Next generation sequencing guidances intended to further precision medicine

The FDA is doing its part to support the precision medicine initiative by focusing on genomic study. Two draft guidances related to next generation sequencing (NGS) are intended to help industry continue pursuing innovation in the field while ensuring that tests are accurate and provide actionable results. The first draft guidance provides recommendations for NGS tests for hereditary diseases, and the second involves reliance on clinical evidence from existing genome databases to assist in obtaining marketing clearance or approval. The notices will officially publish in the Federal Register on July 8, 2016.

Sequencing for diagnosing hereditary diseases

Most in vitro diagnostic (IVD) tests are designed to search for certain genetic variants to test for known conditions, but NGS tests are designed to measure millions of substances and may detect new variations. These tests have broad uses, and the FDA has held various discussions to determine the best approach for regulatory oversight. At this time, NGS-based tests are automatically classified as Class III devices and subject to a premarket approval application (PMA). These tests may be reclassified into Class II following the de novo review process.

NGS-based testing will typically include several elements, from reagents to software, as well as a lengthy number of steps. Test developers should support the analytical validation by conforming with FDA standards or special controls to demonstrate that the developer has properly identified the intended clinical use and that the test is designed appropriately. This includes providing the indications for use, specific user needs for the test, specimen type, genome regions, performance needs, and components and methods for the test.

Database use

The FDA acknowledged that the adoption of NGS testing has generated an increasing amount of data, but noted that the newly discovered genetic variants are difficult to obtain and not publicly accessible. The aggregation of clinical genotype-phenotype association in generic variant databases could increase the amount of useful clinical evidence, which the agency encourages. If these databases follow the recommendations contained in the guidance, the agency would consider data and assertions obtained from these databases valid scientific evidence.

A database should: (1) provide sufficient information and assurances regarding the quality of source data; (2) provide transparency about the data source; (3) collect, store, and report data in compliance with regulations governing protected health information, data security, and subject protections; and (4) include information generated from validated methods. The database should strive for transparency and public accessibility, have a defined standard operating procedure (SOP), preserve data, and strive for a high level of security and privacy. The data must be of sufficient quality to ensure that the assertions made are accurate. Interpretation and assertions should conform to well-defined SOPs. The agency will also implement a recognition process for databases and their assertions.

FDA provides guidance on addressing cybersecurity threats to medical devices

The FDA released a draft guidance to notify the industry and FDA staff about its recommendations for dealing with postmarket cybersecurity vulnerabilities for marketed medical devices. The draft guidance, which was announced in an advance release, provides specific recommendations for manufacturers but also encourages them to address cybersecurity issues throughout the entire lifecycles of their products.

Networked devices

An increasing number of medical devices are designed so that they can be networked to assist with patient care. Such networked devices, like any networked computer system, use software that can be vulnerable to cybersecurity threats, which can present a risk to the safety and effectiveness of the devices. Therefore, manufacturers should take a proactive approach to addressing cybersecurity risks in medical devices to reduce the risks to patient safety and public health.

Postmarket recommendations

The draft guidance contains the FDA’s postmarket recommendations and emphasizes that manufactures should monitor and address any cybersecurity vulnerabilities as part of their postmarket management of medical devices. In most cases, the manufacturers will be performing routine updates or patches, which would not require advance notification to the FDA or reporting under 21 C.F.R. part 806. However, for cybersecurity vulnerabilities that could compromise a device’s essential clinical performance and present a probability of serious adverse health consequences or death, the manufacturers would be required to notify the FDA (21 C.F.R. Sec. 806.10).

Proactive approach

The FDA believes that the public and private stakeholders must collaborate to use available resources and tools to assess risks and identify vulnerabilities in medical devices so as to mitigate cybersecurity threats. It recommends that manufacturers take a proactive, risk-based approach for the postmarket phases of medical devices, which includes cybersecurity information sharing, “good cyber hygiene” or routine device cyber maintenance, postmarket information assessments, vulnerability identification, and timely implementation of necessary risk mitigation actions.


The draft guidance applies to medical devices that contain software, including firmware or programmable logic. It also applies to software that is a medical device. However, the guidance does not apply to experimental or investigational medical devices.