ATEX-HOF Methodology: Innovation Driven by Human and Organizational Factors (HOF) in Explosive Atmosphere Risk Assessment

: ATEX (explosive atmosphere) risk assessment is required when any equipment or system could generate a potentially explosive atmosphere. Despite the fact that many operations on plants and equipment containing dangerous substances are performed by operators, inﬂuences of human and organizational factors (HOF) are mostly neglected in the ATEX risk assessment. The integrated methodology described here is proposed to address two challenges: (1) identiﬁcation of the HOF inﬂuence on the ATEX risk assessment, and (2) quantiﬁcation of the HOF inﬂuence. The proposed methodology enriches the traditional ATEX risk assessment procedure, which consists of four steps: (1) area classiﬁcation, (2) ignition source identiﬁcation, (3) damage analysis, and (4) ATEX risk evaluation. The advantages of the ATEX-HOF methodology are demonstrated through the application to a paint mixing station in an automotive manufacturing plant. The ATEX risk assessment methodologies are mainly semi-quantitative. The ATEX-HOF methodology provides a quantitative analysis for the area classiﬁcation and ignition source identiﬁcation, and a semi-quantitative approach for the damage analysis. As a result, the ATEX-HOF risk evaluation becomes more accurate. An event tree-based probabilistic assessment has been introduced, considering both the technical barrier failure (Pr tbf ) and the human intervention in terms of human error probability (HEP). The case study allowed for demonstrating how taking HOFs into account is particularly important in companies where the safety culture is lower and consequently, the usual hypothesis of the correctness of operator intervention (in maintenance, normal operations, and emergency) could bring to non-conservative results.


Introduction
In Europe, the risk of explosive atmosphere has to be evaluated and managed according to the explosive atmosphere (ATEX) directive [1], whenever an equipment or system could generate a potentially explosive atmosphere due to the release of flammable gas or vapors or combustible dust during normal operations or in case of predictable failure.
The risk assessment methodology is used for risk-based decision making in process plants as the hazard identification techniques, such as HazOp and fault tree analysis [2][3][4], or even the decision analysis [5][6][7], are not used for the purpose of ATEX because they are too complex and detailed. For this reason, different ATEX risk assessment methodologies were developed to fulfil the directive requirements. Among others, Markowski [8] proposed the ExLOPA (Explosion Layer of Protection Analysis) methodology, which is based on the original approach of CCPS (Center for Chemical Process Safety) [9] for LOPA (level of protection analysis). Within the European Union (EU) Project RASE (Explosive Atmosphere: Risk Assessment of Unit Operations and Equipment) (2000) "Explosive Atmosphere: Risk Assessment of Unit Operations and Equipment", a methodology for the risk assessment of unit operations and equipment to be used in potentially explosive atmospheres was proposed. Cavaliere and Scardamaglia [10] and Cavaliere [11] developed a methodology for the ATEX risk assessment that fulfils the requirements of both ATEX Directive 94/9/EC and the related standards. The proposed approach builds on the methodology proposed by Cavaliere, made of four steps: (1) zone classification, (2) ignition source identification, (3) damage analysis, and (4) ATEX risk assessment.
The area classification depends on the probability of the formation of a potentially explosive atmosphere in a given area and on the available barriers to flammable substance persistence in the work environment. Thus, the different pieces of equipment from which a release could occur are considered, e.g., leakage from pipe or fittings connection, together with the operations that could generate a gas or dust emission in the work environment, e.g., emptying bags into hoppers.
Then, the ventilation is considered in terms of effectiveness and availability. For both the aspects, the effects of the operations, that the plant operators could perform on them as inspection, maintenance, etc., are not explicitly taken into account. This means that any manual operation is considered as correctly carried on.
The possible shortcomings deriving from the human and organizational factors overlooked in the ATEX analysis have been identified during the FP7 Marie Curie ITN InnHF project (Innovation Through Human Factors in risk analysis and management), during which several surveys were submitted to different companies to identify the industrial praxis related to the human factor analysis, the perceived shortcomings related to their omission, and the need for integrated methodologies able to analyze them jointly with the technical aspects. From the surveys, it emerged how the strong influence of the maintenance activities on the operations that could affect the safety of the plants and equipment, including ATEX, could not be correctly represented by the traditional risk assessment methodologies, resulting in an unrealistic risk estimation and related decision making. The problem has not been addressed in other studies before. This paper will thus present a methodology to explicitly consider the HOF within the ATEX risk assessment. Different techniques are available in the literature to quantitatively assess the human error probabilities. Previous studies from the same authors [12,13] compared the task-dominant approach to the HOF-THERP (the technique for human error rate prediction [14]), and the cognition-dominant approach-CREAM (cognitive reliability and error analysis method [15]), associated to the fuzzy tool for the quantification. The results showed that CREAM with the fuzzy application meets the need for a simple, rapid, but effective tool. In this study, a dedicated tool was developed to apply FUZZY CREAM, based on the cognitive reliability and error analysis method (CREAM) [16]. The method, initially qualitative, was designed for different types of industries. Then, Konstandinidou et al. [16] introduced FUZZY CREAM as a complementary methodology to quantitatively assess human error probability (HEP), further applied as an example in Marseguerra et al. [17] and Monferini et al. [18].
The paper is thus organized as follows: Section 2 is devoted to the description of the integrated methodology developed. The application to the risk assessment of a paint mixing station in an automotive manufacturing plant and the related results are detailed in Section 3. Methodological conclusions are then discussed in Section 4.

