Risk arises from the human–machine relationship, not as an inherent property of the machine
In ISO 12100 practice, risk assessment is often reduced to listing the hazards present within a machine. That is an understandable starting point, but it quickly leads to simplifications that offer limited value from a design perspective. The standard does not treat risk as something a machine “has” on its own. Risk does not exist independently of use. It only materialises when a person interacts with the machine—performing specific tasks, under specific conditions.
This distinction is fundamental to how the analysis should be carried out. If risk is seen only as the sum of technical hazards, it becomes easy to miss the situations in which a hazard becomes relevant in practice. Hazardous elements may be present in the machine at all times; however, as long as a person cannot access them while carrying out a task, the risk remains theoretical.
ISO 12100 steers the designer toward analysing the relationship rather than the hardware alone. Instead of asking “what hazards exist in the machine?”, the standard pushes you to ask “at what points in operation is a person within the influence zone of those hazards—and why?”. This shift in emphasis changes the nature of the entire risk assessment. The analysis stops being static and starts reflecting how the machine is actually used.
This approach also helps explain why accidents rarely occur during ideal automatic operation. They most often happen when the machine is being used outside normal production—during support, intervention, or non-routine activities. In those moments, the human–machine relationship changes, and hazards that were previously effectively segregated become accessible.
Treating risk as an outcome of the relationship, rather than a feature of the machine itself, leads to more informed design decisions. Instead of trying to eliminate hazards “in general”, the designer focuses on limiting human exposure in defined use situations. That logic is central to ISO 12100 and sets the direction for further work: from defining the context of use, through identifying tasks and machine states, to selecting effective risk reduction measures.
Risk assessment: defining machine limits as a prerequisite for a meaningful assessment
Any risk assessment intended to support sound design decisions has to be grounded in the real context of how the machine will be used. This is the purpose of defining the limits of the machine. It is not a purely formal or administrative step; it is the point at which the designer sets out the boundaries within which risk will be evaluated and ensures the assessment relates to the actual way the machine will operate.
Without clearly defined limits, a risk assessment quickly becomes abstract. The machine stops being a specific piece of equipment operating in a defined environment and turns into a theoretical model where everything “should” happen as intended. ISO 12100 deliberately moves away from that mindset, recognising that machines are used in conditions that are often far from ideal.
The limits of the machine cover far more than its intended technological purpose. They define, among other things:
what tasks will be performed at the machine during normal operation,
what support and intervention activities are unavoidable,
who will have access to the machine and to what extent,
the environmental conditions in which it will operate,
what the full life cycle looks like, from installation through to dismantling.
A key point is to account for how people actually behave in the workplace, based on real operating practice rather than what is written in the instructions. Time pressure, routine, fatigue, and the need to restore production quickly are not “exceptions” in an industrial setting—they are normal. ISO 12100 recognises that these factors exist and expects them to be considered already when defining the machine’s limits.
If the machine’s limits are defined too narrowly, risk will be consistently underestimated. Infrequent tasks carried out under non-standard conditions can be left out of the assessment, even though these are often the activities associated with the highest level of hazard. On the other hand, defining limits too broadly leads to an imprecise analysis in which very different use situations are treated as if they were the same.
In the ISO 12100 approach, defining the machine’s limits is not an end in itself. It is a reference point for further identification of tasks, machine states, and hazardous situations. Only on that basis can you move into a risk assessment that reflects real working conditions, rather than design assumptions alone.
Linking the risk assessment to the machine’s technical documentation
In design practice, it is still common to treat the risk assessment as a stand-alone document that sits “alongside” the technical file. ISO 12100 implies a different approach: the risk assessment and the technical documentation are inseparably linked because they describe the same machine, just from different viewpoints.
The risk assessment identifies tasks, machine states, hazardous situations, and hazardous events. Technical documentation, in turn, describes how the machine has been designed, which solutions have been applied, and how it is intended to be used. If these two areas are not consistent, a gap appears that in practice results in unclear instructions, ineffective protective measures, or difficulties during audit and review.
A task-based approach to risk assessment makes it easier to directly align the results with the documentation. Every task identified in the risk assessment should be reflected in the operating and/or service information. If a task is considered critical from a risk perspective, its absence from the documentation is a clear indicator that the design process is not coherent.
It is equally important to link the risk assessment to the design and electrical documentation. Design decisions relating to guards, control functions, modes of operation, or reset procedures are not arbitrary—they follow from the risk assessment. The technical documentation should make that logic traceable: from recognising the hazardous situation, through identifying the hazardous event, to the technical solution that has been implemented.
ISO 12100 assumes that documentation is not merely a “final deliverable”, but part of the risk reduction process. Its role is to support safe task execution, not simply to satisfy a formal requirement. For that reason, documentation produced without reference to tasks and risk assessment outcomes loses much of its practical value for users.
From a systems perspective, the technical documentation, instructions for use, and the risk assessment form a single, consistent set. Any change in the design, control system, or work organisation should trigger a review of the tasks and an update of the documentation. Only then does the risk reduction process remain continuous and effective across the machine’s lifecycle.
Risk assessment: the relationship between tasks and protective measures
One of the most common misunderstandings in risk assessment practice is selecting protective measures solely by reference to hazards. This can produce safeguarding that is correct “on paper” but fails in real use. ISO 12100 implies a different mindset: protective measures must be evaluated in the context of tasks, not only in the context of hazards.
A hazard may be present at all times, but it is the way the task is carried out that determines whether—and to what extent—a person is exposed. If a protective measure makes the task difficult to perform, it will, in practice, be more likely to be bypassed or disabled. ISO 12100 recognises that such behaviour is foreseeable and must be taken into account as part of the risk assessment.
For that reason, the selection of protective measures should be driven by clear answers to the following:
what tasks are carried out at the machine,
which of those tasks require access to hazard zones,
in which machine states those tasks are performed,
whether the designed safeguarding actually allows the task to be completed safely.
For example, a guard that effectively prevents access to a hazard zone during normal operation may at the same time significantly impede cleaning or adjustment. If cleaning is carried out routinely and requires removal of the guard, the risk does not disappear—it simply changes form. ISO 12100 indicates that, in such cases, alternative design solutions should be considered to reduce exposure during that specific task.
A task-based approach leads to a more differentiated selection of protective measures. Instead of relying on a single, “universal” solution, safeguarding is matched to individual tasks and machine states. As a result, protective measures are not only technically effective, but also workable and therefore more likely to be used as intended in day-to-day operation.
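The two preceding sections (linking the risk assessment to the documentation, and choosing protective measures per task rather than per hazard) both reduce to checks that can be run over a task-based risk register. The following is an added example, not code from the article or a tool published with ISO 12100: the task names, machine states, frequencies, the 1 to 4 severity scale and the "workable" flag are all constructed assumptions. It flags tasks that reach a hazard zone with no measure effective in that machine state (the cleaning case above, where the guard is removed), tasks whose only measure obstructs the task and is therefore foreseeably bypassed, and critical tasks that do not appear in the operating or service information.

```python
"""Task-based risk register checks in the spirit of ISO 12100.

Added example: not code from the original article and not a tool
published with ISO 12100. Task names, machine states, frequencies and
the 1-4 severity scale are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class ProtectiveMeasure:
    name: str
    # Machine states in which the measure actually keeps the person out of
    # the hazard zone. A guard that is removed for a task gives no protection
    # in that task's state, so that state is simply not listed.
    effective_in_states: Set[str]
    # Can the task still be completed with the measure in place? ISO 12100
    # treats defeating an obstructive measure as foreseeable behaviour.
    workable: bool = True


@dataclass
class Task:
    name: str
    machine_state: str                 # "automatic", "manual", "setting", "maintenance"
    requires_hazard_zone_access: bool  # does the person reach the hazard at all?
    frequency_per_shift: int
    severity: int                      # constructed scale: 1 (minor) .. 4 (fatal)
    measures: List[ProtectiveMeasure] = field(default_factory=list)
    documented_in: Set[str] = field(default_factory=set)  # "operating", "service"


def exposure_score(task: Task) -> int:
    """Risk follows the task, not the hazard: no access means no exposure."""
    if not task.requires_hazard_zone_access:
        return 0
    return task.severity * task.frequency_per_shift


def measures_in_state(task: Task) -> List[ProtectiveMeasure]:
    """Measures that protect in the machine state this task is performed in."""
    return [m for m in task.measures if task.machine_state in m.effective_in_states]


def effective_measures(task: Task) -> List[ProtectiveMeasure]:
    """Measures that protect in this task's state AND let the task be done."""
    return [m for m in measures_in_state(task) if m.workable]


def unprotected_access_tasks(tasks: List[Task]) -> List[str]:
    """Hazard-zone tasks with no measure at all in their machine state."""
    return [t.name for t in tasks
            if t.requires_hazard_zone_access and not measures_in_state(t)]


def bypass_prone_tasks(tasks: List[Task]) -> List[str]:
    """Hazard-zone tasks where every measure in that state obstructs the task."""
    return [t.name for t in tasks
            if t.requires_hazard_zone_access
            and measures_in_state(t) and not effective_measures(t)]


def undocumented_critical_tasks(tasks: List[Task], min_severity: int = 3) -> List[str]:
    """Critical hazard-zone tasks missing from operating/service information."""
    return [t.name for t in tasks
            if t.requires_hazard_zone_access and t.severity >= min_severity
            and not t.documented_in]


def review_register(tasks: List[Task]) -> Dict[str, object]:
    """One report tying tasks, states, measures and documentation together."""
    return {
        "exposure": {t.name: exposure_score(t) for t in tasks},
        "unprotected": unprotected_access_tasks(tasks),
        "bypass_prone": bypass_prone_tasks(tasks),
        "undocumented_critical": undocumented_critical_tasks(tasks),
    }


# Constructed register for a hypothetical roller machine (all values invented).
INTERLOCKED_GUARD = ProtectiveMeasure("interlocked guard", {"automatic"})
FIXED_GUARD = ProtectiveMeasure("fixed guard over adjustment point",
                                {"automatic", "setting"}, workable=False)
HOLD_TO_RUN = ProtectiveMeasure("hold-to-run at reduced speed", {"manual"})

SAMPLE_TASKS = [
    Task("load parts", "automatic", False, 40, 3, [INTERLOCKED_GUARD], {"operating"}),
    Task("clear jam", "manual", True, 3, 4, [INTERLOCKED_GUARD, HOLD_TO_RUN], {"operating"}),
    Task("adjust format", "setting", True, 2, 2, [FIXED_GUARD], {"service"}),
    # The interlocked guard is opened for cleaning, so nothing covers "maintenance".
    Task("clean rollers", "maintenance", True, 1, 3, [INTERLOCKED_GUARD], set()),
]

if __name__ == "__main__":
    for key, value in review_register(SAMPLE_TASKS).items():
        print(f"{key}: {value}")
```

Run as a script it prints the report for the constructed register: "clean rollers" is both unprotected in its state and absent from the documentation, and "adjust format" is protected only by a measure that makes the task impractical. The design choice worth noting is that protection is evaluated per task and machine state, not per hazard: the same interlocked guard counts as effective for automatic loading and as absent for maintenance cleaning.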
The role of information for use in a task context
ISO 12100 clearly states that information for use is one element of risk reduction, but it cannot replace design measures or technical protective measures. In practical terms, this means instructions, warnings, and procedures must relate to the real tasks people perform, not to hazards described in the abstract.
Information for use should answer the question of how to carry out a specific task safely, rather than merely stating that a hazard exists. If documentation only describes hazards in general terms, users cannot readily convert that knowledge into safe, repeatable actions.
A task-based approach to information for use means that:
instructions are linked to specific actions,
procedures reflect the machine state in which the task is performed,
warnings refer to credible, real-world hazardous situations.
For example, information about the risk of unexpected movement is only meaningful if the user understands during which task—and at what point—that movement could occur. A generic warning will not prevent errors, whereas describing the correct sequence of actions when clearing a jam can materially reduce risk.
ISO 12100 assumes information for use is effective only when the user can apply it without additional interpretation. Documentation should therefore be developed in parallel with the task analysis, not treated as a separate, end-of-project activity. Only then does information for use become a genuine safety support measure rather than a formal add-on.
Risk assessment: how changes in automation affect the nature of risk
ISO 12100 does not explicitly define a “level of automation”. However, a review of the standard leads to a clear conclusion: changing the degree of automation changes the nature of risk, not just its magnitude.
As automation increases:
direct human exposure during normal operation is reduced,
intervention and supervision tasks become more significant,
the risk of hazardous events arising from unexpected machine behaviour increases.
Automation often shifts the operator from an execution role to a supervision role. This does not remove risk; it concentrates it into fewer tasks with a higher potential for harm. Typical examples include tasks related to reset, fault-finding/diagnostics, or manual control following a failure.
ISO 12100 implies the need to revisit the risk assessment after any significant change in the level of automation. Tasks that were previously performed manually may be eliminated, but new tasks arise in their place—often carried out less frequently, but under conditions of elevated risk.
A designer who considers risk only in terms of hazards may conclude that automation is sufficient. A task-based view shows, however, that automation changes the risk profile, not only the overall magnitude of risk. For that reason, any change to the control system architecture should be assessed in terms of new tasks and new hazardous situations that may be introduced.
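To make the "profile, not just magnitude" point concrete, here is an added example (not from the article; all task rows, frequencies and the severity x frequency exposure score are constructed) that compares a task register before and after an automatic feeder replaces manual feeding. It lists the new tasks a revised assessment must cover and shows how total exposure can fall sharply while the share carried by the most severe intervention tasks rises.

```python
"""Comparing a task-based risk profile before and after automating a step.

Added example, not from the original article. The task rows and the
severity x frequency exposure score are constructed for illustration;
the point is the shift in profile, not the absolute numbers.
"""
from typing import Dict, Tuple

# task name -> (machine state, reaches hazard zone, severity 1-4, times per shift)
TaskRow = Tuple[str, bool, int, int]

# Constructed registers: a manually fed machine, then the same machine with an
# automatic feeder. Manual feeding disappears; monitoring and a fault-reset
# task take its place, while jam clearing and cleaning remain.
BEFORE: Dict[str, TaskRow] = {
    "manual feed":   ("manual", True, 3, 200),
    "clear jam":     ("manual", True, 4, 2),
    "clean rollers": ("maintenance", True, 3, 1),
}
AFTER: Dict[str, TaskRow] = {
    "monitor feeder":    ("automatic", False, 3, 200),
    "clear jam":         ("manual", True, 4, 2),
    "reset after fault": ("manual", True, 4, 3),
    "clean rollers":     ("maintenance", True, 3, 1),
}


def exposure(row: TaskRow) -> int:
    """Exposure only exists where the task actually reaches the hazard zone."""
    _state, access, severity, freq = row
    return severity * freq if access else 0


def total_exposure(register: Dict[str, TaskRow]) -> int:
    return sum(exposure(r) for r in register.values())


def exposure_by_state(register: Dict[str, TaskRow]) -> Dict[str, int]:
    """In which machine state the remaining exposure sits."""
    out: Dict[str, int] = {}
    for row in register.values():
        out[row[0]] = out.get(row[0], 0) + exposure(row)
    return out


def severe_share(register: Dict[str, TaskRow], min_severity: int = 4) -> float:
    """Fraction of all exposure carried by the most severe tasks."""
    total = total_exposure(register)
    severe = sum(exposure(r) for r in register.values() if r[2] >= min_severity)
    return severe / total if total else 0.0


def profile_shift(before: Dict[str, TaskRow], after: Dict[str, TaskRow]) -> Dict[str, object]:
    """What a post-automation review has to look at: new tasks, and where risk moved."""
    return {
        "new_tasks": sorted(set(after) - set(before)),      # must be assessed afresh
        "removed_tasks": sorted(set(before) - set(after)),
        "total_before": total_exposure(before),
        "total_after": total_exposure(after),
        "by_state_before": exposure_by_state(before),
        "by_state_after": exposure_by_state(after),
        "severe_share_before": round(severe_share(before), 3),
        "severe_share_after": round(severe_share(after), 3),
    }


if __name__ == "__main__":
    for key, value in profile_shift(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```

With these constructed numbers the total exposure drops from 611 to 23, which is the result a hazard-only view would stop at; the same data shows that the remaining exposure is now almost entirely in severity-4 intervention tasks performed in manual mode, two of which did not exist before and have never been assessed.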