Most risk assessments do not fail because someone picked the wrong guard or light curtain. They fail earlier, when the limits of the machine were defined for an imaginary operator in imaginary conditions. That is why a detailed analysis can still miss the real hazard zone on the real shop floor. ISO 12100 starts here, not at the PLr calculation, not at the safety function, and not at the control system architecture. Get this step wrong and everything that follows can look precise while being fundamentally false.
This is the part many teams treat like a preface before the real work starts. Big mistake. The limits of the machine are not paperwork. They are the boundary of truth for the whole risk assessment. If those boundaries are wrong, the rest of the document may look polished, compliant, and completely disconnected from how the machine is actually used.
ISO 12100 starts with the limits of the machine
ISO 12100 is clear on the sequence. First, define the limits of the machine. Then identify hazards, estimate risk, evaluate risk, and select protective measures. That order is not administrative decoration. It is engineering logic.
Before you assess risk, you need honest answers to basic questions. Who will use the machine? Where will it be installed? In what environmental conditions will it run? For how long? During which phases of its life? What tasks will be performed during production, cleaning, changeover, fault finding, maintenance, and decommissioning? What is the intended use, and what is reasonably foreseeable misuse?
ISO 12100 groups this stage into use-related limits, spatial limits, time-related limits, and other limits, including environmental conditions. That means the assessment must cover real users, real access, real duty cycles, real wear, and real surroundings such as temperature, humidity, contamination, indoor or outdoor operation, and visibility conditions.
Put simply: the machine is not safe in general. It is safe only within the limits you defined. Outside those limits, the old assessment may no longer describe reality.
Bad assumptions poison good risk assessment
In a lot of files, the opening statements sound professional and mean almost nothing:
- operated by trained personnel
- used in an industrial hall
- used in accordance with the instructions
Those are not serious limits. They are paper pacifiers.
The real questions are harder and far less comfortable. Who actually interacts with the machine? Who enters during cleaning, setup, or jam removal? Who approaches the hazard zone even though nobody wrote them into the assumptions? What does the operator do when the process jams and production pressure is rising? What does the service technician do when the designed access path is slow and awkward?
The brutal truth is that many risk assessments do not describe the real machine. They describe a simplified machine for a model user in a model environment with model behaviour. Then reality shows up. The operator is shorter. The user is less experienced. The maintenance routine is different. Someone works in thick gloves. Someone stands on a pallet. Someone takes the shortest path because the shift is behind schedule. Suddenly the analysis is detailed, careful, and wrong.
limits of the machine are the boundary of a valid assessment
The most common misunderstanding is to treat the limits of the machine as a list of machine parameters. They are more than that. They define where the assessment remains valid.
If the machine was assumed to work indoors and ends up outside, the environmental picture changes. If only adult industrial workers were assumed and now visitors or children can get near it, the exposure profile changes. If the design quietly assumed one user population but the actual workforce differs in height, reach, strength, handedness, and experience, then the truth of the assessment has changed, not just the comfort level.
That is why phrases such as these are dangerous:
- same machine, just a different location
- same line, just a different crew
- same application, we only added remote access
- same machine, service just does it a little differently
Same machine? Often, no. If the user, location, task flow, access to the hazard zone, environmental conditions, or control system architecture changed, the foundation of the assessment changed with them.
Use-related limits: safe for whom, exactly?
The word operator hides more safety failures than people like to admit. ISO 12100 does not ask whether the machine is safe for some abstract operator. It asks you to consider the real groups of people who may interact with it during all life phases.
That can include the production operator, the setter, the maintenance personnel/service technician, the cleaner, the programmer, external contractors, trainees, young workers, and bystanders. If their presence is reasonably foreseeable, they belong in the assessment. If children can be nearby, that matters too. Ignoring those users does not simplify the analysis. It falsifies it.
The useful question is not, Is the machine safe for the operator? The useful questions are these: for which operator, with what height, what reach, what strength, what experience, what hazard awareness, under what pace of work, and during which task?
ISO 12100 explicitly points toward characteristics such as age, sex, body dimensions, physical capability, and left- or right-handed use. That is not a soft ergonomic side issue. It is core safety engineering. A button that needs too much force, a viewing angle that only works for a taller user, or an access opening that drives a smaller worker to enter the danger area in a different posture can turn a formally neat design into a practical trap.
Safety that works only for the taller, stronger, more experienced user is not good safety. It is safety accidentally matched to one group of people.
Spatial limits: the machine does not interact with a stick figure
Many assessments still describe space as if the human body were a point on a drawing. Real people do not move like that. They reach at an angle. They bend, twist, kneel, lean, and brace themselves. They wear gloves and safety footwear. They carry tools. They stand on platforms, steps, or whatever the shop floor offers when the task gets awkward.
This is where expensive design mistakes are born. Someone sees that a distance matches a table, a guard fits the drawing, or a light curtain is placed according to the formula, and assumes the case is closed. It is not. Tables do not work at the machine. People do.
Once posture and real access change, the safety picture changes with them. A guard can be adequate only for a taller user. A safe distance can stop being safe when reach and body position change. A light curtain can be perfectly selected on paper and still miss the real approach path used during setup. A service access route can work only when the person moves exactly as the designer imagined. That is not enough.
