructure like blockchain 

[124]. Traditional incentive mechanisms for human participants include reputation-based and payment-based. However, it is challenging to formulate the form of rewards in the context of responsible AI as the ethical impact of AI systems’ decisions and behaviors might hardly to be measured for some of the ethical principles (such as human values). Furthermore, the incentive mechanism needs to be agreed by all the stakeholders who may have different views on the ethical impact. In addition, there may be trade-offs between different principles, which makes the design harder. The Open Science Rewards and Incentives Registry 118118118https://openscienceregistry.org/ incentivizes the development of an academic career structure that fosters outputs, practices and behaviors to maximize contributions to a shared research knowledge system. FLoBC 119119119https://github.com/Oschart/FLoBC is a tool for federated learning over blockchain which utilizes a reward/punishment policy to incentivize legitimate training, and to punish and hinder malicious trainers.

Figure 8: Top 5 major industry players on responsible AI according to the number of tools.

5.3.6 Ethical blackbox


Black box was introduced initially for aircraft several decades ago for recording critical flight data. The intention of adding a black box to aircrafts is to collect evidence of the actions of system and the surrounding context information for analysis after near misses and failures. The near misses and failures are specific to the use cases. Although the primary usage of a black box is accident investigation, black boxes are useful for other purposes. Data collection and the analysis could support improvement of the system. The purpose of embedding an ethical black box in an AI system is to investigate why and how an AI system caused an accident or a near miss. The ethical black box continuously records sensor data, internal status data, decisions, behaviors (both system and operator) and effects [125, 126, 127]. For example, an ethical black box could be built into the automated driving system to record the behaviors of the system and driver and their effects [125]. All these data need to be kept as evidence with the timestamp and location data. Designing the ethical black box is challenging as the ethical metrics need to be identified for data collection. Also, design decisions need to be made on what data should be recorded and where the data should be stored (e.g. using a blockchain-based immutable log or a cloud-based data storage). RoBoTIPS 120120120https://www.robotips.co.uk/ aims to develop an ethical black box for social robots, to enable the explainability of their behavior.

5.3.7 Global view auditor


When an accident happens, there might be more than one AI systems or multiple AI components within on AI system involved (e.g., multiple autonomous vehicles in an accident). The data collected from each involved AI systems/components might conflict with each other since the individual AI system/component may have their own perception. Global-view auditor is a component that collects information from multiple AI components/AI systems, process the information to identify discrepancies among the information collected [128]. Based on the result, the global-view auditor may alert the AI system/component with wrong perception, thus, avoid negative impacts or identify liability when negative events occur. This pattern can be also used to improve the decision-making of an AI system by taking the knowledge from other systems. For example, an autonomous vehicle may increase their visibility using the perceptions of others to make better decisions at runtime. Global-view auditor enables accountability that cover different perceptions of AI components/systems that are involved and redresses the conflicting information collected from multiple AI components/ systems.

6 Related Work

The challenge of responsible AI has attracted significant attention in both industry and academia. To achieve responsible AI, there have been nearly 100 high-level AI ethics principles and guidelines issued by governments, organizations, and companies [1]. Some degree of consensus around AI ethics principles has been achieved [2]. A principle-based approach allows technology-independent operationalization of responsible AI. However, these principles are very abstract and high-level for stakeholders of AI systems to use in practice.

Significant efforts have been put on algorithm-level solutions which mainly focus on a subset of principles. Fig. 8 lists the top 5 major industry players on responsible AI according to their number of responsible AI tools based on the results of our MLR study. Most of these tools focus on privacy, security, reliability, safety, fairness, and explainability from an AI model perspective. More work is needed on transparency, accountability, contestability, human-centered values, and human, societal, and environmental wellbeing, particularly from a system perspective.

Overall, AI ethics principles need to be operationalized in the form of concrete patterns and best practices that are usable by AI developers and other stakeholders to build up responsible AI systems. Some add-hoc sets of guidebooks, question banks, checklists and templates have started to appear. Microsoft’s Human AI Interaction (HAX) Toolkit provides a set of HAX guidelines and patterns 121121121https://www.microsoft.com/en-us/haxtoolkit/ai-guidelines/. However, those guidelines and patterns only focus on interaction design and do not provide any guidance on development and governance. Google’s People AI Guidebook (PAIR) summaries 23 design patterns 122122122https://pair.withgoogle.com/guidebook/patterns which mainly address some of the AI ethics principles for AI models, including explainability, privacy, reliability. Process and governance guidelines are not discussed in Google’s PAIR. Although OECD provides a framework of tools for trustworthy AI [129], the framework largely contains categorised but disjointed software tools, lacking process-related linkages. Thus, a systematic and operationalized guidance for AI system stakeholders is required throughout the entire lifecycle of AI systems.

