Technical Summary
Key takeaways:

The excerpt explains how ISO 12100 structures risk estimation and highlights supporting guidance from ISO/TR 14121-2 for practical assessment methods.

  • EU fatal workplace accidents: 3,298 in 2023 (~0.1% of reported accidents), slightly up vs 2022 but down vs 2013
  • ISO 12100:2010 is the baseline machinery safety standard for hazard identification, risk estimation, and risk reduction
  • Risk in ISO 12100 combines severity of harm with probability of harm occurring
  • ISO 12100 breaks probability into exposure (F, with T if needed), hazardous event probability (P1), and possibility to avoid/limit harm (A)
  • ISO 12100 does not prescribe scales or numeric values; methods may vary as long as S, F/T, P1 and A are considered

In 2023, the number of fatal workplace accidents in EU countries amounted to 3,298, representing approx. 0.1% of all reported accidents. Compared with 2013, this figure fell by approx. 110 (from 3,408), although a slight increase was recorded versus 2022 (+12 cases). Overall, there is an average of 1.63 fatalities per year per 100,000 employees. Despite progress in occupational safety, fatal accidents still occur, particularly in connection with the operation of machinery and equipment, which calls for ongoing preventive measures.

How to assess risk according to ISO 12100

Risk assessment is a key element in ensuring the safety of machinery and workstations. According to the International Organization for Standardization, the baseline standard in this area is ISO 12100:2010 (“Safety of machinery – General principles for design – Risk assessment and risk reduction”), which defines fundamental concepts and the process for hazard identification and risk estimation. In turn, ISO/TR 14121-2 is a Technical Report that provides practical guidance and examples of methods for assessing machinery risk in accordance with ISO 12100. In this paper, we “break down” the risk formula from ISO 12100, discussing each of its components, and examine how the individual methods presented in ISO/TR 14121-2 take these factors into account (or simplify them). We also present key differences between the approaches of the two documents, illustrated with statistical data and practical takeaways.

How to assess risk according to ISO 12100: The ISO 12100 risk formula (risk components)

ISO 12100 defines risk as the combination of the probability of harm occurring and the severity (seriousness) of that harm. In other words, the risk associated with a given hazard depends, on the one hand, on the severity of the potential injury or damage and, on the other, on the likelihood that such harm will occur. This general definition can be made more specific by breaking down the “probability of harm occurring” into more concrete factors. According to ISO 12100, this probability comprises four components: frequency and duration of exposure (F), probability of occurrence of a hazardous event (P1), possibility of avoiding or limiting harm (A), and, where applicable, a specific duration of exposure (T) if it is not already captured by frequency. In practice, duration is often combined with exposure frequency and treated together as a single factor. Below, we describe each of these risk elements in line with the standard and the accompanying literature:

  • Severity of harm (S, severity) – the anticipated seriousness of the consequences of an accident or hazardous event. It is determined by considering the worst reasonably foreseeable impact on health: from minor (reversible) injuries to severe, irreversible bodily harm or death. Severity categories may be defined descriptively (e.g., S1 – minor injury, S2 – severe, permanent injury or death). The higher the potential severity of the consequences, the higher the risk: even with a low probability, a serious accident may require preventive measures.
  • Frequency and duration of exposure (F, frequency of exposure) – how often and for how long a person is exposed to a given hazard. More frequent and longer presence in the hazardous zone increases the likelihood that an accident will occur. For example, F1 may indicate rare or short-term exposure, while F2 indicates frequent or continuous/long-term exposure. In risk assessments, a scale is often used, for example from “very rarely” to “continuously” – often with a quantitative threshold (e.g., several times per hour, daily, monthly, annually, etc.). Where needed, T (exposure duration) is also taken into account – for example, a long continuous stay in the hazard zone is riskier than a brief incidental event, even at the same frequency.
  • Probability of a hazardous event (P1, probability of occurrence) – estimates how likely it is that a specific hazardous event leading to harm will occur, taking into account the machine’s operating conditions. This includes, among other things, the reliability of the machine and its components, the likelihood of damage or a failure leading to a hazardous situation, as well as the possibility of human error causing the event. It is often expressed qualitatively, for example as very likely, possible, unlikely, negligible, etc. For example, on a five-level scale: 1 – negligible (practically does not occur), 3 – possible, 5 – very high probability. The more often emergency or hazardous situations may occur (e.g., frequent faults, lack of safeguards, high operator error rates), the higher the P1 factor.
  • Possibility of avoiding or limiting harm (A, also referred to as P or Q) – indicates the extent to which the exposed person has a chance to avoid an accident or minimise its consequences once a hazardous event has already occurred. In other words: if the hazard materialises, can the worker avoid injury (e.g., jump back, stop the machine, take cover), or can protective measures limit the consequences (e.g., a safety light curtain stops the machine before serious harm occurs). The A category is sometimes defined in a binary way, e.g., A1 (P1): avoidable (under favourable conditions, the operator has a chance to react, escape, or the harm will be minor); A2 (P2): almost impossible to avoid (the event is sudden, unavoidable, or there is no physical possibility of escape). If the possibility of avoidance is zero (e.g., in an explosion, sudden entanglement by a high-speed machine), the risk is much higher than in a situation where the operator can detect the hazard and withdraw.

It is worth noting that ISO 12100 does not prescribe any specific scales or numerical values for the parameters above—it only requires that the risk assessment takes into account at least the four aspects listed above (S, F, P1, A) and, on that basis, estimates the level of risk. The standard gives designers flexibility in choosing methods so they can be tailored to the specifics of the machine, provided the assessment is systematic and considers all relevant factors. Risk R can therefore be expressed as a function: R = f(S, F, P1, A). In straightforward cases, this is often modelled qualitatively (e.g., descriptively or in tables), and in some methods also as a score (numerically) by assigning ranks/numbers to individual factors and then adding or multiplying them (as discussed later).

As an aside, it is worth noting that ISO 12100:2010 consolidated earlier standards (EN ISO 12100-1, 12100-2 and ISO 14121-1) without any significant substantive changes to the risk assessment approach. This means that the risk factors described above and the hazard analysis process essentially remained the same—they were simply presented more clearly in a single harmonized standard. However, ISO 12100 itself does not provide a ready-made recipe for how to calculate or classify risk in detail—hence the need for additional guidance illustrating various risk estimation methods that meet the standard’s requirements. This is exactly the kind of guidance provided in ISO/TR 14121-2:2007/2012, which offers a set of tools and examples for machine risk assessors to choose from.

Risk assessment methods in ISO/TR 14121-2

ISO/TR 14121-2 is a technical report that presents a range of methods and tools for estimating machine-related risk, in line with the ISO 12100 approach. It describes, among others, a scoring method (additive/multiplicative), a risk matrix, a risk chart (graph), and hybrid methods that combine features of several approaches. The methods are discussed below, indicating how they take into account (or simplify) the risk factors described earlier.

Point-based method (additive or multiplicative)

One of the methods presented is the point-based approach, in which specific numerical values are assigned to all risk elements and then added or multiplied to obtain a resulting risk index. For example, you can define point scales for S (e.g., 1 to 4 depending on severity), for F (frequency of exposure), for P1 (probability of occurrence), etc., and then calculate R = S + F + P1 + A (addition) or R = S * F * P1 * A (multiplication).

In practice, a mixed formula is often used—for example, adding some factors while multiplying others—to properly reflect their relative importance. For instance, Japanese guidelines (cited by ISO/TR 14121-2) suggested adding S + (F + P1), i.e., severity plus the combined rating of exposure and the probability of occurrence. This method makes it possible to include all key elements in the calculation and provides a quantitative result that can be compared across different hazards.

Advantages: It helps structure the assessment—each criterion is considered separately, which reduces the risk of overlooking any aspect. A numerical result makes it possible to compare risks across different machines or scenarios on a consistent scale.

Challenges: Setting the weights and point scales can be subjective—for example, whether “frequent” occurrence should be 3 points or 4, or how to rescale multiplication so the values remain meaningful—and may require calibration. The numeric result alone can also be hard to interpret unless acceptability thresholds are defined (e.g., what does 15 points mean—does it indicate “high risk” requiring action, or a medium level?). That is why a rating table or legend is often created to translate the total score into qualitative risk categories (e.g., 0–3 pts = low risk, 4–7 = medium, >8 = high—this is only an example). The aggregation method also affects the outcome: multiplication means that a very low value for one factor can significantly reduce the score (which may be desirable—for instance, a negligible probability of an event will reduce the risk almost to zero even with high severity), whereas addition ensures that each factor adds something to the risk (e.g., with a sum, even a minimal chance of an event with catastrophic consequences yields some non-zero result). The choice between a sum and a product should therefore reflect the assessment philosophy—whether we consider a very rare event with a tragic outcome to still represent a risk that requires control (addition gives a non-zero result), or whether it can be practically disregarded (a product gives a near-zero result). ISO/TR 14121-2 presents both approaches as optional tools.
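The effect of the aggregation choice can be seen by scoring the same hazards both ways. This is an added example, not part of ISO 12100 or ISO/TR 14121-2: the 1 to 4 scale, the hazards and the function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed 1-4 point scale for every factor. ISO 12100 prescribes no values,
# so these numbers are assumptions made for this example only.
LOW, HIGH = 1, 4
FACTORS = ("S", "F", "P1", "A")
N = len(FACTORS)


@dataclass(frozen=True)
class Hazard:
    name: str
    S: int   # severity of harm
    F: int   # frequency and duration of exposure
    P1: int  # probability of the hazardous event
    A: int   # possibility of avoidance (higher = harder to avoid)

    def __post_init__(self):
        # Reject ratings outside the agreed scale instead of scoring them.
        for factor in FACTORS:
            value = getattr(self, factor)
            if not isinstance(value, int) or not LOW <= value <= HIGH:
                raise ValueError(f"{self.name}: {factor}={value!r} outside {LOW}..{HIGH}")


def additive(h):
    """R = S + F + P1 + A"""
    return h.S + h.F + h.P1 + h.A


def multiplicative(h):
    """R = S * F * P1 * A"""
    return h.S * h.F * h.P1 * h.A


# Lowest and highest score each method can produce on this scale.
BOUNDS = {additive: (LOW * N, HIGH * N), multiplicative: (LOW ** N, HIGH ** N)}


def normalised(h, method):
    """Rescale a score to 0..1 so that sum and product can be compared."""
    lo, hi = BOUNDS[method]
    return (method(h) - lo) / (hi - lo)


def ranking(hazards, method):
    """Hazard names, highest score first (ties broken by name)."""
    return [h.name for h in sorted(hazards, key=lambda h: (-method(h), h.name))]


# Constructed hazards, not taken from any real assessment.
HAZARDS = [
    Hazard("press closing on hand", S=4, F=1, P1=1, A=4),  # rare but catastrophic
    Hazard("conveyor nip point", S=2, F=2, P1=2, A=3),     # moderate on every factor
    Hazard("hot surface contact", S=3, F=3, P1=3, A=3),
]

if __name__ == "__main__":
    for method in (additive, multiplicative):
        print(method.__name__)
        for h in HAZARDS:
            print(f"  {h.name:24} score={method(h):3d} "
                  f"normalised={normalised(h, method):.2f}")
        print("  ranking:", ranking(HAZARDS, method))
```

With these inputs the rare but catastrophic press hazard sits at the midpoint of the additive scale yet falls to the bottom of the multiplicative ranking, which is the philosophical choice the paragraph above describes.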

Risk matrix

The risk matrix is a widely used tool, also described in ISO/TR 14121-2. The matrix is a two-dimensional table, with severity of harm (S) plotted on one axis and the overall probability of harm occurring (P) on the other. Each cell of the table (a combination of an S level and a P level) is assigned to a risk category (e.g., low, medium, high), often color-coded (green, yellow, red) for clarity. For example, a four-level severity scale (from minor injury to fatal) and a five-level probability scale (from very rare to frequent) create a 4×5 matrix, as in the example below taken from practice (colors indicate the risk level; green: acceptable, red: high).

In the hypothetical (4×5) matrix above, you can see, for example, that the combination of medium probability (C) and a fatal outcome (4) results in a High risk rating. This type of matrix is used primarily for risk visualization—it lets you quickly identify which hazards fall into the red zone (unacceptable, requiring action) and which fall into the green zone (acceptable).

Advantages of the matrix: It is simple and easy to read—it resembles a “traffic light” system (green–yellow–red) that is understandable even to non-technical people. This makes it easier to communicate risk to management or employees—you can immediately see where the most serious hazards are. The matrix also enables quick prioritization: you can identify which risks are low (and possibly tolerable) and which are high and require immediate reduction.

Limitations and simplifications: A risk matrix inevitably simplifies the analysis, because it compresses all factors F, P1, A into a single “probability” axis. Estimating that probability becomes a composite of subjective judgments about frequency, the likelihood of the event, and the possibility of avoidance. Different assessors may therefore interpret, for example, what “unlikely” means in different ways—so results are not always fully repeatable. Standardising categories within the company (e.g., precise definitions of what B: unlikely means—e.g., “<1 event per 10 years”) can reduce discretion, but some subjectivity always remains. Another drawback is limited resolution: the matrix groups risk into fairly broad bands. Two different hazards may receive the same rating (e.g., medium risk), even though one is at the lower boundary of that category and the other at the upper boundary. The matrix does not show these differences—for more detailed analyses or for ranking many risks, this method can be too general.

Despite the limitations above, matrices are very popular—also outside the machinery industry (e.g., in OSH in general, projects, finance)—because of their simplicity. ISO/TR 14121-2 recommends using them with caution, ensuring that the categories are clearly defined and refining them where more detail is needed. It is worth noting that ISO 12100 does not object to the use of matrices, provided that, in line with the standard, before classifying risk in a matrix we consider all four factors (S, F, P1, A). In other words, although a matrix explicitly works with only two dimensions (S and overall P), a qualitative analysis should come before filling in the matrix—so that, for example, we can assess whether a low P level results from low exposure or perhaps from a high possibility of escape, etc.

Risk graph

A risk graph is a graphical method that presents the risk assessment process as a decision tree or logic diagram. It is used, among other things, in standards related to the safety of control systems (e.g. EN ISO 13849-1, IEC 62061) to determine the required level of protection (PL or SIL) based on a risk estimate. The graph works by answering questions in sequence about risk factors—typically Severity (S), Frequency/exposure (F), Possibility of avoidance (A/P)—often as binary choices (e.g. S1 or S2? F1 or F2? P1 or P2?), which guides the user along the branches of the tree to the final result.

For example, a simplified chart (inspired by ISO 13849-1) works like this: if S is minor (S1), go left; if serious (S2), go right. Next comes the question of F: rare/short (F1) or frequent/long (F2). Then P (Avoidance): is avoidance P1 (possible) or P2 (not possible)? Finally, depending on the path taken (the combination of S, F, P), a certain risk level is assigned or the required protection level is indicated directly (e.g., PLr a, b, c… for control systems).

Advantages: Risk graphs provide a structured, repeatable procedure—by asking the same questions in the same order, we reduce subjectivity (e.g., two engineers answering “yes/no” to identical questions will usually arrive at the same result). This method is also fast for experienced users and focuses on the key factors without over-fragmenting the scale. It works very well in specific applications, for example when assessing risk related to safety functions (as in ISO 13849-1)—where hazards are typical and the goal is to select the appropriate level of technical protective measure.

Limitations: The chart (especially with binary categories) is fairly coarse-grained. For example, using only two S levels (minor vs. severe) ignores “medium” scenarios—sometimes that is sufficient (when the key distinction is mainly whether death is possible or not), but sometimes it can be overly simplistic. The same applies to F1/F2 and P1/P2: these are the minimum number of categories; in reality there are often more shades of grey. Charts are also typically specialised—a scheme created for one standard/industry may not fit another. In addition, a risk chart does not explicitly take the P1 factor (probability of occurrence) into account as a separate step—one often assumes a typical scenario with a typical probability for a given application. In other words, the chart emphasises frequency of exposure and possibility of avoidance, treating the occurrence of the event itself as essentially built into the real-world context (e.g., in ISO 13849 it is conservatively assumed that the event can always occur if a person is exposed—hence there is no separate branch asking “is the failure likely?”). This simplifies the analysis (fewer questions), but it implies a certain conservatism: the risk may come out high even if the machine is very reliable, because we do not ask about that. In practice, if we have data indicating a very low probability of the event (e.g., a failure once per million hours), the risk chart will not make use of that fact—you would instead need to use scoring methods to account for the P1 factor numerically.

ISO/TR 14121-2 presents risk graphs as one of the available methods, providing examples from related standards. When using this method, you should be aware of its assumptions and simplifications—it works very well for verifying safety requirements (e.g., how high a PL/SIL a guard must have) and for preliminary risk classification, but for an overall machine risk assessment it may be supplemented with other analyses, for example if the machine’s failure rate is atypical.
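The walk through the graph, and the fact that it never asks how likely the event is, can be shown in a few lines. This is an added example, not code from any standard: the leaf letters reproduce the ISO 13849-1 risk graph as an assumption of this example, and the `Scenario` record with its `event_rate_per_hour` field is hypothetical.

```python
from dataclasses import dataclass

# Questions in the order the graph asks them, with the allowed answers.
# Note: P1/P2 here are the avoidance answers of the graph, not the
# "probability of the hazardous event" factor P1 of ISO 12100.
QUESTIONS = (
    ("S", ("S1", "S2")),  # severity: minor / serious
    ("F", ("F1", "F2")),  # exposure: rare or short / frequent or long
    ("P", ("P1", "P2")),  # avoidance: possible / not possible
)

# Decision tree; each leaf is the required performance level (PLr).
GRAPH = {
    "S1": {"F1": {"P1": "a", "P2": "b"}, "F2": {"P1": "b", "P2": "c"}},
    "S2": {"F1": {"P1": "c", "P2": "d"}, "F2": {"P1": "d", "P2": "e"}},
}


@dataclass(frozen=True)
class Scenario:
    name: str
    S: str
    F: str
    P: str
    # Hypothetical field: rate of the dangerous event. The graph never reads it.
    event_rate_per_hour: float


def required_pl(scenario):
    """Walk the graph branch by branch; return (PLr, path taken)."""
    node, path = GRAPH, []
    for question, allowed in QUESTIONS:
        answer = getattr(scenario, question)
        if answer not in allowed:
            raise ValueError(
                f"{scenario.name}: {question} must be one of {allowed}, got {answer!r}")
        node = node[answer]
        path.append(answer)
    return node, tuple(path)


def unused_inputs(scenario):
    """Fields of the scenario that no question in the graph consults."""
    asked = {question for question, _ in QUESTIONS} | {"name"}
    return sorted(set(vars(scenario)) - asked)


# Constructed scenarios that differ only in how often the event occurs.
WORN = Scenario("worn machine", "S2", "F2", "P1", event_rate_per_hour=1e-2)
RELIABLE = Scenario("reliable machine", "S2", "F2", "P1", event_rate_per_hour=1e-6)

if __name__ == "__main__":
    for s in (WORN, RELIABLE):
        pl, path = required_pl(s)
        print(f"{s.name:17} path={'-'.join(path)} PLr={pl} "
              f"ignored={unused_inputs(s)}")
```

Both scenarios come out at the same PLr even though their event rates differ by four orders of magnitude, which is the conservatism described in the limitations above.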

Hybrid (combined) methods

Hybrid methods are an attempt to combine the advantages of the scoring and graphical approaches. An example of such an approach is given in ISO/TR 14121-2 and is also referenced from IEC 62061 (on the safety of control systems). Broadly speaking, a hybrid method may, for example, add up selected factors to obtain a “probability class”, and then relate it to severity in the manner of a matrix or chart. This is the case, for instance, in IEC 62061: Fr (frequency), Pr (probability of occurrence), Av (avoidance) are assessed in sequence—each is assigned values from 1–5—and then summed into a risk class CL (sometimes this sum is referred to as the class of likelihood). Next, on a two-dimensional grid (similar to a matrix), the resulting CL level is cross-referenced with the severity category S to assign the required SIL protection level. In this way, the hybrid method combines quantitative estimation of the components (as in the scoring approach) with a clear qualitative outcome (as in a matrix/chart).

The advantage of this approach is a more fine-grained assessment of probability (the Fr, Pr, and Av components are considered separately), while still presenting the final result in a simple, category-based form. This method is used, for example, in ISO 13849, where answers to the S, F, P (avoidance) questions lead to the required Performance Level (PLr) for the safety-related control system—this can be interpreted as a five-level scale of residual risk that must be achieved through appropriate measures. Importantly, in that standard the risk levels are directly linked to the required reliability of the protective measures (PL a – e). It is an interesting concept: high risk → we must apply a highly reliable safeguarding system (PL e); low risk → a less complex measure is sufficient (PL a).

Hybrid methods are often used in risk assessment for machine control systems, but the underlying concept can be applied more broadly—they make it possible to quantitatively assess risk reduction achieved by specific measures. For example, if the initial risk required PL d (corresponding to a certain level of event probability) and we implement a safeguard that meets only PL c, we know the risk will drop by a defined number of “levels”—however, it still will not be reduced to zero, so additional actions may be needed. This brings us to another important aspect: risk evaluation and differences in how acceptability criteria are approached.

How to assess risk under ISO 12100: Comparing approaches and key takeaways

ISO 12100 vs ISO/TR 14121-2 – the role of a standard versus guidelines. The key difference between ISO 12100 and ISO/TR 14121-2 lies in their nature: ISO 12100 is a requirements standard (normative) – it defines what must be done (carry out a hazard analysis, estimate risk taking into account S, F, P1, A, etc., and then reduce the risk), whereas ISO/TR 14121-2 is a technical report with guidelines – it shows how it can be done through examples. ISO 12100 itself allows considerable flexibility, while TR 14121-2 provides tools that help meet the standard. There is no contradiction here – rather an addition. In practice, many organisations develop their own risk assessment procedures based on these guidelines, tailored to the specifics of their machinery and their acceptable level of risk.

Considering risk factors. ISO 12100 clearly states that every risk assessment must take into account two components: severity of harm (S) and the probability of its occurrence (P), with probability needing to include at least exposure, the chance of the hazardous event, and the possibility of avoidance. The methods described in ISO/TR 14121-2 differ mainly in how they incorporate these components. The scoring method explicitly breaks P down into factors and adds/multiplies them, so it most faithfully reflects the full formula (at the cost of more effort during the assessment). The risk matrix, in turn, combines the factors F, P1, A into one generalized P, which simplifies the assessment but can obscure which aspect has the greatest influence on the risk. For example, a matrix may give the same “medium risk” result for two situations: (a) a very rare event with catastrophic consequences and (b) a frequent event with minor consequences—even though the nature of these risks is different. Therefore, when using a matrix, it is recommended to always record separately the assumptions explaining why a given scenario has a particular P category (e.g., “low probability due to sporadic exposure,” etc.). The risk graph, in turn, does not explicitly include P1, but it forces a conservative assumption about failure likelihood—which can be safe, though it may sometimes overestimate the risk if the machine is in fact very reliable.
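The hybrid procedure described earlier (sum Fr, Pr and Av into a class, then cross-reference with severity) and the advice above to record why a scenario landed in its category can be combined in one routine. This is an added example, not the table from IEC 62061 or ISO/TR 14121-2: the band edges, the grid cells, the category names and the sample hazards are all constructed.

```python
from bisect import bisect_right

# All values below are constructed for this example.
BAND_STARTS = (3, 5, 8, 11, 14)  # likelihood bands 3-4, 5-7, 8-10, 11-13, 14-15

# Rows: severity 1 (minor) to 4 (fatal). Columns: likelihood band 0 to 4.
GRID = {
    1: ("low", "low", "low", "low", "medium"),
    2: ("low", "low", "low", "medium", "high"),
    3: ("low", "low", "medium", "high", "high"),
    4: ("medium", "medium", "high", "high", "high"),
}


def likelihood_class(Fr, Pr, Av):
    """Sum of frequency, event probability and avoidance, each rated 1..5.

    Av is rated so that a higher value means harm is harder to avoid.
    """
    for label, value in (("Fr", Fr), ("Pr", Pr), ("Av", Av)):
        if value not in range(1, 6):
            raise ValueError(f"{label}={value!r} outside 1..5")
    return Fr + Pr + Av


def band(cl):
    """Index of the likelihood band that contains class value cl."""
    return bisect_right(BAND_STARTS, cl) - 1


def assess(name, S, Fr, Pr, Av):
    """Return the grid category together with the factors that produced it."""
    if S not in GRID:
        raise ValueError(f"S={S!r} outside 1..4")
    cl = likelihood_class(Fr, Pr, Av)
    factors = {"Fr": Fr, "Pr": Pr, "Av": Av}
    top = max(factors.values())
    return {
        "hazard": name,
        "S": S,
        "CL": cl,
        "category": GRID[S][band(cl)],
        # Which likelihood factor(s) carry the rating: this is the note the
        # bare grid cell does not preserve.
        "drivers": sorted(k for k, v in factors.items() if v == top),
    }


# Constructed cases matching situations (a) and (b) in the paragraph above.
RARE_SEVERE = assess("rare event, fatal outcome", S=4, Fr=1, Pr=1, Av=2)
FREQUENT_MINOR = assess("frequent event, minor outcome", S=1, Fr=5, Pr=5, Av=4)

if __name__ == "__main__":
    for record in (RARE_SEVERE, FREQUENT_MINOR):
        print(record)
```

Both records carry the same category, but the stored S, CL and drivers show that one calls for limiting the consequences and the other for reducing exposure or event frequency.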

Level of detail vs. simplicity. This leads to a classic dilemma: more complex methods (scoring, hybrid) provide a more accurate, more quantitative view of risk and make it possible to distinguish nuances, but applying them requires more data and is harder to communicate. Simpler methods (matrix, risk graph) are easy to use and understand, but at the expense of detail—they can lead to a degree of averaging. ISO 12100 does not favor any of these methods; it allows all of them, provided they support a reliable assessment. In practice, a combination is often used: for example, risk is first assessed using a matrix to identify high-risk areas, and then a more detailed analysis (even semi-quantitative) is carried out for those critical hazards to design optimal safety measures.

Risk acceptance criteria. Both ISO 12100 and ISO/TR 14121-2 emphasise that a key step is to assess whether the risk has been reduced to an acceptable level (the so-called risk evaluation, carried out after risk estimation). Interestingly, neither of these documents specifically defines what constitutes a “tolerable level”; this is left to organisations, and potentially to legal requirements or product-specific standards. In matrix examples, ISO/TR 14121-2 typically assumes that the lowest risk category (e.g., “Negligible” risk) is acceptable without additional action. In other words, a combination of the lowest factor values (e.g., a minor injury, virtually zero probability) indicates a situation where no further risk reduction is required. Higher levels (low, medium, high) may require a correspondingly increasing level of protective measures.

In practice, a certain gap has been identified: ISO/TR 14121-2 does not provide a strict method for calculating how the applied protective measures affect risk reduction. Put simply, we know that guards, safety interlocks, light curtains, etc. reduce risk (because they reduce the likelihood or the consequences), but on a matrix or point scale this is often assessed as a new qualitative assessment after safeguards are implemented, without a formal conversion factor. This can raise doubts: for example, if before fitting a guard the probability of an event was assessed as C (possible), then which category does it drop to after the guard is installed? This is where standards such as the aforementioned ISO 13849-1 are helpful: the initial risk is assigned a required reliability of the protective measure (PLr), and achieving that PL demonstrates that the risk has been reduced to an acceptable level. Under ISO/TR 14121-2, this has to be judged by expert assessment—for example, stating that “using a guard will probably reduce the frequency of exposure from frequent to rare, so we move from category E to C in the matrix.” This is a valid approach, but it requires experience.

Summary. The risk formula analysis in ISO 12100 shows just how many factors make up risk: not only the obvious severity of harm, but also less obvious elements such as how often a person is exposed to a hazard or whether an accident can be avoided. ISO/TR 14121-2, in turn, makes clear that there are many ways to estimate and categorize risk: from precise scoring methods to easy-to-use matrices. Each has its place, and they are often used in a complementary way. The key is not to lose sight of any important aspect: a simple method does not excuse you from thinking through the details (e.g., why you rate the probability as low), and a complex method must still lead to a clear decision (whether the risk is acceptable, or what else needs to be improved). Ultimately, the goal is always to reduce risk to an acceptable level, in line with the so-called ALARP principle (as low as reasonably practicable, i.e., reduce risk as far as practicable) and the requirements of directives such as the Machinery Directive 2006/42/EC. As long as accidents continue to happen in factories and on construction sites (and statistics show that in Poland alone, every year dozens of people die while operating machinery and thousands are injured), sound risk assessment and the implementation of appropriate protective measures will remain a fundamental duty of machine manufacturers and users. Thanks to standards such as ISO 12100 and guidance like ISO/TR 14121-2, we now have proven tools to anticipate, assess, and reduce that risk before an unfortunate event occurs.

How to assess risk according to ISO 12100 – analysis of the risk formula and methods

ISO 12100 defines risk as a combination of the probability of occurrence of harm and the severity (seriousness) of that harm. In practice, this means that even a rare event may require action if the consequences may be very serious.

Risk can be described as a function R = f(S, F, P1, A), where S is the severity of harm, F is the frequency and duration of exposure, P1 is the probability of a hazardous event, and A is the possibility of avoiding or limiting the harm. The duration (T) is sometimes taken into account separately if it is not included in F.

S describes the anticipated severity of consequences: from minor, reversible injuries to serious, irreversible injuries or death. The greater the possible severity of consequences, the higher the risk level, even with a low probability.

F defines how often and how long a person stays in the hazard zone, and longer and more frequent exposure increases the risk. If necessary, the duration (T) is additionally considered when frequency alone does not reflect the difference between short and long-term exposure.

P1 describes the probability of occurrence of a hazardous event, taking into account, among other things, the machine’s reliability, the possibility of failure, and human error. A determines whether, after the event occurs, the person has a realistic chance to avoid or limit the harm; when avoidance is almost impossible, the risk increases significantly.
