Processing of alarms by means of an expert system


Reliability Engineering and System Safety 22 (1988) 401-409

Processing of Alarms by Means of an Expert System

P. Legaud, Électricité de France, Direction de la Production et du Transport, Service de la Production Thermique, 3 Rue de Messine, 75384 Paris Cedex 08, France

ABSTRACT
After describing the existing alarm system, this paper presents a system for real time alarm processing using the expert system approach. The findings, both at design and performance levels, are described, as well as the immediate perspectives.

INTRODUCTION
Like any other industrial process, the running of a nuclear power plant may be considered to be an interactive relationship between the installation and the operator. For the operator to have a proper understanding of the functioning of the process, the latter must, in return, supply him with clear and comprehensible information, and this should be the case for the alarm system [1].

ALARM SYSTEM
Should an incident occur, the alarm system is the first device to alert the operator to the presence of abnormal conditions. Alarms are generally designed to report operating faults of particular items of equipment, and single alarms thus normally provide the operator with meaningful information. However, in the course of an incident, owing to the physical or material relationships present in the installation, a number of different alarms may be set off. The processing capacity of the operator may then be exceeded and the avalanche of information becomes unusable, if not harmful.

Reliability Engineering and System Safety 0951-8320/88/$03.50 © 1988 Elsevier Applied Science Publishers Ltd, England. Printed in Great Britain


Nevertheless, whatever the situation, all alarms present at a given time are capable of explanation. The algorithm for their explanation is frequently complex and difficult to establish in advance, which prevents conventional data processing systems from being used in such cases, as the designer is unable to predict all the possible situations. In view of the unsuitability of conventional processing systems and the appearance of expert systems, the Research and Development Division and the Nuclear and Fossil Generation Division of EDF have decided to investigate the expert system approach in order to establish its potential [2-7].

OBJECTIVES AND METHOD

Objectives
The objectives of the processing system which has been designed are diagnosis of any fault causing alarms to be set off and use of the diagnosis to determine which of the existing instructions or alarm leaflets should be selected. These objectives are based on the axiom, mentioned above, that all alarms are explainable by identification of the state of the installation. In concrete terms, identification of the state makes it possible to sort the causes of the alarms intelligently and to alert the operator to the initial cause or causes of the incident.

Method
Validation or elimination of the causes of alarms is based on (1) investigation of all possible causes of the alarms, and (2) reconstitution of the state of the installation (see Fig. 1).

[Fig. 1. Flow diagram: the alarms feed the determination of possible causes, and the equipment state data feed the reconstitution of the state of the installation; both results feed the elimination/validation of the causes of alarms, which produces the diagnosis.]

Determination of possible causes of alarms
Any alarm may have a number of causes depending on the processing logic and the functional links of the installation. It is therefore possible, on the basis of such logic and functional links, to draw up the alarm appearance cause propagation tree. Thus, if an alarm occurs, all the potential causes can be established.

State reconstitution
The information output by the data processing system supplies indications concerning the state of the equipment, the values of certain parameters, and the operation of automatic functions. Combining these data makes it possible to obtain a good idea of the state of the installation. In our system, the search for possible causes of alarms and the reconstitution of the state are based upon an expert system approach and, in particular, on a full understanding of the operation of the installation and on qualitative simulation of the operating process. This full understanding is obtained by local operating representation of equipment using production rules, the overall operating situation being obtained by combining local operating data.

DESIGN
We have chosen two expert system tools for building EXTRA [8]. The first is used during the design phase. It is written in the S2.BOOJUM language [9] (inference engine based on predicate calculus using forward chaining). It automatically generates rules bases from the topological and functional description of the facility. These rules bases will be used during on-line processing. They constitute the second knowledge base. This second knowledge-based system is written in LRC [10] (inference engine based on propositional calculus using forward chaining) and performs the on-line processing, strictly speaking. This kind of compilation has the merit of combining the rapid execution time of the LRC language, for the processing operation, with the power of the S2.BOOJUM language for designing very large knowledge bases.

Application to a nuclear power plant
The objective of this application was to test the above-defined processing method under representative conditions and to determine whether the system can be extended to a whole plant.

Knowledge base
This knowledge base incorporates three subsets that will be briefly described. This description will be completed by a simple example.

Topological and functional description of the facility
This description consists of a facts base in the S2.BOOJUM language; that is to say, it is made up of triplets (object, object, object), a triplet being itself an object. This facts base now incorporates 10000 such triplets. These triplets provide a very general description (applicable to any industrial process) of the plant topology and operation.

General processing principles
These principles are also formulated as S2.BOOJUM facts and correspond to general operating and diagnosis principles. By applying these principles, through rules, to the facility description, a specific rules base for the studied plant is automatically generated. Nowadays there are 40 such principles. By applying these principles to the description of the plant, some 5000 LRC rules can be automatically generated. These rules are simple. On average they are made up of two premises and two conclusions.

Specific rules base of the facility
This rules base includes, first, rules automatically generated, as described above, and, second, directly handwritten rules (about 5%). The handwritten rules actually describe very specific operating conditions.

Example
We will illustrate the different points mentioned above with a straightforward example. Let us take the following electrical diagram:

    6.6 kV LHA busbar
           |
    Contactor LLA001JA   (controlled from the 125 V LBA busbar)
           |
    380 V LLA busbar

(a) Description

    LHA        NATURE     BUSBAR
    LBA        NATURE     BUSBAR
    LLA        NATURE     BUSBAR
    LLA001JA   NATURE     CONTACTOR
    LHA        SUPPLIES   LLA001JA
    LLA001JA   SUPPLIES   LLA
    LBA        CONTROLS   LLA001JA
    LLA001XU   CONCERNS   LLA
    LLA001XU   MONITORS   POWER LOSS
    LLA001XU   NATURE     ON-OFF INFORMATION

(b) Generic principle

    IF    T is a busbar
    and   T is energized
    and   T has N supply lines
    and   N - 1 supply lines are lost (open breaker or loss of power supply to upstream busbar)
    THEN  the Nth supply line is operating (closed breaker and upstream busbar energized)

(c) Specific rule
When the previously defined principle is applied to our figure, the following rule is obtained:

    RULE: LHA-LLA
    IF    LLA POWER LOSS = NO
    THEN  LLA001JA STATUS = CLOSED
          LHA POWER LOSS = NO
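As an added illustration (not the paper's S2.BOOJUM or LRC code), the following Python sketch stores description (a) as a triplet facts base, applies generic principle (b) off-line to generate the specific propositional rule (c), and then forward-chains over that rule the way the on-line base would during state reconstitution. The helper names (query, supply_lines, generate_rules, forward_chain) and the encoding of a lost supply line as two alternative premises (open breaker, or upstream power loss) are assumptions of this example; it goes beyond the paper's N = 1 case by generating the rules for a busbar with any number of supply lines.

```python
from itertools import product

# Facts base constructed from the paper's description (a): triplets (object, relation, object).
FACTS = [
    ("LHA", "NATURE", "BUSBAR"), ("LBA", "NATURE", "BUSBAR"), ("LLA", "NATURE", "BUSBAR"),
    ("LLA001JA", "NATURE", "CONTACTOR"),
    ("LHA", "SUPPLIES", "LLA001JA"), ("LLA001JA", "SUPPLIES", "LLA"),
    ("LBA", "CONTROLS", "LLA001JA"),
    ("LLA001XU", "CONCERNS", "LLA"), ("LLA001XU", "MONITORS", "POWER LOSS"),
    ("LLA001XU", "NATURE", "ON-OFF INFORMATION"),
]

def query(facts, rel, a=None, b=None):
    """Pairs (x, y) with (x, rel, y) in the facts base; None is a wildcard (hypothetical helper)."""
    return [(x, y) for x, r, y in facts if r == rel and a in (None, x) and b in (None, y)]

def supply_lines(facts, busbar):
    """A supply line of a busbar is (contactor, upstream busbar), found by two SUPPLIES hops."""
    lines = []
    for dev, _ in query(facts, "SUPPLIES", b=busbar):
        if query(facts, "NATURE", a=dev, b="CONTACTOR"):
            lines += [(dev, up) for up, _ in query(facts, "SUPPLIES", b=dev)]
    return lines

def generate_rules(facts):
    """Off-line application of principle (b): rules are (name, premises, conclusions) over propositions
    (object, attribute, value). A lost line is encoded as open breaker OR upstream power loss, one rule each."""
    rules = []
    for t, _ in query(facts, "NATURE", b="BUSBAR"):
        lines = supply_lines(facts, t)
        for i, (dev, up) in enumerate(lines):
            others = lines[:i] + lines[i + 1:]
            for lost in product(*[[(d, "STATUS", "OPEN"), (u, "POWER LOSS", "YES")] for d, u in others]):
                premises = frozenset({(t, "POWER LOSS", "NO"), *lost})
                conclusions = frozenset({(dev, "STATUS", "CLOSED"), (up, "POWER LOSS", "NO")})
                rules.append((f"{up}-{t}", premises, conclusions))
    return rules

def forward_chain(rules, known):
    """On-line forward chaining: fire every rule whose premises hold until no new proposition appears."""
    state = set(known)
    changed = True
    while changed:
        changed = False
        for _, premises, conclusions in rules:
            if premises <= state and not conclusions <= state:
                state |= conclusions
                changed = True
    return state
```

For the paper's facts base, generate_rules(FACTS) yields exactly the rule LHA-LLA, and forward_chain over it from LLA POWER LOSS = NO derives LLA001JA STATUS = CLOSED and LHA POWER LOSS = NO.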


IMPLEMENTATION
Between September and December 1985, a development prototype was made to establish the feasibility of the approach. The encouraging results obtained led us to make a real time model coupled to a nuclear reactor simulator at the Bugey training center. This prototype, which is described below, was developed between January and August 1986.

Principle
Processing is based on applying three sets of rules:
(1) The first (state reconstitution) identifies the state of the installation from information supplied by it, and checks for coherence [11].
(2) The second set (fault propagation) generates potential faults corresponding to the alarms present.
(3) The third set (validation/elimination of faults) uses the results obtained during activation of the first two to eliminate or validate the possible faults and to enable selection of appropriate existing documents containing instructions.

Applicability
The EXTRA application handles the entire electrical power installation and the volumetric monitoring system, with its auxiliaries, of a 900 MWe PWR nuclear unit. This involves the processing of 225 alarms, the acquisition of 900 data items, the monitoring of 100 mechanical components and 550 electrical devices, and the possibility of evaluating some 1000 potential faults.

Data processing arrangement
The prototype was implemented on a monoprocessor minicomputer (a BULL SPS 7), the information received from the simulator being prepared and then submitted to the three sets of rules of the expert system, and the fault diagnosis being displayed to the operator on a semi-graphic video console. The language used is LRC, which was developed by the EDF Research and Development Division. It is based on predicate calculus and is of sufficient speed to make real time applications possible.

Performance
In all, there are some 5000 production rules of the IF (condition) THEN (conclusion) type, with an average of two conditions and two conclusions. A calculation cycle can be carried out every 12 s and includes:
(1) Data acquisition and preparation (5 s)
(2) Inference (5 s)
(3) Display of diagnosis (2 s)
The amount of memory required does not exceed 256 kilobytes.

FINDINGS
These are of two kinds.

During development
The items of equipment covered by the rules are numerous and their functional properties are frequently repetitive (circuit breakers, valves, etc.). This results in writing a very large number of level 0 rules (5000 in the present case), which apply the same processing principle many times. This led us to establish the corresponding principles (approximately 40 in the present case) to formalize them and to write them in another expert system language capable of handling variables (predicate calculus). This expert system uses a topological and functional description of the installation and, by off-line application of the processing principles, generates the sets of rules of the real time alarm processing system. It is then much easier for an expert in the field to check the rules of principle, which are a formalized transposition of the practical reasoning of the operators in their search for a fault diagnosis. Furthermore, the functional description of the installation can be used for other applications, for which its physical coherence can be ascertained.

During testing
The testing session (approximately 100 h) carried out on the simulator showed the system to be effective and flexible. Specific findings included:
(i) The capacity of the system to detect incoherence associated with instrument faults [11]
(ii) The dependability of the system, which in all cases selected a suitable document and made the correct diagnosis even in situations not anticipated at design level
(iii) The modularity of the system, which made it possible to extend its field of application during the testing simply by supplementing the functional description of the installation
(iv) The capacity of the system to adapt to situations involving loss of data
(v) The capability of the system to operate on an instantaneous state of the installation, even under changing conditions.

PERSPECTIVES
The testing of EXTRA with a simulator showed the promise of the knowledge-based system approach in the field of diagnosis and processing of alarms in industrial processes. The assessment of EXTRA will now continue in an operational context. An initial stage of this program will be the application of EXTRA (aid in diagnosis, selection of operating instructions) to all the electrical power supplies of a 900 MWe pressurized water nuclear unit, implementation being planned for the end of 1988. For this implementation, the possibilities of the system will be extended:
(a) A demonstration module, which is part of the LRC tools, will make it possible to explain the process by which the expert system has established the diagnosis displayed.
(b) The qualitative simulation upon which EXTRA is based will be usable as a tool for predicting the consequences of withdrawal of an item of equipment from service.
(c) Connection of the expert system to a data base will make it possible to supply operators with information concerning equipment, measurement sensors and certain automatic devices (availability, unavailability, validity, etc.), relating either to the actual state of the installation or to a simulated state.
(d) Special attention will be paid to establishing operator dialogues to enable simple control of the screens and to present information in a manner in which it can be readily assimilated by the operators.
If the prototype proves satisfactory, the four units of the Bugey nuclear plant will be equipped with the system.

REFERENCES
1. Power Plant Alarm Systems: Survey and Recommended Approach for Evaluating Improvements, Note NP-4361, Research Project 2011, EPRI, Palo Alto, CA, 1985.
2. Gondran, M. Introduction aux Systèmes Experts, Eyrolles, Paris, 1985.
3. Waterman, D. A. A Guide to Expert Systems, Addison-Wesley, Reading, MA, 1986.
4. Nelson, W. R. REACTOR: an expert system for diagnosis and treatment of nuclear reactor accidents, Proceedings AAAI, 82 (1982), pp. 296-301.
5. Ennis, R. L. et al. Continuous real-time expert system for computer operations, IBM Journal of Research and Development, No. 1, January 1986.
6. Suslenchi, P. and Vernet, D. EXTASE: Exemple de Traitement d'Alarmes par Système Expert, Laboratoires de Marcoussis, France, 1986.
7. Bonnet, A., Maton, J. P. and Truong-Noc, J. M. Systèmes Experts: Vers la Maîtrise Technique, Inter-Editions, Paris, 1986.
8. Ancelin, J. and Legaud, P. Un système expert pour le traitement des alarmes d'un réacteur nucléaire, Sixièmes Journées Internationales: Les Systèmes Experts et Leurs Applications (Proceedings), Avignon, 1986.
9. Dormoy, J. L. Notice du Langage et Guide d'Utilisation de S2.BOOJUM, Note EDF, DER HI/5551/02, Paris, 1986.
10. Hery, J. F. and Laleuf, J. C. Notice d'Utilisation et Analyse des Logiciels LRC, Note EDF, DER 6 HT 14/23/85, HI/5040-02, Paris, 1985.
11. Osborne, R. L., Gonzalez, A. J., Bellows, J. C. and Chess, J. D. On-line Diagnosis of Instrumentation through Artificial Intelligence, Westinghouse Electric Corporation, Power Generation Operations Division, Orlando, FL, 1985.