There have been a few survey papers on operationalizing responsible AI [98, 130, 131]. However, the findings and insights in these papers are still around principles and do not provide concrete and actionable guidelines for stakeholders to use in practice. Our previous roadmap paper [132] discusses the current state and identify the critical research challenges in the area of software engineering for responsible AI based on an initial systematic literature review. This pattern catalogue paper is built on top of the published roadmap and provides a comprehensive list of concrete patterns from multi-level governance patterns to process and product patterns based on the results of a multivocal literature review. In the Responsible AI Pattern Catalogue, we present structured knowledge about the patterns, including context, problem, solution, benefits, drawbacks, and known uses. The full version of the Responsible AI Pattern Catalogue is available online4.

7 Threats to Validity

External Validity - First, ”responsible AI” is loosely defined with many terms that refer to emerging technologies in this area. There is a set of terms currently being used in the community to mean largely the same thing: responsible AI, AI ethics, ethical AI, trustworthy AI, and trust in AI. This issue has been addressed by including search terms that are being used interchangeably in the search string to ensure that all the relevant work were covered. Another issue is that many solutions were initially designed only for addressing one of the AI ethics principles but could be identified as a pattern and extended to implement responsible AI. To mitigate this threat, we included all the AI ethics principles in the search string as supplementary terms.

Internal Validity - To mitigate the threat of not finding all relevant studies, we performed a rigorous search using defined keywords and executed snowballing that allows us to recover the missing studies from the literature. To address the bias, one researcher performed the screening of titles, abstracts and full-texts. The other researcher evaluated a random sample of the selected studies after screening to check the consistency of their inclusion/exclusion decisions.

8 Conclusion

To operationalize responsible AI, this paper adopts a pattern-oriented approach and presents a comprehensive responsible AI pattern catalogue that AI system stakeholders can utilise to ensure the developed AI systems are trustworthy throughout the entire governance and engineering lifecycle, from multi-level governance patterns to concrete process and product patterns. These patterns offer a systematic and actionable system-level guidance with consequence analysis and well-known uses for AI system stakeholders to reference during the governance and development processes. We are currently designing an ethical risk assessment tool that will use the responsible AI pattern catalogue as one of the knowledge sources to recommend mitigation strategies. For future work, we plan to design and develop tools to support the navigation and utilisation of the RAI pattern catalogue. We also plan to validate the utility, usability and effectiveness of the pattern catalogue and the supporting tools in industrial projects.

