Method A vs Method B: Choosing Your EN 50742 Dual Compliance Path
When you begin exploring the pr EN 50742 standard, you’ll immediately face a critical question: which compliance path should you choose? The standard provides two equivalent but distinct paths—Method A and Method B. This choice impacts not only the certification process but also your timeline, costs, and long-term maintenance strategy.
What is Dual-Path Compliance?
pr EN 50742 considers different manufacturer backgrounds and requirements by designing two equivalent compliance paths:
┌────────────────────────────────────────────────────────────────────┐
│ pr EN 50742 Dual-Path Architecture │
├────────────────────────────────────────────────────────────────────┤
│ │
│ Common Foundation Requirements (Mandatory) │
│ ┌────────────────────────────────────────┐ │
│ │ • EN ISO 12100 Risk Assessment │ │
│ │ • Clause 4 - Corruption Protection │ │
│ │ • Clause 9 - Use Information │ │
│ └────────────────────────────────────────┘ │
│ │ │
│ ┌───────────────┴───────────────┐ │
│ │ │ │
│ ▼ ▼ │
│ ┌───────────────────┐ ┌───────────────────┐ │
│ │ Method A │ │ Method B │ │
│ │ (Clauses 5, 7) │ │ (Clauses 6, 8) │ │
│ ├───────────────────┤ ├───────────────────┤ │
│ │ • Self-contained │ │ • Reference │ │
│ │ requirements │ │ IEC 62443 series│ │
│ │ • SRSL level │ │ • SL security │ │
│ │ system │ │ levels │ │
│ │ • Independent │ │ • Complete │ │
│ │ and complete │ │ integration │ │
│ └───────────────────┘ └───────────────────┘ │
│ │
└────────────────────────────────────────────────────────────────────┘
Both paths are completely equivalent in compliance effectiveness, satisfying the essential requirements of EU machinery regulations. The choice depends on your organizational context, product characteristics, and strategic objectives.
Method A vs Method B: Core Differences Comparison
Overall Comparison Table
| Comparison Dimension | Method A (Self-contained) | Method B (Referencing IEC 62443) |
|---|---|---|
| Standard References | Only pr EN 50742 required | Additionally requires EN IEC 62443-3-3, 4-1, 4-2 |
| Level Concept | SRSL (0-3) | SL (SL-C0 to SL-C4) |
| Target Audience | Manufacturers without cybersecurity experience | Manufacturers with existing industrial cybersecurity frameworks |
| Complexity | Lower, self-contained requirements | Higher, requires understanding 62443 framework |
| Certification Cost | Lower | Higher |
| Certification Timeline | Shorter (2-3 months) | Longer (3-4 months) |
| Documentation Effort | ~20-38 person-days | ~30-50 person-days |
| Scalability | Independent system | Can reuse 62443 investment |
| Market Recognition | EU machinery sector | Global industrial automation sector |
Detailed Comparison Analysis
1. Conceptual Framework Differences
Method A: SRSL (Safety-Related Security Level)
┌─────────────────────────────────────────────────────────────┐
│ SRSL0 │ Complete isolation, no special requirements │
│ SRSL1 │ Low attack potential - password auth, boot │
│ │ checksum, boundary checking │
│ SRSL2 │ Medium attack potential - regular verification, │
│ │ strict input validation, signature verification│
│ SRSL3 │ High attack potential - multi-factor auth, │
│ │ encryption, secure boot │
└─────────────────────────────────────────────────────────────┘
Method B: SL (Security Level - based on IEC 62443)
┌─────────────────────────────────────────────────────────────┐
│ SL-C0 │ No special security requirements │
│ SL-C1 │ Protection against accidental errors or chance │
│ │ attacks │
│ SL-C2 │ Protection against simple intentional attacks │
│ SL-C3 │ Protection against organized professional attacks│
│ SL-C4 │ Protection against government-level targeted │
│ │ attacks │
└─────────────────────────────────────────────────────────────┘
2. Process Requirements Comparison
| Phase | Method A Requirements | Method B Requirements |
|---|---|---|
| Risk Assessment | Based on EN ISO 12100 | Based on EN ISO 12100 |
| Threat Assessment | Standard Annex B guidance | IEC 62443 methodology |
| Level Determination | AP = (EL × WoO) + AC → SRSL | SL based on 7 Foundational Requirements (FR) |
| Security Measures | Clause 7.4 detailed list | References 62443-3-3/4-2 specific requirements |
| Lifecycle | Covers full lifecycle | Follows 62443-4-1 SDL |
3. Product Requirements Comparison
| Security Domain | Method A (SRSL) | Method B (IEC 62443) |
|---|---|---|
| Authentication | SRSL1: Entity authentication SRSL3: Unique authentication | FR1 (IAC): SL-C2 requirements |
