Policy: Public information

Overview

Scarlet is an independent, non-governmental, certifying organisation.

Scarlet certifies medical software. Our approach is designed to enable customers (or “Clients”) to implement frequent software releases.

Scarlet operates in the European Union and in the United Kingdom. We only accept submissions and correspondence in English.

This policy is relevant to potential or current Clients of Scarlet’s conformity assessment services.

This policy is for information only. In the event of any conflict between this policy and our customer contract, we rely on our customer contract.

Systems and schemes that we certify

Scarlet provides conformity assessment activities in respect of:

ISO 13485: ISO 13485:2016 (Medical Devices - Quality Management Systems - Requirements for Regulatory Purpose)

  • This assessment covers quality management systems in the EU and in the UK. It does not cover product conformity.
  • Clients wanting to release medical devices must therefore achieve certification under EU MDR or UK MDR, as follows.

EU MDR: Regulation (EU) 2017/745; Annex IX Chapters I, II and III.

  • This assessment is for those wanting to sell their product in the EU, Norway, Iceland, Lichtenstein, Switzerland, Turkey, or for a limited time, the UK, under a CE marking.
  • It extends to medical devices of the following risk classes: Class Im, Class IIa, Class IIb, Class III.
  • Class Im devices will only be assessed on the aspects relating to the conformity of the devices with metrological requirements.

UK MDR: Part II of The Medical Devices Regulations 2002.

  • This assessment is for those wanting to sell their product in the UK under a UKCA marking.
  • It extends to medical devices of the following risk classes: Class Im, Class IIa, Class IIb, Class III.

ISO 13485 is harmonised under EU MDR and UK MDR. Scarlet uses the requirements of ISO 13485 in combination with respective regulatory requirements to assess the quality management system.

Although Clients must show compliance with ISO 13485, an ISO 13485 certificate is not a prerequisite to obtaining a CE or UKCA marking.

Clients can, however, choose to obtain an ISO 13485 certificate from Scarlet.

Application and audit cycles

Clients apply to Scarlet by:

  • completing a pre-application eligibility and risk classification check; then
  • inputting a full set of data about their quality management systems and/or products into Scarlet's structured application form.

Scarlet will review the full set of data against the relevant regulatory requirements.

Pre-application verification process

Our pre-application process includes 2 parts;

  • Part 1: a Product Call and technical set up;
  • Part 2: pre-application eligibility and risk classification check.

Scarlet will assess the data that Clients provide in the pre-application verification process to:

  • verify eligibility of a product for certification by Scarlet;
  • verify the risk class of the device(s) a product is comprised of; and
  • calculate a bespoke quote for the cost of certifying a product.

We then sign a contract.

ISO 13485:2016

Our review of Client’s quality management systems for ISO 13485:2016 involves the following audit processes:

  1. Stage 1 audit;
  2. Stage 2 audit;
  3. (optional) Close out audit;
  4. ISO 13485:2016 certification decision;
  5. within 12 months after certification, surveillance audit;
  6. within 12 months after surveillance audit, a second audit;
  7. unannounced audits;
  8. 4 months before certificate expiry, a recertification audit.

The total certification cycle will not exceed 3 years.

EU MDR and UK MDR

Our review of Client’s devices under EU MDR and UK MDR involves the following audit processes:

  1. Stage 1 audit;
  2. Stage 2 audit;
  3. (optional) Close out audit;
  4. Technical documentation review;
  5. surveillance audits, at least every 12 months;
  6. unannounced audits;
  7. 4 months before certificate expiry, a recertification audit.

At the time of granting the certificate, Scarlet will decide its expiry date, taking into account the novelty, risk classification, clinical evaluation, and conclusions from the risk analysis of the product.

The total certification cycle will not exceed 5 years.

The number of surveillance audits will be determined by the length of the certification cycle.

Audit processes

This section describes our audit processes in more detail.

Stage 1 audit

  • Our Stage 1 audit involves an initial assessment of the state of Client's quality management system and determines Client’s readiness for a Stage 2 audit.
  • A Client may be required to repeat a Stage 1 audit.

Stage 2 audit

  • A Stage 2 audit is a further assessment of Client’s quality management system and its alignment with the applicable standard and regulations.
  • Following a Stage 2 audit, Scarlet may either:
    • approve the quality management system (subject to identified nonconformities being addressed appropriately) and (if applicable) issue Client a certificate under ISO 13485:2016; or
    • refuse to approve Client's quality management system and provide an explanation for that decision to Client.