References

  • [1] A. Jobin, M. Ienca, and E. Vayena, “The global landscape of ai ethics guidelines,” Nature Machine Intelligence, vol. 1, no. 9, pp. 389–399, 2019.
  • [2] J. Fjeld et. al., “Principled artificial intelligence: Mapping consensus in ethical and rights-based approaches to principles for ai,” Berkman Klein Center Research Publication, no. 2020-1, 2020.
  • [3] Q. V. Liao, D. Gruen, and S. Miller, “Questioning the ai: informing design practices for explainable ai user experiences,” in Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, 2020, pp. 1–15.
  • [4] Q. V. Liao, M. Pribić, J. Han, S. Miller, and D. Sow, “Question-driven design process for explainable ai user experiences,” arXiv preprint arXiv:2104.03483, 2021.
  • [5] R. Larasati, A. De Liddo, and E. Motta, “Ai healthcare system interface: Explanation design for non-expert user trust,” in ACMIUI-WS 2021: Joint Proceedings of the ACM IUI 2021 Workshops, vol. 2903.   CEUR Workshop Proceedings, 2021.
  • [6] S.-H. Han and H.-J. Choi, “Checklist for validating trustworthy ai,” in 2022 IEEE International Conference on Big Data and Smart Computing (BigComp).   IEEE, 2022, pp. 391–394.
  • [7] I. D. Raji, A. Smart, R. N. White, M. Mitchell, T. Gebru, B. Hutchinson, J. Smith-Loud, D. Theron, and P. Barnes, “Closing the ai accountability gap: Defining an end-to-end framework for internal algorithmic auditing,” in Proceedings of the 2020 conference on fairness, accountability, and transparency, 2020, pp. 33–44.
  • [8] A. Jacovi, A. Marasović, T. Miller, and Y. Goldberg, “Formalizing trust in artificial intelligence: Prerequisites, causes and goals of human trust in ai,” in Proceedings of the 2021 ACM conference on fairness, accountability, and transparency, 2021, pp. 624–635.
  • [9] M. K. Ahuja, M.-B. Belaid, P. Bernabé, M. Collet, A. Gotlieb, C. Lal, D. Marijan, S. Sen, A. Sharif, and H. Spieker, “Opening the software engineering toolbox for the assessment of trustworthy ai,” arXiv preprint arXiv:2007.07768, 2020.
  • [10] B. Hutchinson, A. Smart, A. Hanna, E. Denton, C. Greer, O. Kjartansson, P. Barnes, and M. Mitchell, “Towards accountability for machine learning datasets: Practices from software engineering and infrastructure,” in Proceedings of the 2021 ACM Conference on Fairness, Accountability, and Transparency, 2021, pp. 560–575.
  • [11] Z. Zhou, Z. Li, Y. Zhang, and L. Sun, “Transparent-ai blueprint: Developing a conceptual tool to support the design of transparent ai agents,” International Journal of Human–Computer Interaction, pp. 1–28, 2022.
  • [12] D. Adkins, B. Alsallakh, A. Cheema, N. Kokhlikyan, E. McReynolds, P. Mishra, C. Procope, J. Sawruk, E. Wang, and P. Zvyagina, “Prescriptive and descriptive approaches to machine-learning transparency,” in CHI Conference on Human Factors in Computing Systems Extended Abstracts, 2022, pp. 1–9.
  • [13] K. Beck and W. Cunningham, “Using pattern languages for object oriented programs,” in Conference on Object-Oriented Programming, Systems, Languages, and Applications (OOPSLA), 1987.
  • [14] B. A. Kitchenham and S. Charters, “Guidelines for performing systematic literature reviews in software engineering,” Tech. Rep., 2007.
  • [15] V. Garousi, M. Felderer, and M. V. Mäntylä, “Guidelines for including grey literature and conducting multivocal literature reviews in software engineering,” Information and Software Technology, vol. 106, pp. 101–121, 2019. [Online]. Available: https://www.sciencedirect.com/science/article/pii/S0950584918301939
  • [16] DISER (Australian Government), “Australia’s AI Ethics Principles,” https://industry.gov.au/data-and-publications/australias-artificial-intelligence-ethics-framework/australias-ai-ethics-principles, 2020, accessed: 17 Aug 2022.
  • [17] R. C. Martin, D. Riehle, and F. Buschmann, Pattern languages of program design 3.   Addison-Wesley Longman Publishing Co., Inc., 1997.
  • [18] B. Shneiderman, “Bridging the gap between ethics and practice: Guidelines for reliable, safe, and trustworthy human-centered ai systems,” ACM Trans. Interact. Intell. Syst., vol. 10, no. 4, 2020.
  • [19] ——, “Responsible ai: Bridging from ethics to practice,” Communications of the ACM, vol. 64, no. 8, pp. 32–35, 2021.
  • [20] B. R. Jackson, Y. Ye, J. M. Crawford, M. J. Becich, S. Roy, J. R. Botkin, M. E. de Baca, and L. Pantanowitz, “The ethics of artificial intelligence in pathology and laboratory medicine: principles and practice,” Academic Pathology, vol. 8, p. 2374289521990784, 2021.
  • [21] J. Schaich Borg, “Four investment areas for ethical ai: Transdisciplinary opportunities to close the publication-to-practice gap,” Big Data & Society, vol. 8, no. 2, p. 20539517211040197, 2021.
  • [22] E. Papagiannidis, I. M. Enholm, C. Dremel, P. Mikalef, and J. Krogstie, “Deploying ai governance practices: A revelatory case study,” in Conference on e-Business, e-Services and e-Society.   Springer, 2021, pp. 208–219.
  • [23] J. C. Ibáñez and M. V. Olmeda, “Operationalising ai ethics: how are companies bridging the gap between practice and principles? an exploratory study,” AI & SOCIETY, pp. 1–25, 2021.
  • [24] V. Dignum, “Ensuring responsible ai in practice,” in Responsible Artificial Intelligence.   Springer, 2019, pp. 93–105.
  • [25] A. Zhobe, H. Jahankhani, R. Fong, P. Elevique, and H. Baajour, “The magic quadrant: Assessing ethical maturity for artificial intelligence,” in Cybersecurity, Privacy and Freedom Protection in the Connected World.   Springer, 2021, pp. 313–326.
  • [26] P. Fukas, J. Rebstadt, F. Remark, and O. Thomas, “Developing an artificial intelligence maturity model for auditing.” in ECIS, 2021.
