Residual risk in the machine.
TL;DR
  • Residual risk is what remains after design changes and protective measures, not a label for hazards the manufacturer did not solve.
  • A manual warning makes sense only after checking access, geometry, energy, guards, interlocks, operating modes and real tasks.
  • ISO 12100 and EU Machinery Regulation 2023/1230 set the order: design first, safeguards second, information last.
  • Manufacturers must not shift unresolved risks to users; users remain responsible for procedures, training and supervision.
  • For connected machinery, remote access, accounts, updates and configuration must also be assessed when they can affect safety.

There is a zone an operator can reach with a hand. There is a moving part that can catch that hand. There is a task someone will actually perform: clearing a jam, cleaning, setting up, checking after a stop.

Then the risk assessment table gets a neat entry: residual risk — information in the instructions — keep hands out.

On paper, it looks tidy. Hazard described. Risk named. Manual updated. But in machine safety, that kind of entry often does not close the subject. It covers it up.

Because residual risk is not the bag for everything nobody solved in the design. It is not a way to move responsibility from the manufacturer to the user. It is the risk left after real engineering work: after checking whether the hazard can be removed by inherently safe design, after selecting protective measures, and after verifying whether those measures actually reduce human exposure.

Only then can anyone honestly say: something still remains here, and the user must know about it.

In practice, that line gets blurred. The manufacturer says: “We described it in the instructions.” The integrator says: “The user has to train people.” The user hears: “That is your work organisation now.” But ISO 12100 and Machinery Regulation (EU) 2023/1230 put that responsibility in a specific order: first design, then protective measures, finally information.

The same issue now comes back hard with connected machinery. Remote access, service accounts, controller configuration, updates and data are not just an IT matter for the user if they can affect machine safety. It is not enough to write: “The user shall secure the network.” The manufacturer has to supply a machine that considers those risks from the start.

So the real question is not whether a warning appeared in the manual.

The real question is: what did the manufacturer do before putting that warning there?

Residual risk is not a blank field in a table

In ISO 12100, one figure is worth pausing over. Not just the definition. Not just the famous three-step method. The key is Figure 2, the diagram showing risk reduction from the designer’s point of view.

That diagram is uncomfortable in the best possible way. It separates the designer’s contribution from the user’s contribution. On the designer’s side are inherently safe design, safeguards, complementary protective measures and information for use. On the user’s side are work organisation, procedures, supervision, permit systems, additional technical measures, PPE and training.

That means residual risk really does sit at the interface between manufacturer and user. But not in the sense that everyone can throw in whatever is convenient. The manufacturer cannot push into that zone a hazard that should have been solved by design. The user cannot pretend that instructions and training do not matter when the manufacturer has properly described risks that could not be eliminated on the machine side.

This is exactly why the phrase residual risk can be dangerous. It sounds technical. It gives a document a serious tone. And it can hide the absence of a design decision.

Someone sees an in-running nip point. Someone knows the operator will clear jams. Someone knows cleaning requires a hand near a moving element. And still the table says: residual risk — keep hands out.

That entry does not prove the risk is residual. It proves only that someone called it residual.

To use the term honestly, you have to show the route taken. What was done in the construction? Could the geometry, distance, energy, speed, access or adjustment method be changed? What safeguards, interlocking guard, guard locking, operating modes or safety function options were considered? Why does part of the risk genuinely have to be communicated to the user?

Only that answer moves the subject from “we put it in the manual” to risk assessment aligned with ISO 12100.

ISO 12100 is clear: measures applied at the design stage are preferred over measures left to the user, because they usually work better. ISO/TR 14121-2 reinforces the same point: information for the user must support correct and safe use of the machine and warn about risks that remain after reduction by design and safeguards. Procedures, training and LOTO have their place. They do not exist to rescue a design the manufacturer never worked through.

Otherwise, we are not talking about residual risk. We are talking about risk left to the user.

Three times residual risk becomes a convenient alibi

Residual risk at moving parts: the “do not reach in” myth

Take a simple case.

A machine has a moving element. The operator can reach near it when clearing a jam, cleaning, manually feeding a part or setting up. The risk assessment identifies an entanglement or crushing hazard. In the protective measures column, the entry says: “warning in the instructions.” In the instructions, the sentence says: “Do not put hands into the machine working area.”

Sound familiar?

At first glance, the file looks complete. Hazard: present. Risk: present. Warning: present. But machine safety is not about making sure every empty cell in a spreadsheet has some text in it. The question is different: what happened before that warning?

Did anyone try to remove the nip point by changing the geometry? Was the force, speed or energy of movement limited? Could the setting task be moved outside the danger zone? Was a reduced-risk setting mode considered? Was an interlocking guard, guard locking, hold-to-run control or enabling device selected? Did anyone check how the operator will really clear the jam, not how the operator is supposed to behave in a perfect manual?

If the answer is: “No, but we wrote that hands must not be inserted,” then we are not yet talking about residual risk. We are talking about risk that has been labelled residual because that was the easiest way out.

This is where Figure 2 in ISO 12100 is so useful. It does not let us blur the boundary: the designer’s contribution (inherently safe design, technical protective measures, complementary protective measures and information for use) is drawn separately from the user’s contribution (organisation, procedures, supervision, permit systems, additional technical measures, PPE and training).

So yes, residual risk is a boundary topic. It touches both sides. But that does not make it a shared bag for everything nobody handled earlier.

Shared does not mean undefined. Shared does not mean: “The manufacturer writes a warning and the user somehow deals with it.” Shared means: the manufacturer shows what was done on the machine side, what could not be eliminated, and what information is passed to the user. The user then organises work according to that information.

Residual risk in safe access: a platform is not decoration

The second example is even more interesting because many teams do not immediately connect it with machine risk assessment.

Imagine a machine where a filter must be replaced every week. A sensor must be cleaned at every format change. A lubrication point is two metres above the floor. A component must periodically be removed from inside the machine. The manufacturer writes in the instructions: “Carry out the work in accordance with health and safety rules and use suitable means of access.”

Fine. But what means of access?

A ladder borrowed from the shop floor? A mobile platform brought by maintenance? Climbing on the machine frame? Standing on a structural profile because “that is how we always do it”? Or is the operator expected to hold the guard with one hand, loosen the part with the other, and use the third hand — which nobody has — to control the tool?

This is where theory hits the floor.

If the manufacturer foresees a regular operating, servicing, cleaning or adjustment task, the manufacturer has to ask: how does a person get there safely, where does that person stand, and how is the work done without improvisation?

Not every task at height around a machine means the manufacturer must build a huge platform system. But the opposite shortcut is just as wrong: pretending that access to a frequent service point is solely the user’s problem.

ISO 12100 indicates that routine operation, setting and maintenance tasks should be performed from floor level where possible. If that is not possible, safe access has to be considered: service platforms, stairs, walkways, guardrails or other solutions. This is where ISO 14122, dealing with permanent means of access to machinery, becomes very practical.

And then the questions get sharp.

If a technical measure exists that allows frequent replacement, adjustment or maintenance to be carried out safely, why do we immediately assume the user should solve it organisationally? Why was a fixed service platform not considered in the design? Why does the instruction manual require a weekly task in a hard-to-reach place, while the machine design gives the person no safe workplace? Why does the manufacturer describe the task but not design the conditions for doing it?

These are not academic questions. They come up during acceptance, audits and real production work.

If the user must regularly perform a task, access to that point is not an accessory. It is part of machine safety, or at least part of the installation requirements the manufacturer should state clearly. Otherwise, the same convenient shortcut appears again: residual risk — the user shall use suitable means of access.

Often, that sentence does not describe residual risk. It describes a missing design decision.

Residual risk in remote access and machine cybersecurity

The third example looks newer, but the mechanism is the same.

The machine has remote access. It has a controller, HMI, industrial computer, service accounts, update capability, data transfer and sometimes a connection to a higher-level system. The manufacturer says: “The user must secure the network.” IT receives the problem after commissioning. Maintenance wants service to connect quickly. Production wants the machine to run. Everyone has a reason.

But ask one simple question: can a breach of this layer affect machine safety?

If remote access allows parameters, operating modes, control logic, HMI configuration or data relevant to a safety function to be changed, this is not just a corporate firewall issue. If the machine reaches the user with default passwords, undocumented accounts, open remote access or an unclear update procedure, it is hard to claim that all cybersecurity risk belongs to the user.

The user, of course, has duties. The user must manage the network, accounts, access rights, backups, updates, segmentation and change procedures. But the manufacturer cannot supply a machine in a “you will secure it somehow” condition and call that residual risk.

That is especially true under Machinery Regulation (EU) 2023/1230, which moves cybersecurity closer to machine safety where corruption of hardware, software or data can lead to a hazardous situation.

The logic is the same as with mechanical hazards: first design, then technical measures, finally information for the user. Not the other way round.

So in all three cases — entanglement, safe access and cybersecurity — we come back to one hard question:

Did the manufacturer actually reduce the risk, or merely describe it to the user?

That question is inconvenient. Good. It should be. Residual risk is not there to close a table neatly. It is there to show what truly remains on the machine side, on the work organisation side and at the interface between the two.

If the manufacturer has done the work, the user must take the information seriously. The user must train people, maintain safeguards, organise work and prevent bypassing protective measures. But if the manufacturer has not done the work, the manual will not repair the design.

“Keep hands out,” “use a suitable platform” and “secure the network” may be important information. They may be part of the final safety package. They cannot pretend that the harder questions did not have to be asked first.

When is residual risk really residual?

After these examples, one point is obvious: not every risk left at a machine deserves to be called residual risk.

Because what does “left” actually mean?

Left after changing the design?

Left after an interlocking guard, guard locking, a reduced-risk setting mode or another safeguard?

Left after moving the lubrication point outside the danger zone?

Left after designing permanent safe access for maintenance?

Or left because nobody wanted to touch it and the easiest move was to add a warning?

Those are two completely different situations.

ISO 12100 separates this very clearly. There is residual risk after the measures applied by the designer, and residual risk after all measures have been applied, including those on the user’s side. Figure 2 shows that split well: first the designer’s contribution, then the user’s contribution, and between them the point where information from the manufacturer must be used by the user’s work organisation.

That is why residual risk must never be treated as a loose cell in a spreadsheet. It is not the place for: “The user shall take care.” It is the place for a concrete conclusion after engineering work has been done.

The simplest way to test it is this:

Question: Has the hazard been described specifically: where it occurs, when it occurs, who is exposed and during which task?
  If yes: You can continue assessing whether this is residual risk.
  If no: This is not yet risk assessment. It is only a general hazard statement.

Question: Did the manufacturer check whether the hazard can be eliminated by inherently safe design?
  If yes: You are following the logic of ISO 12100.
  If no: The warning in the instructions appears too early.

Question: Were technical protective measures considered: guards, interlocks, guard locking, operating modes, hold-to-run control, enabling device, reduced energy, reduced speed or reduced force?
  If yes: You can justify why part of the risk still remains.
  If no: The risk is probably not residual. It is unfinished.

Question: Did the manufacturer show why a particular measure was not applied?
  If yes: The documentation shows an engineering decision.
  If no: There is a gap. A gap does not become residual risk just because someone gave it that name.

Question: Is the information for the user specific?
  If yes: The user knows what to do: when, how, with what equipment and under which conditions.
  If no: “Take care” or “keep hands out” is not enough.

Question: Does the user have real control over the measure?
  If yes: This may belong on the user side: training, LOTO, supervision, procedure, maintenance, PPE or work organisation.
  If no: Do not pretend the user has taken over something the user cannot effectively control.

Question: Can the user-side measure be maintained in real operation?
  If yes: You can talk about shared responsibility.
  If no: If it requires constant policing of people and a technical measure was feasible, the problem moves back to the manufacturer.

Question: After applying the protective measure, was it checked whether new risk was created?
  If yes: The risk assessment loop is closed.
  If no: The process is not finished. ISO/TR 14121-2 reminds us to check whether risk really fell and whether new hazards appeared.

This table is not a formal algorithm. It is a common-sense filter. If, after going through it, all that remains is “the operator must be careful,” you are too early. You have not reached residual risk yet.

It is also worth separating responsibility clearly.

Area: Entanglement, crushing, contact with movement
  What the manufacturer should do: Design, geometry, energy limitation, guards, interlocks, operating modes, safety functions and a clear description of risks that could not be eliminated.
  What the user realistically takes over: Training, supervision, maintaining guards and interlocks, jam-clearing procedures and preventing bypass of protective measures.

Area: Cleaning, setting, maintenance
  What the manufacturer should do: Include these tasks in the risk assessment, limit access to danger zones, provide service modes, place adjustment points outside danger zones and provide safe access.
  What the user realistically takes over: Work organisation, personnel competence, LOTO, maintenance planning and checking the condition of protective measures.

Area: Access at height, platforms, walkways
  What the manufacturer should do: Assess whether the task is frequent and foreseeable; design or define requirements for a permanent means of access where needed.
  What the user realistically takes over: Maintain access routes, keep order, allow only suitable personnel and apply the procedures and measures specified by the manufacturer.

Area: Cybersecurity and remote access
  What the manufacturer should do: Provide secure architecture, limit access, control accounts, describe interfaces, define update rules and protect safety-related data and software.
  What the user realistically takes over: Network segmentation, account management, change procedures, backups and supervision of service access.

Area: Information in the instructions
  What the manufacturer should do: Provide specific warnings, describe risk, define conditions for safe use, state required user-side measures, prohibitions and limits of use.
  What the user realistically takes over: Implement the information in practice: training, workstation instructions, supervision and enforcement.

This is the core of the matter.

Residual risk can be shared. But shared does not mean unclear.

Shared does not mean: “The manufacturer wrote it down, so the user is responsible.”

Shared does not mean: “Health and safety will create a procedure, so the design is fine.”

Shared means something far more demanding: the manufacturer must show what was done on the machine side, and the user must take over what genuinely depends on work organisation, supervision, maintenance and operating conditions.

In a good risk assessment, the residual risk entry is not the last resort. It is the end of honest reasoning:

There was a hazard. This much was done in the design. This much was done technically. This part cannot reasonably be removed without creating a bigger problem. These are the instructions and requirements passed to the user.

Only then does residual risk sound like a conclusion from risk assessment.

Not like a cover-up for decisions that were never made.

A table can organise residual risk, but it cannot replace real work

A responsibility split looks good only when it comes down from broad slogans to the level of a real task at a real machine.

It is easy to write: “The user shall ensure work organisation.” It is easy to write: “The user shall use suitable means of access.” It is easy to write: “The user shall secure the network.” It is harder to check whether the user received a machine that can actually be operated, cleaned, maintained and serviced safely.

Take a service platform.

On a drawing, everything may look correct. Steel structure, grating, guardrail, access stairs. Access provided? Provided. Topic closed? Not necessarily.

First ask: what work is that platform for?

If a worker goes there once a year to read an indicator or check a nameplate, that is one situation. If the same platform is used regularly to replace a motor, gearbox, cylinder, roller, head, filter or other wear part, we are no longer talking only about access. We are talking about a service workplace.

Then the generic sentence in the instructions is not enough.

Who goes up there — one person or two maintenance technicians?

What do they take with them — a toolbox, torque wrench, lifting slings, spare part?

What are they removing — a 20 kg cover, an 80 kg geared motor, a 150 kg gearbox, or a 500 kg motor?

Where do they put the component after unbolting it — on the platform, on a trolley, on a hoist?

Was a transfer gate, suspension point, hoist, removal path and working space for two people considered?

Does the platform load capacity cover only a person, or also tools, parts, local loads and forces created during dismantling?

These are shop-floor questions, not training-slide questions.

If the instructions say a 500 kg motor is replaced from a platform, the platform must match that work. Not the work of an “operator with a spanner,” but the real task: two people, tools, a removed component, manoeuvring space, fall protection, transfer of the part and safe lowering to floor level.

Otherwise, you have the appearance of a solution. The platform exists, but it does not solve the task. Access exists, but it does not provide safe maintenance. The instructions describe the activity, but the design does not provide the conditions to perform it.

Now ask the important question: is that residual risk?

If the manufacturer foresaw a regular service task but did not foresee a safe way to perform it, it is hard to call that an honestly described residual risk. It is more likely an unfinished maintenance concept. The user is responsible for work organisation, competent personnel, LOTO, supervision and keeping the platform in good condition. But the user should not discover after acceptance that replacing a heavy assembly requires improvisation.

Cybersecurity follows the same pattern.

The machine arrives with a service account. Login: admin. Password: admin. Remote access works because “service has to connect somehow.” The documentation says the user should secure the network. IT receives the issue after start-up. Maintenance does not want to block access because the machine has to produce. Service wants quick response. Each side has an argument.

But the question is simple: did the manufacturer supply the machine in a secure default configuration?

This is not about making the manufacturer responsible for the user’s entire plant network. That would be detached from reality. The user must manage access rights, segmentation, backups, change procedures, accounts, updates and supervision of service connections.

But the manufacturer cannot hand over a machine with an obvious weakness and say: “That is your IT problem now.” If remote access, accounts, software, HMI configuration or data can affect machine behaviour, that layer belongs in the safety assessment. Just like a guard, interlock or service mode.

Admin/admin is not a detail. It is the digital equivalent of a platform that exists on paper but has no capacity for the real job. Something appears in the documentation. In reality, the user receives a problem to repair.

Good information for the user does not say only: “secure the network.” Good information says which accounts exist, which access roles are intended, what must be changed at first start-up, how remote service works, who may update software, which configuration elements are relevant to safety, how settings can be restored, and what network conditions the manufacturer assumed for safe machine operation.

Only then can we honestly discuss the user’s responsibility. Then the user knows what is being taken over. Then residual risk really sits at the interface between the machine and work organisation.

Without that, it is just problem transfer.
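The handover information described above can be checked at acceptance rather than argued about later. The script below is an added example, not code from the original article, from ISO 12100 or from the Machinery Regulation: it models the delivered state of the cyber layer (accounts, remote access, update procedure, safety-relevant settings) against what the manual documents, and flags the manufacturer-side gaps the text names (default credentials, undocumented accounts, open remote access, no update procedure). The field names, the default-credential list and both sample manifests are constructed assumptions for illustration; a real check would populate them from the delivered controller/HMI and the supplied documentation.

```python
"""Commissioning-acceptance check for the cyber layer of a delivered machine.

Added example, not code from the original article, from ISO 12100 or from the
Machinery Regulation. It models the handover information the text calls for
(which accounts exist, intended roles, what must be changed at first start-up,
how remote service works, who may update software, which configuration elements
are safety-relevant) as structured data and checks the delivered state against
it. All field names, the credential list and both sample manifests are
constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Factory-default credentials that should never reach the user unchanged
# (illustrative, assumed list; a real check would use a vendor-derived set).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", ""), ("service", "service"), ("root", "root"),
}


@dataclass
class Account:
    name: str
    role: str                       # e.g. "operator", "maintenance", "oem_service"
    password: str | None            # None: delivered with no password set
    can_change_safety_config: bool  # may alter parameters/logic of a safety function


@dataclass
class Handover:
    """Delivered state plus what the manual says about it (constructed fields)."""
    delivered_accounts: list[Account]
    documented_accounts: dict[str, str]      # account name -> intended role, per manual
    remote_access_enabled_by_default: bool
    remote_access_user_approval: bool        # user must enable/approve each session
    update_procedure_documented: bool        # who may update, how, how to restore
    safety_relevant_config_listed: bool      # manual names the safety-relevant settings
    first_start_password_changes: list[str] = field(default_factory=list)


def acceptance_findings(h: Handover) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for gaps that belong to the manufacturer.

    'safety' marks anything that can alter safety-relevant configuration: that is
    part of the machine's safety assessment, not an IT item for the user's backlog.
    """
    findings: list[tuple[str, str]] = []
    any_safety_account = any(a.can_change_safety_config for a in h.delivered_accounts)

    for acct in h.delivered_accounts:
        sev = "safety" if acct.can_change_safety_config else "general"
        if (acct.name, acct.password or "") in DEFAULT_CREDENTIALS:
            msg = f"default credentials on account '{acct.name}'"
            if acct.name not in h.first_start_password_changes:
                msg += "; manual does not require changing them at first start-up"
            findings.append((sev, msg))
        if acct.name not in h.documented_accounts:
            findings.append((sev, f"undocumented account '{acct.name}' (role '{acct.role}')"))
        elif h.documented_accounts[acct.name] != acct.role:
            findings.append((sev, f"account '{acct.name}' delivered with role '{acct.role}', "
                                  f"documented as '{h.documented_accounts[acct.name]}'"))

    if h.remote_access_enabled_by_default and not h.remote_access_user_approval:
        # Assumption: remote sessions reach the same accounts as local HMI login.
        sev = "safety" if any_safety_account else "general"
        findings.append((sev, "remote access enabled by default without user-side session approval"))
    if not h.update_procedure_documented:
        findings.append(("general", "no software update procedure (who, how, restore) documented"))
    if not h.safety_relevant_config_listed:
        findings.append(("general", "safety-relevant configuration elements not identified"))
    return findings


# Constructed sample: the 'admin/admin' delivery described in the text.
AS_DELIVERED = Handover(
    delivered_accounts=[
        Account("admin", "oem_service", "admin", True),
        Account("operator", "operator", "op-7f3k", False),
        Account("svc2", "oem_service", "s3rv1ce", True),   # on the HMI, absent from the manual
    ],
    documented_accounts={"admin": "oem_service", "operator": "operator"},
    remote_access_enabled_by_default=True,
    remote_access_user_approval=False,
    update_procedure_documented=False,
    safety_relevant_config_listed=False,
)

# Constructed sample: same machine handed over with the information the text asks for.
HARDENED = Handover(
    delivered_accounts=[
        Account("admin", "oem_service", "Kq7#machine-0421", True),   # per-machine, to be changed
        Account("operator", "operator", "op-7f3k", False),
    ],
    documented_accounts={"admin": "oem_service", "operator": "operator"},
    remote_access_enabled_by_default=False,
    remote_access_user_approval=True,
    update_procedure_documented=True,
    safety_relevant_config_listed=True,
    first_start_password_changes=["admin", "operator"],
)

if __name__ == "__main__":
    for label, manifest in (("as delivered", AS_DELIVERED), ("hardened", HARDENED)):
        found = acceptance_findings(manifest)
        print(f"{label}: {len(found)} finding(s)")
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

Run as a script, the "as delivered" manifest yields five findings, three of them tagged safety because the accounts involved can change safety-relevant configuration; the "hardened" manifest yields none. The severity split is the point: a default password on an operator-only account is an IT hygiene item the user can reasonably take over, while a default password on an account that can rewrite a safety function's parameters is a design-stage gap, whatever the manual says about securing the network.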

That is why the term residual risk must not be used lightly. It must not shut down uncomfortable questions. It must show what remains with the manufacturer, what passes to the user and what conditions both sides must meet so the machine stays safe during normal operation.

Because a machine does not end at the declaration of conformity.

It keeps working: during changeovers, cleaning, maintenance, faults, updates, service access and replacement of heavy assemblies.

If the design does not account for those situations, the instruction manual will not fix them.

Frequently Asked Questions

What is residual risk in a machine?

Residual risk is the risk that remains after the machine designer has applied risk reduction measures. In the ISO 12100 approach, the first objective is to achieve inherently safe design, then to select safeguarding and complementary protective measures, and only then to provide the user with information about the remaining hazards.

It is therefore not a “container” for problems left unresolved in the design. To speak of residual risk, it must be demonstrated which risk reduction actions were previously considered and applied.

Is the wording “do not insert hands” sufficient as a protective measure?

Usually not. A warning in the instructions alone does not replace a guard, interlock, guard locking, energy limitation, change in geometry, or safe setting mode if such measures are possible and adequate for the hazard.

Information for use makes sense only when the designer has demonstrated that the risk has first been reduced in accordance with the hierarchy of measures in ISO 12100, and that residual risk nevertheless remains and needs to be described.

Who is responsible for residual risk: the manufacturer or the user?

Responsibility is shared, but not arbitrary. The manufacturer is responsible for risk assessment, risk reduction at the design stage, and reliable information about the residual risk that could not be eliminated or sufficiently reduced by design measures.

The user is responsible for the safe organization of work, training, supervision, procedures, personal protective equipment, and following the instructions. However, this does not mean that the manufacturer may shift to the user a hazard that should be addressed by design or technical measures.

How can you tell that a risk has been classified as residual too early?

A warning sign is a situation in which the risk assessment identifies an accessible entrapment, crushing or shearing point, and the only measure is a warning such as “do not put hands in”. This does not yet prove that there is an actual residual risk.

The documentation should show whether design modification, reduction of energy or speed, moving the task outside the danger zone, guards, interlocks, guard locking, safety functions and reduced-risk operating modes were considered.

How to document residual risk in a machinery risk assessment?

Well-documented residual risk should not be a single entry in a table. It should show the path followed: the hazard, the task performed by a person, the life phase of the machine, the persons exposed, the risk assessment before reduction, and the protective measures applied. In practice, the entry should:

  • describe which design and technical solutions were considered,
  • indicate which measures were applied and how they reduce exposure,
  • define what still remains after risk reduction,
  • transfer specific information to the instructions, markings, and procedures for use.

Make residual risk traceable and justified

Link each warning to the design choices and protective measures that came before it. Then it’s clear what remains after risk reduction.
