Build Your First Robot Cell — Part 2

ISO 12100 Risk Assessment

The most important document you will produce for your robot cell. Not a box-ticking exercise — the foundation everything else is built on.


Why this matters more than anything else

We are dealing with machines that have the capacity to kill you. An industrial robot arm does not know you are there. It will not stop because you are in its way. It will crush you, throw you, or trap you — and it will do so with forces far beyond what a human body can withstand.

That is not written to alarm you. It is written because it is true, and because not enough importance is placed on risk assessment in practice. We have seen cells where the safety was added as an afterthought — a fence bolted on at the end, a light curtain positioned because it was convenient, an e-stop placed where the panel builder found space. That is not safety design. That is assumption.

The ISO 12100 risk assessment is the document that forces you to think properly — before you build anything, before you order anything, before you commit to any design. It is the foundation everything else sits on.

Critical point

The most common mistake is designing the cell first and adding safety afterwards. The correct approach is the opposite — risk assess the machine with no guarding at all, identify every hazard, then design the cell to systematically eliminate or reduce those hazards. Safety is not an addition. It is the design.

What is ISO 12100?

ISO 12100 is the international standard for Safety of Machinery — General Principles for Design. It provides the framework for identifying hazards, estimating risk, and applying risk reduction measures in a structured and documented way.

For robot cells specifically, ISO 12100 is supported by a family of related standards that you will reference throughout your risk assessment:

ISO 12100: General risk assessment principles
ISO 10218-1/2: Industrial robot safety
ISO 13849-1/2: Safety-related control systems (PLd/PLe)
ISO 13855: Safety device positioning
ISO 13857: Safe distances
ISO 14120: Guards — general requirements
EN 60204-1: Electrical safety of machinery
ISO/TS 15066: Collaborative robot safety

You do not need to read all of these in full before you start. You need to understand ISO 12100 as your framework, and reference the others as they become relevant to specific hazards and safeguards.

The three-step method

ISO 12100 defines a hierarchy of risk reduction that must be followed in order. You cannot skip steps or jump straight to a safeguard if a design change would have eliminated the hazard entirely.

1. Inherently safe design
Eliminate or reduce hazards by design. Reduce robot speed, reduce payload, remove pinch points through geometry. This is always the preferred solution.

2. Safeguarding
Where hazards cannot be eliminated by design, apply safeguards — guards, interlocks, safety scanners, light curtains, e-stops. This is where most of the robot cell safety work sits.

3. Information for use
Where residual risk remains after design and safeguarding, provide information — training, SOPs, warning signs, PPE requirements. This is the last line of defence, not the first.

The highest risk hazard always takes priority. If you have identified a crushing hazard with a high risk score and a trip hazard with a low risk score, your design effort goes to eliminating the crushing hazard first. The hierarchy of the standard and the scoring of your risk estimation determine your priorities.

How to complete the risk assessment

Step 1 — Define the limits of the machine

Before you identify a single hazard, define what the machine is, what it does, who uses it, and under what conditions. This includes:

Step 2 — Identify the hazards with no guarding in place

This is the most important step and the one most often done incorrectly. You must assess the machine as if there is no guarding at all. No fences, no light curtains, no e-stops. Just the robot, the tooling, and a person in the same space.

For a typical robot cell the hazards will include:

Important

Don't just list the obvious hazards. Walk through every task an operator, maintenance engineer or visitor might perform in or around the cell — including tasks that aren't part of normal operation. Jam clearing, teaching positions, refilling consumables, cleaning — all of these create exposure to hazards that automated cycle mode does not.

Step 3 — Estimate the risk for each hazard

For each hazard, ISO 12100 requires you to estimate the risk based on three factors:

Factor | Rating | Description
Severity (S) | S1 — Minor; S2 — Serious; S3 — Fatal | The worst credible outcome if the hazard results in harm. For robot cells, crushing and impact hazards will typically be S3.
Frequency (F) | F1 — Rare; F2 — Occasional; F3 — Frequent | How often a person is exposed to the hazard. An operator approaching the cell every cycle is F3. A maintenance engineer accessing annually is F1.
Avoidance (A) | A1 — Possible; A2 — Rarely possible; A3 — Impossible | Whether a person could realistically avoid harm if exposed to the hazard. A fast-moving robot arm in an enclosed space is A3 — you cannot outrun it.

Risk is calculated as S × F × A. This gives you a numeric score that determines whether the risk is acceptable or requires further reduction. A high score demands action — the standard and your risk scoring determine the threshold, not your judgement.

Step 4 — Apply risk reduction measures

Working through the three-step hierarchy, apply risk reduction measures to each hazard. For a robot cell almost all of the safeguarding effort will be directed at eliminating the possibility of contact with the robot during operation. This is where your guarding design, safety scanner positioning, interlock logic, and e-stop strategy are determined — by the risk assessment, not by convention or convenience.

For each hazard, document:

Step 5 — Evaluate residual risk

After all risk reduction measures have been applied, residual risk will remain. This is normal — you cannot eliminate every risk entirely. What the standard requires is that residual risk has been reduced to an acceptable level, and that any remaining residual risk is clearly documented and communicated to users through information for use.

If your revised risk score is still above the acceptable threshold after applying safeguards, you must go back and redesign. The assessment is not complete until every hazard has been reduced to an acceptable level.

A real example

To illustrate how this works in practice, here is an extract from a risk assessment produced for an industrial robot palletising cell. The robot uses a vacuum gripper to retrieve products from a conveyor and place them onto a pallet. Physical guarding with interlocked access doors and a Pilz PNOZ safety relay monitor operator access.

Hazard | S | F | A | Initial Risk | Risk Reduction Measures | Residual Risk | Acceptable?
Crushing — robot arm impact during automatic cycle | 3 | 2 | 3 | 18 | Full perimeter guarding, interlocked access doors with guard locking, robot STO on door open, mandatory supervised restart | 1/1/1 | Yes
Impact — collision with end effector or carried load | 3 | 2 | 3 | 18 | Full perimeter guarding prevents access during motion. Load secured by vacuum with pressure monitoring and drop zone outside operator area | 1/1/1 | Yes
Crushing — contact during pallet change inside cell | 3 | 2 | 2 | 12 | Guard locking prevents door opening during cycle. Robot STO confirmed before door release. Supervised restart required after entry | 1/1/1 | Yes
Impact during teaching at reduced speed | 3 | 1 | 2 | 6 | T1 mode ≤250 mm/s, three-position enabling device, trained personnel only, guarding bypassed via key switch with logged access | 1/1/1 | Yes
Unexpected restart during jam clearing | 3 | 1 | 2 | 6 | Lockout/tagout procedure for any access requiring robot power removal. STO confirmed, supervised restart, access logged | 1/1/1 | Yes
Dropped load — vacuum failure during cycle | 2 | 2 | 2 | 8 | Vacuum pressure monitoring with STO on loss of grip. Drop zone contained within guarded cell. No operator access during cycle | 1/1/1 | Yes
Electrical hazard during maintenance | 3 | 1 | 1 | 3 | Lockout/tagout, EN 60204-1 compliant wiring, isolation point clearly labelled at panel | 1/1/1 | Yes

Notice that the crushing and impact hazards carry initial risk scores of 18 — the maximum. This is correct for an industrial robot operating at full speed with no guarding in place. The entire safety design of the cell exists to bring those scores down to an acceptable level. Every safeguard — the perimeter guarding, the interlocked doors, the guard locking, the supervised restart — was determined by those scores, not by convention or by what was easiest to install.
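
The scoring, prioritisation and residual-risk check described in Steps 3 to 5, applied to the extract above as a small register audit. This is an added example, not part of the original assessment: the names `Rating`, `Hazard` and `audit` are hypothetical, the 1/1/1 residual entries are read as S/F/A ratings, and `ACCEPTABLE_MAX = 2` is an assumed threshold because the page states no figure.

```python
from dataclasses import dataclass

ACCEPTABLE_MAX = 2  # assumed threshold; the page states no figure

@dataclass(frozen=True)
class Rating:
    s: int  # Severity 1-3
    f: int  # Frequency 1-3
    a: int  # Avoidance 1-3

    def __post_init__(self):
        for name in ("s", "f", "a"):
            if getattr(self, name) not in (1, 2, 3):
                raise ValueError(f"{name.upper()} must be 1, 2 or 3")

    @property
    def score(self) -> int:
        return self.s * self.f * self.a  # Risk = S x F x A

@dataclass(frozen=True)
class Hazard:
    name: str
    initial: Rating   # rated with no guarding in place
    recorded: int     # initial score as written in the register
    residual: Rating  # rated after risk reduction measures

def audit(register, acceptable_max=ACCEPTABLE_MAX):
    """Return (hazards ranked highest initial risk first, list of findings)."""
    findings = []
    for h in register:
        if h.recorded != h.initial.score:  # catches transcription errors
            findings.append(f"{h.name}: recorded {h.recorded}, S x F x A = {h.initial.score}")
        if h.residual.score > acceptable_max:  # Step 5: go back and redesign
            findings.append(f"{h.name}: residual {h.residual.score} exceeds {acceptable_max}, redesign")
    ranked = sorted(register, key=lambda h: h.initial.score, reverse=True)
    return ranked, findings

LOW = Rating(1, 1, 1)  # the 1/1/1 residual entry used in every row of the extract
REGISTER = [  # rows transcribed from the palletising cell extract above
    Hazard("Crushing, automatic cycle", Rating(3, 2, 3), 18, LOW),
    Hazard("Impact, end effector or load", Rating(3, 2, 3), 18, LOW),
    Hazard("Crushing, pallet change", Rating(3, 2, 2), 12, LOW),
    Hazard("Impact during teaching", Rating(3, 1, 2), 6, LOW),
    Hazard("Unexpected restart, jam clearing", Rating(3, 1, 2), 6, LOW),
    Hazard("Dropped load, vacuum failure", Rating(2, 2, 2), 8, LOW),
    Hazard("Electrical, maintenance", Rating(3, 1, 1), 3, LOW),
]

if __name__ == "__main__":
    ranked, findings = audit(REGISTER)
    for h in ranked:
        print(f"{h.initial.score:>2}  {h.name}")
    print(findings or "register consistent")
```
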

Who should complete the risk assessment?

The risk assessment must be completed by a competent person — someone with sufficient knowledge of the machine, the process, and the relevant standards to make informed judgements about hazards and risk. For a robot cell that means someone with direct experience of industrial robot integration, not just the machine itself.

If you are completing this yourself, involve the people who will operate and maintain the cell from the start. They will identify hazards and access requirements that you won't see from the design stage alone. If you are not confident in your ability to complete a risk assessment to the required standard, get qualified help — this document underpins your CE / UKCA marking declaration and your legal liability as the machine manufacturer.

Document everything

The risk assessment is a living document. It must be reviewed and updated whenever the machine design changes, whenever a new hazard is identified, and whenever an incident or near miss occurs. It forms part of your Technical File and must be retained for the life of the machine.

Every hazard identified, every risk score calculated, every measure applied, and every residual risk accepted must be documented clearly enough that someone who was not involved in the process can understand the decisions that were made and why.
