Key Takeaways
- ISO 12100:2010 is the foundation methodology that ISO 10218-1/2:2025 and the EU Machinery Regulation 2023/1230 both build on.
- The process is an iterative loop: determine limits, identify hazards, estimate risk, evaluate risk, reduce risk, then re-estimate residual risk.
- Risk reduction follows a strict 3-step hierarchy: inherently safe design first, safeguarding second, information for use last.
- A 5×5 severity-by-probability matrix turns each hazard into a Low, Medium, High or Critical rating with a defined action.
- Humanoid robots need extra hazard categories such as bipedal balance loss, fall zones and battery thermal runaway.
- Residual risk acceptance needs a named owner, a dated signature and a revision history for audit traceability.
An ISO 12100 risk assessment template is a structured document that walks you through the standard’s risk assessment loop and produces the hazard register every robot safety standard expects you to hold first. The loop itself: define the limits of the machinery, identify hazards, estimate and evaluate the risk for each one, reduce it through a 3-step hierarchy, then re-estimate until the residual risk is acceptable. The stakes are real. A NIOSH analysis identified 41 robot-related workplace fatalities in the US between 1992 and 2017, and 78% of those cases involved a robot striking the worker (NIOSH, 2023). In this guide, part of my robot safety documentation series, I walk through the methodology and the exact template structure I use for humanoid and industrial robot deployments.
Table of Contents
What Is ISO 12100 and Why Does Every Robot Standard Build on It?
ISO 12100:2010, “Safety of machinery, General principles for design, Risk assessment and risk reduction,” is the type-A standard at the top of the machine safety hierarchy (ISO, 2010). Type-A means it defines the general methodology. Every type-C robot standard, including ISO 10218-1:2025 and ISO 10218-2:2025, assumes you’ve already run this process.
That dependency matters more since February 2025. The revised ISO 10218 parts were published that month, the first major revision since 2011, and they folded most requirements of ISO/TS 15066:2016 on collaborative robot applications directly into Part 2 (A3 via Robotics Tomorrow, 2025). I’ve covered what changed in detail in my ISO 10218:2025 explainer. The short version: the new requirements only make sense once a 12100-style risk assessment exists to hang them on.
The same logic applies in Europe. Regulation (EU) 2023/1230, which applies from 20 January 2027, requires manufacturers to document a risk assessment in the technical file before placing machinery on the market (EUR-Lex, 2023). ISO 12100 is the recognized way to satisfy that requirement.
One housekeeping note: a revision of ISO 12100 is currently under development as ISO/DIS 12100.2 (ISO, 2026). The 2010 edition remains the current published version, so build your template on it now and plan a review when the revision lands.
How Does the ISO 12100 Iterative Process Work?
ISO 12100 prescribes a loop, not a checklist. You determine the limits of the machinery, identify hazards, estimate the risk for each hazard, evaluate whether that risk is acceptable, and reduce it if it isn’t. Then you go back and re-estimate, because every protective measure can introduce new hazards of its own.
Here’s how I break the loop down for a robot deployment:
Step 1: Determine the limits of the machinery
Define what the robot system is and is not. Use limits (intended tasks, payloads, operating modes), space limits (work zone, travel paths, maintenance access), time limits (duty cycles, battery life, component wear) and foreseeable misuse. For a humanoid, foreseeable misuse includes an operator walking into the path of a moving robot or leaning on it.
Step 2: Identify hazards
Walk through every life phase: transport, installation, commissioning, operation, maintenance, troubleshooting and decommissioning. List mechanical, electrical, thermal, ergonomic and control system hazards for each phase. This is where a pre-populated hazard register saves days of work.
Step 3: Estimate and evaluate risk
For every hazard, score severity of harm and probability of occurrence, then decide whether the resulting risk is tolerable. The 5×5 matrix in the next section is the tool I use here.
