AI Regulatory Affairs Specialist Interview Questions

A strong answer defines SaMD per IMDRF, explains it is intended for medical purposes without being part of a hardware medical device, and contrasts it with Software in a Medical Device (SiMD).

Cover the predicate-device concept for 510(k), De Novo as a novel low-to-moderate risk pathway, and PMA as the highest-risk pathway requiring clinical trial data.

Explain that a PCCP pre-specifies allowable modifications to an AI model-data updates, retraining schedules, performance thresholds-so changes can be made without a new submission.

Describe the EU AI Act's risk-based framework, highlight that health-related AI is often classified as high-risk, and note requirements for transparency, data governance, and conformity assessment.

A model card (per Mitchell et al.) documents model performance across subgroups, intended use, limitations, and ethical considerations-it supports transparency and regulatory review.

Cover FDA SaMD risk categorization (informed by healthcare situation and significance of information), EU MDR classification rules, and EU AI Act high-risk designation, noting overlaps and divergences.

Discuss data source documentation, inclusion/exclusion criteria, labeling methodology, de-identification, consent review, data versioning, and alignment with datasheets-for-datasets or FDA data management guidance.

Locked algorithms produce fixed outputs from fixed logic; adaptive algorithms change over time. Locked models follow traditional submission; adaptive models require PCCPs, change management, and ongoing monitoring.

Discuss literature-based clinical evidence, usability studies, and clinical investigations. Lower-risk products may rely on bench testing and published literature; higher-risk products typically need prospective clinical trials.

ISO 14971 provides the risk management framework. AI-specific hazards include data drift, distributional shift, automation bias, model opacity, adversarial inputs, and demographic performance gaps.

Cover real-world performance monitoring metrics, adverse event reporting triggers, periodic safety update reports, user feedback loops, automated drift detection, and re-validation cadence.

IEC 62304 defines software lifecycle processes for medical device software. Map ML lifecycle stages (data prep, training, validation, deployment) to IEC 62304 processes, assigning safety classes A/B/C based on potential harm.

Discuss root-cause analysis (distribution shift, dataset bias), immediate risk mitigation, plan for additional diverse validation data, regulatory notification requirements, and updating the PCCP.

Describe generating global and local feature-importance explanations, documenting them in model reports, relating them to clinical plausibility, and acknowledging limitations of post-hoc explanation methods.

Cover device description, intended purpose, design and manufacturing info, general safety and performance requirements, benefit-risk analysis, clinical evaluation, labeling, and software lifecycle documentation.

Address classification as high-risk under both FDA and EU AI Act, clinical validation for text generation accuracy and safety, hallucination risk management, human-in-the-loop requirements, and the challenge of explainability for generative models.

Discuss data provenance gaps in pre-trained models, transfer learning validation, bias inheritance from pre-training data, computational cost of re-validation, and evolving FDA thinking on modular AI systems.

Explain aligning CI/CD pipelines with IEC 62304 change management, using PCCPs for pre-approved change envelopes, automated validation gates, and maintaining a regulatory audit trail through Git-based version control.

Cover selecting protected attributes relevant to the clinical context, defining performance metrics across subgroups, setting minimum subgroup sample sizes, establishing statistical significance thresholds, and documenting limitations and mitigation strategies.

Evaluate whether the change falls within the PCCP's pre-approved envelope, assess clinical significance of the pediatric specificity drop, determine if a supplemental submission is needed, notify the health system customers, and update risk management and labeling.

Discuss the challenge of validating each modality and their interaction, clinical study design for composite AI, traceability requirements across data pipelines, and the need for modular risk analysis per IEC 62304.

Prepare a comprehensive briefing document with clinical need justification, proposed regulatory pathway (likely De Novo), predicate search results, proposed special controls, draft clinical validation plan, and specific questions for the agency.

Discuss sharing sufficient detail for regulatory and clinical review while protecting proprietary architecture and training data, using confidential commercial information designations in submissions, and structured disclosure strategies.

Address the dual regulatory burden, Notified Body scope under IVDR, AI Act's additional requirements for data governance and transparency, how to create a unified technical file, and timeline considerations for the transition period.

Design automated dashboards tracking clinical performance metrics, drift detection, fairness metrics, and adverse events. Explain integration with CAPA systems, periodic reporting cadence, and harmonized reporting to both FDA and EU authorities.

Assess the severity and likelihood of harm, check if the PCCP covers this type of retraining, coordinate with the data science team to source additional rare-subtype data, evaluate regulatory reporting obligations, and update risk management documentation.

Block deployment until subgroup validation is complete, explain the regulatory requirement for demographic performance data, propose a rapid validation protocol, and check alignment with the approved PCCP.

