Introduction
At a Glance
Machinery risk assessment is the formal process of identifying machine hazards, estimating the risk they pose, and applying control measures to reduce that risk to acceptable levels.
Three distinct parties own different pieces of the assessment: the OEM assesses hazards in the machine’s design; a system integrator (if you hire one) assesses hazards at the interfaces where machines meet; and you, the end user, assess hazards specific to your facility and how you’ll operate the equipment. Without clear ownership at each stage, safety gaps emerge. The hierarchy of controls—elimination, substitution, engineering, administrative, and PPE—is the practical framework that drives all risk-reduction decisions.
You’re specifying a new integrated line with a case packer from one OEM, a palletizer from another, and your existing conveyor infrastructure. Before you sign off on the design, someone needs to confirm the whole line is safe. But who? The case-packer OEM assessed their machine during design, and the palletizer OEM assessed theirs. But who assessed what would happen at the handoff between them, or how the conveyor placement might create new risks?
That’s the machinery risk assessment question, and the answer is that all three parties assess different parts of it.
Risk Assessment Happens Before Deployment, Unlike Job Safety Analysis
Machinery risk assessment and job safety analysis are not the same thing, even though they both address safety. The distinction is critical because it defines who does the work and when.
A machinery risk assessment is a design-stage activity. The OEM (or the designer building the machine) asks: What hazards could this machine create? The goal is to prevent hazards from existing in the first place (through design changes, guards, and control-system safety functions) before the machine is ever shipped. It’s forward-looking and preventive.
A job safety analysis (JSA), also called job hazard analysis, is different. It’s operational and reactive. After the machine is installed, you and your workers look at how the machine is actually used and ask: Given our facility and our operators, what’s the safest way to do this job? A JSA identifies step-by-step hazards based on real operational reality and determines procedures to manage them. Both are necessary, but they happen at different times and answer different questions.
The OEM’s risk assessment during design prevents the worst problems from ever reaching your facility. Your JSA after the machine arrives ensures that remaining hazards are addressed through procedures and training. Both are part of a complete machinery safety program.
Hazard, Harm, Risk: Three Words, Three Meanings
Understanding this vocabulary is the single most useful unlock for reading risk-assessment standards and documentation. The standards, primarily ANSI B11.0 (the US standard) and ISO 12100 (the international standard), use these three terms with precise, distinct meanings.
A potential source of harm. On a packaging machine, this might be a rotating shaft, a hot heating element, a pinch point where parts move together, compressed air at high pressure, or electrical current. The hazard is the potential for injury, not yet a problem.
The actual injury or damage that could result. For a rotating shaft, harm might be a crushing injury or amputation. For a hot surface, a burn. For a pinch point, laceration or crush. Harm is the specific consequence that might happen if someone contacts the hazard.
The combination of (1) the probability that harm will occur and (2) the severity of that harm if it does occur. A rotating shaft fully enclosed with no worker contact poses low risk. The hazard exists, but probability is near zero. An unguarded rotating shaft a worker could easily touch poses high risk. The hazard exists, probability is high, and severity is high.
An example… On a case packer, a rotating cam is a hazard. Amputation is the potential harm. The risk depends on how often a worker’s hand might contact the cam (frequency of exposure) and how severe the injury would be (severity). Risk is what the standards ask you to estimate and reduce.
The Hierarchy of Controls: Five Levels, Ranked by Effectiveness
Both ANSI B11.0 and ISO 12100 define a framework for reducing risk, ranked from most to least effective. This is the hierarchy of controls, and it’s the practical decision tree that drives every risk-reduction choice.
-
1
Elimination by design — The most effective is to redesign the machine so the hazard doesn’t exist. Instead of a rotating shaft at that location, use a solid rod. Replace a heated clamp with a room-temperature mechanical press. If the hazard doesn’t exist, the risk is zero.
-
2
Substitution — Replace the hazard with a less harmful equivalent. If you must have a heated element, use a lower temperature that won’t cause severe burns. Reduce pressure to the minimum needed. It’s less effective than elimination but more effective than guarding.
-
3
Engineering controls and guarding — Install fixed guards, interlocks, light curtains, emergency stops, or trapped-key switches. A fixed guard prevents access entirely. An interlock stops the machine when a guard opens. A light curtain detects presence and stops the machine. Engineering controls are reliable because they work independently of human behavior.
-
4
Administrative controls and information — Provide warnings, labels, lockout/tagout procedures, operator training, and documented procedures. These control how workers interact with hazards that remain after design measures are in place.