Technical documentation review

  • Scarlet will conduct an assessment of Client's technical documentation.
  • This review is a requirement for Client's wishing to place a CE or UKCA mark on their product (if their product is Class Im, Class IIa, Class IIb, or Class III).
  • Following a technical documentation review, Scarlet may either:
    • issue a technical documentation assessment certificate to the relevant Annex of the relevant regulations (subject to final review and decision making process); or
    • refuse to grant certification and provide an explanation for that decision to Client.

Surveillance audits

  • Once Client's compliance data has been approved and certified, Client enters the certification cycle.
  • During the cycle, surveillance audits will be carried out in 12 month intervals.
  • Following each surveillance audit, Scarlet may either:
    • recommend continuation of the certification cycle (subject to identified nonconformities being addressed appropriately); or
    • suspend Client’s certificate.

Unannounced audits

  • Scarlet performs unannounced audits at least once every 5 years and at least once every 3 years for class III devices.
  • Scarlet may also perform an unannounced audit in responding to a complaint.
  • Scarlet may include one or more of the manufacturer's suppliers and/or subcontractors in an unannounced audit.

Recertification audit

  • As Client’s certificate nears expiry (i.e. at the end of the certification cycle), a recertification audit is carried out.
  • Based on the findings throughout the audit cycle, Scarlet may either:
    • recommend renewal of the certificate (subject to identified nonconformities being addressed appropriately); or
    • refuse to renew Client’s certificate.

Certification

Scarlet does not promise to grant certification.

Scarlet promises to conduct conformity assessment services against Client's compliance data and to grant certification, if eligible and if warranted, based on Scarlet’s assessment of Client’s application.

Scarlet may decline, restrict, suspend or withdraw Client’s certificate or authorisation.

This might happen if Client, or (any part of) Client’s product:

  • persistently or seriously fails to comply with regulations or our contract; or
  • raises material safety concerns; or
  • Scarlet doesn’t have sufficient access to conduct valid audits.

It could also happen if Client asks us to do so.

Suspended or restricted certificates can be restored if the issue triggering the suspension or restriction is resolved.

We would of course notify any decisions affecting certification, including our reasoning, to the affected Client, and to the regulatory authorities.

Appeals and complaints

Neither appeals nor complaints will result in any discriminatory actions against the complainant or the appellant.

Both are subject to strict confidentiality requirements, as set out in our Code of Conduct.

If the complainant or appellant remains unsatisfied with the outcome of the complaint or appeal, they may escalate the complaint or appeal to the relevant competent authority.

Appeals

Any Client has the right to appeal against a decision made by Scarlet about their certification.

Appeals must be submitted within 15 working days of the certification decision.

Appeals may be submitted through the form (here).

Scarlet will ensure investigations into appeals are completed within 20 working days of the appeal being validly lodged. Investigations comply with our stringent risk processes around impartiality.

If an appeal is ultimately found to be valid, Scarlet will undertake one or more of the following steps:

  • undertaking an external action (e.g. redoing an assessment);
  • undertaking an internal action (e.g. changing our processes, disciplinary action, providing training);
  • notifying the relevant competent authority; and/or
  • changing the decision on certification and updating relevant records.

We will do our best to keep appellants informed as their appeal progresses.

Complaints

Complaints may be submitted through the same form as appeals (available here).

We divide complaints into three categories:

  • complaints about our conformity assessment activities;
  • complaints about our Client’s medical devices (which may relate to a public health threat; a counterfeit medical device; or fraudulent activity); and
  • complaints about our Client’s certified quality management system.

In light of potential public health risks, we make sure that complaints are initially assessed within 1 calendar day. Where a potential public health risk exists, the complaint will be investigated and reported within 2 calendar days. Where a potential counterfeit medical device or fraudulent activity exists, the complaint will be investigated and reported within 5 working days. Otherwise, complaints will be investigated and reported within 30 working days.

A Scarlet member of personnel will be assigned to collate evidence and conduct an investigation into the complaint.

We do our best to ensure that those involved in the subject matter of the complaint are not involved in the investigation. Where that is not possible, we ensure a second line of review and follow our risk procedures relating to impartiality.

All evidence collected must be impartial and factual. It might include (but is not limited to):

  • confirmation / contradiction of any claims made in the complaint;
  • indication that procedures were not followed correctly;
  • results of previous similar complaints;
  • previous communications; and
  • previous audit findings / non-conformities.

We undertake one or more of the following steps in response to valid complaints.

  • notifying the relevant competent authority;
  • undertaking an internal action (e.g. changing our processes, disciplinary action, providing training)
  • undertaking an external action (e.g. conducting an announced audit); and/or
  • requiring action of our Clients.

We ensure that investigation outcomes, responsive actions and outcomes are communicated to the complainant.

Our policy on impartiality

Scarlet is committed to maintaining the highest levels of impartiality and follows the requirements set out in applicable standards, regulation and guidance.