  • [27] S. Alsheiabni, Y. Cheung, and C. Messom, “Towards an artificial intelligence maturity model: from science fiction to business facts,” 2019.
  • [28] A. Henriksen, S. Enni, and A. Bechmann, “Situated accountability: Ethical principles, certification standards, and explanation methods in applied ai,” in Proceedings of the 2021 AAAI/ACM Conference on AI, Ethics, and Society, 2021, pp. 574–585.
  • [29] C. D. Martin and T. T. Makoundou, “Taking the high road ethics by design in ai,” ACM Inroads, vol. 8, no. 4, pp. 35–37, 2017.
  • [30] R. H. Yap, “Towards certifying trustworthy machine learning systems,” in International Workshop on the Foundations of Trustworthy AI Integrating Learning, Optimization and Reasoning.   Springer, 2020, pp. 77–82.
  • [31] P. Cihon, M. J. Kleinaltenkamp, J. Schuett, and S. D. Baum, “Ai certification: Advancing ethical practice by reducing information asymmetries,” IEEE Transactions on Technology and Society, vol. 2, no. 4, pp. 200–209, 2021.
  • [32] P. Boza and T. Evgeniou, “Implementing ai principles: Frameworks, processes, and tools,” 2021.
  • [33] D. D. Luxton, “Recommendations for the ethical use and design of artificial intelligent care providers,” Artificial intelligence in medicine, vol. 62, no. 1, pp. 1–10, 2014.
  • [34] M. D. McCradden, S. Joshi, J. A. Anderson, M. Mazwi, A. Goldenberg, and R. Zlotnik Shaul, “Patient safety and quality improvement: Ethical principles for a regulatory approach to bias in healthcare machine learning,” Journal of the American Medical Informatics Association, vol. 27, no. 12, pp. 2024–2027, 2020.
  • [35] L. Zhu, X. Xu, Q. Lu, G. Governatori, and J. Whittle, “Ai and ethics—operationalizing responsible ai,” in Humanity Driven AI.   Springer, 2022, pp. 15–33.
  • [36] M. Sloane and J. Zakrzewski, “German ai start-ups and “ai ethics”: Using a social practice lens for assessing and implementing socio-technical innovation,” in 2022 ACM Conference on Fairness, Accountability, and Transparency, 2022, pp. 935–947.
  • [37] J. N. Hooker and T. W. N. Kim, “Toward non-intuition-based machine and artificial intelligence ethics: A deontological approach based on modal logic,” in Proceedings of the 2018 AAAI/ACM Conference on AI, Ethics, and Society, 2018, pp. 130–136.
  • [38] M. d’Aquin, P. Troullinou, N. E. O’Connor, A. Cullen, G. Faller, and L. Holden, “Towards an” ethics by design” methodology for ai research projects,” in Proceedings of the 2018 AAAI/ACM Conference on AI, Ethics, and Society, 2018, pp. 54–59.
  • [39] R. Benjamins, A. Barbado, and D. Sierra, “Responsible ai by design in practice,” arXiv preprint arXiv:1909.12838, 2019.
  • [40] R. Eitel-Porter, “Beyond the promise: implementing ethical ai,” AI and Ethics, vol. 1, no. 1, pp. 73–80, 2021.
  • [41] M. S. A. Lee and J. Singh, “Risk identification questionnaire for detecting unintended bias in the machine learning development lifecycle,” in Proceedings of the 2021 AAAI/ACM Conference on AI, Ethics, and Society, 2021, pp. 704–714.
  • [42] F. Redmill, “Risk analysisa subjective process,” Engineering Management Journal, vol. 12, no. 2, pp. 91–96, 2002.
  • [43] M. D. Schultz and P. Seele, “Towards ai ethics’ institutionalization: knowledge bridges from business ethics to advance organizational ai ethics,” AI and Ethics, pp. 1–13, 2022.
  • [44] I. Barclay, A. Preece, I. Taylor, and D. Verma, “Towards traceability in data ecosystems using a bill of materials model,” in International Workshop on Science Gateways.   CEUR-WS, 2019.
  • [45] NTIA, “The Minimum Elements For a Software Bill of Materials (SBOM),” https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf, 2021, accessed 18 Aug 2022.
  • [46] D. Kasenberg, T. Arnold, and M. Scheutz, “Norms, rewards, and the intentional stance: Comparing machine learning approaches to ethical training,” in Proceedings of the 2018 AAAI/ACM Conference on AI, Ethics, and Society, 2018, pp. 184–190.
  • [47] M. Sand, J. M. Durán, and K. R. Jongsma, “Responsibility beyond design: Physicians’ requirements for ethical medical ai,” Bioethics, vol. 36, no. 2, pp. 162–169, 2022.
  • [48] S. Amershi, A. Begel, C. Bird, R. DeLine, H. Gall, E. Kamar, N. Nagappan, B. Nushi, and T. Zimmermann, “Software engineering for machine learning: A case study,” in 2019 IEEE/ACM 41st International Conference on Software Engineering: Software Engineering in Practice (ICSE-SEIP).   IEEE, 2019, pp. 291–300.
  • [49] W. Hussain, M. Shahin, R. Hoda, J. Whittle, H. Perera, A. Nurwidyantoro, R. A. Shams, and G. Oliver, “How can human values be addressed in agilemethods a case study on safe,” IEEE Transactions on Software Engineering, 2022.
  • [50] Q. Lu, L. Zhu, X. Xu, J. Whittle, and Z. Xing, “Towards a roadmap on software engineering for responsible ai,” in 2022 IEEE/ACM 1st International Conference on AI Engineering – Software Engineering for AI (CAIN), 2022, pp. 101–112.
  • [51] R. V. Zicari, J. Brusseau, S. N. Blomberg, H. C. Christensen, M. Coffee, M. B. Ganapini, S. Gerke, T. K. Gilbert, E. Hickman, E. Hildt et al., “On assessing trustworthy ai in healthcare. machine learning as a supportive tool to recognize cardiac arrest in emergency calls,” Frontiers in Human Dynamics, p. 30, 2021.
  • [52] K.-E. K. Bilstrup, M. H. Kaspersen, and M. G. Petersen, “Staging reflections on ethical dilemmas in machine learning: A card-based design workshop for high school students,” in Proceedings of the 2020 ACM Designing Interactive Systems Conference, 2020, pp. 1211–1222.
  • [53] R. V. Zicari, S. Ahmed, J. Amann, S. A. Braun, J. Brodersen, F. Bruneault, J. Brusseau, E. Campano, M. Coffee, A. Dengel et al.

