How to assess risk according to ISO 12100 – analysis of the risk formula and methods for machine safety

You design machines, you operate them, and you carry the responsibility for people who work near them. Even with modern safeguards, fatal accidents still occur in European workplaces every year. That is why engineers need a rigorous, repeatable way to identify hazards, estimate risk, and reduce it to an acceptable level. ISO 12100 provides the base framework, while ISO/TR 14121-2 offers practical tools you can adopt. This article breaks down the ISO 12100 risk formula into actionable factors and compares the main methods used in practice so you can select and justify the approach that fits your application.

How to assess risk according to ISO 12100 – analysis of the risk formula and methods: what the standard really asks you to do

ISO 12100 defines risk as a combination of the probability of occurrence of harm and the severity of that harm. To turn this into engineering work, decompose it into four drivers: the severity of the possible harm (S) and, on the probability side, the frequency and duration of exposure (F), the probability of a hazardous event occurring (P1), and the technical and human possibility of avoiding or limiting the harm (A). Some teams fold the duration of exposure into F and others rate it separately; either way, cover all four ideas explicitly for every hazard. ISO 12100 does not prescribe scales, weights, or formulas. It requires a systematic process that considers S, F, P1, and A for each identified hazard, followed by risk reduction until you reach an acceptable residual risk.

ISO/TR 14121-2 complements the base standard with practical techniques: scoring models, risk matrices, risk graphs, and hybrid methods. These techniques differ in how they capture the probability side and how fine-grained the result is. You can use one method or combine several: for example, use a matrix for initial prioritization, then switch to a semi-quantitative scoring model for the most critical hazards to support design decisions and documentation.

Decomposing risk in ISO 12100: severity (S), exposure (F), occurrence (P1) and avoidance (A)

Risk always depends on what can happen and how bad it would be. By decomposing the probability of occurrence into F, P1, and A you avoid blind spots and keep the analysis evidence‑based. The following sections summarize each driver and how to rate it in a consistent way across a machine or line.

Severity of harm (S): from reversible injury to fatality

Severity reflects the worst credible outcome if the hazardous situation produces harm. Define a short, unambiguous scale that fits your product family, for example: S1 – minor reversible injury; S2 – serious or irreversible injury; S3 – single fatality or multiple severe injuries; S4 – multiple fatalities. If you design a cutter, a press, or a robot cell, anticipate the human body parts involved, possible crushing, shearing, ejection of parts, or energy release. Do not average outcomes: rate the worst credible harm under realistic conditions. A higher S should push stronger safeguards even when the probability is low.

Frequency and duration of exposure (F): how often and how long

Exposure combines how frequently people enter the hazardous zone and how long they remain there. Define F in operational terms tied to tasks and modes: setup, production, clearing jams, cleaning, adjustment, troubleshooting, service. Typical bands include: F1 – rare/short exposure (e.g., monthly, seconds to minutes); F2 – occasional/moderate (e.g., weekly, minutes); F3 – frequent/long (e.g., daily or each cycle, minutes to continuous). Document task frequencies with estimates per hour, shift, or week where possible. The same probability of failure yields higher risk when exposure is frequent and prolonged.

Probability of a hazardous event (P1): failure, misuse and human error

P1 captures the chance that a hazardous event will actually occur while exposure exists. Consider the reliability of components, foreseeable misuse, systematic failures, loss of energy control, and human error such as unexpected start, bypassing guards, or entering with stored energy present. You can rate P1 qualitatively (e.g., negligible, unlikely, possible, likely, very likely) or with a coarse numerical scale. Use field data, supplier reliability data, and incident histories when available; if not, use conservative engineering judgment and record your assumptions. If you justify a low P1, keep the evidence in the technical file.

Possibility of avoidance or limitation (A): can a person escape or mitigate?

A expresses how likely it is that a person can avoid harm or limit its severity once the hazardous event starts. High speeds, sudden movements, and confined spaces reduce avoidance chances. Good sightlines, warning time, low kinetic energy, emergency stop reachability, and two‑hand control improve them. Many teams use two categories for clarity: A1 – avoidance possible under favorable conditions; A2 – avoidance hardly possible. You can introduce a third middle band if your portfolio demands finer resolution, but keep the criteria crisp so engineers rate scenarios consistently.

How to assess risk according to ISO 12100 – analysis of the risk formula and methods: scoring models (additive vs multiplicative)

Scoring models assign numeric ranks to S, F, P1, and A, then aggregate them to a risk index. Two common patterns exist:

  • Additive: R = S + F + P1 + A (or S + [F + P1] + A)
  • Multiplicative: R = S × F × P1 × A

Additive models let every factor count independently: a rating of 1 in one driver cannot cancel a rating of 4 in another, so a very rare event with catastrophic severity still scores well above the floor. Multiplicative models amplify extremes: a very low factor drives the whole product down (a rare, catastrophic hazard can end up scoring below a frequent, minor one), while a very high factor drives it up. Use a mixed scheme if you want to weight severity more than the other drivers (for example, 2×S + F + P1 + A). Whichever formula you adopt, define clear bands that map the score to qualitative categories (e.g., negligible, low, medium, high) and to required actions, and remember that the bands, not the formula, encode your acceptance policy.

Advantages of scoring models:

  • Transparent decomposition of probability into F, P1, and A reduces blind spots.
  • Numeric index helps you rank many hazards across machines and sites.
  • Good fit for design trade‑offs, because you can simulate alternative safeguards and see the impact on the score.

Challenges you must manage:

  • Scales and weights introduce subjectivity; align them across the organization and calibrate with case studies.
  • The risk index has no physical units; it needs a policy that defines acceptance thresholds and escalation rules.
  • Poorly chosen weights can mask severity or overreact to tiny changes in P1; validate your model on real incidents and near misses.

How to assess risk according to ISO 12100 – analysis of the risk formula and methods: the risk matrix under scrutiny

A risk matrix presents severity on one axis and an overall probability on the other. Teams like it because it is visual and fast. However, a matrix compresses F, P1, and A into one dimension. You still need to think through exposure, occurrence, and avoidance before you pick the probability cell. Define your probability categories with contiguous operational cutoffs (e.g., fewer than 1 event in 10 years per machine; 0.1–1 per year; 1–10 per year; more than 10 per year) so that every scenario falls into exactly one band, and document the basis for each selection.

Why many organizations rely on matrices:

  • Clear communication: color bands (green/amber/red) make priorities obvious to non‑specialists.
  • Speed: you can classify dozens of hazards in a single workshop and focus attention on the red zone.
  • Governance: managers can define decision rules tied to zones, such as mandatory design changes or senior approval.

Limitations you should acknowledge:

  • Coarse resolution: two very different hazards can land in the same cell.
  • Hidden drivers: the matrix does not show whether exposure, occurrence, or avoidance dominated the probability choice.
  • Inconsistency risk: without well‑defined categories, different assessors may classify the same scenario differently.

Use matrices as a front door, not the whole house. For red and high‑amber items, add a deeper analysis so you can justify the selected safeguards and demonstrate that you reduced the specific driver that inflated the risk.

How to assess risk according to ISO 12100 – analysis of the risk formula and methods: risk graphs and hybrid approaches

Risk graphs guide the assessor through a decision tree based on S, F, and A (ISO 13849-1 labels the avoidance parameter P, which is not the P1 used here). You answer binary or few‑level questions and reach a target risk level or a required safety integrity (for example, a required performance level PLr for a safety function). Graphs suit safety‑related control systems because they drive to a concrete requirement for the protective measure. They typically treat the hazardous event as something that can occur whenever exposure exists, which makes the approach conservative and fast but insensitive to a genuinely low P1.

Hybrid methods combine the strengths of scoring and visual tools. A common pattern rates F, P1, and A numerically, sums them into a likelihood class, and then crosses that class with severity in a matrix to produce the required risk reduction. This keeps the analysis structured while producing a result you can communicate and implement. In projects where you must justify that a new safeguard actually delivers the needed reduction, hybrids give you traceability from assumptions to result.
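The following worked example is added here and is not code from the article; it puts the scoring models, the matrix, the risk graph and the hybrid pattern from the preceding sections side by side on the same scenario so you can see how the choice of aggregation changes the result. The scales, weights, band thresholds, matrix cells and the two sample scenarios are illustrative assumptions chosen for the example (ISO 12100 and ISO/TR 14121-2 prescribe none of them); the risk-graph table follows the ISO 13849-1 Annex A structure (S1/S2, F1/F2, P1/P2 → PLr a..e) and the mapping from the finer scales onto its binary choices is an assumption stated in the code.

```python
"""Added worked example (not from the article): aggregating S, F, P1, A ratings
of one hazardous scenario with additive, multiplicative, weighted, hybrid and
risk-graph methods. All scales, weights, thresholds and scenarios are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    name: str
    S: int   # severity 1..4  (S1 minor reversible ... S4 multiple fatalities)
    F: int   # exposure 1..3  (F1 rare/short ... F3 frequent/long)
    P1: int  # hazardous event 1..5 (negligible ... very likely)
    A: int   # avoidance 1..2 (A1 possible, A2 hardly possible)


def additive_index(s: Scenario) -> int:
    return s.S + s.F + s.P1 + s.A            # range 4..14


def multiplicative_index(s: Scenario) -> int:
    return s.S * s.F * s.P1 * s.A            # range 1..120


def weighted_index(s: Scenario) -> int:
    return 2 * s.S + s.F + s.P1 + s.A        # severity counted twice, range 5..18


def band(score: int, thresholds) -> str:
    """Map a score to a qualitative category; thresholds are (upper bound, label)."""
    for upper, label in thresholds:
        if score <= upper:
            return label
    raise ValueError(f"score {score} above top band")


# Assumed bands per formula. The bands carry the acceptance policy, not the formula.
ADDITIVE_BANDS = [(6, "negligible"), (9, "low"), (11, "medium"), (14, "high")]
MULT_BANDS = [(8, "negligible"), (24, "low"), (60, "medium"), (120, "high")]
WEIGHTED_BANDS = [(8, "negligible"), (11, "low"), (14, "medium"), (18, "high")]


# Hybrid: sum F + P1 + A into a likelihood class, then cross it with S in a matrix.
def likelihood_class(s: Scenario) -> int:
    total = s.F + s.P1 + s.A                 # 3..10
    return 1 if total <= 4 else 2 if total <= 6 else 3 if total <= 8 else 4


HYBRID_MATRIX = [                            # rows S1..S4, columns likelihood class 1..4
    ["negligible", "negligible", "low", "medium"],
    ["negligible", "low", "medium", "high"],
    ["low", "medium", "high", "high"],
    ["medium", "high", "high", "high"],
]


def hybrid_result(s: Scenario) -> str:
    return HYBRID_MATRIX[s.S - 1][likelihood_class(s) - 1]


# Risk graph: two-level S, F and avoidance (called P in ISO 13849-1) -> required PL.
RISK_GRAPH = {
    (1, 1, 1): "a", (1, 1, 2): "b", (1, 2, 1): "b", (1, 2, 2): "c",
    (2, 1, 1): "c", (2, 1, 2): "d", (2, 2, 1): "d", (2, 2, 2): "e",
}


def required_pl(s: Scenario) -> str:
    """Collapse the finer scales onto the graph's binary choices (assumed mapping)."""
    s_graph = 1 if s.S == 1 else 2           # S1 reversible; serious/irreversible or worse -> S2
    f_graph = 2 if s.F >= 3 else 1           # only daily/per-cycle exposure counts as frequent
    return RISK_GRAPH[(s_graph, f_graph, s.A)]   # note: P1 never enters the graph


def compare(s: Scenario) -> dict:
    """Return the category each method assigns to the same scenario."""
    return {
        "additive": band(additive_index(s), ADDITIVE_BANDS),
        "multiplicative": band(multiplicative_index(s), MULT_BANDS),
        "weighted": band(weighted_index(s), WEIGHTED_BANDS),
        "hybrid": hybrid_result(s),
        "PLr": required_pl(s),
    }


# Constructed sample scenarios (not real incident data).
RARE_CATASTROPHIC = Scenario("press ram, annual die change", S=4, F=1, P1=1, A=2)
FREQUENT_MODERATE = Scenario("outfeed nip point, manual feeding", S=2, F=3, P1=3, A=1)

if __name__ == "__main__":
    for sc in (RARE_CATASTROPHIC, FREQUENT_MODERATE):
        print(sc.name, compare(sc))
```

Run it and note the disagreement: the multiplicative model ranks the rare, catastrophic press scenario below the frequent nip-point scenario, the additive model puts both in the same band, the severity-weighted and hybrid forms lift the press scenario, and the risk graph gives both PL d because it ignores P1 entirely. Whichever result you adopt, the assumptions that produced it (scales, bands, matrix) belong in the technical file next to the ratings.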

Choosing the right method, setting acceptance criteria and proving ALARP

Pick a method that fits your decision and your evidence. Use a matrix to triage and align stakeholders. Use a scoring or hybrid model when you need to compare design options, defend choices in a technical file, or allocate performance levels to safety functions. Whatever you choose, define acceptance criteria upfront: what counts as negligible, low, medium, or high risk in your context; who can accept residual risk; and what escalation applies.

ISO 12100 requires you to evaluate whether the risk has been reduced to an acceptable level. It does not define what acceptable means for your organization. Apply the ALARP principle: drive risk as low as reasonably practicable considering state of the art, cost, and usability. Document why further reduction would be grossly disproportionate to the benefit, or implement additional measures. When you implement a safeguard, reassess the scenario: exposure often drops (F), the event may become less likely (P1), and avoidance may improve (A). Record these changes and the residual risk so operators and maintainers understand what remains.

How to assess risk according to ISO 12100 – analysis of the risk formula and methods: a practical step-by-step workflow

  • Define the boundaries: intended use, reasonably foreseeable misuse, space and environment, users, life cycle phases.
  • List tasks and modes: normal production, manual feeding, cleaning, tool change, fault‑finding, clearing, service, decommissioning.
  • Identify hazards: mechanical, electrical, thermal, noise, vibration, radiation, materials, ergonomics, control system failures.
  • Build hazardous scenarios: for each task, describe how exposure occurs, what event could happen, what harm follows.
  • Rate S, F, P1, A for the initial risk; justify ratings with data or structured judgment.
  • Select safeguards by hierarchy: inherently safe design, technical protective measures, information for use and training.
  • Allocate performance/reliability to safety functions where relevant; verify against required level.
  • Reassess residual risk with the same method; record remaining hazards and residual warnings.
  • Decide acceptability versus criteria; apply ALARP reasoning and iterate until acceptable.
  • Close the loop: validate in the field, collect incident/near‑miss data, and feed lessons back into the next design.

How to assess risk according to ISO 12100 – analysis of the risk formula and methods: common pitfalls and how to avoid them

  • Skipping the task list: without explicit tasks you will miss exposure opportunities and underestimate F.
  • Collapsing probability too early: if you jump straight to a single probability rating, you lose insight into which driver (F, P1, or A) you should attack.
  • Overreliance on low P1: very reliable components do not help if people frequently enter dangerous zones. Reduce exposure and improve avoidance regardless.
  • One‑time assessment: every safeguard can create new hazards (e.g., guard bypass, cleaning difficulties). Reassess after each design change.
  • Undefined acceptance rules: without thresholds and governance, teams argue over colors and scores instead of making decisions.
  • No traceability: if you cannot explain why a rating changed after a design modification, your technical file will not stand scrutiny. Keep assumptions and data.
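The following example is added here and is not code from the article; it turns the reassessment step from the workflow and the traceability, overreliance-on-low-P1 and acceptance-rule pitfalls above into a mechanical check on a risk assessment record before sign-off. The record layout, the additive scale and bands, the acceptance threshold and the two sample records are assumptions made for the example; your own policy defines the real ones.

```python
"""Added example (not from the article): consistency review of a risk assessment
record before sign-off. Record layout, scale, bands and samples are assumed."""
from dataclasses import dataclass

DRIVERS = ("S", "F", "P1", "A")
BANDS = ["negligible", "low", "medium", "high"]


@dataclass
class Safeguard:
    measure: str
    targets: tuple   # drivers the measure is claimed to reduce, e.g. ("F", "A")
    evidence: str    # data or structured judgement supporting that claim


@dataclass
class Assessment:
    task: str
    initial: dict    # {"S": .., "F": .., "P1": .., "A": ..} before risk reduction
    residual: dict   # same drivers after the safeguards
    safeguards: list


def additive_band(r: dict) -> str:
    score = r["S"] + r["F"] + r["P1"] + r["A"]        # 4..14 on the assumed scales
    return "negligible" if score <= 6 else "low" if score <= 9 else "medium" if score <= 11 else "high"


def review(a: Assessment, accept_up_to: str = "low") -> dict:
    """Decide acceptability against the policy band and list findings that block sign-off."""
    findings = []
    changed = [d for d in DRIVERS if a.residual[d] != a.initial[d]]
    claimed = {d for sg in a.safeguards for d in sg.targets}

    # Traceability: every rating that moved must be explained by a safeguard with evidence.
    for d in changed:
        if d not in claimed:
            findings.append(f"{d} changed from {a.initial[d]} to {a.residual[d]} with no safeguard claiming it")
    for sg in a.safeguards:
        if not sg.evidence.strip():
            findings.append(f"'{sg.measure}' has no evidence recorded")
        for d in sg.targets:
            if d not in changed:
                findings.append(f"'{sg.measure}' claims to reduce {d} but the rating did not move")

    # A safeguard can create new hazards: any driver that got worse needs a second look.
    for d in DRIVERS:
        if a.residual[d] > a.initial[d]:
            findings.append(f"{d} increased after risk reduction; reassess the new hazard")

    # Overreliance on low P1: reliability alone does not fix frequent, unavoidable exposure.
    r = a.residual
    if changed == ["P1"] and r["F"] >= 3 and r["A"] == 2:
        findings.append("only P1 reduced while exposure stays frequent and avoidance hardly possible")

    residual_band = additive_band(r)
    within_criteria = BANDS.index(residual_band) <= BANDS.index(accept_up_to)
    if not within_criteria:
        findings.append(f"residual risk {residual_band} exceeds acceptance band {accept_up_to}; add measures or document ALARP")
    return {"residual": residual_band, "within_criteria": within_criteria,
            "sign_off": within_criteria and not findings, "findings": findings}


# Constructed records (not real assessments).
GOOD = Assessment(
    task="clearing a jam at the outfeed rollers",
    initial={"S": 3, "F": 3, "P1": 3, "A": 2},      # 11 -> medium
    residual={"S": 3, "F": 1, "P1": 2, "A": 1},     # 7 -> low
    safeguards=[
        Safeguard("interlocked guard with guard locking on the outfeed", ("F", "P1"),
                  "access only after rollers stop; interlock reliability per supplier data"),
        Safeguard("hold-to-run at reduced speed for jam clearing", ("A",),
                  "slow, operator-initiated movement gives warning time to withdraw"),
    ],
)
WEAK = Assessment(
    task="same jam-clearing task, reliability-only fix",
    initial={"S": 3, "F": 3, "P1": 3, "A": 2},
    residual={"S": 3, "F": 3, "P1": 1, "A": 2},     # 9 -> low, but only P1 moved
    safeguards=[Safeguard("higher-reliability drive contactor", ("P1",), "")],
)

if __name__ == "__main__":
    for rec in (GOOD, WEAK):
        print(rec.task, review(rec))
```

The WEAK record lands in the same "low" band as the GOOD one, which is exactly why a score alone should not close an item: the review refuses sign-off because the only moved driver is P1 with no evidence behind it while people still enter the zone daily without a realistic chance to get clear.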

You will not eliminate all machine risk, but you can make it transparent, comparable, and as low as reasonably practicable. Use ISO 12100 to structure the thinking and ISO/TR 14121-2 to choose tools that fit your decisions. Above all, tie ratings to tasks and real operator behavior so your safeguards match reality on the shop floor.

How should I start hazard identification under ISO 12100?

Start from tasks and modes, not from parts. List what people actually do: loading, clearing jams, cleaning, adjustments, setup, service. For each task, define where exposure happens, which energy sources exist, and what could go wrong. This task-first approach anchors S, F, P1, and A in reality.

What is the difference between a hazardous situation and a hazardous event?

A hazardous situation is the circumstance in which a person is exposed to at least one hazard; it exists whether or not harm follows. A hazardous event is the event that can cause harm, such as unexpected start-up, ejection of a part, or uncontrolled movement. You need both in a scenario: exposure first, then an event that turns the exposure into harm.

Does a clean accident record prove that my machine is low risk?

No. Zero accidents may reflect short operating time, low exposure, or under-reporting. Assess risk from first principles using tasks, hazards, scenarios, and the S–F–P1–A model. Use field data to refine ratings, not to skip the analysis.

When can I stop iterating and declare residual risk acceptable?

Define acceptance criteria up front and apply ALARP. If further reduction would be grossly disproportionate to the benefit given the state of the art and the actual exposure, document that justification. If not, add safeguards and reassess.

How do ISO 13849-1 and IEC 62061 fit with ISO 12100?

ISO 12100 frames the overall risk process. When hazards require safety-related control functions, use ISO 13849-1 or IEC 62061 to assign and achieve the required safety integrity. Feed the required level back into your risk reduction plan.