Fuzzy Cognitive Reliability and Error Analysis Method (CREAM)
The fuzzy CREAM method [16] is used to evaluate the probability of human error on the base of the interactions between person-related, technology-related, and organization-related factors. Formally, a fuzzy set A defined in a universe of discourse X is expressed by its membership function A: X→ [0,1], where the degree of membership A(x) expresses the extent to which x fulfills the category described by A. The condition A(x) = 1 denotes all the elements that are fully compatible with A. The condition A(x) = 0 identifies all elements that definitely do not belong to A.
In fuzzy sets, the meaning of the set theory predicate '∈' (element of) is extended accepting a partial membership in a set. The basic operations can be defined as: where x∈X. A fuzzy model requires that the input variables undergo three major elaborations before an output is obtained: fuzzification, fuzzy inference, and defuzzification. Fuzzification is the process of decomposing system input variables into one or more fuzzy sets. Fuzzy inference consists in the development of a set of if-then-else rules, used to process the inputs and produce a fuzzy output. Each rule consists of a condition and an action where the condition is interpreted from the input fuzzy set and the output is determined on the output fuzzy set. Defuzzification is the process of weighting and averaging the outputs from all the individual fuzzy rules into one single output decision or signal. The output signal eventually exiting the system is a precise, defuzzified, crisp value.
In the FUZZY CREAM methods [16], the common performance conditions (CPCs) are used as input values to determine the control mode an operator can have in each working situation and consequently, to assess the probability of a possible error. The CPCs, listed in Table 1, consider the working condition, the organizational condition, and the worker's condition, e.g., in terms of adequacy of training and experience.
Each CPC is divided in three or four subsets. The subsets are described by triangular membership function, as in Figure 1. Each subset can have a different effect on the probability of error: improve, reduce, or not significant.  The FUZZY CREAM output is divided in different levels, representing the levels of control, or control modes, that an operator has in each working context: strategic, tactical, opportunistic, and scrambled control. Output variables are also described through triangular membership function, as shown in Figure 2. Human error probability ranges can be applied to the control mode obtained as output of the FUZZY CREAM, as described in the literature [16] and summarized in Table 2.

