1. Overview

1.1. Product Safety vs. Workplace Safety

The persistent confusion surrounding risk assessment documentation—specifically, the debate over whether national operational health and safety (H&S) assessments, such as Method Statements, could possibly substitute for the rigorous design risk assessments (Design RA) required by European Union (EU) law—stems from a critical misunderstanding of the EU’s regulatory structure. This framework is constructed upon two distinct, yet complementary, pillars of legal duty: the Product Safety framework and the Workplace Safety framework.1

The Product Safety framework, anchored by the Machinery Directive (2006/42/EC), imposes obligations on the manufacturer to ensure the inherent safety and design integrity of the machinery before it is placed on the market. This duty is non-negotiable and requires a detailed, documented Design RA conforming to harmonised standards like EN ISO 12100. Compliance is a prerequisite for achieving the mandatory CE Marking.

Conversely, the Workplace Safety framework, derived from directives such as the Use of Work Equipment Directive (2009/104/EC) and implemented through national legislation (like Spain’s Prevención de Riesgos Laborales or PRL), imposes distinct obligations on the employer or user. The employer must assess the risks arising from hazards at work and establish safe systems of work for the machinery’s operation. This creates a fundamental bifurcation of legal duties: the manufacturer is responsible for the inherent safety of the machine itself, while the employer is responsible for the safe environment and system of work in which that machine is deployed.

1.2. Failure and the interchangeability of the two methods

Attempts to interchange a manufacturer’s legally mandated Design RA with an employer’s operational risk assessment (Operational RA) or Method Statement are fundamentally flawed and lead directly to legal non-conformity. The Design RA is a technical, engineering document that proves the machinery meets the Essential Health and Safety Requirements (EHSRs) and justifies the CE Marking, thereby granting legal market access. The Operational RA or Method Statement, however, is a procedural document designed solely to manage residual risks—those hazards that could not be eliminated by design and remain once the machinery is put into use.

2. Manufacturer Responsibility and Product Safety (The Design Assessment)

2.1. The Mandate of the EU Machinery Directive (2006/42/EC)

The EU Machinery Directive establishes the legal requirement that governs machinery design and manufacture across the European Economic Area. Article 1 of the Directive mandates that every manufacturer or authorised representative must carry out a risk assessment to determine the specific health and safety requirements applicable to the machinery. This assessment is compulsory and must be completed before the machinery is legally placed on the market or put into service.

This requirement is not procedural but foundational. The resulting documented assessment is a crucial component of the manufacturer’s Technical File. The ability to affix the CE mark—a legal necessity for all products sold within the EU—demonstrates that the minimum requirements of all applicable directives, including the Machinery Directive, have been met. Without a documented, compliant Design RA, the Technical File is incomplete, the CE Marking is unlawfully affixed, and the product is considered non-compliant.

2.2. The Definitive Standard: EN ISO 12100:2010 (Safety of Machinery)

EN ISO 12100 (Safety of machinery — General principles for design — Risk assessment and risk reduction) serves as the primary harmonised standard for meeting the EHSRs of the Machinery Directive. Adherence to EN ISO 12100 provides manufacturers with a “presumption of conformity” with the Directive’s requirements, offering a clear legal path to compliance.

Methodology and the Iterative Design Process

The core requirement of EN ISO 12100 is that the risk assessment must be carried out during the design process. This timing is critical, as making design changes later during manufacturing is often time-consuming and cost-intensive. The standard outlines a logical, iterative procedure for machinery hazard analysis:

  1. Determination of the limits of the machinery (e.g., maximum load, speed, intended function).
  2. Hazard identification (e.g., mechanical, electrical, thermal hazards).
  3. Risk estimation (determining likelihood and severity).
  4. Risk evaluation (deciding if the risk is acceptable).
  5. Application of protective measures, followed by a reassessment of the reduced risk until an acceptable level is achieved.

Distinction between Hazard and Risk (The Fundamental Technical Gap)

A key conceptual gap often exploited by those attempting to substitute assessments lies in the precise definitions used by EN ISO 12100.

  • Hazard (ISO 12100 definition): A potential source of harm, considered an inherent characteristic or property of the machinery (e.g., a crushing point, high acceleration/deceleration, or hot surface).
  • Risk (ISO 12100 definition): The combination of the likelihood and the severity of injury or damage to health resulting from that hazard.

The Design RA is therefore an engineering analysis of the machine’s intrinsic properties, addressing safety throughout its entire lifespan—from transport and installation to operation and dismantling. It also accounts for reasonably foreseeable misuse.