Compile detailed data provenance documentation, prepare SHAP/LIME analysis summaries, draft clear narrative explanations tied to clinical rationale, consult with the data-science team on technical accuracy, and review for completeness against FDA's questions.

Conduct an immediate internal audit of your product's demographic performance, review your own training data for similar biases, assess whether your post-market monitoring would have caught the issue, and proactively communicate findings to regulators if needed.

Conduct EU MDR classification, identify a Notified Body, prepare technical documentation per Annex II/III, perform a gap analysis against EU AI Act high-risk requirements, establish EU-authorized representative, and plan clinical evaluation per MEDDEV 2.7/1 Rev 4.

Immediately escalate to legal and ethics teams, conduct a retrospective ethics review, assess whether the submission data is compromised, consider voluntary supplemental notification to the FDA, and implement stronger data governance controls for the future.

Explain the regulatory risk of off-label use for AI devices, assess whether a new 510(k) or De Novo submission is required, evaluate the clinical and liability implications, and recommend a formal regulatory pathway before expanding use.

Present your IEC 62304-compliant change management SOP, version-controlled code and model artifacts in GitHub, PCCP documentation, validation records for each model update, and audit trail from your CI/CD pipeline.

Research the specific requirements of the local regulatory authority, prepare supplementary AI documentation (model cards, bias reports, data governance records), engage local regulatory consultants if needed, and harmonize documentation with existing global submissions.

Activate your adverse event monitoring protocol, assess whether the errors constitute reportable events, implement immediate safeguards (e.g., mandatory disclaimers, escalation to human providers), coordinate communications with PR and legal, and plan a risk mitigation update.

Explain logging hyperparameters, training data versions, model architecture, and validation metrics per training run. Discuss W&B's integration with Git for reproducibility, artifact versioning for datasets, and exporting run reports as supporting documentation for submissions.

Generate global SHAP summary plots showing feature importance aligned with clinical expectations, create patient-level SHAP force plots for representative cases, document the clinical rationale for top features, and acknowledge limitations of post-hoc interpretability.

Configure SageMaker endpoints to log predictions with demographic metadata, schedule periodic Fairlearn evaluation jobs to compute fairness metrics (e.g., equalized odds, demographic parity), set alert thresholds, and feed results into a Grafana dashboard for regulatory review.

Configure GitHub Actions to run automated tests, model validation checks, and documentation generation on every push. Use signed commits, branch protection rules, required reviews, and artifact storage. Explain how this maps to IEC 62304 change control requirements.

Use MLflow Tracking for experiment logging, MLflow Model Registry for staging (development, validation, production) with approval workflows, and MLflow's deployment monitoring capabilities. Discuss how registry metadata supports regulatory traceability.

Include intended use and out-of-scope use cases, training data description with demographic breakdown, performance metrics disaggregated by subgroup, bias and limitations discussion, ethical considerations, and regulatory context. Reference Model Card Push-to-Hub workflow for versioning.

Use LangChain's evaluation chains to run batch evaluations against curated clinical question sets, implement toxicity and hallucination checks, compare outputs against ground-truth clinical guidelines, log results for regulatory traceability, and iterate on prompt engineering based on failure modes.

Define baseline data statistics from the validation dataset, configure SageMaker to compare incoming inference data against baselines using statistical tests (KL divergence, chi-squared), set alerting thresholds tied to clinical significance, and generate automated periodic reports.

Load the model and test dataset, configure performance and fairness metrics across demographic features, explore counterfactual examples (e.g., changing a patient's age or sex), document findings with screenshots and narrative, and translate insights into actionable bias mitigation steps.

Structure the notebook with clear narrative sections (data loading, preprocessing, model inference, metric computation, subgroup analysis), use pinned library versions via requirements.txt or Docker, execute with nbval for reproducibility checks, and export as PDF with embedded outputs.

Look for evidence of clear communication, ability to explain regulatory risk in business terms, willingness to escalate when necessary, and a collaborative rather than adversarial approach.

Assess the candidate's learning strategy, resourcefulness, ability to synthesize complex information, and how they translated new knowledge into actionable recommendations.

Look for strategies like early involvement in product development, creating lightweight regulatory playbooks, using agile regulatory milestones, and building mutual respect through education and shared goals.

Evaluate the candidate's proactive risk identification, ability to communicate urgency without causing panic, documentation of the risk, and the outcome of their intervention.

Look for systematic approaches: subscribing to regulatory intelligence services, participating in industry working groups (e.g., AdvaMed, MDMA), following FDA guidances and EU AI Office publications, attending RAPS conferences, and engaging with professional communities.