    , “Co-design of a trustworthy ai system in healthcare: deep learning based skin lesion classifier,”

    Frontiers in Human Dynamics, vol. 3, p. 688152, 2021.
  • [54] M. Mitchell, S. Wu, A. Zaldivar, P. Barnes, L. Vasserman, B. Hutchinson, E. Spitzer, I. D. Raji, and T. Gebru, “Model cards for model reporting,” in Proceedings of the conference on fairness, accountability, and transparency, 2019, pp. 220–229.
  • [55] A. Wadhwani and P. Jain, “Machine learning model cards transparency review: Using model card toolkit,” in 2020 IEEE Pune Section International Conference (PuneCon).   IEEE, 2020, pp. 133–137.
  • [56] T. Gebru, J. Morgenstern, B. Vecchione, J. W. Vaughan, H. Wallach, H. D. Iii, and K. Crawford, “Datasheets for datasets,” Communications of the ACM, vol. 64, no. 12, pp. 86–92, 2021.
  • [57] M. Arnold, R. K. Bellamy, M. Hind, S. Houde, S. Mehta, A. Mojsilović, R. Nair, K. N. Ramamurthy, A. Olteanu, D. Piorkowski et al., “Factsheets: Increasing trust in ai services through supplier’s declarations of conformity,” IBM Journal of Research and Development, vol. 63, no. 4/5, pp. 6–1, 2019.
  • [58] D. Adkins, B. Alsallakh, A. Cheema, N. Kokhlikyan, E. McReynolds, P. Mishra, C. Procope, J. Sawruk, E. Wang, and P. Zvyagina, “Method cards for prescriptive machine-learning transparency,” in 2022 IEEE/ACM 1st International Conference on AI Engineering–Software Engineering for AI (CAIN).   IEEE, 2022, pp. 90–100.
  • [59] C. Ebert and M. Weyrich, “Validation of autonomous systems,” IEEE Software, vol. 36, no. 5, pp. 15–23, 2019.
  • [60] L. Gauerhof, R. Hawkins, C. Picardi, C. Paterson, Y. Hagiwara, and I. Habli, “Assuring the safety of machine learning for pedestrian detection at crossings,” in International Conference on Computer Safety, Reliability, and Security.   Springer, 2020, pp. 197–212.
  • [61] G. PAIR, “People + ai guidebook,” pair.withgoogle.com/guidebook, 2021, accessed: 17 Aug 2022.
  • [62] A. Vogelsang and M. Borg, “Requirements engineering for machine learning: Perspectives from data scientists,” in 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW).   IEEE, 2019, pp. 245–251.
  • [63] J. Horkoff, “Non-functional requirements for machine learning: Challenges and new directions,” in 2019 IEEE 27th international requirements engineering conference (RE).   IEEE, 2019, pp. 386–391.
  • [64] A. Bibal, M. Lognoul, A. De Streel, and B. Frénay, “Legal requirements on explainability in machine learning,” Artificial Intelligence and Law, vol. 29, no. 2, pp. 149–169, 2021.
  • [65] H. Perera, R. Hoda, R. A. Shams, A. Nurwidyantoro, M. Shahin, W. Hussain, and J. Whittle, “The impact of considering human values during requirements engineering activities,” arXiv preprint arXiv:2111.15293, 2021.
  • [66] I. Society, P. Bourque, and R. Fairley, “Guide to the software engineering body of knowledge (swebok (r)),” 2014.
  • [67] E. Halme, V. Vakkuri, J. Kultanen, M. Jantunen, K.-K. Kemell, R. Rousi, and P. Abrahamsson, “How to write ethical user stories? impacts of the eccola method,” in International Conference on Agile Software Development.   Springer, Cham, 2021, pp. 36–52.
  • [68] H. Muccini and K. Vaidhyanathan, “Software architecture for ml-based systems: what exists and what lies ahead,” in 2021 IEEE/ACM 1st Workshop on AI Engineering-Software Engineering for AI (WAIN).   IEEE, 2021, pp. 121–128.
  • [69] S. K. Lo, Q. Lu, H.-Y. Paik, and L. Zhu, “Flra: A reference architecture for federated learning systems,” in European Conference on Software Architecture.   Springer, 2021, pp. 83–98.
  • [70] G. A. Lewis, I. Ozkaya, and X. Xu, “Software architecture challenges for ml systems,” in 2021 IEEE International Conference on Software Maintenance and Evolution (ICSME).   IEEE, 2021, pp. 634–638.
  • [71] S. Umbrello, “The role of engineers in harmonising human values for ai systems design,” Journal of Responsible Technology, vol. 10, p. 100031, 2022.
  • [72] M. Takeda, Y. Hirata, Y.-H. Weng, T. Katayama, Y. Mizuta, and A. Koujina, “Accountable system design architecture for embodied ai: a focus on physical human support robots,” Advanced Robotics, vol. 33, no. 23, pp. 1248–1263, 2019.
  • [73] B. Fish and L. Stark, “Reflexive design for fairness and other human values in formal models,” in Proceedings of the 2021 AAAI/ACM Conference on AI, Ethics, and Society, 2021, pp. 89–99.
  • [74] I. Naja, M. Markovic, P. Edwards, and C. Cottrill, “A semantic framework to support ai system accountability and audit,” in European Semantic Web Conference.   Springer, 2021, pp. 160–176.
  • [75] P. Ayranci, P. Lai, N. Phan, H. Hu, A. Kolinowski, D. Newman, and D. Dou, “Onml: an ontology-based approach for interpretable machine learning,”

