The Summary of Safety and Clinical Performance (SSCP) is a public-facing document required under MDR Article 32 for implantable devices and Class III devices, with the explicit exceptions of custom-made devices and investigational devices. It summarises the device's identification, intended purpose, clinical evaluation conclusions, residual risks, and post-market performance in a form accessible to both intended users and, where relevant, patients. The manufacturer drafts it, the Notified Body validates it as part of the conformity assessment, and once the device is certified the SSCP is published through EUDAMED so it is available to the public. MDCG 2019-9 provides the template and the content expectations in detail.

By Tibor Zechmeister and Felix Lenhard. Last updated 10 April 2026.

TL;DR

  • MDR Article 32 requires an SSCP for implantable devices and for Class III devices, except custom-made and investigational devices.
  • The SSCP is drafted by the manufacturer, validated by the Notified Body during conformity assessment, and published via EUDAMED.
  • The document has two distinct sections where relevant: one written for intended healthcare professional users, and one written in plain language for patients.
  • MDCG 2019-9 is the standing guidance on SSCP structure, content, and validation, and Notified Bodies audit against it.
  • The SSCP is a living document — it is updated in line with the clinical evaluation, the PSUR under MDR Article 86, and post-market safety information.

Why Article 32 exists at all

The SSCP is one of the transparency instruments the MDR introduced that had no real equivalent under the old Directives. Under 93/42/EEC, a clinician who wanted to understand a Class III implant's clinical evidence had to ask the manufacturer, the hospital procurement team, or a sales representative. Most of the time they got a brochure. The MDR decided that for the highest-risk devices — implantables and Class III — the clinical performance and safety picture should be a public record, written to a structure the regulation defines, and published through a database the public can read.

The motivation is not abstract. When the PIP breast implant scandal broke, patients and clinicians discovered how little publicly available information existed on the evidence base of implanted devices they lived with. The SSCP is part of the MDR's answer to that gap. It is not a marketing document. It is not a technical file summary for the Notified Body. It is a public-facing statement, written under the manufacturer's name, that a patient or a clinician can find, read, and use.

For a startup placing an implantable or a Class III device on the market, this changes the economics of honesty. Whatever the SSCP says about residual risks, about the population studied, about the limits of the clinical evidence — it says in public, with the manufacturer's name attached, for the life of the device. It cannot be a brochure. It cannot be a legal disclaimer. It has to be an accurate, readable summary that survives scrutiny by the clinician, the patient, the competent authority, and the next Notified Body auditor.

What MDR Article 32 actually requires

The scope clause of Article 32 is narrow and specific. For implantable devices and for Class III devices — other than custom-made or investigational devices — the manufacturer shall draw up a summary of safety and clinical performance. The SSCP shall be written in a way that is clear to the intended user and, if relevant, to the patient. It shall be made available to the public via EUDAMED.

Article 32(2) sets out the minimum content. The SSCP must contain the identification of the device and the manufacturer (including the Basic UDI-DI and, where applicable, the SRN), the intended purpose of the device, indications and contraindications, target populations, a description of the device (including a reference to previous generations or variants where applicable), possible diagnostic or therapeutic alternatives, a reference to any harmonised standards and CS applied, the summary of the clinical evaluation under Annex XIV and relevant information on post-market clinical follow-up, the suggested profile and training for users, information on any residual risks and any undesirable effects, warnings and precautions, and other aspects of safety including the summary of any field safety corrective actions.

Article 32(3) is the sentence most startups underestimate. The draft SSCP shall be part of the documentation submitted to the Notified Body responsible for the conformity assessment, and shall be validated by that body. After validation, the Notified Body uploads the SSCP to EUDAMED. The manufacturer indicates on the label or the instructions for use where the summary is available.

The role of MDCG 2019-9

The legal text of Article 32 sets the skeleton. MDCG 2019-9 provides the operational detail Notified Bodies actually audit against. The guidance, first published in August 2019 and subsequently updated, lays out the expected structure of an SSCP, the content expectations for each section, the distinction between the section written for the intended healthcare professional user and the section written for the patient where the device is intended to be used by or on patients who should reasonably be informed, and the validation workflow a Notified Body runs during the conformity assessment under MDR Article 52 and the relevant conformity assessment annex.

The practical consequence is that a startup producing an SSCP that satisfies Article 32 on a literal reading but ignores MDCG 2019-9 will fail Notified Body validation. The guidance is how NBs translate Article 32 into a deliverable they can review page by page. Startups that treat MDCG 2019-9 as optional commentary and not as the operational standard spend weeks rewriting the document during the audit. Startups that build the SSCP against the MDCG 2019-9 structure from day one hand it over once and move on.

