Technical Summary
Key takeaways:

  • Risk assessment is crucial for evaluating machinery conformity and preparing for CE marking on the EU market.
  • ISO 12100 and ISO/TR 14121-2 describe the framework and practical methods for hazard identification and risk estimation.
  • The process includes: the machine’s scope and limits, hazard identification, analysis/estimation, risk acceptance, and risk reduction.
  • Risk reduction in accordance with ISO 12100: inherently safe design, technical protective measures, organizational measures, and PPE.
  • The article discusses risk estimation methods: risk matrices and charts, scoring methods, and qualitative and quantitative approaches.

The text emphasises the iterative nature of risk assessment and selecting the appropriate technique for the type of machine, hazards, and project stage. It also describes the fundamentals of the risk matrix as a tool that combines severity of consequences and the likelihood of an event.

The process of assessing machinery conformity with the essential requirements calls for a robust risk assessment carried out in line with applicable standards. Machinery safety is the cornerstone of industrial equipment design and operation: before placing a machine on the EU market, every manufacturer must identify hazards and reduce risk to an acceptable level. Standards such as ISO 12100 (Safety of machinery — General principles for design, risk assessment and risk reduction) and the ISO/TR 14121-2 guide (practical methods for risk assessment) provide a structured framework. In turn, the standards for safety-related control systems, EN ISO 13849-1 and EN IEC 62061, use their own risk estimation methods to determine the required level of safety assurance for each safety function (required Performance Level PLr, or SIL).

In this article, we will look at the main risk analysis methods used in machinery conformity assessment: risk matrices, risk graphs, point-based methods, and qualitative and quantitative approaches. We will compare their underlying assumptions, highlight the pros and cons of each method, and illustrate practical applications (using examples inspired by standards documentation, but appropriately adapted). Finally, we will provide guidance on how to combine different approaches and select a method suited to the type of hazards, the design stage, and the type of machine.

Remember: the purpose of risk analysis is not only to meet the formal requirements for CE marking, but above all to ensure that the machine is safe throughout its entire life cycle—from design, through use, to maintenance and decommissioning. That is why it is worth choosing risk analysis methods that effectively identify all hazards and assess risk in a systematic way that the whole team can understand.

ISO/TR 14121-2: Fundamentals of the risk assessment process

Before we move on to specific methods, let’s briefly recap the risk assessment stages according to EN ISO 12100:2012.

  1. Define the scope and limits of the machine: Understand the machine’s function, intended use, system boundaries, and users. Determine the conditions under which the machine will operate (e.g., environment, loads, staff training).
  2. Hazard identification: List all potential sources of hazards across all phases of the machine’s life (installation, normal operation, cleaning, maintenance, faults, dismantling). Hazards may be mechanical, electrical, thermal, chemical, radiation-related, ergonomic, etc. It is important to involve both designers and future operators—practical staff experience helps uncover less obvious risks.
  3. Risk analysis and estimation: For each identified hazard, we analyse possible accident scenarios: the causes of the event, the likelihood of occurrence, and the effects (consequences) for operators or equipment. We then estimate the risk level—this is where the tools discussed later come into play (matrices, graphs, point scales, etc.). The aim is to assign each hazard a risk “weight” based on the assessed frequency and severity of potential harm.
  4. Evaluate risk acceptability: Compare the estimated risk against the acceptability criteria adopted within the company or project. For example, is the risk low enough to be tolerated, or does it require reduction? Many organisations adopt the principle that risk resulting in death or permanent disability is unacceptable regardless of probability—unless special protective measures are implemented.
  5. Risk reduction: For risks deemed too high, implement risk reduction measures in line with the so-called three-step hierarchy from ISO 12100: (a) eliminate hazards by design (inherently safe design measures), (b) safeguarding and protective measures (guards, safety devices), (c) information for use, organisational measures, and personal protective equipment (instructions, training, PPE). After applying these measures, the risk analysis cycle is repeated iteratively, assessing residual risk—until an acceptable level is achieved.

In the next section, we will focus on the risk estimation stage (point 3 above), presenting the most common methods. It is worth emphasising that ISO 12100 does not mandate a single technique—it allows both qualitative (descriptive) and quantitative (numerical) approaches, as long as the outcome supports a decision on whether risk reduction is needed. According to ISO/TR 14121-2, there are many equivalent tools, and the choice depends on the specifics of the machine and the assessors’ preferences.

Risk matrix

A risk matrix is one of the simplest and most widely used tools for visual risk assessment. It is a table (matrix) in which the columns typically represent categories of likelihood of an event occurring, and the rows represent categories of severity of harm (consequences). By finding the intersection of the row and column that match the assessment of a given hazard, you read the assigned risk level (e.g., low, medium, high, or by color: green, yellow, red).

How do you build a risk matrix? First, define discrete scales for both dimensions. For consequences, you might use, for example: 1 – minor injury (non-serious harm), 2 – injury requiring medical attention, 3 – serious bodily injury or permanent disability, 4 – fatality. For event likelihood, an example scale is: A – very rare (e.g., “virtually unimaginable”), B – unlikely (once in many years), C – possible (a few times over the machine’s lifetime), D – likely (may occur once a year or more often), E – frequent (regularly, e.g., once a month or continuously). In practice, companies tailor these categories to their needs—the key is for the assessment team to agree on what each category means, which reduces subjectivity.

Next, you create the table by assigning risk levels to individual combinations. An example 4×5 matrix is shown below (colors indicate a typical risk level—green acceptable, yellow medium, red high):

Severity of consequences ↓ / Likelihood →          | A – very rare | B – unlikely | C – possible | D – likely    | E – frequent
---------------------------------------------------|---------------|--------------|--------------|---------------|------------------
1 – Minor injury (non-serious harm)                | 🟢 Low        | 🟢 Low       | 🟡 Medium    | 🟡 Medium     | 🟡 Medium
2 – Injury requiring medical attention             | 🟢 Low        | 🟡 Medium    | 🟡 Medium    | 🔴 High       | 🔴 High
3 – Serious bodily injury or permanent disability  | 🟡 Medium     | 🟡 Medium    | 🔴 High      | 🔴 High       | 🔴 Very high
4 – Fatality                                       | 🟡 Medium     | 🔴 High      | 🔴 High      | 🔴 Very high  | 🔴 Extremely high

Color and risk-level legend:

  • 🟢 Low risk (acceptable) – no action is required, or basic protective measures are sufficient.
  • 🟡 Medium risk (moderate) – consider further risk-reduction actions, implement additional protective measures, and monitoring.
  • 🔴 High/Very high/Extremely high risk – unacceptable without additional safeguards; urgent and comprehensive risk-reduction actions are required.

Example of a practical application of a risk matrix:

Hazard:

An exposed cutting blade on an industrial saw.

Assessment:

  • Severity: S4 – Fatality (catastrophic consequences).
  • Likelihood: C – Possible (a few times over the machine’s lifetime).

Result on the matrix:

The intersection of row 4 (S4 – fatality) and column C indicates 🔴 High risk.

Implication of the result:

  • The risk is considered unacceptable without additional safeguards.
  • The manufacturer must apply protective measures, e.g.:
    • A blade guard.
    • A safety switch.
    • An interlock system to prevent accidental start-up during cleaning.

Further actions:

  • After implementing protective measures, the analysis should be repeated.
  • The goal is to achieve at least a “Medium” level, and ideally “Low”; any residual risk left at “Medium” must be justified and documented in the risk assessment, because the legend above still calls for further reduction to be considered at that level.

Figure: an example risk matrix (English-language) with 4 consequence-severity categories (I–IV) and 5 likelihood categories (A–E). The resulting risk rating is highlighted by color: from low (L) through medium (M) and high (H) to extremely high (EH). In practice, matrices can have different sizes, e.g., 3×3, 5×5, etc., depending on the needs of the analysis.
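The matrix above encoded as data, together with two checks a reviewer would run on it (no inversion of risk levels anywhere in the table, and the step 4 policy that death or permanent disability is never accepted on likelihood alone) and one turn of the reduction loop for the saw example. This is an added example, not code from the article; the verdict rule, the `Assessment` and `decision` names, and the likelihood assumed after the guard is fitted are this example's own assumptions.

```python
"""Risk matrix as data, with a consistency check and an acceptance rule.
Added example: the cells are copied from the 4x5 matrix in the article, the
acceptance policy follows step 4 of the ISO 12100 recap, and the saw hazard
is the article's own worked case (the post-guard likelihood is assumed)."""
from __future__ import annotations
from dataclasses import dataclass

LIKELIHOOD = ["A", "B", "C", "D", "E"]                # very rare ... frequent
SEVERITY = [1, 2, 3, 4]                                # minor injury ... fatality
LEVELS = ["Low", "Medium", "High", "Very high", "Extremely high"]  # ascending

# Row = severity, column = likelihood, exactly as in the matrix above.
MATRIX = {
    1: ["Low",    "Low",    "Medium", "Medium",    "Medium"],
    2: ["Low",    "Medium", "Medium", "High",      "High"],
    3: ["Medium", "Medium", "High",   "High",      "Very high"],
    4: ["Medium", "High",   "High",   "Very high", "Extremely high"],
}


def rank(level: str) -> int:
    """Position of a level on the ascending LEVELS scale."""
    return LEVELS.index(level)


def validate_matrix(matrix: dict = MATRIX) -> list[str]:
    """Return every inversion found: risk must never decrease when severity
    or likelihood increases. An empty list means the matrix is consistent."""
    problems = []
    for s in SEVERITY:                                  # walk each row left to right
        for j in range(1, len(LIKELIHOOD)):
            if rank(matrix[s][j]) < rank(matrix[s][j - 1]):
                problems.append(f"S{s}: {LIKELIHOOD[j]} < {LIKELIHOOD[j - 1]}")
    for j, lk in enumerate(LIKELIHOOD):                 # walk each column top to bottom
        for s in SEVERITY[1:]:
            if rank(matrix[s][j]) < rank(matrix[s - 1][j]):
                problems.append(f"{lk}: S{s} < S{s - 1}")
    return problems


def risk_level(severity: int, likelihood: str, matrix: dict = MATRIX) -> str:
    """Read the cell at the intersection of a severity row and a likelihood column."""
    return matrix[severity][LIKELIHOOD.index(likelihood)]


def decision(level: str, severity: int, measures_applied: bool) -> str:
    """Acceptance rule built from the legend plus the step 4 policy: severity 3-4
    (permanent disability or death) is unacceptable regardless of likelihood
    until protective measures are in place; Medium is tolerable only with justification."""
    if severity >= 3 and not measures_applied:
        return "unacceptable"
    if rank(level) >= rank("High"):
        return "unacceptable"
    if level == "Medium":
        return "tolerable with justification"
    return "acceptable"


@dataclass
class Assessment:
    hazard: str
    severity: int
    likelihood: str
    measures: tuple[str, ...] = ()

    def level(self) -> str:
        return risk_level(self.severity, self.likelihood)

    def verdict(self) -> str:
        return decision(self.level(), self.severity, bool(self.measures))


def reassess(before: Assessment, likelihood: str, *measures: str,
             severity: int | None = None) -> Assessment:
    """One iteration of the ISO 12100 loop: record the measures, re-rate, return the
    new state. A guard normally lowers likelihood; severity changes only if the hazard does."""
    return Assessment(before.hazard,
                      before.severity if severity is None else severity,
                      likelihood, before.measures + measures)


if __name__ == "__main__":
    assert validate_matrix() == []
    saw = Assessment("Exposed cutting blade on an industrial saw", 4, "C")
    print(saw.level(), "->", saw.verdict())          # High -> unacceptable
    guarded = reassess(saw, "A", "blade guard", "interlocked cover for cleaning")
    print(guarded.level(), "->", guarded.verdict())  # Medium -> tolerable with justification
```

The guard does not change the severity row (a blade can still kill), so the hazard only moves left along row 4 and lands on Medium; the verdict string makes the remaining obligation to justify and document the residual risk explicit instead of hiding it behind a colour.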

Advantages of a risk matrix:

  • Simplicity and clarity: The matrix is easy to understand and provides a graphical view of risk that mirrors the intuitive “traffic-light” concept (green – OK, red – stop). This makes it useful for communicating with management and non-technical stakeholders—it quickly shows where the greatest hazards are.
  • Fast classification: It enables quick prioritization—for example, which risks are low (acceptable) and which require urgent action.

Disadvantages of a risk matrix:

  • Subjective category selection: Defining what “unlikely” or “serious harm” actually means depends on the team’s judgment. Different people may rate it differently, which affects the outcome. Standardising categories within the organization is essential, but some degree of subjectivity remains.
  • Limited precision: The matrix groups risk into broad bands. Two different hazards may receive the same result (e.g., “medium risk”), even though one is closer to the lower boundary and the other to the upper boundary. This can be too high-level an approach when a more detailed analysis is needed or when comparing many hazards.

Risk Graph

A risk graph is a graphical method, often presented as a decision tree or logic diagram. It involves a step-by-step assessment of several risk parameters, typically using binary answers (e.g., low/high, yes/no), which guides us along a path to the result. Each node in such a graph branches into a limited number of options (most often two), making the method clear, though less detailed.

Risk graphs are widely used in standards for control systems. For example, EN ISO 13849-1 (safety-related parts of machinery control systems) includes a graphical risk assessment scheme that helps determine the required performance level (PLr) for a safety function. Similarly, EN IEC 62061 (functional safety of safety-related control systems for machinery) uses a comparable concept to determine the required safety integrity level (SIL). In both cases, we assess the following factors in sequence:

  1. S (Severity) – severity of potential harm: e.g., S1 = slight (normally reversible) injury, S2 = serious (normally irreversible) injury or death.
  2. F (Frequency/Exposure) – frequency and/or duration of exposure to the hazard: e.g., F1 = seldom to less often and/or short exposure time, F2 = frequent to continuous and/or long exposure time.
  3. P (Possibility of avoidance) – possibility of avoiding the hazard or limiting the harm: e.g., P1 = possible under specific conditions (the operator has a chance to react), P2 = scarcely possible (the event is sudden or inevitable).
  4. (Optional) W/Pr (Probability of occurrence) – probability of the hazardous event occurring: this parameter is sometimes an explicit factor, for example in IEC 62061 (denoted Pr) alongside the frequency and duration of exposure (Fr) and the possibility of avoidance (Av). In the ISO 13849-1 method it is not a separate input; it is taken into account indirectly when assessing F and P.

Based on these assessments, by following the path on the graph, we arrive at the result, most often expressed as a risk level or a category of required safeguards. For ISO 13849-1, the outcome is the required Performance Level (PLr) from a to e (where a indicates the lowest required reliability level of the control system and e the highest). In ISO/TR 14121-2, you may also encounter a graph that provides a risk index on a numerical scale, e.g., from 1 to 6: values 1–2 indicate low risk, while higher values point to the need for further risk reduction actions.

START
  │
  ├─ Severity of harm (S)
  │   ├─ S1: minor injury (reversible)
  │   │   └─ Frequency of exposure (F)
  │   │       ├─ F1: seldom to less often and/or short exposure time
  │   │       │   └─ Possibility of avoidance (P)
  │   │       │       ├─ P1: avoidance possible → PLr = a
  │   │       │       └─ P2: avoidance difficult → PLr = b
  │   │       └─ F2: frequent to continuous and/or long exposure time
  │   │           └─ Possibility of avoidance (P)
  │   │               ├─ P1: avoidance possible → PLr = b
  │   │               └─ P2: avoidance difficult → PLr = c
  │   └─ S2: serious injury (irreversible) or death
  │       └─ Frequency of exposure (F)
  │           ├─ F1: seldom to less often and/or short exposure time
  │           │   └─ Possibility of avoidance (P)
  │           │       ├─ P1: avoidance possible → PLr = c
  │           │       └─ P2: avoidance difficult → PLr = d
  │           └─ F2: frequent to continuous and/or long exposure time
  │               └─ Possibility of avoidance (P)
  │                   ├─ P1: avoidance possible → PLr = d
  │                   └─ P2: avoidance difficult → PLr = e

Example of using the risk graph: Consider the hazard that an industrial robot strikes a person if someone enters the robot’s working area without appropriate safeguards. Using the ISO 13849-1 method, we assess this scenario as follows: S = S2 (serious injury or death), F = F2 (frequent access: the operator enters the cell often, and the robot runs many hours per day), P = P2 (avoiding the hazard is unlikely: the robot moves quickly and leaves no time to escape). Following the risk graph in the standard, the combination (S2, F2, P2) leads to the required PLr = e, the highest level. This means the safety function that protects the person (e.g., a stop triggered by Type 4 light curtains or by monitored door interlocks, implemented with a redundant, monitored control architecture) must achieve PL e, so that the risk of being struck by the robot is reduced to an acceptable level. By comparison, for a much less critical scenario, e.g., a low-force robot that people rarely access and can easily step away from, the assessment (S1, F1, P1) leads to PLr = a, the lowest level, meaning far less demanding requirements on the safety-related control system.

START → S2 → F2 → P2 → PLr = e
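The graph above walked programmatically, recording the path taken so it can be filed with the assessment, plus the follow-on check a designer needs once PLr is known: that the PL the planned implementation achieves is at least PLr. This is an added example, not code from the article or from the standard; the tree reproduces the S/F/P graph shown above, and the safety functions other than the robot cell, together with all the planned PL values, are constructed for illustration.

```python
"""ISO 13849-1 risk graph as an explicit decision tree, with path recording
and a 'does the planned implementation meet PLr?' check. Added example; the
tree reproduces the graph in the article, the safety functions in main()
and their planned PL values are constructed."""
from __future__ import annotations

PL_ORDER = "abcde"  # a = lowest required reliability, e = highest

# Each nested key is one branch of the graph above; the leaf is PLr.
GRAPH = {
    "S1": {"F1": {"P1": "a", "P2": "b"}, "F2": {"P1": "b", "P2": "c"}},
    "S2": {"F1": {"P1": "c", "P2": "d"}, "F2": {"P1": "d", "P2": "e"}},
}


def required_pl(s: str, f: str, p: str) -> tuple[str, str]:
    """Walk the graph and return (PLr, path), e.g.
    ('e', 'START -> S2 -> F2 -> P2 -> PLr = e'), so the reasoning is auditable."""
    node = GRAPH
    path = ["START"]
    for choice in (s, f, p):
        if choice not in node:
            raise ValueError(f"{choice!r} is not a valid branch after {path[-1]}")
        node = node[choice]
        path.append(choice)
    return node, " -> ".join(path) + f" -> PLr = {node}"


def graph_is_complete(graph: dict = GRAPH) -> bool:
    """Every S/F/P combination must end in a leaf that is a valid PL."""
    return all(graph[s][f][p] in PL_ORDER
               for s in ("S1", "S2") for f in ("F1", "F2") for p in ("P1", "P2"))


def pl_sufficient(achieved: str, required: str) -> bool:
    """A safety function is adequate when the PL its implementation achieves
    is at least the PLr the graph demands."""
    return PL_ORDER.index(achieved) >= PL_ORDER.index(required)


def assess(functions: list[dict]) -> list[dict]:
    """Rate each safety function and flag those whose planned implementation
    falls short of PLr."""
    report = []
    for fn in functions:
        plr, path = required_pl(fn["S"], fn["F"], fn["P"])
        report.append({
            "function": fn["name"], "PLr": plr, "path": path,
            "planned_PL": fn["planned_PL"],
            "adequate": pl_sufficient(fn["planned_PL"], plr),
        })
    return report


if __name__ == "__main__":
    # Constructed list: the robot-cell case from the text plus two assumed functions.
    functions = [
        {"name": "robot cell: stop on door open", "S": "S2", "F": "F2", "P": "P2", "planned_PL": "c"},
        {"name": "low-force robot, rare access", "S": "S1", "F": "F1", "P": "P1", "planned_PL": "a"},
        {"name": "setup-mode speed limit", "S": "S2", "F": "F1", "P": "P1", "planned_PL": "d"},
    ]
    for row in assess(functions):
        print(f"{row['function']}: {row['path']}; planned PL {row['planned_PL']} "
              f"-> {'OK' if row['adequate'] else 'INSUFFICIENT'}")
```

Keeping the graph as a nested mapping rather than an arithmetic shortcut means a reviewer can compare it branch by branch against the figure in the standard, and `graph_is_complete` catches a mistyped leaf before any function is rated.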

Advantages of the risk graph:

  • A logical, structured analysis: The graph guides the user step by step through the key questions about the hazard. This ensures a systematic approach—you won’t overlook an important factor. The method is often prepared by experts (e.g., standards authors) with typical machinery in mind, which makes it good industry practice.
  • Shared understanding of the categories: Because the values (e.g., S1/S2, F1/F2, P1/P2) are defined in the standard, the team can refer to them, which reduces interpretive disputes. As a result, different people using the same graph should reach similar conclusions for comparable hazards.
  • Direct link to safety requirements: The outcome in the form of PLr or SIL immediately tells the designer what level of technical measures must be applied. This ties the risk analysis to design criteria (e.g., selecting the control system architecture and the required reliability level of components).

Disadvantages of the risk graph:

  • Limited level of detail: This method typically uses only a few categories (e.g., two options for S, F, and P). That means a wide range of scenarios may be simplified into the same categories. The graph classifies risk in broad terms, producing, for example, a “high/medium/low” result or a required protection level, but it will not capture subtle differences between risks that fall into the same category.
  • No explicit numerical value: While a matrix or a scoring method can provide a relative “score,” the graph usually ends with a label (e.g., PLr = d). It is harder to compare many different hazards with one another because the results are qualitative; they do not show “how much” one risk exceeds another—other than by taking a different path through the tree.
  • Application-specific: Risk graphs are often tailored to specific standards or industries. The ISO 13849-1 graph primarily addresses risk related to control system failures. For assessing other types of risks (e.g., ergonomics, noise), it may not be directly useful. In practice, different graphs may be used depending on the type of hazards involved.

Scoring methods (numerical risk scoring)

Scoring methods, also referred to as risk scoring or numerical methods, involve assigning numerical values to risk categories and then calculating a risk index from them. In practice, this is an extension of the matrix concept: instead of relying only on descriptions or colors, each category (e.g., likelihood, severity, exposure) is assigned a specific number of points. Those points are then combined—often by multiplication or addition—to obtain a final value. This value makes it possible to rank hazards from highest to lowest risk and to set acceptability thresholds.

The most commonly used formula is the product of several factors, for example:

Risk Score = P × S × E

where:

  • P (Probability) – a point-based rating of the likelihood that the hazard will occur (e.g., on a 1–5 scale, where 1 is almost never and 5 is very often)
  • S (Severity) – a point-based rating of the severity of consequences (e.g., 1 – negligible harm, 5 – death or catastrophe)
  • E (Exposure) – a point-based rating of exposure, i.e., the frequency or duration of exposure to the hazard (e.g., 1 – sporadic contact, 5 – continuous/daily contact)

Some variants of point-based methods use other factors—for example, Avoidance (A), which accounts for the operator’s ability to avoid the event, or Detectability (D), meaning the ability to detect the hazard before it causes harm. The overall idea remains the same: the final Risk Score is a number (e.g., in the range 1–100 or 1–1,000) that indicates higher risk as it increases.

For the method to be useful, you need to define score ranges that correspond to risk levels. For example, a plant might set: a score of 1–20 = low risk (acceptable), 21–50 = medium (requires monitoring and improvement if readily achievable), >50 = high (unacceptable, immediate action required). Such thresholds should follow from the company’s safety policy and a sound analysis (e.g., they may be calibrated based on previous risk assessments).

Example of applying a point-based method: Consider the hazard of burning a hand on a hot machine component (e.g., a heater block that warms up to 150°C, which the operator could accidentally touch). We use a simple P×S×E scoring model:

  • Severity (S): The burn can be painful, but it is unlikely to be life-threatening—we rate it as 3 on a 1–5 scale (moderate injury, e.g., a serious burn requiring medical attention but without permanent consequences).
  • Probability (P): Could contact with the hot component happen often? Assume the component is in a hard-to-reach location, so accidental contact is rare, but still possible, for example during maintenance—we assign 2 (on a 1–5 scale corresponding to “unlikely”).
  • Exposure (E): How often is the operator near this component? If the machine runs daily and the operator must replace material near the heater every hour, exposure can be considered frequent—let’s use 4 (on a 1–5 scale, where 5 is constant exposure and 4 is frequent, e.g., many times per day).

We calculate Risk Score = 3 × 2 × 4 = 24. Now we interpret the result against the thresholds defined above: 24 falls in the medium band (21–50), so the risk is not acceptable as it stands and requires attention. The company should therefore take action, for example add a thermal guard, insulate the heating element, or provide the operator with appropriate gloves and training. After implementing these measures, a repeat point-based assessment should give a lower score: a guard that keeps the operator away from the heater cuts exposure E from 4 to 1, giving a new Risk Score of 3 × 2 × 1 = 6, i.e., low risk. Note that which factor a given measure changes (exposure, probability, or both) must be agreed when the scales are defined; otherwise two assessors will credit the same guard differently.

It is worth noting that the number 24 by itself has no unit and no absolute meaning—it only becomes meaningful against the established criteria (here: 24 exceeds the acceptance threshold) and in comparison with scores for other hazards. For example, if other hazards on this machine score around 5–10 and one scores 24, you know what to prioritize.

Advantages of the point-based method:

  • Greater relative precision: Unlike the “rigid” categories in a matrix, Risk Score makes it possible to distinguish differences between risks. A score of 24 vs 18 vs 36 conveys more than simply “medium” vs “high.” This supports structured comparison of hazards and prioritization of actions.
  • Less subjectivity through numerical criteria: Choosing the individual ratings is still subjective, but using numbers enforces a degree of consistency. If we clearly define the scale (e.g., what 1 means and what 5 means for each factor) and stick to it, assessments become more objective within the organization. Decisions such as “is 24 an acceptable risk?” are also easier, because you can refer to agreed thresholds—the discussion is less emotional and more fact-based.
  • Useful when there are many hazards: In complex projects where we identify dozens of potential hazards, a list sorted in descending order by Risk Score clearly shows what to address first. This makes risk management easier and helps allocate resources (time, money) to safety measures where they are needed most.

Disadvantages of the point-based method:

  • Need for calibration and an appropriate scale: For the method to work, the scoring scales must be carefully designed. What’s more, the organization should tailor them to its specific context—for example, the scale for design risk will differ from the one used for machinery safety. The team also needs training so everyone interprets the values in a consistent way. This takes effort and discipline in applying the agreed rules.
  • Illusion of accuracy: Although numbers suggest precision, we should remember they are still based on experts’ subjective judgment. In practice, the difference between a hazard scored at 15 versus 16 points may be questionable—this is not a physical measurement, but an estimate. There is a risk that reducing everything to “a single number” will obscure the bigger picture—people may focus too much on the number itself and forget the context. That’s why a point score should always be interpreted qualitatively and with a degree of critical thinking.
  • Complexity with multiple factors: More elaborate methods (e.g., HRN – Hazard Rating Number) may take 4 or 5 factors into account and produce a very wide range of results. This can, in theory, provide a more detailed picture, but it becomes less transparent for the user. Adding further parameters (e.g., detectability, possibility of avoidance, etc.) increases the effort required to assess each hazard and can make it harder to communicate the results to non-specialists.

Example scales and thresholds for the P × S × E method:

Probability (P)                                 | Points
------------------------------------------------|-------
Very rare (practically impossible)              | 1
Unlikely (once in many years)                   | 2
Possible (once every few years)                 | 3
Likely (once a year or more often)              | 4
Very likely (frequent)                          | 5

Severity of consequences (S)                    | Points
------------------------------------------------|-------
Negligible, minor injury (no medical attention) | 1
Moderate injury (medical attention required)    | 2
Serious injury, long-term effects               | 3
Very serious injury, permanent disability       | 4
Death or catastrophe                            | 5

Exposure (E)                                    | Points
------------------------------------------------|-------
Very rare contact (once in the machine’s life cycle) | 1
Rare contact (a few times in the machine’s life cycle) | 2
Occasional contact (a few times a year)         | 3
Frequent contact (weekly or monthly)            | 4
Continuous contact (daily or ongoing)           | 5

Risk Score value | Risk level                     | Action
-----------------|--------------------------------|------------------------------------------------------------
1–20             | 🟢 Low (acceptable)            | Standard safety measures are sufficient.
21–50            | 🟡 Medium (requires attention) | Monitoring; additional protective measures may be needed.
>50              | 🔴 High (unacceptable)         | Immediate risk-reduction measures are required.

Practical application example

Hazard: Operator burns their hand on a hot machine component (heating block 150°C).

Hazard assessment:

  • P (Probability): The component is difficult to access; contact is only possible occasionally (maintenance), rating: 2
  • S (Severity): Moderate injury requiring medical attention, with no permanent consequences, rating: 3
  • E (Exposure): The operator is often near the component (daily, hourly), rating: 4

Risk Score = P × S × E = 2 × 3 × 4 = 24

Interpretation of the result:

  • Risk Score = 24, i.e., medium risk (🟡), requiring additional protective measures or monitoring.

Corrective actions:

  • Install thermal insulation or a guard.
  • Provide appropriate protective gloves.
  • Train operators.

Risk reassessment after implementing the measures:
Exposure drops, for example, from 4 to 1 (rare contact):

New Risk Score = 2 × 3 × 1 = 6, i.e., low risk (🟢).
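The P × S × E method with the scales and thresholds from the tables above, as a small hazard register: it validates that the bands assign every reachable score to exactly one level, ranks the hazards, and re-rates the heater-block hazard after the guard. This is an added example, not code from the article; the belt and lubricant hazards are constructed, and the severity tie-break in `rank_hazards` is this example's own choice.

```python
"""P x S x E scoring with band validation, ranking and re-assessment.
Added example: scales and thresholds are copied from the article's tables,
the heater-block hazard is the article's worked case, the other two hazards
in main() are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# 1..5 scales; short labels taken from the scoring tables above.
PROBABILITY = {1: "very rare", 2: "unlikely", 3: "possible", 4: "likely", 5: "very likely"}
SEVERITY = {1: "negligible", 2: "moderate", 3: "serious", 4: "very serious", 5: "death"}
EXPOSURE = {1: "very rare contact", 2: "rare", 3: "occasional", 4: "frequent", 5: "continuous"}
# (lower, upper, level), both bounds inclusive; ">50" runs to the 5*5*5 maximum.
BANDS = [(1, 20, "Low"), (21, 50, "Medium"), (51, 125, "High")]
MAX_SCORE = max(PROBABILITY) * max(SEVERITY) * max(EXPOSURE)


def bands_cover_all_scores(bands=BANDS) -> bool:
    """Thresholds must assign every reachable score to exactly one band; a gap
    such as 1-20 / 22-50 would leave a score of 21 undefined."""
    return all(sum(lo <= v <= hi for lo, hi, _ in bands) == 1
               for v in range(1, MAX_SCORE + 1))


def risk_score(p: int, s: int, e: int) -> int:
    """Product of the three ratings, after checking each is on its scale."""
    for name, value, scale in (("P", p, PROBABILITY), ("S", s, SEVERITY), ("E", e, EXPOSURE)):
        if value not in scale:
            raise ValueError(f"{name}={value} is outside the {min(scale)}-{max(scale)} scale")
    return p * s * e


def band(score: int, bands=BANDS) -> str:
    """Map a score to its risk level using the agreed thresholds."""
    for lo, hi, level in bands:
        if lo <= score <= hi:
            return level
    raise ValueError(f"score {score} is not covered by any band")


@dataclass
class Hazard:
    description: str
    p: int
    s: int
    e: int
    measures: list[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return risk_score(self.p, self.s, self.e)

    @property
    def level(self) -> str:
        return band(self.score)


def rank_hazards(hazards: list[Hazard]) -> list[Hazard]:
    """Highest score first; ties broken by severity so a rare-but-grave hazard
    is not listed below a frequent minor one with the same product."""
    return sorted(hazards, key=lambda h: (h.score, h.s), reverse=True)


def reassess(h: Hazard, measure: str, p: int | None = None, s: int | None = None,
             e: int | None = None) -> Hazard:
    """One turn of the reduction loop: record the measure and re-rate only the
    factors it actually changes (which factor a guard affects is agreed up front)."""
    return Hazard(h.description,
                  h.p if p is None else p, h.s if s is None else s, h.e if e is None else e,
                  h.measures + [measure])


if __name__ == "__main__":
    assert bands_cover_all_scores()
    register = [
        Hazard("burn on 150 °C heater block", p=2, s=3, e=4),   # article's example
        Hazard("finger trapped in drive belt", p=3, s=4, e=2),  # constructed
        Hazard("slip on spilled lubricant", p=3, s=2, e=3),     # constructed
    ]
    for h in rank_hazards(register):
        print(f"{h.score:3d} {h.level:6s} {h.description}")
    burn = reassess(register[0], "thermal guard over heater block", e=1)
    print(f"after guard: {burn.score} -> {burn.level}; measures={burn.measures}")
```

The two constructed hazards are chosen to show the "illusion of accuracy" point from the disadvantages list: the belt hazard scores exactly 24 as well, so the product alone cannot separate it from the burn; the explicit severity tie-break is what puts the graver hazard first.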

ISO/TR 14121-2: Qualitative vs. quantitative approaches in risk analysis

In machinery risk analysis, we can distinguish two general approaches: qualitative and quantitative. In practice, most of the methods described above fall somewhere between these extremes—but it’s worth understanding how they differ:

  • Qualitative methods rely on descriptive categories and expert judgement. The outcome is typically a risk class (e.g., “low”, “moderate”, “high”) or a required decision (“acceptable” vs “unacceptable”). An example of a purely qualitative approach is the descriptive statement: “the risk of electric shock was assessed as high because the consequences are severe and exposure is frequent, even though the probability is moderate”. Risk matrices and risk graphs mostly fall into this group—we use verbal descriptors or letter symbols rather than specific numbers. Advantage: easy for everyone involved in the process to understand (everyone intuitively grasps what “high risk” means more readily than, say, “risk = 3.7×10^-5”!). In addition, a qualitative approach is the only feasible option when numerical data are unavailable—which is common with new machines or rare events. Disadvantage: qualitative results are harder to compare and can be subjective. Two experts may describe the same risk differently, whereas a number would force some averaging of their opinions.
  • Quantitative methods aim to express risk as numerical values, often in absolute units (e.g., a probability of 1 in a million operations, an expected accident frequency of 0.001/year, an expected loss cost in PLN). A fully quantitative risk analysis tries to use data—failure statistics, industry accident rates, component reliability data—to calculate risk objectively. For example: “the probability of a sensor failure combined with the safety brake failing to actuate is 2.3 × 10^-8 per operating hour; at 2000 h of operation per year, the risk of a fatal accident is ~4.6 × 10^-5 per year, i.e., below the 10^-4/year criterion—so we consider the risk acceptable.” Such an approach appears, for example, in functional safety analysis (calculating PFH, the probability of dangerous failure per hour, for control systems) or in process risk assessment using methods such as LOPA, where risk is expressed numerically. Advantages: it gives an impression of high precision and enables comparison against formal criteria (e.g., ALARP levels, or legal requirements if such exist). It also supports cost–benefit optimisation—you can estimate the statistical “cost” of a given risk and whether it is worth reducing further. Disadvantages: a full quantitative analysis is time-consuming and data-dependent, and the necessary data are not always available. For many machines, there are no reliable statistics on failure rates or accident frequency—then the numbers may be based on guesswork, which undermines the point of such calculations. Moreover, the apparent objectivity can be misleading: risk modelling often requires simplifying assumptions, and the final result may carry uncertainty of several orders of magnitude (even if it is displayed with many significant digits). Machinery standards overwhelmingly do not require a fully quantitative assessment—they allow it, but note that a verbal description of risk is usually easier to understand than working with numerical indicators.

In practice, machine risk assessments often use a semi-quantitative approach, such as a scoring method that assigns numbers to qualitative categories, without claiming these are “true” probabilities or costs. This provides greater resolution in the assessment than purely descriptive categories, while avoiding a false sense of accuracy. The choice of approach should reflect the project’s needs: if you must document compliance with standards (e.g., calculating PL or SIL for a control system), you need to use the methods specified in the standard (usually qualitative or scoring-based). If, however, a company focuses on internal, business-oriented risk estimation, it may opt for more quantitative analyses for the key hazards.

ISO/TR 14121-2: Combining methods and selecting the right approach

There is no single universal risk analysis method that is suitable for every case. Experienced safety engineers often combine different approaches to build a more complete picture and make better decisions. Below are a few pointers on when to use which method and how to combine them:

  • Concept stage (early design): At the beginning, when the machine is still at the sketch or prototype stage, detailed numerical data is usually not available. This is where quick, qualitative methods work best—for example, a brainstorming session supported by a risk matrix for the identified hazards. The matrix helps you pinpoint the most critical areas right from the start. You can also use the ISO 12100 hazard checklist and, for each hazard, assign a rating such as “low/medium/high risk”. At this stage, it is more important not to miss any hazard than to estimate probability precisely—so descriptive methods are entirely sufficient. The results of this initial analysis can influence design decisions (e.g., changing the machine layout, building in a guard from the outset, reducing motion speed if the risk is high).
  • Detailed design stage: Once we have more information about the machine—its technical parameters, cycle times, and planned safety measures—it is worth carrying out a more detailed analysis. This is where a scoring method can come into play. It is well suited to systematically analyzing dozens of specific hazards. It also makes it possible to compare different solution options: for example, if we are deciding between a fixed guard and a light curtain, we can estimate the Risk Score for scenarios using each measure, showing which one reduces risk more effectively. During detailed design, risk graphs for safety functions are also commonly used. For each identified function (e.g., emergency stop, drive shutdown when a guard door is opened, speed limitation in setup mode), we use the graph from ISO 13849-1 or IEC 62061 to determine the required PLr/SIL. This information then drives component selection (e.g., whether a category 2 safety relay with PL=c is sufficient, or whether a dual-channel controller with PL=e is needed). As a result, different methods are often used in parallel within a single project: an overall risk assessment using a matrix/scoring approach for the machine as a whole, and dedicated risk graphs for the specific hazards that are handled by safety-related control systems.
  • Machines with complex, diverse hazards: If we are dealing with an extensive installation (e.g., an integrated production line, collaborative robots, machines with multiple subsystems), one method may not be enough. For example, a packaging line may simultaneously involve serious mechanical hazards (e.g., crushing by a robot gripper), electrical hazards (a high-voltage switchgear), ergonomic hazards (manual lifting of heavy loads), and software/cyber hazards (faulty control software). In such a situation, it is worth:
    • For mechanical/electrical hazards—using a matrix or scoring approach to assess risk and indicate the need for guards, interlocks, lockout, etc.
    • For control-system-related hazards (e.g., a sensor failure leading to a collision)—using a risk graph from the standards to obtain PLr/SIL, which then translates into requirements for the control system architecture.
    • For ergonomic risks—relying more on a qualitative assessment (e.g., using ergonomic standards or occupational health and safety guidelines, because it is difficult to quantify; a risk matrix can be used, but with an emphasis on consulting staff, workload surveys, etc.).
    • For digital/IT risks—considering separate approaches (cybersecurity-type analysis, software FMEA), because classic safety matrices may not capture, for example, the risk of the system being hacked. If needed, such risks can be assessed separately by IT specialists, and their conclusions incorporated into the overall analysis.

The final outcome will be a complete picture of the risk. It is important to compile all assessments into a coherent report, for example as a tabular hazard list with columns such as: hazard description, assessment method (matrix/chart/scoring), assessment result, risk reduction measures, residual risk. This way, an auditor or the person verifying the machine’s compliance will see that no type of risk has been overlooked and that appropriate analysis techniques have been applied to each of them.
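The risk-graph step used for safety functions in the detailed design stage is shown below as an added example; it is my illustration, not code from the article or from any standard's own tooling. It encodes the S/F/P decision graph of ISO 13849-1 Annex A as a lookup table (the mapping itself comes from the standard, which the article refers to but does not reproduce), and the three safety functions together with their S/F/P ratings are constructed assumptions chosen to mirror the functions named in the text. The `meets_requirement` check compares the two candidate designs the text mentions (a PL c relay versus a PL e controller) against the PLr that the graph yields.

```python
"""Required Performance Level (PLr) from the S/F/P risk graph.

Added example: the decision graph of ISO 13849-1 Annex A encoded as a
lookup table. The safety functions listed at the bottom and their S/F/P
ratings are constructed assumptions for illustration only.
"""
from dataclasses import dataclass

# Parameter classes as defined in ISO 13849-1 Annex A:
#   S1 slight (normally reversible) injury      S2 serious (irreversible) injury or death
#   F1 seldom-to-less-often / short exposure    F2 frequent-to-continuous / long exposure
#   P1 avoidance possible under specific conditions   P2 avoidance scarcely possible
PLR_GRAPH = {
    ("S1", "F1", "P1"): "a",
    ("S1", "F1", "P2"): "b",
    ("S1", "F2", "P1"): "b",
    ("S1", "F2", "P2"): "c",
    ("S2", "F1", "P1"): "c",
    ("S2", "F1", "P2"): "d",
    ("S2", "F2", "P1"): "d",
    ("S2", "F2", "P2"): "e",
}
PL_ORDER = "abcde"   # PL a is the lowest, PL e the highest level of safety assurance


@dataclass(frozen=True)
class SafetyFunction:
    name: str
    severity: str    # "S1" or "S2"
    frequency: str   # "F1" or "F2"
    avoidance: str   # "P1" or "P2"


def required_pl(sf: SafetyFunction) -> str:
    """Walk the graph for one safety function; rejects values outside S1/S2, F1/F2, P1/P2."""
    key = (sf.severity, sf.frequency, sf.avoidance)
    if key not in PLR_GRAPH:
        raise ValueError(f"{sf.name!r}: invalid S/F/P parameters {key}")
    return PLR_GRAPH[key]


def meets_requirement(achieved_pl: str, plr: str) -> bool:
    """A safety-related control system satisfies PLr when its achieved PL is at least PLr."""
    return PL_ORDER.index(achieved_pl) >= PL_ORDER.index(plr)


# Constructed sample functions named after those mentioned in the text; the ratings are hypothetical.
SAMPLE_FUNCTIONS = [
    SafetyFunction("drive stop on guard door open", "S2", "F2", "P1"),
    SafetyFunction("speed limitation in setup mode", "S1", "F2", "P1"),
    SafetyFunction("emergency stop", "S2", "F1", "P2"),
]


def plr_table(functions=SAMPLE_FUNCTIONS) -> dict:
    """Map each safety function to its PLr, the input to component selection."""
    return {sf.name: required_pl(sf) for sf in functions}


if __name__ == "__main__":
    for name, plr in plr_table().items():
        # Compare the two candidate designs discussed in the text: PL c vs PL e.
        print(f"{name}: PLr={plr}, PL c sufficient={meets_requirement('c', plr)}, "
              f"PL e sufficient={meets_requirement('e', plr)}")
```

Keeping the graph as data rather than nested `if` statements makes the table easy to review against the standard during an audit, and the explicit rejection of unknown parameter values prevents a typo in a hazard list from silently producing a PLr.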

  • Using data and statistics: When real data are available (e.g., failure rates of similar machines, accident statistics from the literature, reliability data from component suppliers), it is worth incorporating them into the assessment, but with due caution. For example, numerical data can be used to support qualitative ratings: “we rate the event frequency as high because plants with a similar process recorded 5 accidents per year per 100 machines.” If the company has an ALARP (as low as reasonably practicable) policy or defined tolerable risk limits, then a quantitative analysis may be required to demonstrate that the probability of a catastrophe is below, for example, $10^{-6}$ per year. In machine safety practice, however, we rarely apply criteria as stringent as those used in, for example, the chemical or aviation industries. The key is sound judgment: where possible, use data (because they strengthen the credibility of the analysis), but do not hesitate to rely on expert judgment where data are lacking. The combination of engineering expertise + available statistical information delivers the best results.
  • Iteration and verification of results: After implementing safety measures, always return to the risk analysis. The same method is often used, but now taking the new safeguards into account. For example, if the initial scoring was 60 (high risk) and measures were introduced, the re-scoring may come out at 15 (low risk), which documents the effectiveness of the actions taken. It is also worth using more than one method for key hazards: if the matrix indicates a risk right at the acceptability threshold, you can independently calculate the scoring or assess it using a chart—if every method confirms it is acceptable, you can be more confident. When the methods produce divergent results, this should be examined (perhaps the matrix categories were poorly chosen, or the scoring distorted the picture?) and, if necessary, a more conservative conclusion should be adopted.
  • Machine type and method selection: For simple machines (e.g., a small press, a bench drill press), a simple risk matrix is usually sufficient, or even a hazard checklist with descriptive ratings. For prototype, one-off machines—where there are no well-established safeguarding patterns—it is better to use a broader set of methods: a matrix to identify general issues, scoring to structure priorities, and charts for those topics where the safety system needs to be designed. Series-produced machines (manufactured in large quantities) often already have established analyses—here it is worth sticking to a consistent method (e.g., using a single scoring system across the company) so that subsequent assessments are comparable. By contrast, production lines (where many machines are integrated) may require a split analysis: first, a risk assessment at the level of each individual machine, and then an additional risk analysis of the entire integrated system (considering, for example, risks related to transferring parts between machines, robot-to-robot collisions, cascading failures). The latter is often carried out as a HAZOP workshop or simply as another risk matrix for global scenarios.
  • In summary, combining methods is best practice, because each method offers a slightly different perspective. A matrix or chart can show the overall picture and minimum requirements, while scoring or quantitative analysis can refine the details and support economic decisions (where it makes the most sense to invest in safety). It is important to maintain consistent documentation—clearly record which method was used to assess a given hazard and why that particular method was chosen. This way, a conformity assessment auditor (e.g., a notified body reviewing CE documentation) will see that the analysis was carried out competently and comprehensively, in line with the intent of the standards and good engineering practice.
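The iteration, cross-checking and reporting practice described in the last few items is worked through below as an added example; it is my code, not the article's or any standard's. The matrix categories, the point values behind the risk score, the acceptance thresholds and the three packaging-line hazards are all constructed assumptions that a team would replace with its own agreed definitions. The example applies every method that fits a hazard (the ergonomic hazard is rated by matrix only, as the text suggests), re-assesses after a risk reduction measure, flags hazards where the methods disagree, and adopts the more conservative level in that case, then lays the result out in the report columns the article recommends.

```python
"""Hazard register combining a risk matrix and a scoring method.

Added example, not code from the article or any standard: the category
definitions, point values and acceptance thresholds are assumptions a team
would agree at the start of an assessment; the hazards are constructed inputs.
"""
from dataclasses import dataclass
from typing import Optional

LEVELS = ("low", "medium", "high")          # ordered least to most severe

# Assumed team-defined risk matrix: rows are severity, columns are likelihood.
MATRIX = {
    "minor":    {"rare": "low",    "occasional": "low",    "frequent": "medium"},
    "moderate": {"rare": "low",    "occasional": "medium", "frequent": "high"},
    "severe":   {"rare": "medium", "occasional": "high",   "frequent": "high"},
}

# Assumed scoring scale: risk score = severity x exposure x probability points.
SEVERITY_PTS = {"minor": 1, "moderate": 3, "severe": 5}
EXPOSURE_PTS = {"rare": 1, "occasional": 3, "frequent": 4}
PROBABILITY_PTS = {"unlikely": 1, "possible": 2, "likely": 3}
SCORE_HIGH, SCORE_MEDIUM = 45, 12           # assumed thresholds for "high" and "medium"


@dataclass(frozen=True)
class Rating:
    severity: str                        # minor | moderate | severe
    exposure: str                        # rare | occasional | frequent (matrix likelihood column)
    probability: Optional[str] = None    # unlikely | possible | likely; None = scoring not applied


@dataclass
class Hazard:
    description: str
    initial: Rating
    measure: str = "none"                # risk reduction measure and its ISO 12100 hierarchy step
    residual: Optional[Rating] = None    # rating after the measure; None until re-assessed


def matrix_level(r: Rating) -> str:
    return MATRIX[r.severity][r.exposure]


def risk_score(r: Rating) -> int:
    if r.probability is None:
        raise ValueError("scoring needs a probability class")
    return SEVERITY_PTS[r.severity] * EXPOSURE_PTS[r.exposure] * PROBABILITY_PTS[r.probability]


def score_level(score: int) -> str:
    if score >= SCORE_HIGH:
        return "high"
    if score >= SCORE_MEDIUM:
        return "medium"
    return "low"


def assess(r: Rating) -> dict:
    """Apply every applicable method; when they disagree, adopt the more conservative level."""
    results = {"matrix": matrix_level(r)}
    if r.probability is not None:
        results["scoring"] = score_level(risk_score(r))
    levels = set(results.values())
    return {
        "methods": results,
        "divergent": len(levels) > 1,    # flag: revisit category choices before accepting
        "conclusion": max(levels, key=LEVELS.index),
    }


def register_report(hazards) -> list:
    """One row per hazard, in the column layout the article recommends for the report."""
    rows = []
    for h in hazards:
        before = assess(h.initial)
        after = assess(h.residual) if h.residual else None
        rows.append({
            "hazard": h.description,
            "method": "/".join(before["methods"]),
            "initial risk": before["conclusion"],
            "measure": h.measure,
            "residual risk": after["conclusion"] if after else "not yet re-assessed",
            "divergent": (after or before)["divergent"],
        })
    return rows


# Constructed sample hazards for a packaging line (not real project data).
SAMPLE_HAZARDS = [
    Hazard("crushing by robot gripper", Rating("severe", "frequent", "likely"),
           measure="interlocked guard (safeguarding)",
           residual=Rating("severe", "rare", "unlikely")),
    Hazard("contact with live parts in switchgear", Rating("moderate", "occasional", "possible"),
           measure="fixed guard + lockout (safeguarding, organisational)",
           residual=Rating("moderate", "rare", "unlikely")),
    Hazard("manual lifting of heavy loads", Rating("moderate", "frequent"),   # matrix only
           measure="lifting aid (inherently safe design)",
           residual=Rating("minor", "occasional")),
]

if __name__ == "__main__":
    for row in register_report(SAMPLE_HAZARDS):
        print(row)
```

With these assumed scales the first hazard scores 60 (high) before the interlocked guard and 5 after it, while the matrix still rates the residual case "medium" because severity is unchanged; the row is flagged as divergent and the conservative "medium" is recorded, which is exactly the situation the text says should prompt a second look at the categories rather than a quiet acceptance.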

    Risk analysis is the core of the machine conformity assessment process, mandatory under the Machinery Directive/EU Machinery Regulation and harmonised standards. It enables designers to identify hazards, estimate the associated risk, and implement measures to reduce risk before an accident occurs.

    There is no single “best” method—each has its strengths and weaknesses. That’s why a safety engineer’s skill lies in choosing the right tool for the job: sometimes a simple matrix is enough, while other times you need detailed scoring or a SIL analysis. Often, the best results come from a combination of methods, where one complements another. For example, we can start with qualitative hazard identification, then quantitatively (by scoring) assess the most important ones, and for control-system-related issues use normative charts—this way, no aspect is overlooked.

    Finally, remember: the goal is not simply to fill in a table or a chart, but to genuinely improve safety. Risk assessment is iterative and creative. It encourages asking “what if…?” and looking for solutions that eliminate hazards at the source. The methods described here are tools that help structure this work. When using them, follow the principles of the standards (ISO 12100 and related) and good engineering practice, and involve multiple perspectives in the process (designers, operators, maintenance, occupational health and safety). A risk assessment carried out this way will be credible, complete, and effective, which translates into a safe CE-marked machine and peace of mind for both the manufacturer and the end user.


    ISO/TR 14121-2 – how risk is assessed in practice

    ISO/TR 14121-2 is a guide describing practical methods for risk estimation. It complements the process-based approach in ISO 12100, but it does not prescribe a single mandatory technique.

    First, the scope and limitations of the machine are defined; next, hazards are identified across all phases of the life cycle. Then the risk is analyzed and estimated, its acceptability is evaluated, and risk reduction is implemented iteratively until an acceptable level is achieved.

    For each hazard, accident scenarios are considered, along with their causes, likelihood of occurrence, and severity of consequences. The estimation result should make it possible to decide whether risk reduction is necessary and to what extent.

    A risk matrix is a table that combines categories of the likelihood of an event (columns) with categories of severity of consequences (rows), resulting in a risk level (e.g., low/medium/high). In practice, it is crucial for the team to define the meaning of the categories together in order to limit subjectivity.

    The estimated risk is compared against the adopted acceptability criteria to determine whether it is tolerable or requires action. Risk reduction is carried out in accordance with the hierarchy in ISO 12100: inherently safe design measures, safeguarding and complementary protective measures, and finally organizational measures and personal protective equipment, followed by an assessment of the residual risk.