    Journal of Combinatorial Optimization

    , pp. 1–24, 2022.
  • [76] K. Sekiguchi and K. Hori, “Organic and dynamic tool for use with knowledge base of ai ethics for promoting engineers’ practice of ethical ai design,” AI & SOCIETY, vol. 35, no. 1, pp. 51–71, 2020.
  • [77] M. Anderson and S. L. Anderson, “Geneth: A general ethical dilemma analyzer,” Paladyn, Journal of Behavioral Robotics, vol. 9, no. 1, pp. 337–357, 2018.
  • [78] V. Singh, S. K. S. Hari, T. Tsai, and M. Pitale, “Simulation driven design and test for safety of ai based autonomous vehicles,” in

    Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition

    , 2021, pp. 122–128.
  • [79] A. Dosovitskiy, G. Ros, F. Codevilla, A. Lopez, and V. Koltun, “Carla: An open urban driving simulator,” in Conference on robot learning.   PMLR, 2017, pp. 1–16.
  • [80] C. Regli and B. Annighoefer, “An anthropomorphic approach to establish an additional layer of trustworthiness of an ai pilot,” in Software Engineering 2022 Workshops.   Gesellschaft für Informatik eV, 2022.
  • [81] S. F. Jentzsch, S. Höhn, and N. Hochgeschwender, “Conversational interfaces for explainable ai: a human-centred approach,” in International Workshop on Explainable, Transparent Autonomous Agents and Multi-Agent Systems.   Springer, 2019, pp. 77–92.
  • [82] F. Hussain, R. Hussain, B. Noye, and S. Sharieh, “Enterprise api security and gdpr compliance: Design and implementation perspective,” IT Professional, vol. 22, no. 5, pp. 81–89, 2020.
  • [83] H. J. Pandit, D. O’Sullivan, and D. Lewis, “Towards knowledge-based systems for gdpr compliance.” in CKGSemStats@ ISWC, 2018.
  • [84] M. Fan, L. Yu, S. Chen, H. Zhou, X. Luo, S. Li, Y. Liu, J. Liu, and T. Liu, “An empirical evaluation of gdpr compliance violations in android mhealth apps,” in 2020 IEEE 31st international symposium on software reliability engineering (ISSRE).   IEEE, 2020, pp. 253–264.
  • [85] E. Mitchell, P. Henderson, C. D. Manning, D. Jurafsky, and C. Finn, “Self-destructing models: Increasing the costs of harmful dual uses in foundation models,” in First Workshop on Pre-training: Perspectives, Pitfalls, and Paths Forward at ICML 2022, 2002.
  • [86] T. Shevlane, “Structured access to ai capabilities: an emerging paradigm for safe ai deployment,” arXiv preprint arXiv:2201.05159, 2022.
  • [87] N. Six, A. Perrichon-Chrétien, and N. Herbaut, “Saiaas: A blockchain-based solution for secure artificial intelligence as-a-service,” in The International Conference on Deep Learning, Big Data and Blockchain.   Springer, 2021, pp. 67–74.
  • [88] A. Chattopadhyay, A. Ali, and D. Thaxton, “Assessing the alignment of social robots with trustworthy ai design guidelines: A preliminary research study,” in Proceedings of the Eleventh ACM Conference on Data and Application Security and Privacy, 2021, pp. 325–327.
  • [89] W. Xie and P. Wu, “Fairness testing of machine learning models using deep reinforcement learning,” in 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom).   IEEE, 2020, pp. 121–128.
  • [90] A. Aggarwal, P. Lohia, S. Nagar, K. Dey, and D. Saha, “Black box fairness testing of machine learning models,” in Proceedings of the 2019 27th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, 2019, pp. 625–635.
  • [91] R. B. L. Dixon, “A principled governance for emerging ai regimes: lessons from china, the european union, and the united states,” AI and Ethics, pp. 1–18, 2022.
  • [92] C. Murphy, G. E. Kaiser, and M. Arias, “An approach to software testing of machine learning applications,” 2007.
  • [93] N. J. Goodall, “Machine ethics and automated vehicles,” in Road vehicle automation.   Springer, 2014, pp. 93–102.
  • [94] N. Mehrabi, F. Morstatter, N. Saxena, K. Lerman, and A. Galstyan, “A survey on bias and fairness in machine learning,” ACM Computing Surveys (CSUR), vol. 54, no. 6, pp. 1–35, 2021.