| Authorization | SRSL1+: Authorization required for intervention | FR2 (UC): SL-C2 requirements |
| Integrity | SRSL1: Verification at boot SRSL2: Regular verification SRSL3: Encrypted verification | FR3 (SI): SL-C2 requirements |
| Data Flow | Requirements implied in integrity | FR5 (RDF): SL-C1 requirements |
| Availability | Requirements implied in safety functions | FR7 (RA): SL-C2 requirements |
4. Documentation Requirements Comparison
| Document Type | Method A | Method B |
|---|---|---|
| Threat Assessment | TÜV provides dedicated templates | 62443 standard format |
| Level Assessment | SRSL assessment template | SL target level table |
| Security Requirements | SRSL requirements checklist | FR/SR mapping table |
| Evidence Collection | Clause 7.3 detailed specifications | 62443-4-2 common requirements |
| Logging | Clause 7.3 detailed specifications | CR2.8 auditable events |
Use Case Analysis
Method A: When It’s Right for You
┌────────────────────────────────────────────────────────────────┐
│ Method A Use Case Assessment │
├────────────────────────────────────────────────────────────────┤
│ │
│ ✅ First-time cybersecurity certification │
│ ─────────────────────────────────────────────────────────── │
│ If your team hasn't done cybersecurity certification before, │
│ Method A provides complete guidance without needing to learn │
│ the 62443 framework. │
│ │
│ ✅ No dedicated cybersecurity team │
│ ─────────────────────────────────────────────────────────── │
│ Method A templates and support can be completed by mechanical │
│ engineers with minimal cybersecurity support. │
│ │
│ ✅ Product is relatively independent, not requiring │
│ integration with larger systems │
│ ─────────────────────────────────────────────────────────── │
│ If your machinery is a standalone product not requiring │
│ integration into large ICS systems. │
│ │
│ ✅ Want to reduce certification complexity and costs │
│ ─────────────────────────────────────────────────────────── │
│ Method A has shorter certification cycles and lower costs. │
│ │
│ ✅ Target market is primarily EU │
│ ─────────────────────────────────────────────────────────── │
│ EN 50742 directly addresses EU machinery regulation requirements.│
│ │
└────────────────────────────────────────────────────────────────┘
Typical Product Types:
- Small to medium industrial machinery (packaging machines, machine tools, food processing equipment)
- Standalone automated equipment
- Mechanical equipment used internally in factories
- Standard products with 5-10 year lifecycle
Method B: When It’s Right for You
┌────────────────────────────────────────────────────────────────┐
│ Method B Use Case Assessment │
├────────────────────────────────────────────────────────────────┤
│ │
│ ✅ Existing EN IEC 62443 certification experience │
│ ─────────────────────────────────────────────────────────── │
│ If your organization is already familiar with the 62443 │
│ framework, Method B can leverage existing experience. │
│ │
│ ✅ Have a dedicated cybersecurity team │
│ ─────────────────────────────────────────────────────────── │
│ Requires understanding requirements from multiple standards: │
│ 62443-3-3, 4-1, 4-2. │
│ │
│ ✅ Need to integrate with 62443-compliant industrial control │
│ systems │
│ ─────────────────────────────────────────────────────────── │
│ If your product is part of a larger ICS, Method B ensures │
│ compatibility. │
│ │
│ ✅ Already have a 62443-based security framework │
│ ─────────────────────────────────────────────────────────── │
│ Method B can reuse existing security processes and documents. │
│ │
│ ✅ Target markets recognize 62443 certification │
│ ─────────────────────────────────────────────────────────── │
│ North America, Asia, and other markets more widely recognize │
│ IEC 62443 certification. │
│ │
└────────────────────────────────────────────────────────────────┘
Typical Product Types:
- Large industrial control system components (PLCs, DCSs, SCADA components)
- Critical equipment requiring integration into automated production lines
- Intelligent machinery connecting to enterprise networks or cloud services
- Complex automation products sold globally
Decision Tree
Do you have
62443 experience?
│
┌─────────────┴─────────────┐
│No │Yes
▼ ▼
Does product need to │ Target market?
integrate into large │ Primarily EU
ICS systems? │ │
│ │ ▼
┌───────┴───────┐ │ ┌─────┐
│Yes │No │ │Method B│
▼ ▼ │ └─────┘
┌─────┐ ┌─────┐ │
│Method B│ │Method A│ │
└─────┘ └─────┘ │
│
Have dedicated
cybersecurity team?