Step 4: Reduce risk with the 3-step hierarchy
ISO 12100 is strict about order. First, inherently safe design: remove the hazard or reduce its energy, for example by limiting joint speed or force at the design level. Second, safeguarding and complementary protective measures: fences, light curtains, speed and separation monitoring, monitored standstill. Third, and only last, information for use: warnings, signage, training and the operator manual. Jumping straight to a warning label when a guard was feasible is the most common audit finding I see.
Step 5: Re-estimate residual risk
After each measure, score the hazard again. If the residual risk is still too high, loop back. If it’s acceptable, document it, assign an owner and sign it off.
How Do You Estimate Risk with a 5×5 Matrix?
ISO 12100 requires risk estimation from two elements, severity of harm and probability of occurrence, but it doesn’t mandate a specific scoring tool. A 5×5 matrix is the most widely used implementation, and it’s what I build into my templates. You score severity from 1 (negligible) to 5 (catastrophic) and probability from 1 (rare) to 5 (almost certain), then multiply.
The product maps to four bands, each with a defined action:
| Severity \ Probability | 1 Rare | 2 Unlikely | 3 Possible | 4 Likely | 5 Almost certain |
|---|---|---|---|---|---|
| 5 Catastrophic | M 5 | H 10 | H 15 | C 20 | C 25 |
| 4 Major | L 4 | M 8 | H 12 | C 16 | C 20 |
| 3 Moderate | L 3 | M 6 | M 9 | H 12 | H 15 |
| 2 Minor | L 2 | L 4 | M 6 | M 8 | H 10 |
| 1 Negligible | L 1 | L 2 | L 3 | L 4 | M 5 |
The action bands are: Low (1-4): monitor, no immediate action but review at the next scheduled assessment. Medium (5-9): reduce, plan and implement risk reduction within a defined timeframe. High (10-15): act, implement measures before continued operation. Critical (16-25): stop, halt the activity until the risk is reduced.
Two practical rules keep the matrix honest. Score severity for the worst credible outcome, not the average one. And score probability with all existing safeguards assumed absent the first time through, so the inherent risk is visible in the record.
If you’d rather not build this from a blank page, my Robot Safety Documentation Toolkit includes an editable ISO 12100 risk assessment template in Word format with this 5×5 matrix and a pre-populated register of 40 robot hazards ready to adapt to your deployment.
Which Hazards Are Unique to Humanoid Robots?
Most published robot hazard checklists were written for caged industrial arms, and the fatality data reflects that era: 83% of the robot-related deaths NIOSH analyzed involved stationary robots (NIOSH, 2023). A humanoid that walks, balances and shares floor space with people has a different hazard profile, which is exactly why I assess manufacturing readiness for humanoids so carefully.
My humanoid hazard register uses 12 categories. Here they are with an example hazard and the typical risk reduction for each:
| Category | Example Hazard | Typical Risk Reduction |
|---|---|---|
| Mechanical contact | Crushing between arm and fixture | Speed and force limiting, minimum clearances |
| Fall and stability | Robot topples during power loss | Controlled crouch on fault, fall-zone clearance |
| Bipedal balance loss | Slip on wet floor mid-stride | Surface limits in use spec, gait fault detection |
| Battery and thermal | Lithium battery thermal runaway | Charging zone controls, cell monitoring, fire response plan |
| Electrical | Contact with live parts during service | Lockout/tagout procedure, insulated access points |
| Navigation and perception | Failure to detect a kneeling worker | Sensor redundancy, restricted travel paths |
| Collaborative contact | Impact during shared-task handover | Speed and separation monitoring, monitored standstill |
| Manipulation and payload | Dropped tote onto foot | Grip force monitoring, payload limits, exclusion zone |
| Software and control | Unexpected motion after software update | Update validation procedure, re-commissioning checks |
| Cybersecurity | Unauthorized remote command access | Network segmentation, access controls per ISO 10218:2025 |
| Environment | Operation on ramps or uneven floors | Defined operating envelope, floor condition checks |
| Decommissioning | Stored energy release during teardown | Discharge procedure, battery removal and disposal plan |
Note that stability for dynamically balanced machines is an active standards gap. ISO/WD 25785-1, covering robots with actively controlled stability that could become unstable without power, is still a working draft (ISO, 2026). Until it publishes, your ISO 12100 risk assessment is the document that has to carry that weight.