-
5
Personal Protective Equipment (PPE) — Require workers to wear gloves, hearing protection, or safety glasses. PPE is the least reliable method because it depends on correct use every time.
The hierarchy reflects a principle called “safety by design:” the most reliable risk reduction happens at the design stage (levels 1–3), not through operational controls applied afterward (levels 4–5). This is why the OEM is best positioned to apply the first three levels, as the OEM controls the design. The end user applies levels 4 and 5 after the machine arrives and training begins.
Who Owns the Assessment: The Three-Party Model and Lifecycle Stages
Machinery safety is not a single vendor’s job. It’s a shared process where OEMs, integrators, and end users each own a distinct piece. Understanding who is responsible for what at each stage prevents safety gaps.
The OEM at the Design Stage
The OEM conducts a comprehensive risk assessment during the machine’s design phase. This assessment identifies all hazards associated with the machine’s intended use, estimates the risks they pose, and applies risk-reduction measures (design changes, guards, interlocks, control-system safety functions) to achieve acceptable risk. The OEM documents all of this and provides it when the machine ships.
The OEM’s scope is the machine itself. It’s comprehensive but focused on that single unit, operating under the machine’s intended use conditions. When you receive the machine, you’re receiving a design that has already been through hazard identification and risk reduction.
The System Integrator at the Interface Stage
If you’re combining machines from multiple vendors and hire a system integrator, the integrator has a distinct risk-assessment responsibility. This responsibility is not a subset of either OEM’s work. Instead, it’s a separate assessment of hazards that emerge at the interfaces.
When a case packer from Vendor A feeds cases into a palletizer from Vendor B, each vendor has assessed their own machine. But what happens if the case packer jams and stops while the palletizer doesn’t know? What if the conveyor speed doesn’t match the palletizer’s cycle time? What if the handoff logic fails? These are integration-point hazards that neither OEM assessed, because neither controlled the interface.
The integrator’s scope is the line-level risks, such as control logic, handoff synchronization, emergency-stop propagation, and speed matching. The integrator designs control solutions to prevent integration-point failures.
You, the End User, at the Site and Throughout Life
When the machine (or integrated line) arrives at your plant, you need to assess risks specific to your use. Is this machine suitable for the products you’re running? Does the OEM’s assessment assume conditions that don’t match your operation? Where is the machine placed? Is it near a walkway where an operator might slip? Near other equipment that could interfere? Who will operate it, and what training do they need?
You also own periodic review. Over the machine’s life, as products change, volumes shift, operators turn over, and near-miss incidents occur, the risk landscape changes. You’re responsible for re-assessing periodically, typically every 3 to 5 years, or whenever the machine is substantially modified.
Your assessment is not secondary. On many projects, the end user’s assessment is the most critical one because you know your facility, your products, and your operational reality in ways the OEM never will. When you want to own your facility’s safety assessment completely, that’s the right call.
How Standards Estimate Risk: The Framework
Both ANSI B11.0 and ISO 12100 use qualitative methods to estimate risk. Note that they’re not mathematical formulas but are structured engineering judgment.
The simplest approach is a severity × probability matrix—a grid where columns represent severity levels (minor injury through death) and rows represent probability or frequency (rare, occasional, frequent, continuous). The intersection gives a risk level (low, medium, high, very high).
ISO 12100 uses a more structured approach called a risk graph, which combines three parameters:
-
S (Severity): Reversible injury (a cut) vs. irreversible injury (amputation, death)
-
F (Frequency/Duration of Exposure): Rare or short duration vs. frequent or long duration
-
P (Possibility of Avoidance): Can the operator realistically avoid the hazard vs. is it impossible to avoid?
By navigating the risk graph with these three parameters, you arrive at a Required Performance Level (PLr), ranging from PLr a (low risk) to PLr e (very high risk). This output drives control-system design requirements. A PLr e hazard requires a highly reliable control system while a PLr a hazard requires less stringent control.
Key Point
Both standards use qualitative judgment, not formulas. You estimate severity and probability based on experience, engineering judgment, and testing rather than mathematical calculation. This is where the OEM’s expertise comes in.
Risk Assessment Happens at Multiple Stages, Not Just Once
Risk assessment is not a one-time event. It happens across the machine’s lifecycle, with different ownership at each stage. The OEM assesses during design, the integrator (if you have one) assesses at interface points, and you assess at installation and periodically throughout operation. Each stage produces documentation anchoring the assumption that someone thought about each hazard and made intentional choices.
Learn More About Machinery Risk Assessment
With 60+ years of experience, Douglas specialists are ready to share knowledge and answer questions that lead you to improved packaging automation. Schedule a call today.