2.3. The Hierarchy of Risk Reduction

The most significant distinction between the Design RA and the Operational RA lies in the Hierarchy of Risk Reduction mandated by EN ISO 12100. The manufacturer’s legal duty is to apply protective measures in a fixed, three-step order:

  1. Inherent Safety by Design: Hazards must be eliminated or risks reduced through design with the implementation of permanent protective measures (e.g., replacing pinch points with guarded mechanisms).
  2. Safeguarding and Complementary Protective Measures: If elimination is impossible, risks must be reduced using technical guards, interlocks, safety systems (e.g., E-stops, light curtains), and protective devices. These measures have a slightly higher risk of being bypassed and/or circumvented and they must be implemented once the inherently safe design measures (step 1) are in place.
  3. Information for Users: Only once inherent design and technical safeguarding have been exhausted are warnings, instructions, and training requirements provided.

The manufacturer’s obligation is to exhaust Steps 1 and 2. An Operational RA or Method Statement focuses almost entirely on the application of Step 3—procedural controls, training, and documentation of safe operating practices. If a design flaw exists (a failure in Step 1 or 2, or does not provide enough information to develop Step 3), the manufacturer has breached their primary legal duty. No amount of operational documentation or rigorous training procedures detailed in a Method Statement can retroactively satisfy the manufacturer’s obligation to engineer the risk out of the machine.

3. Employer Responsibility and Workplace Safety (The Operational Assessment)

3.1. The Use of Work Equipment Directive (UWED) and its Role

The second regulatory pillar governs the user phase. The UWED, implemented nationally, imposes responsibilities on the employer to ensure a safe workplace. This means employers must provide a working environment free from serious hazards, ensure employees use safe equipment, maintain that equipment, and, crucially, establish operating procedures.

The employer’s Operational Risk Assessment (Operational RA) evaluates risks arising from hazards at work. This assessment is contingent on the specific setting, the surrounding environmental conditions, the workers involved, and the precise tasks being performed.

3.2. National Implementation Models: The Example of Spain’s Prevención de Riesgos Laborales (PRL)

National systems, such as Spain’s Ley de Prevención de Riesgos Laborales (PRL), exemplify how the UWED is applied. The PRL framework requires detailed workplace hazard prevention that extends far beyond the machine’s technical specifications.

A PRL assessment focuses heavily on organizational and environmental factors that affect the worker’s safety interface with the machine. For instance, the assessment must address ergonomics, such as the manual handling of loads.

This scope highlights the fundamental contrast: while the manufacturer’s Design RA (EN 12100) concentrates on the intrinsic mechanical integrity, functional safety and electrical safety required to prevent immediate injury from machine failure (e.g., crushing or entanglement), the PRL assessment focuses on the long-term, cumulative health risks and site-specific operational hazards associated with using the equipment in a commercial environment.

3.3. Task-Specific Control: Risk Assessment Method Statements (RAMS)

In high-risk sectors, such as construction and, relevantly, the entertainment industry, the Operational Risk Assessment is formalised through Risk Assessment Method Statements (RAMS). A Method Statement is a detailed safety document that outlines the step-by-step method workers must employ to carry out a specific high-risk job safely.

Relationship to Operational RA

A Method Statement functions as the practical execution plan for the Operational RA. It identifies potential hazards related to the task and outlines the specific safety precautions and control measures required by the employer and the workers. These documents are complementary: the risk assessment must always be conducted first to identify the hazards, and the Method Statement then expands upon the control measures, detailing how, when, and why they should be implemented.

The Critical Requirement to Incorporate Technical Data

Although Method Statements are often not a strict legal obligation themselves, they fulfil the legal requirement for the employer to provide information, instruction, and training. However, the reliability of the RAMS is entirely predicated on the quality of the manufacturer’s documentation. Employers have a duty to comply with safety legislation, and this includes following the manufacturer’s guidance and instructions. The Operational RA/RAMS must be constructed upon the residual risks and defined operating limits provided in the manufacturer’s Technical File (the output of the EN 12100 process).

If the manufacturer provides a deficient or non-existent Design RA/Technical File, the employer cannot accurately assess the foundational hazards or define safe operating limits (e.g., maximum speed, instruction manual). This missing data prevents the employer from fully satisfying their own H&S duty to assess operational risks, creating a critical vulnerability in the safety system.

4. Why Operational Assessments Cannot Substitute Design Assessments

The disparity between the Design RA and the Operational RA is not just semantic; it reflects differences in scope, timing, technical focus, and legal authority.