What Does a Complete Hazard Register Entry Look Like?
Every entry in an ISO 12100 risk assessment template must let an auditor reconstruct your reasoning years later. Each row needs: a unique hazard ID, life phase, hazard category and description, persons exposed, initial severity and probability scores, and the resulting rating. It also records the chosen risk reduction measures mapped to the 3-step hierarchy, residual scores, the residual rating, an owner and a status.
Here’s a worked example for the highest-stakes humanoid hazard:
HAZ-014. Phase: operation. Category: bipedal balance loss. Hazard: robot loses balance during locomotion and falls onto an operator working nearby. Exposed: operators, maintenance staff. Initial estimate: severity 4 (major injury), probability 4 (likely with shared floor space), score 16, rating Critical, action stop. Risk reduction: step 1, gait planner limits walking speed near personnel; step 2, fall-zone clearance of one robot height plus reach is enforced around travel paths, and monitored standstill triggers when a person enters the zone; step 3, floor markings and operator training on approach rules. Residual estimate: severity 4, probability 2, score 8, rating Medium, action reduce and monitor. Owner: cell safety engineer. Status: accepted, review at next process change.
Notice what the entry does not do. Severity stays at 4, because a falling humanoid can still cause major injury if every safeguard fails at once. Only probability drops, from 4 to 2, because the fall-zone clearance and monitored standstill make exposure far less likely. Auditors are rightly suspicious of assessments where severity conveniently falls after a procedural control.
The terminology matters too. ANSI/A3 R15.06-2025, the US adoption of the revised ISO 10218, replaced “safety-rated monitored stop” with “monitored standstill” (The Robot Report, 2025). Use the current term so your register matches the standards an auditor will check it against.
Who Signs Off Residual Risk and How Do You Document It?
Residual risk acceptance is a decision, and decisions need named owners. Every Medium or higher residual rating in my template carries three fields: the name and role of the person accepting the risk, the date of acceptance, and the justification referencing the measures applied. “Engineering” is not an owner. “J. Meier, Cell Safety Engineer, 2026-06-11” is.
I recommend a two-tier sign-off. The assessing engineer signs each register entry. A responsible manager, typically the EHS lead or plant manager, signs the assessment as a whole, confirming the team, the scope and the method. That second signature is what stands up in an incident investigation.
The document also needs a revision history table: version, date, author, summary of changes, approver. Risk assessments are living documents. A new end effector, a software update, a changed travel path or a near miss all trigger a review, and the revision history proves to an auditor that the reviews actually happened. Given that the National Safety Council puts the average cost of a work-related death at $1,460,000 (NSC Injury Facts, 2023), the few hours a disciplined review cycle costs are cheap insurance.
The ISO 12100 risk assessment template in my Robot Safety Documentation Toolkit ships with the sign-off block, revision history table and the 40-hazard pre-populated register built in, so the audit trail exists from day one.
How Does the Risk Assessment Connect to the EU Technical File?
Under Regulation (EU) 2023/1230, the risk assessment is not an internal nicety. It’s a required part of the technical documentation a manufacturer must hold before affixing the CE marking, and the regulation applies in full from 20 January 2027, replacing the Machinery Directive 2006/42/EC (EUR-Lex, 2023).
In practice, the connection runs in both directions. The essential health and safety requirements of the regulation tell you which hazards you must address, and your ISO 12100 register documents how each one was identified, estimated and reduced. If you integrate a robot into a cell, you may take on manufacturer obligations yourself, a trap I cover in my EU Machinery Regulation 2023/1230 checklist.
My advice: structure the register so each entry can be traced to the relevant essential requirement. When a market surveillance authority or notified body asks how you addressed a specific requirement, you point to the hazard IDs that cover it. That cross-reference column takes ten minutes to add and saves days during conformity assessment.