The two-audience problem

The hardest thing about writing an SSCP is that it has to speak to two audiences at once, and sometimes the same sentence has to do the work.

The first audience is the intended user — in almost all cases the clinician implanting the device, prescribing it, or operating it. That section is written in technical language, with clinical terminology, references to the clinical evaluation conclusions, and the level of detail a specialist expects to see. It is close in register to a journal article's clinical discussion section.

The second audience, where the device is intended to be used by or on patients who should reasonably be informed about the device, is the patient. That section is a plain-language summary. It uses everyday words. It explains what the device is, what it is for, what the alternatives are, what the main risks are, and what the clinical evidence shows, in a form a patient without medical training can read and understand. This is genuinely difficult to write. Regulatory teams used to writing for reviewers find plain-language writing uncomfortable because the instinct is to hedge, qualify, and cite. A patient does not need hedges — they need a clear, accurate, honest statement.

The patient section is not a translation of the professional section. It is a separate piece of writing, produced from the same underlying clinical evaluation and risk data, aimed at a different reader. Treat it as two documents bound into one. Notified Bodies will audit both.

How EUDAMED publication works

Once the Notified Body has validated the SSCP as part of the conformity assessment and issued the relevant certificate, the SSCP is uploaded to EUDAMED. The EUDAMED UDI/Device registration module links the SSCP to the Basic UDI-DI of the device, which means a clinician or a patient searching EUDAMED for that device finds the validated SSCP as an attached record. The public-facing modules of EUDAMED are what make Article 32 actually transparent.

The label or the instructions for use must tell the reader where to find the summary. In practice this means a reference to EUDAMED and the device identifier the reader uses to search. For a startup this is a concrete labelling obligation that is easy to miss in the rush to market.

Startups building their EUDAMED registration workflow should plan the SSCP upload as part of the same workstream that handles the device registration and the certificate publication. See the EUDAMED certificates module post for how the certificate, the SSCP, and the UDI data interact inside EUDAMED.

A good SSCP and a bad SSCP

A bad SSCP is the easy one to spot. It reads like a marketing brochure. It downplays residual risks. It buries limits of the clinical evidence in technical language. It does not distinguish the professional section from the patient section. It cites no standards. It treats undesirable effects as a small boilerplate list copied from the instructions for use. Its summary of the clinical evaluation is one paragraph that asserts the device is safe and effective without indicating the population studied, the endpoints, or the follow-up period. A Notified Body validator reading this returns it on day one.

A good SSCP is unmistakable. It identifies the device and the manufacturer cleanly, with Basic UDI-DI and SRN. It states the intended purpose in the same words as the clinical evaluation report and the instructions for use, with no drift between documents. It describes the population studied in the pivotal clinical evidence, with the sample size, the follow-up period, the primary endpoints, and the results. It is honest about the limits — a first-generation device with twelve-month follow-up says so, and does not pretend to long-term evidence it does not have. It lists residual risks in the same taxonomy as the risk management file. It distinguishes the professional and patient sections by structure and by language, not by font colour. It references the harmonised standards applied and the common specifications where relevant. Its summary of post-market clinical follow-up points to the PMCF plan and the expected data streams, not to a vague promise of continuous surveillance.

For the clinical evaluation inputs the SSCP depends on, see the Clinical Evaluation Report under MDR post. The SSCP is downstream of the CER — if the CER is weak, the SSCP cannot be strong, and no amount of drafting rescues the underlying evidence gap.

The SSCP drafting playbook

A startup writing its first SSCP can do so in a predictable sequence that Notified Bodies recognise and validate cleanly.

Step 1 — Confirm scope. Is the device implantable or Class III? Is it custom-made or investigational? If the device is in scope of Article 32, an SSCP is required. If it is not, it is not, and producing one voluntarily is not useful.

Step 2 — Work from the MDCG 2019-9 template. Do not invent a structure. Use the section headings and the order the guidance lays out, because that is what the Notified Body validates against.

Step 3 — Draft the professional section from the CER, the risk management file, and the instructions for use. Every claim in the SSCP should be traceable to one of these source documents. The SSCP is a summary, not new content. If a claim appears in the SSCP that is not in the CER or the RMF, one of the two documents is wrong.

Step 4 — Draft the patient section separately. Assign this to someone whose job is to write for a non-expert reader. Read it aloud. If a patient could not read the paragraph once and explain it back in their own words, rewrite the paragraph.

Step 5 — Cross-check against the technical documentation. Intended purpose, indications, contraindications, residual risks, warnings — every one of these must match the corresponding entries in the technical file, the CER, the risk management file, and the instructions for use. Drift between documents is the most common SSCP finding.