4.1. Comparison of Scope and Timing

The Design RA, defined by EN 12100, is prospective and focuses on the elimination of hazards during the technical realisation of the machine. It is performed early in the machine’s lifecycle. Its scope encompasses the machine’s inherent design integrity, component selection, materials science, and systems analysis.

The Operational RA (RAMS/PRL) is contingent and occurs immediately prior to use or during scheduled tasks and maintenance. Its scope is limited to the specific task, the environment (e.g., site access, illumination), the skill of the operator, and the potential for temporary site obstructions. While the Operational RA includes hazard identification of workplace conditions, it cannot examine the fundamental engineering choices made years prior.

4.2. Analysis of Risk Metrics (Inherent Hazard vs. Behavioral Likelihood)

EN 12100 is designed to drive objective hazard elimination through engineering measures. When estimating residual risk, the manufacturer relies on quantifiable metrics such as component failure rates and safety system performance levels (e.g., Performance Level (PL) or Safety Integrity Level (SIL)). Placement and number of ESTOPs and other safety functions required to reduce the risk of the machinery.

The Operational RA, conversely, must incorporate factors that are often highly subjective or transient, such as operator competence, fatigue, environmental changes, or the specific organization of the work task.

The fundamental regulatory distinction here is that the operational calculation of likelihood (in the Operational RA) relies entirely on the Design RA’s effectiveness. If the Design RA failed to provide adequate functional safety redundancy (an engineering failure), the true likelihood of a catastrophic accident occurring during operation is far higher than the employer might assume when basing their RAMS solely on procedural compliance and training.

4.3. Essential Safety Requirements (EHSRs) vs. Procedural Checks

The required documentation for a Design RA under the Machinery Directive focuses on proving compliance with the detailed EHSRs found in Annex I. This involves technical calculations, strength reports, component certifications, and, critically, documentation detailing the functional safety architecture, including PL/SIL calculations for safety-related control systems.

Operational documentation, conversely, focuses on logistics: documenting training attendance, defining the sequence of work, establishing permits-to-work, and checking the daily readiness of safety features (e.g., “E-stop checked”) and also check that inspections and maintenance are performed according to manufacturer specifications.

The critical technical disconnect is that an operational checklist verifying “E-stop checked” does not confirm whether the underlying E-stop circuit meets the legally required Performance Level (PL) for the identified risk, or the number of ESTOPs required or the placement of those buttons. This PL/SIL data, which certifies the integrity and reliability of the safety function under fault conditions, resides exclusively within the Design RA Technical File. Without the Design RA, there is no technical proof that the safety mechanism itself is compliant. The Operation RA only checks that it was verified to be functional at the start of the shift.

Comparison of Machinery Design Risk Assessment (EN 12100) vs. Operational H&S Risk Assessment

Criterion EN ISO 12100 (Design RA) National H&S RA/Method Statement (Operational RA)
Responsible Party Manufacturer/Authorised Representative Employer/User
Governing Legislation EU Machinery Directive (CE Marking, Product Safety) UWED, National H&S Laws (e.g., PRL)
Timing in Lifecycle Design and Construction Phase (Pre-market, Modification) Use Phase (Pre-task, Periodic, Post-Modification)
Primary Objective Inherent Hazard Elimination and Risk Reduction through Engineering Establishing Safe Systems of Work and Procedural Controls
Methodology Focus Technical, Engineering, Systems Analysis, ESHRs, Failure Modes Organizational, Behavioral, Environmental, Specific Task Sequence
Consequence of Failure Product Non-Conformity, Market Withdrawal, Product Liability Workplace Accident, Breach of Employer Duty, HSE Enforcement

5. Consequences of Substituting EN 12100 Documentation

The legal consequences for a manufacturer who substitutes the mandatory EN 12100-compliant Design RA with an operational assessment are significant and far-reaching, transforming non-compliance into corporate and personal liability.

5.1. Market Surveillance, Fines, and Non-Conformity

Regulatory government agencies and market surveillance authorities actively monitor compliance with CE requirements. They possess the authority to demand the manufacturer’s Risk Assessment documentation and Technical File at any time, a process often supported by customs, particularly for imported machines.

If an authority discovers that the mandated Design RA is unavailable or fundamentally non-compliant (e.g., merely substituting a Method Statement), this constitutes an administrative offense. In jurisdictions like Germany, national legislation enforcing the Directive (such as the German Product Safety Act, ProdSG) authorises fines for failure to provide required documentation. Furthermore, non-compliance can result in market withdrawal or a ban on trade.