Level/Descriptors
Human Error Probability Ranges Input and output variables are correlated through 46,656 rules, type "if then". An example is shown in Table 3. The rules are elaborated according to the fuzzy inference procedure, as described in Reference [16]. Table 3. Example of fuzzy inference rule.
"IF Adequacy of Organization is "very efficient", AND Working Conditions is "advantageous", AND Adequacy of Man-Machine Interface (MMI) and Operational Support is "supportive", AND Availability of Procedures/Plans is "appropriate", AND Number of Simultaneous Goals is "fewer than capacity", AND Available Time is "adequate", AND Time of Day (Circadian Rhythm) is" unadjusted Night-time", AND Adequacy of Training and Experience is "adequate with high experience", AND Crew Collaboration Quality is "very efficient" THEN output is Strategic control mode." The centroid method is used for the defuzzification of the results, converting the fuzzy set resulting from the aggregation into a numerical value to be used to classify a control mode and then obtaining a probability of human error. In particular, the centroid method determines the crisp value of output taking into consideration, in a weighted manner, all influences obtained from the rules activated by the particular state of the inputs at a certain moment. Figure 3 shows the proposed framework for the ATEX risk assessment. As discussed in the introduction section, the semi-quantitative risk assessment relies on four steps: area classification, ignition sources identification, consequence analysis, and risk evaluation. In case the risk should result, tolerable measures for monitoring and awareness are foreseen, while depending on the not tolerable risk level, some intervention indications, in terms of risk mitigation, are summarized in Table 4. The risk level can thus be assessed according to Equation (1):

Explosive Atmosphere (ATEX) Human and Organizational Factors (HOF) Risk Assessment
where, R HOF represents the risk level with the integration of HOF. P HOF represents the probability level of having an explosive atmosphere with the integration of HOF. C HOF represents the probability level of having an ignition source with the integration of HOF. D HOF represents the consequence of having an explosive atmosphere with the integration of HOF. On the basis of the level of risk estimated for each source, relevant decision making on the safety control can be conducted using as a reference the indications summarized in Table 4, as adapted from Cavaliere and Scardamaglia [10,11].
The evaluation of the parameters composing the risk are described in the following sections.

Zone Classification
Four categories are available to classify the area at risk, depending on the probability of occurrences of an explosive atmosphere. According to the relevant standards (IEC60079-10-1: 2015 [19] for gas and vapors and IEC60079-10-2: 2015 [20] for dusts), the areas can be classified as:

•
Zone 0 for the gases or Zone 20 for the dust: area where the explosive atmosphere is expected continuously or for long periods.  Risk mitigation measures must be implemented.

≤ R HOF < 18 Medium
Likely presence of explosion atmosphere and ignition sources can be present and effective.
In case of an explosion, consequences are moderate with marginal damage to personnel and process units. Explosion propagation is likely to be moderate.
Risk mitigation measures should be implemented in a short time interval.

≤ R HOF < 9 Low
The likelihood of the presence of an explosive atmosphere is extremely limited, as well as the presence of effective ignition sources. The exposure level is low, so with limited damage to persons and property.
The probability of propagation of the explosion is to be considered as extremely limited.
Risk mitigation measures should be implemented in a long time interval.

R HOF ≤ 1 Negligible
Likelihood of explosion atmosphere presence is very low, or ignition sources are not present, or they are not effective. There are not consequences to personnel or equipment. Explosion propagation is very unlikely to occur.
Operations should be kept monitored in order to control the risk in this level.
The zone classification is made based on the grade of the release and the effectiveness and availability of the ventilation.
The grade of the release represents the expected frequency at which the flammable gases or combustible dust can be released in the atmosphere. The grade of release is "continue" in case of continuous or long-lasting releases, it is of "primary grade" in case of periodical or occasional releases during normal operations, and it is of "secondary grade" if the release is not expected during normal activity or it is uncommon and for short times. With reference to the dust, it is important to notice that dust layers can also be a source of release.
Once the grade of the release has been assessed, the ventilation, in terms of effectiveness and availability, is considered [21]. The ventilation effectiveness represents the ventilation ability to dilute or remove the potentially explosive cloud in the environment. The ventilation effectiveness can be rated as: high, if the ventilation instantaneously reduces the concentration of the flammable gases or dust below the lower explosive limit, medium, if the ventilation can control the concentration of the potentially explosive atmosphere, and low, if the ventilation cannot control the concentration of the potentially explosive atmosphere.
The ventilation availability is classified as: good, if it is present in continuous, fair, if it is present during the normal activity-infrequent and short-term absence of ventilation is admitted, and poor, not classified otherwise, but with discontinuities not expected for long periods.
The zone classification can thus be carried on according to Table 5, retrieved from CEI (Comitato Elettrotecnico Italiano -Italian Electrotechnical Comity) 31-56 [22], where, depending on the grade of the release, the degree of ventilation, and its availability, the zone classification is obtained.
The above procedure must be applied to all the possible sources of release in the work environment.