  • [95] S. Martínez-Fernández, X. Franch, A. Jedlitschka, M. Oriol, and A. Trendowicz, “Developing and operating artificial intelligence models in trustworthy autonomous systems,” in International Conference on Research Challenges in Information Science.   Springer, 2021, pp. 221–229.
  • [96] T. Hirsch, K. Merced, S. Narayanan, Z. E. Imel, and D. C. Atkins, “Designing contestability: Interaction design, machine learning, and mental health,” in Proceedings of the 2017 Conference on Designing Interactive Systems, 2017, pp. 95–99.
  • [97] M. M. John, H. Holmström Olsson, and J. Bosch, “Architecting ai deployment: A systematic review of state-of-the-art and state-of-practice literature,” in International Conference on Software Business.   Springer, 2020, pp. 14–29.
  • [98] D. Schiff, B. Rakova, A. Ayesh, A. Fanti, and M. Lennon, “Principles to practices for responsible ai: closing the gap,” arXiv preprint arXiv:2006.04707, 2020.
  • [99] R. V. Zicari, J. Brodersen, J. Brusseau, B. Düdder, T. Eichhorn, T. Ivanov, G. Kararigas, P. Kringen, M. McCullough, F. Möslein et al., “Z-inspection®: a process to assess trustworthy ai,” IEEE Transactions on Technology and Society, vol. 2, no. 2, pp. 83–97, 2021.
  • [100] J. Henderson, S. Sharma, A. Gee, V. Alexiev, S. Draper, C. Marin, Y. Hinojosa, C. Draper, M. Perng, L. Aguirre et al., “Certifai: a toolkit for building trust in ai systems,” in Proceedings of the Twenty-Ninth International Conference on International Joint Conferences on Artificial Intelligence, 2021, pp. 5249–5251.
  • [101] M. Staples, L. Zhu, and J. Grundy, “Continuous validation for data analytics systems,” in Proceedings of the 38th International Conference on Software Engineering Companion, 2016, pp. 769–772.
  • [102] S. K. Lo, Q. Lu, L. Zhu, H.-y. Paik, X. Xu, and C. Wang, “Architectural patterns for the design of federated learning systems,” Journal of Systems and Software, vol. 191, p. 111357, 2022.
  • [103] T. U. S. D. of Commerce, “The minimum elements for a software bill of materials (sbom),” https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf, 2021, accessed 17 Aug 2022.
  • [104] I. Barclay, A. Preece, I. Taylor, S. K. Radha, and J. Nabrzyski, “Providing assurance and scrutability on shared data and machine learning models with verifiable credentials,” Concurrency and Computation: Practice and Experience, p. e6997, 2022.
  • [105] W. Chu, “A decentralized approach towards responsible ai in social ecosystems,” in Proceedings of the International AAAI Conference on Web and Social Media, vol. 16, 2022, pp. 79–89.
  • [106] M. C. Paulk, B. Curtis, M. B. Chrissis, and C. V. Weber, “Capability maturity model, version 1.1,” IEEE software, vol. 10, no. 4, pp. 18–27, 1993.
  • [107] W. W. W. Consortium et al., “Verifiable credentials data model 1.0: Expressing verifiable information on the web,” https://www. w3. org/TR/vc-data-model/?# core-data-model, 2019.
  • [108] K. Bonawitz, V. Ivanov, B. Kreuter, A. Marcedone, H. B. McMahan, S. Patel, D. Ramage, A. Segal, and K. Seth, “Practical secure aggregation for privacy-preserving machine learning,” in proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017, pp. 1175–1191.
  • [109] A. A. Süzen and M. A. Şimşek, “A novel approach to machine learning application to protection privacy data in healthcare: Federated learning,” Namık Kemal Tıp Dergisi, vol. 8, no. 1, pp. 22–30, 2020.
  • [110] S. Bennati and C. M. Jonker, “Primal: A privacy-preserving machine learning method for event detection in distributed sensor networks,” arXiv preprint arXiv:1703.07150, 2017.
  • [111] W. Verachtert, T. J. Ashby, I. Chakroun, R. Wuyts, S. Das, S. Halder, and P. Leray, “Privacy preserving amalgamated machine learning for process control,” in Metrology, Inspection, and Process Control for Semiconductor Manufacturing XXXV, vol. 11611.   SPIE, 2021, pp. 329–341.
  • [112] N. Sugianto, D. Tjondronegoro, R. Stockdale, and E. I. Yuwono, “Privacy-preserving ai-enabled video surveillance for social distancing: Responsible design and deployment for public spaces,” Information Technology & People, 2021.