5.2. Liability in Accident Litigation

In the event of a serious accident involving machinery, the manufacturer’s liability insurance company will immediately request the Technical File. Legal precedents strongly indicate that if the manufacturer cannot produce a compliant Design RA, they are highly likely to be held liable for damages. This outcome stems from the legal assumption that if a proper risk assessment, following EN ISO 12100 guidelines, had been correctly executed, the underlying design cause of the accident would have been identified and eliminated during the engineering phase.

The manufacturer’s inability to demonstrate that they completed Steps 1 and 2 (also provided enough information for Step 3 to be implemented) of the Hierarchy of Risk Reduction (inherent design safety and technical safeguarding) shifts the burden of proof heavily against them, supporting a claim of product defect or failure to comply with EHSRs. Beyond corporate liability, responsible individuals within the manufacturing firm, such as technical directors or compliance managers, risk being held personally liable due to findings of gross negligence or intent in bypassing mandatory safety procedures.

5.3. Modification and Liability Shift

A significant factor in machinery liability, especially in dynamic industries like entertainment, involves modification. When machinery that has already been placed on the market is technically changed, the party performing that modification may assume the legal role and liability of the manufacturer for the resulting assembly.

This means if an end-user, such as a large production company or venue, substantially modifies a standard piece of machinery (e.g. a winch system) for a new purpose or installation, they effectively become the “new manufacturer.” They are thus obligated to perform a new Design Risk Assessment under EN 12100 for the modified system and affix a new CE mark if required. If this new manufacturer substitutes the required Design RA with only an internal operational Method Statement (Operational RA), they expose themselves to the full range of product safety liability consequences, including fines and personal accountability for design failure.

Consequences of Substituting EN 12100 Documentation and Liability Allocation

Party at Risk Legal Failure Primary Consequence Source/Legal Basis
Manufacturer Failure to produce mandatory Design RA documentation High Fines, Market Withdrawal, Non-Conformity ProdSG, Market Surveillance Authorities
Manufacturer Failure to eliminate hazards in design Product Liability for Damages (Presumed Negligence) Case Law based on Directive requirements
Manufacturer Personnel Conscious failure to certify safe design Personal Criminal/Civil Liability Gross Negligence/Intent
Employer/User Failure to utilise manufacturer’s guidance Inadequate Operational Risk Assessment (H&S Breach) UWED Implementation, National H&S Laws
Employer/User (Post-Modification) Failure to perform new Design RA for modification Assumes Manufacturer Liability for New Assembly Machinery Directive, Article 1

6. Stage Machinery Examples

The entertainment industry provides stark examples where the distinction between Design RA and Operational RA is life-critical, often involving high dynamic loads and operation over performers or the public. In these environments, the severity component of the risk calculation is maximised, magnifying the consequences of a substitution error.

6.1. Case Study 1: Automated Stage Flying Systems (Performer Flying)

Automated stage flying systems fall unequivocally under the Machinery Directive.

Design Focus (EN 12100 Design RA): The manufacturer’s Design RA must demonstrate technical compliance with functional safety requirements, calculating the required Safety Integrity Level (SIL) or Performance Level (PL) for the system’s safety-related control parts. The Design RA must prove, through engineering analysis, that inherent design features (e.g., dual braking systems, cable redundancy, strength calculations against mechanical hazards like acceleration/deceleration) prevent single faults from resulting in injury. For networked systems, the Design RA must also address cybersecurity measures to prevent unauthorised access or data corruption (CRA applies on September 2026).

Operational Focus (RAMS): The employer’s Method Statement is focused on task-specific procedures: daily functional testing, defining the specific maximum payload for the current performance, securing the working envelope, defining crew communication protocols, and ensuring the specific operator has the required role-specific training.

The Substitution Failure: Suppose an accident occurs because a limit switch failed, causing the system to drive beyond its safe limits. If the manufacturer attempts to use the operational Method Statement as proof of safety, this fails. The Operational RA only proves the operator followed procedure. The underlying technical failure—the limit switch failure—was a design failure if the component selection (e.g., failing to select a component meeting the required PL) was deficient. The manufacturer is held liable for failing their Design RA duty, regardless of the quality of the RAMS.

6.2. Case Study 2: Lifting Loads Over People’s Heads (Trussing and Scenery)

Lifting equipment is specifically regulated, given the high severity of potential consequences.