The Effect of Human Factor on Zone Classification
As discussed in References [12,13,23], the zone classification procedure, according to the relevant standards, manual operations, e.g., for maintenance, housekeeping, etc., are assumed to be carried on in a safe and correct way. In the real working conditions, the possible operator errors or misbehaviors cannot be completely neglected and they can increase the probability of the occurrence of explosive atmospheres' formation (e.g., connecting areas with different classifications or directly generating potential explosive atmospheres, as rising combustible dust layers with inaccurate housekeeping). The event tree referenced, e.g., in Reference [2], is a bottom-up logical and graphical representation of the event sequences, where, from an initiator event, depending on the proper or improper occurrence of influencing events, all the possible consequences are derived. The event tree can also be used in a quantitative way [9], to evaluate the probability of the occurrence of the possible consequences, starting from the probability of the single events disclosed in the event tree. In Figure 4, the framework of the method is proposed.
The probability of the lack of presence or generation of explosive atmosphere in the area under analysis due to causes other than human and organizational factors constitutes the initiating event. The relevant operational activities that could result in an increase of the likelihood of ATEX formation are then considered. Thus, in the construction of the event tree, the following are considered: the effectiveness of the recovery activity, organizational (procedural activity), or technological (technical system). The effectiveness is evaluated in terms of probability of failure, for the technological system, or the error, for the procedural activity. The probability of operator error is evaluated through the FUZZY CREAM, according to the procedure described in the previous section. The correction factor will be calculated as the sum of the probabilities of all the sequences disclosed in the event tree that could bring about the generation of a flammable atmosphere, otherwise not present.
The calculation of the correction factor as for the last column in Figure 4 assumes that all the terms are independent. In case this assumption should not be confirmed, the calculations should take into account the dependencies, otherwise final probability should have been underestimated.
The probability correction factor calculated from the event tree is added to the initial ATEX probability and used for the zone classification.

Ignition Source Assessment
Ignition source assessment is the second step to go through when the zone classification is determined as a dangerous one. Relevant ignition sources are listed in the technical standard EN 1127-1 [24] and shown in Table 6. To assess the presence and effectiveness of ignition sources and their probability, the technical standard ISO EN 80079-36:2016 [25] has been used as a reference. The standard aims at providing the basic method and requirements for design, construction, testing, and marking of non-electrical equipment intended for use in potentially explosive atmospheres. It provides a scheme for the ignition source identification. Once the potential ignition sources are identified, the frequency of occurrence can be assessed (Table 7). An example of application of the Table 7 can be found in Section 3. Table 7. Scheme for the identification and assessment of ignition sources. The assessment of the effectiveness of the ignition sources can be conducted quantitatively, but more often, it has to be conducted in a qualitative way. For example, in order to have an effective hot surface, the maximum surface temperature under the most adverse operation condition should be taken into account. For some of the ignition sources, specific standards exist to support their assessment (e.g., CLC/TR 679-32-1: 2016 for static electricity). The probability of the presence of ignitions sources is then estimated coherently with the ranges adopted for zone classification (Table 8). In case an identified potential ignition source results to be effective, applied barriers should be considered. Also, in this case, an event tree is built. The initial event is represented by the initial probability of the ignition source (PrIG).
Alternative paths are then built by applying barriers and/or relevant operational activities. The probability of failures can be the result of the technical barrier failure (Pr,tbf) and/or of human errors or recovery (HEP). The probability calculation along the sequences of events allows to evaluate the likelihood of having an initial/additional effective ignition source.
In the end, the ATEX-HOF ignition source assessment for each emission source is carried on ( Table 9). The maximum value of the ignition likelihood among all identified potential ignition sources will be chosen for the risk assessment, in order to have a conservative evaluation, and will allow for determining the C HOF index to be used in risk estimation, according to reference Table 8. A worked example of that described above is shown in Section 3.