Frequently Asked Questions
Is an ISO 12100 risk assessment legally required?
The standard itself is voluntary, but the obligations it satisfies are not. The EU Machinery Regulation 2023/1230, applying from 20 January 2027, requires a documented risk assessment in the technical file, and following ISO 12100 is the recognized way to meet that requirement for robot systems (EUR-Lex, 2023).
How often should I update a robot risk assessment?
Review it whenever anything material changes: new tasks, new end effectors, software updates, layout changes, new personnel exposure or any incident or near miss. I also recommend a scheduled annual review even without changes. Record every review in the revision history, because an unchanged date is what auditors notice first.
Does ISO 12100 cover collaborative robot applications?
ISO 12100 provides the general methodology, while application-specific requirements live in type-C standards. Since February 2025, most requirements of ISO/TS 15066:2016 on collaborative applications are incorporated into ISO 10218-2:2025 (Robotics Tomorrow, 2025). You apply both: 12100 for the process, 10218-2 for the limits.
What is the difference between a hazard and a risk?
A hazard is a potential source of harm, such as a humanoid robot losing balance near an operator. Risk combines the severity of the possible harm with the probability of it occurring. The 5×5 matrix exists to turn each identified hazard into a comparable risk score that drives action.
Is ISO 12100 being revised?
Yes. A revision is under development as ISO/DIS 12100.2 (ISO, 2026). The current published edition remains ISO 12100:2010, so base your ISO 12100 risk assessment template on it today, then schedule a gap review of your register and method when the revised edition is published.
Where to go next: this procedure is one of six documents every humanoid deployment needs. I map all of them, in the order auditors expect, in the Robot Safety Documentation Guide 2026.
This article is for informational purposes only and does not constitute legal, regulatory or professional safety advice. Have your completed risk assessment reviewed by a competent person.
Sources
- ISO 12100:2010, Safety of machinery, General principles for design, Risk assessment and risk reduction: https://www.iso.org/standard/51528.html
- ISO/DIS 12100.2 (revision under development): https://www.iso.org/standard/88578.html
- ISO 10218-1:2025, Robotics, Safety requirements, Part 1: Industrial robots: https://www.iso.org/standard/73933.html
- ISO 10218-2:2025, Robotics, Safety requirements, Part 2: Industrial robot applications and robot cells: https://www.iso.org/standard/73934.html
- ISO/WD 25785-1, Safety requirements for dynamically stable industrial mobile robots: https://www.iso.org/standard/91469.html
- Regulation (EU) 2023/1230 on machinery, EUR-Lex: https://eur-lex.europa.eu/eli/reg/2023/1230/oj/eng
- NIOSH, Robotics in the Workplace: An Overview: https://www.cdc.gov/niosh/robotics/about/index.html
- Layne LA, Robot-related fatalities at work in the United States, 1992-2017, American Journal of Industrial Medicine, 2023: https://onlinelibrary.wiley.com/doi/10.1002/ajim.23470
- A3 via Robotics Tomorrow, Updated ISO 10218 now available, February 17, 2025: https://www.roboticstomorrow.com/news/2025/02/17/updated-iso-10218-major-advancements-in-industrial-robot-safety-standards-now-available/24182
- The Robot Report, Updated ANSI/A3 standards address industrial robot safety, September 12, 2025: https://www.therobotreport.com/updated-ansi-a3-standards-address-industrial-robot-safety/
- National Safety Council, Injury Facts, Work Injury Costs: https://injuryfacts.nsc.org/work/costs/work-injury-costs/
Ulrich Baldauf is the founder of There’s A Robot For That, covering humanoid robotics for manufacturing and industrial operations. He has tracked the humanoid robot sector since 2024, with a focus on safety standards (ISO 10218, EU Machinery Regulation 2023/1230) and what deployments mean for operations and EHS teams. Connect on LinkedIn: linkedin.com/in/ubaldauf