Design Focus (EN 12100 Design RA): The first step in the Design RA is determining the machinery’s limits, such as the maximum working load and duty cycle. The Design RA must contain engineering justification for the structural components (hoist, lifting points) to ensure appropriate safety factors are maintained even under dynamic loads. This analysis guarantees the inherent technical capability of the equipment itself. For installations, the Design RA of the whole installation including the selection of all the parts will be subject to an assembly of machinery and an installation under EN 17206.

Operational Focus (RAMS): The employer’s Method Statement defines the system of work for the rigging operation: calculating the specific load, establishing exclusion zones beneath the load, defining the attachment process, and ensuring only certified personnel operate the controls. This Operational RA must explicitly operate within the limits defined by the manufacturer’s Design RA.

The Substitution Failure: If a lifting eye fails catastrophically due to insufficient material integrity or a welding defect, the operational Method Statement (Operational RA) is irrelevant. The Operational RA proves the rigger followed the procedure; it does not attest to the integrity of the design. The manufacturer is exposed to product liability because their Design RA failed to identify and eliminate the mechanical hazard in the design phase.

6.3. Case Study 3: Modification of Machinery for Tour/Show Needs (The Manufacturer/User Identity Crisis)

Many production companies customise equipment extensively. Consider a standard automated stage deck lift purchased from Manufacturer A. A touring production company (User B) adds custom rail guides, position sensors, and integrates it into a new, complex show control system.

The Liability Shift: By performing these technical changes, User B has created a modified machine or a new assembly. Under the Machinery Directive, User B assumes the liability of the manufacturer for the resulting assembly and must perform a new Design Risk Assessment (Design RA) under EN 12100 for the entire integrated system.

The Danger of Substitution: If User B attempts to satisfy this Design RA obligation by merely updating their operational Method Statement (Operational RA) for using the modified deck, they have committed the substitution error. If the modification (e.g., a sensor integration error or custom rail failure) causes an accident, User B is now directly subject to the fines and liabilities imposed on manufacturers for failing to produce a compliant technical file, potentially exposing their responsible personnel to personal liability for design failure.

7. Strategic Recommendations and Path Forward

The analysis conclusively demonstrates that the Design Risk Assessment (Design RA) required by EN ISO 12100 under the Machinery Directive and the Operational Risk Assessment (Operational RA) or Method Statement required by national H&S laws are non-interchangeable legal prerequisites that must co-exist to ensure full compliance.

7.1. Guidance for Machinery Manufacturers (Ensuring Airtight Technical Files)

Manufacturers must recognise that the Design RA is not merely administrative but is the primary engineering safeguard against product liability.

  • The Design RA must be executed according to the iterative structure of EN ISO 12100: defining limits, rigorous hazard identification (including foreseeable misuse), and risk evaluation.
  • Documentation must explicitly cover Steps 1 and 2 of the risk reduction hierarchy, detailing how inherent design measures and technical safeguarding (e.g., functional safety requirements, PL/SIL levels) were achieved.
  • Manufacturers must not confuse the required warnings and operational instructions (Step 3 of the hierarchy) with the mandatory technical justification contained within the Technical File (Steps 1 and 2).

7.2. Guidance for End-Users and Venues (Integrating Design RA Data into H&S Systems)

End-users, particularly those in high-consequence industries like entertainment, must treat the manufacturer’s Design RA as essential foundational data for their own compliance efforts.

  • Due Diligence: Demand the compliant EN 12100 Risk Assessment documentation (the portion of the Technical File that verifies conformity) as a non-negotiable condition of purchase for all regulated machinery.
  • Informed Operational RA: The Operational Risk Assessment (RAMS) must explicitly reference and utilise the manufacturer’s data on residual risks, defined safe operating limits, and mandatory protocols. This ensures that the system of work is aligned with the machine’s certified design limitations.
  • Managing Modifications: Any technical alteration to the machine that changes its design limits, function, or integrated safety systems must trigger a new Design RA, placing the liability of a new manufacturer onto the party performing the modification. Relying on a Method Statement alone in this situation is a high-risk liability strategy.

Conclusion

The Design Risk Assessment conducted under EN ISO 12100 is a mandatory product safety mechanism that verifies the machinery is engineered safely to enter the market. The Operational Risk Assessment, including Method Statements, is a workplace safety mechanism that ensures the machine is used safely in a specific environment by defining procedural controls. These two assessments address separate legal duties—the manufacturer’s product liability and the employer’s H&S duty. Treating them as interchangeable is a fundamental breach of product safety law that leaves manufacturers, users and venues exposed to liability in the event of an accident attributed to a design failure.