│
┌─────────┴─────────┐
│Yes │No
▼ ▼
┌─────┐ ┌─────┐
│Method B│ │Method A│
└─────┘ └─────┘
Not sure? Start with Method A → Can upgrade to Method B later
Cost and Time Comparison
Certification Timeline Comparison
| Item | Method A | Method B |
|---|---|---|
| Preparation Phase | 2-4 weeks | 3-5 weeks |
| Documentation Preparation | 2-3 weeks | 3-4 weeks |
| Document Review | 1-3 weeks | 2-4 weeks |
| On-site Audit | 1-2 weeks | 2-3 weeks |
| Certification Decision | 1-2 weeks | 2-3 weeks |
| Total | 2-3 months | 3-4 months |
Effort Comparison (Client Side)
| Complexity Level | Method A | Method B |
|---|---|---|
| Simple Product | 10-15 person-days | 15-25 person-days |
| Medium Complexity | 20-38 person-days | 30-50 person-days |
| Complex Product | 40-60 person-days | 50-80 person-days |
Certification Fee Comparison (TÜV Side)
| Complexity Level | Method A | Method B |
|---|---|---|
| Simple Product | 6-8 person-days | 8-10 person-days |
| Medium Complexity | 8-10 person-days | 10-14 person-days |
| Complex Product | 10-14 person-days | 14-20 person-days |
Note: Actual fees depend on product complexity; above are estimates
Switching Possibilities
Switching from Method A to Method B
┌─────────────────────────────────────────────────────────────┐
│ Method A → Method B Transition Path │
├─────────────────────────────────────────────────────────────┤
│ │
│ Current State: Certified via Method A │
│ │
│ Transition Steps: │
│ 1. Establish IEC 62443 knowledge foundation │
│ 2. Perform SRSL to SL level mapping │
│ 3. Supplement 62443-specific requirement documents │
│ 4. Implement additional security measures (if required) │
│ 5. Apply for Method B certification │
│ │
│ Advantages: │
│ ✅ Complete threat assessment and security measure │
│ foundation already established │
│ ✅ Most documentation can be reused │
│ ✅ Security measure implementation experience is │
│ transferable │
│ │
└─────────────────────────────────────────────────────────────┘
Level Correspondence
| Method A SRSL | Method B SL | Correspondence |
|---|---|---|
| SRSL0 | SL-C0 | Equivalent |
| SRSL1 | SL-C1 | Equivalent |
| SRSL2 | SL-C2 | Equivalent |
| SRSL3 | SL-C2 | Functionally equivalent |
Case Examples
Case A: Packaging Machinery Manufacturer Chooses Method A
Background:
- Sino-German joint venture producing food packaging machinery
- Products primarily sold to European markets
- No dedicated cybersecurity team
- First-time cybersecurity certification
Choice: Method A
Results:
- Certification timeline: 1.5 months
- Effort invested: 25 person-days
- Successfully obtained SRSL1 certification
- Good customer recognition
Key Measures:
- Password authentication
- Boot-time checksum verification
- Input boundary checking
- Tamper-evident seals
Case B: PLC Manufacturer Chooses Method B
Background:
- Internationally renowned industrial automation company
- Products as large ICS components
- Already holds IEC 62443-4-1 certification
- Global sales
Choice: Method B
Results:
- Reused existing 62443 framework
- Certification timeline: 3 months
- Integrated with existing product line certifications
- Unified certification for global markets
Key Takeaways
- Both paths are equivalent—Method A and Method B are completely identical in compliance effectiveness
- Method A suits beginners—self-contained requirements, comprehensive templates, shorter certification cycle
- Method B suits experts—requires 62443 knowledge but can leverage existing investments
- Paths can be switched—start with Method A, upgrade to Method B in the future
- Strategic considerations—long-term product line planning should influence path selection
Next Steps
After selecting your compliance path, the next steps are:
- Determine security level: Conduct threat assessment, determine SRSL/SL target level
- Assemble project team: Appoint project manager and core engineers
- Prepare foundation documents: Collect technical specifications, system architecture, etc.
- Contact certification body: Conduct pre-assessment communication, confirm certification scope
- Begin assessment work: Fill out threat assessment and level assessment templates
Choosing the appropriate compliance path is the first and most important strategic decision in EN 50742 certification. Make a wise choice based on your organizational situation, product characteristics, and market requirements.