Type-B standards do not repair bad limits of the machine
ISO 13857, ISO 13855, ISO 13854, and ISO 14122 are essential tools. They do exactly what they were written to do. ISO 13857 gives safety distances to prevent reaching hazard zones with upper and lower limbs. ISO 13855 deals with positioning protective measures in relation to approach speed. ISO 13854 addresses minimum gaps to avoid crushing of body parts. ISO 14122 covers fixed means of access to machinery.
But none of those standards answers the first and most important question for you: who reaches from where, in what posture, wearing what, using what tool, during which task, and under what pressure?
If the human model at the start is wrong, the standards can be applied correctly and still produce a bad solution. That is not a failure of the standards. It is a failure to define the limits of the machine honestly. Compliance with a table is not the same thing as truth on the shop floor.
When limits of the machine change, the old assessment is no longer valid
We only moved the line. That sentence sounds harmless. From a safety perspective, it often is not.
Relocation can change environmental conditions, traffic routes, access points, visibility, floor condition, nearby activities, and the people who can reach the machine. A controlled production hall is one thing. A more open area with mixed traffic or public access is another. The mechanics may be identical, but the risk profile is not.
That is why the old risk assessment often does not travel intact to the new location. If the machine now operates for different people, in different conditions, with different access patterns, the previous assessment may no longer be valid. In some cases, relocation is not just a trigger for reassessment. It can also raise the harder question of whether the change moved into the territory of substantial modification.
Regulation (EU) 2023/1230 defines substantial modification as a physical or digital change, not foreseen by the manufacturer after the machine was put into service or placed on the market, that affects compliance with the relevant essential health and safety requirements. Not every relocation is a substantial modification. But treating every relocation as neutral logistics is just wishful thinking.
The legal framework has shifted from Directive 2006/42/EC to Regulation (EU) 2023/1230, but the engineering truth did not. A CE mark does not freeze a machine in time. If the real conditions changed, the assumptions must be checked again.
New crew, new habits, new risk
A machine can run for years without an accident and still have a weak assessment underneath it. Sometimes the real reason is simple: the same crew, with similar body dimensions, similar habits, and similar tolerance for awkward workarounds, kept the machine inside a narrow band of use.
Then the workforce changes. Suddenly the button is too high. The force needed to actuate a device is too great. The line of sight is wrong from the actual working position. The supposedly safe access path is no longer safe for the new reach pattern. Nothing on the machine changed, people say. Not quite. The human side of the machine changed, and that is enough to change risk.
This is why crew changes can matter almost as much as technical changes. Not because people are the problem, but because lazy assumptions about people were the problem from day one.
Reasonably foreseeable misuse means what people will really do
This is the point where many assessments start pretending they have never seen a factory. On paper, nobody bypasses a guard. Nobody leans past a light curtain. Nobody clears a jam with motion still present. Nobody overrides a protective device for a quick setup tweak. Real life is less polite.
ISO 12100 requires consideration of reasonably foreseeable misuse. That includes loss of concentration, reflex actions during abnormal operation, the easiest path to the task, pressure to keep production running, and the behaviour of specific groups of people. In other words, you do not ask only what the instructions say. You ask what people are likely to do when output is slipping, the guard gets in the way, the machine stops unexpectedly, or the task has to be completed fast.
If protective measures work only when the person behaves perfectly, the problem is not the person. The problem is the design, the assumptions, or both.
The same applies to defeat and bypass. If the guard slows setup, if the light curtain blocks adjustment, if the task is impossible without awkward reaching, do not act surprised when someone finds a workaround. That is not behaviour outside the standard. That is exactly the kind of behaviour the standard tells you to foresee.
Warnings are step three, not a garbage dump
Here is another hard truth: the instruction manual is not a landfill for early design mistakes.
ISO 12100 is explicit about the order of risk reduction. First, inherently safe design measures. Second, safeguarding and complementary protective measures. Third, information for use. That last step is where you communicate residual risk, procedures, training needs, warnings, and the use of personal protective equipment. It is not where you repair a bad foundation.
You cannot fix a wrong safety distance with a sticker. You cannot fix the wrong intended use with a paragraph. You cannot fix an omitted service task with a line that says prohibited. And a warning is not a safety function.
If risk remains too high after the selected protective measures, the honest response is not always another label or another briefing. Sometimes the right response is to go back to the beginning and redefine the limits of the machine. That may reveal the real issue: wrong users were assumed, the environment was described badly, service access was unrealistic, tasks were missed, or the machine is no longer being used within the conditions that made the original assessment true.
Start there, and return there
The biggest mistake in machinery safety is treating this topic as an opening formality. It is not. The limits of the machine are where a valid risk assessment starts, and they are often where a broken one must return.
Ask the blunt questions early. For whom must the machine be safe? Where will it really operate? In what conditions? With what tasks? With what access to the hazard zone? With what reasonably foreseeable misuse? For how long, and through which phases of life?
If that stage is shallow, you can do everything else by the book and still land on the wrong answer. You can have the right standards, the right calculations, the right protective measures, and a document that still misses reality. That is why badly defined limits of the machine can undermine an otherwise serious risk assessment. Not because they ruin one detail, but because they corrupt the reference point for the whole analysis.