Scarlet recognises the significance of its decisions on whether quality management systems and medical device software are sufficiently compliant to go to (and remain in) market.

Scarlet has assessed the risk that conflicts of interest present to this decision making and the importance of having measures in place to protect its impartiality.

Scarlet has implemented procedures, policies and contractual obligations to ensure that all of Scarlet’s people (including its staff, directors and contractors) are aware of, and actively take steps to manage, the key risk areas associated with the performance of their role as decision makers.

These include:

  • requirements on Scarlet’s people to declare potential conflicts;
  • prohibitions on Scarlet’s people having any financial or other involvement in Scarlet’s Clients;
  • ring fencing Scarlet’s people from any of Scarlet’s Clients if those people have had any involvement with those Clients historically;
  • checks against possible conflicts as part of the Client onboarding process.

Scarlet does not undertake any consulting activities for those looking to release medical devices to market.

As an overarching check, Scarlet has appointed an impartiality panel to safeguard Scarlet's impartiality. Scarlet’s impartiality panel meets periodically (every six months) to reassess risks to Scarlet’s impartiality and review the appropriateness of Scarlet’s protective measures.

Our rates

Scarlet charges a €3,000 administrative fee for the provision of Part 2 of our pre-application verification services. The pre-application fee is a fixed fee and the amount is not determined by the assessment outcome of pre-application verification. The fee may be deducted from future invoices if certain conditions are met.

Scarlet charges a flat monthly fee for the provision of conformity assessment services, which include access to our structured application, technical support, and continuous assessment. The quantum of this fee is based on the scope of the overall software product being assessed.

Scarlet issues quotes and structures its rates on a product basis, not a device basis. This is because:

  • the relationship between software products and medical devices is not necessarily 1:1. A medical software product may be composed of several medical devices and medical device accessories.
  • a per-device cost of certification creates unfavourable incentives and may bias medical software manufacturers towards structuring their software product into fewer, interleaved devices.
  • interleaved devices are often poorly designed – frequently cross-caveating usage of different features based on which patient population, clinical setting, user etc is using the product – thereby making them:
    • harder to use safely;
    • harder to change confidently; and
    • have higher liability.

How are the fees for certifying my product determined?

Scarlet’s pre-application verification process allows us to calculate a bespoke quote for the cost of completing conformity assessment(s).

The quote for our conformity assessment services will be calculated on the basis of the following factors:

  • the size of the manufacturing organisation
  • scope of the product
  • risk class(es) of the product’s device component(s)
  • the type of certificate(s) sought

Scarlet charges a flat monthly fee which can range from €9,000 to €25,000*.

By way of example, a small organisation looking to certify a simple product including devices of the lowest risk class in 1 jurisdiction might expect a monthly cost of around €9,000*.

*Scarlet’s fees are quoted excluding VAT, but VAT will be added to invoices if applicable.

What’s included in Scarlet's conformity assessment fees?

Our quoted monthly conformity assessment fees exclude VAT, but they include everything else.

Scarlet's specialised certification process helps our customers to achieve continuous compliance, and our fees reflect that. We might update our monthly pricing from time to time (in accordance with our contracts), but our fees do not differ across pre, during, or post certification phases.

More specifically, Scarlet's monthly fees cover:

  • a dedicated repository with all the necessary data formats;
  • Scarlet’s software;
  • conformity assessment to your requested certification (EU MDR; UK MDR; EU MDR and UK MDR);
  • the granting of that certification (once you're successfully assessed);
  • any audits necessary to maintain that certification, including any reviews of new releases of your product;
  • customer support.

Use of our marks and logo

Scarlet’s logo and ISO marks consist of our intellectual property and remain our property, despite use by Client.

We would like you to keep in mind (and follow) the following restrictions in relation to the use of our marks.

  • Scarlet’s ISO marks are only permitted for use by customers whose quality management systems have a valid certificate issued by Scarlet.
  • UKCA and CE markings granted by Scarlet are only permitted for use by customers on products that currently hold a valid certificate issued by Scarlet.
  • No misleading statements may be made in relation to the marks.
  • Websites and advertising material shall be promptly updated to accurately reflect the scope of authorisation granted (e.g. to reflect restrictions / suspensions / withdrawals) and the precise wording specified by Scarlet.
  • Use of the marks shall be discontinued completely when services are terminated or certificates suspended or withdrawn, subject to some exemptions.

Specifically in relation to the ISO marks:

  • The marks shall not be used on a product or product packaging, or in any way that may be interpreted as denoting product conformity
  • The marks must be used in the forms shown below.

Appendix 1

Scarlet’s ISO 13854 certification badge

Registration number:…


Scarlet’s ISO 13854 certification badge, outlined variant

Registration number:…


Appendix 2

CE mark.