  • [113] S. K. Lo, Y. Liu, Q. Lu, C. Wang, X. Xu, H.-Y. Paik, and L. Zhu, “Blockchain-based trustworthy federated learning architecture,” arXiv preprint arXiv:2108.06912, 2021.
  • [114] S. Warnat-Herresthal, H. Schultze, K. L. Shastry, S. Manamohan, S. Mukherjee, V. Garg, R. Sarveswara, K. Händler, P. Pickkers, N. A. Aziz et al., “Swarm learning for decentralized and confidential clinical machine learning,” Nature, vol. 594, no. 7862, pp. 265–270, 2021.
  • [115] P. Vassilakopoulou, “Sociotechnical approach for accountability by design in ai systems.” in ECIS, 2020.
  • [116] Microsoft, “Microsoft hax toolkit,” https://www.microsoft.com/en-us/haxtoolkit/, 2022, accessed: 17 Aug 2022.
  • [117] J. Dai, S. Lei, L. Dong, X. Lin, H. Zhang, D. Sun, and K. Yuan, “More reliable ai solution: Breast ultrasound diagnosis using multi-ai combination,” arXiv preprint arXiv:2101.02639, 2021.
  • [118] M. Nafreen, S. Bhattacharya, and L. Fiondella, “Architecture-based software reliability incorporating fault tolerant machine learning,” in 2020 Annual Reliability and Maintainability Symposium (RAMS).   IEEE, 2020, pp. 1–6.
  • [119] J. C. Knight, “N-version programming,” Encyclopedia of Software Engineering, 2002.
  • [120] A. Lavaei, B. Zhong, M. Caccamo, and M. Zamani, “Towards trustworthy ai: safe-visor architecture for uncertified controllers in stochastic cyber-physical systems,” in Proceedings of the Workshop on Computation-Aware Algorithmic Design for Cyber-Physical Systems, 2021, pp. 7–8.
  • [121] I. Esnaola-Gonzalez, “An ontology-based approach for making machine learning systems accountable,” 2021.
  • [122] M. Shafto, M. Conroy, R. Doyle, E. Glaessgen, C. Kemp, J. LeMoigne, and L. Wang, “Modeling, simulation, information technology & processing roadmap,” National Aeronautics and Space Administration, vol. 32, no. 2012, pp. 1–38, 2012.
  • [123] J. Weng, J. Weng, J. Zhang, M. Li, Y. Zhang, and W. Luo, “Deepchain: Auditable and privacy-preserving deep learning with blockchain-based incentive,” IEEE Transactions on Dependable and Secure Computing, vol. 18, no. 5, pp. 2438–2455, 2019.
  • [124] W. Zhang, Q. Lu, Q. Yu, Z. Li, Y. Liu, S. K. Lo, S. Chen, X. Xu, and L. Zhu, “Blockchain-based federated learning for device failure detection in industrial iot,” IEEE Internet of Things Journal, vol. 8, no. 7, pp. 5926–5937, 2020.
  • [125] G. Falco and J. E. Siegel, “A distributedblack box’audit trail design specification for connected and automated vehicle data and software assurance,” arXiv preprint arXiv:2002.02780, 2020.
  • [126] A. F. Winfield and M. Jirotka, “The case for an ethical black box,” in Annual Conference Towards Autonomous Robotic Systems.   Springer, 2017, pp. 262–273.
  • [127] G. Falco, B. Shneiderman, J. Badger, R. Carrier, A. Dahbura, D. Danks, M. Eling, A. Goodloe, J. Gupta, C. Hart et al., “Governing ai safety through independent audits,” Nature Machine Intelligence, vol. 3, no. 7, pp. 566–571, 2021.
  • [128] B. S. Miguel, A. Naseer, and H. Inakoshi, “Putting accountability of ai systems into practice,” in Proceedings of the Twenty-Ninth International Conference on International Joint Conferences on Artificial Intelligence, 2021, pp. 5276–5278.
  • [129] OECD, “Tools for trustworthy ai,” 2021. [Online]. Available: https://www.oecd-ilibrary.org/content/paper/008232ec-en
  • [130] K. Smit, M. Zoet, and J. van Meerten, “A review of ai principles in practice,” 2020.
  • [131] M. Anagnostou, O. Karvounidou, C. Katritzidaki, C. Kechagia, K. Melidou, E. Mpeza, I. Konstantinidis, E. Kapantai, C. Berberidis, I. Magnisalis et al., “Characteristics and challenges in the industries towards responsible ai: a systematic literature review,” Ethics and Information Technology, vol. 24, no. 3, pp. 1–18, 2022.
  • [132] Q. Lu, L. Zhu, X. Xu, J. Whittle, and Z. Xing, “Towards a roadmap on software engineering for responsible ai,” arXiv preprint arXiv:2203.08594, 2022.