Damage Analysis
The Damage analysis relies on the area classification result (represented as the ID index which can be determined with Table 10 and other factors summarized in Table 10: personnel presence (PL), dust explosion index (KST), gas explosion index (KG), cloud volume (VZ), layer thickness (SS), confined dust cloud (CN), as detailed in References [4,5] and summarized in Table 11. The semi-quantitative parameter, D HOF , can be then calculated according to Equations (2)

Case Study
The case study refers to the central paint mixing station in an automotive manufacturing plant, located in Serbia. Primer, coat, paints, and solvents contain flammable substances that can potentially generate explosive gas atmospheres during normal operations. Ten groups of emission sources were identified which were separated in different rooms of the paint mixing station: storage room, solvent mixing room, and paint mixing room. Inside the paint mixing room, the basic paint mixing unit was selected as a case study to apply the ATEX-HOF methodology.
The basic paint mixing unit has a double tank for the preparation and pumping of high consumption paint. A 1 m 3 container with the product provided by the supplier of the product is positioned on the relative support close to the group. The flexible suction tube is connected, and the product is transferred to the preparation tank through transfer pumps. In the preparation tank, the product is diluted by adding dilution solvent, checking the quantity using a manual liter counter. The product is mixed using the electric shaker fitted on the cover. The product created in this way is transferred to the working tank through a membrane pump, therefore making the preparation tank ready for a new preparation cycle. The electric pump powers the distribution circuit, keeping the product in re-circulation. The pressure in the re-circulation circuit is controlled and maintained by means of a return regulator. A signal generated by the supervision system informs the operator that the minimum level has been reached.
The management group and the loading of products is completely manual. The operator is responsible for controlling these operations acting on the panel of selectors and the control flow meter. The station is staffed by three daily shifts. Each shift (8 h per day) mainly has one shift leader, two operators, and one daily maintainer. The paint mixing operation is a 365 day operation. The paint mixing is a one-by-one operation, two simultaneous mixing operations are prohibited.

Area Classification
Each item of the process equipment which contains flammable materials was considered as a potential emission source, as seen in Table 12. The type of the area classification inside the equipment can be referred to the grade of release and the ventilation conditions. It is generally conducted in a qualitative way. According to Table 4, the internal zones for each identified emission source were determined, resulting in all zones being 0.
Then, the external zone was evaluated and updated to take into account the effect of potential operational errors. Considering that the relevant operations (and/or operational barriers) are conducted by two people, one is the operator performing daily tasks during normal operation conditions (Scenario 1), and another is the maintainer, conducting the maintenance activities (Scenario 2). The Human Error Probabilities (HEP) were estimated by applying FUZZY CREAM (Table 13) according to the procedure described in Section 2.1. The HEP data have been introduced in the event tree generated to describe the real operational activity in the plant, and the zone classification for both internal, Pr IN , and external, Pr EXT , sides of the basic paint mixing unit were determined (Table 14).
As a result, the area classification from both internal and external sides of the basic paint mixing unit were determined. In the end, the envelop of external zones were drawn on the layout to highlight the critical area.

Ignition Source Assessment
Ignition source assessment is the second step to go through if the zone classification is determined as a dangerous zone. The 13 possible ignition sources have been evaluated according to the methodology in Section 2. For the effective ignition sources, barriers have been considered. In this basic paint mixing unit, there is one technical barrier applied: the ground system, with a failure probability of Ptbf = 3.83 × 10 −4 , as assessed by the plant technicians. Two operational barriers are present. According to the general working context and their working performances, the HEP were estimated by applying FUZZY CREAM, as seen in Table 13.
From the analysis, it emerged that the most critical ignition sources are "Flame", "Hot gases" and "Mechanical sparks", with an estimated probability of occurrence of 2.073 × 10 −3 , corresponding to a likelihood label of "occasionally". This value has been considered in the risk assessment. Figures A1  and A2 in the Appendix A summarize the whole ATEX-HOF ignition source assessment respectively, inside and outside the tank object of the case study. Figure 5 shows an example of the applied event trees for the analysis of human errors and barriers, with reference to flames and hot gases due to hot works.

Risk Assessment
Given the parameters evaluated in previous paragraphs, the ATEX-HOF risk evaluation results for the basic paint mixing unit are shown in Table 15 for the case of the success of the applied technical barrier and human intervention, and in Table 16 for the case of failures in the applied technical barrier and human intervention.  Note: P is the probability level of having an explosive atmosphere; C is the probability level of having an ignition source; and D is the consequence of having an explosive atmosphere.
As mentioned above, the risk level of the basic paint mixing unit resulted negligible for all the identified emission sources (internal and external sides) in case the following barriers are applied and/or relevant operational activities are performed correctly:

1.
Naked flame and hot gases as a product of combustion are forbidden in zone 0, and in zone 1 and zone 2 are eliminated.