Step 6 — Submit the draft to the Notified Body as part of the conformity assessment. Expect questions. Revise. The validated version is what EUDAMED publishes.

Step 7 — Plan the update cycle. The SSCP is not a static document. It is updated in line with the clinical evaluation, the PSUR under MDR Article 86, and post-market safety information. Build a recurring review into the PMS plan. See the PMS plan post for the surrounding cadence, and how to handle a market surveillance inspection for why the SSCP is one of the first documents a competent authority will ask for.

Reality Check — Where do you stand?

  1. Is your device implantable or Class III, and have you confirmed it is not custom-made or investigational? If yes, an SSCP is required under Article 32.
  2. Have you drafted the SSCP against the MDCG 2019-9 structure, or against a template you built yourself? If the latter, expect a rewrite during Notified Body validation.
  3. Does the intended purpose statement in the SSCP match, word for word, the intended purpose in the CER, the risk management file, and the instructions for use?
  4. If your device is intended to be used by or on patients who should reasonably be informed, have you produced a separate patient section in genuine plain language, or translated the professional section into shorter sentences?
  5. Can every claim in the SSCP be traced to a source document — the CER, the risk management file, the post-market clinical follow-up plan, or the instructions for use?
  6. Does the SSCP honestly represent the limits of the clinical evidence, including the population studied, the follow-up period, and the primary endpoints?
  7. Is the SSCP update cycle documented in the PMS plan, with triggers tied to the CER update, the PSUR under Article 86, and any field safety corrective actions?

Frequently Asked Questions

Which devices need an SSCP under MDR Article 32? Implantable devices and Class III devices, with two exceptions written into Article 32 itself: custom-made devices and investigational devices. For every other implantable or Class III device placed on the EU market, the manufacturer must draw up an SSCP, have it validated by the Notified Body, and make it available to the public through EUDAMED.

Who writes the SSCP — the manufacturer or the Notified Body? The manufacturer writes the SSCP. The Notified Body validates it as part of the conformity assessment under MDR Article 52 and the relevant conformity assessment annex. After validation, the Notified Body uploads the SSCP to EUDAMED. The manufacturer owns the content; the Notified Body certifies that the content meets the requirements of Article 32 and MDCG 2019-9.

Where is the SSCP published? In EUDAMED. The SSCP is linked to the Basic UDI-DI of the device and is accessible through the public-facing modules of EUDAMED. The label or the instructions for use of the device must indicate where the summary is available, which in practice means a reference to EUDAMED and to the device identifier a reader uses to find it.

Does the SSCP need a patient-facing section? Where the device is intended to be used by or on patients who should reasonably be informed about the device, yes. The patient section is written in plain language, distinct from the section aimed at the intended healthcare professional user. MDCG 2019-9 details the structure and the content expectations for the patient-facing section.

How often is the SSCP updated? The SSCP is a living document. It is updated in line with the clinical evaluation, the PSUR under MDR Article 86 for Class III and implantable devices, and any new safety information — including field safety corrective actions. The update cadence should be defined in the post-market surveillance plan, and the Notified Body revalidates the SSCP in line with the surveillance and recertification cycle.

Is the SSCP the same as the PSUR? No. The PSUR under Article 86 is a periodic safety update report submitted to the Notified Body and, for Class III and implantables, available to competent authorities through EUDAMED. The SSCP is a public-facing summary document for clinicians and, where relevant, patients. They share inputs — the clinical evaluation, the post-market data, the risk management file — but their audiences, their formats, and their legal bases in the MDR are different.

Sources

  1. Regulation (EU) 2017/745 of the European Parliament and of the Council of 5 April 2017 on medical devices, Article 32 (Summary of safety and clinical performance), Article 33 (European database on medical devices), Article 52 (conformity assessment procedures), Article 86 (Periodic Safety Update Report). Official Journal L 117, 5.5.2017.
  2. MDCG 2019-9 — Summary of safety and clinical performance: A guide for manufacturers and notified bodies (August 2019, with subsequent revisions).
  3. Commission Implementing Regulation (EU) 2021/2078 of 26 November 2021 laying down rules for the application of Regulation (EU) 2017/745 as regards EUDAMED. Official Journal L 426, 29.11.2021.

This post is part of the Post-Market Surveillance & Vigilance series in the Subtract to Ship: MDR blog. Authored by Felix Lenhard and Tibor Zechmeister. The SSCP is the most public document a medical device manufacturer writes — treat it with the honesty that public scrutiny deserves, and the professional and patient readers will both recognise the difference.