2.
The maintenance is performed under the safety requirements (e.g., hot work permit).

3.
The maintenance is performed following the required procedures.

4.
Equipment that can produce mechanical sparks is prohibited in hazardous areas.

5.
Periodic checking of the grounding system is included in operational procedures. 6.
Inside the paint mixing room, only ATEX certified tools are available and used. 7.
Operators inside the room are always wearing the antistatic clothes and shoes. 8.
The ATEX risk assessment has to be evaluated in case of any change, related to operators, maintainers, operations, or equipment. However, when the probability of failure of applied barriers and/or relevant operational activities is considered, the risk level of the basic paint mixing increases from the "negligible" to the "low" level. According to Table 11, risk mitigation measures should be implemented in a long time interval.

Effectiveness of ATEX-HOF
ATEX-HOF methodology deals with the HOF influence on the identified ATEX hazards. The event tree-based probabilistic assessment method has been introduced in order to quantify the HOF influence. The effectiveness of the method strongly depends on the initial level of safety management within the plant in which it is applied: (1) If the safety management is already consolidated in the plant, safety procedures exist and are followed, and the operators are trained and aware of the hazards, results from the ATEX-HOF methodology will be in line with those of the traditional methodology. (2) If the safety management in the plant is not consolidated, then the application of the ATEX-HOF methodology will give different results with respect to the traditional methodology and will help in improving the level of safety for the operators and the equipment.

Cost-Benefit Analysis
The ATEX-HOF methodology resulted to be effective as discussed above, but it requires some additional efforts: the additional time consumed for the risk assessment, people involved, process interruption, and more data requirement are considered. For each analysis, an additional 2-4 min is required. The additional source supports are the FUZZY CREAM tool and the event tree instrument, otherwise not used in ATEX risk assessment. Additional works include: (a) identification of applied technical barriers and human interventions, (b) estimation of failure probability of applied technical barriers and relevant human interventions, and (c) event tree analysis.

Feedback from the Stakeholders
Feedback was collected from the industry where the ATEX-HOF methodology was applied. A questionnaire survey was conducted. The responses are summarized here: (a) The ATEX-HOF methodology covered the process phases: design phase, normal operation, maintenance, and non-routine situation. (b) It is necessary to consider HOF within the ATEX risk assessment, and the ATEX-HOF methodology is helpful for the HOF influence analysis. (c) The results coming from the ATEX-HOF methodology clearly support decision making. (d) The application does not disturb the operations. However, (a) half of the responses concern a high-level of education needed, in order to apply the methodology and (b) half of the responses concern that conducting the quantitative analysis is a little time consuming.

Conclusions
The ATEX-HOF methodology provides a quantitative risk analysis approach to the potentially explosive atmosphere hazards, that includes the human and organizational factors (HOFs). Within each phase of the analysis, clear assessment goals were identified. An event tree-based probabilistic assessment has been introduced. Hence, the ATEX-HOF risk assessment becomes more complete than the traditional approach.
The application to case studies of industrial interest showed how taking HOFs into account is particularly important in companies where the usual hypothesis of the correctness of operator intervention (in maintenance, normal operations, and emergency) could bring to non-conservative results. In fact, the case study developed has shown how taking the human factors into account could bring higher risk to the assessment than the one calculated with the traditional methodology and the inherent assumption that operations are correctly carried on. The potential underestimation of the risk with the traditional risk assessment would negatively affect the decision-making process in terms of safety of the operators and the assets.
An underestimation could also occur in the case of dependencies among operational errors or between operational errors and technical failures. In case a dependency should be evidenced, and this is at the moment left to the experience of the risk analyst, this should be addressed in the calculation in order to avoid possible inaccuracies.
The applied operational (HOF) barriers included in the analysis can be used as a reference for the development of a more detailed set of operational procedures, that will allow the level of risk to be maintained in time.