Application of functional analysis techniques to supervisory systems


Reliability Engineering and System Safety 64 (1999) 209–224

Manuel Lambert, Bernard Riera, Grégory Martel
Université de Valenciennes et du Hainaut-Cambrésis, LAMIH, BP 311 Le Mont Houy 59304 Valenciennes, France
Received 20 July 1996; revised 27 April 1998; accepted 7 May 1998

Abstract

The aim of this paper is firstly to apply two functional analysis techniques to the design of supervisory systems for complex processes, and secondly to discuss the strengths and weaknesses of each of them. Two functional analysis techniques, SADT (Structured Analysis and Design Technique) and FAST (Functional Analysis System Technique), have been applied to a process, an example of a Water Supply Process Control (WSPC) system. These techniques allow a functional description of industrial processes. The paper briefly discusses the functions of a supervisory system and some advantages of applying functional analysis to the design of a ‘human’ centered supervisory system. Then the basic principles of the two techniques applied to the WSPC system are presented. Finally, the different results obtained from the two techniques are discussed. © 1999 Elsevier Science Ltd. All rights reserved.

Keywords: Functional analysis; SADT; FAST; Supervisory systems; Water supply process control system

1. Introduction

Today, the supervision of production systems is more and more complex to perform, not only because of the ever increasing number of variables to monitor but also because of the numerous interrelations existing between them, which are very difficult to interpret when the process is highly automated. The challenge of the coming years is the design of support systems which leave an active role to the supervisory operators by supplying tools and information that allow them to understand the running of production equipment. Indeed, the traditional supervisory systems present many already known problems. First, whereas sometimes the operator is saturated by an information overload, at other times an information underload does not permit them to update their mental model of the supervised process. Moreover, the supervisory operator has a tendency to wait for the alarm before acting, instead of trying to foresee or anticipate abnormal states of the system. So, to avoid these perverse effects and to make the operator’s work more active, the design of future supervisory systems has to be human centered in order to optimize Man–Machine interactions. It seems in fact important to supply this operator with the means to perform his own evaluation of the process state. To reach this objective, Functional Analysis (FA) seems to be a promising research method. In fact, by allowing the running of the production equipment to be understood, these techniques permit designers to determine the right information to display through the supervisory interfaces dedicated to each kind of supervisory task (monitoring, diagnosis, action, etc.). In addition, FA techniques could be a good help in designing support systems such as alarm filtering systems. By means of a significant example, the objective of this paper is to show the interest of using techniques such as SADT (Structured Analysis and Design Technique) and FAST (Functional Analysis System Technique) for the design of supervisory systems. The next section briefly describes the characteristics of a current supervisory system and the problems linked to its design. Next, the interest of using FA in the design steps is developed. In Section 3, after presenting the concepts of SADT and FAST, these techniques are applied to a water supply process control (WSPC) system. The last section presents a discussion of the advantages and inconveniences of each FA technique.

2. Functional analysis for the design of supervisory systems

2.1. Functionality of a supervisory system

Supervision consists of commanding a process and supervising its working [1]. To achieve this goal, the supervisory system of a process must collect, supervise and record the important sources of data linked to the process, in order to detect the possible loss of functions and alert the Human Operator (HO).

0951-8320/99/$ - see front matter © 1999 Elsevier Science Ltd. All rights reserved. PII: S0951-8320(98)00064-7


When aiming at the optimization of the criteria linked to production, security and economy objectives, the HO must supervise the process states and act in such a way as to maintain the process as near as possible to its nominal working point. According to Rouse [2], the supervisory operator’s tasks are: control, the follow-up tasks in normal working, the transition tasks linked to running changes, the fault detection tasks, diagnosis and the fault recovery tasks. According to Moray [3], a supervisory operator monitors a process when he supervises the displayed information without executing any action which may change the system state. So, the purpose of monitoring tasks is only to update his knowledge about the system state and to detect the occurrence of faults. One can notice that monitoring tasks require a global vision of the process to allow efficient supervision, whereas diagnosis tasks require a hierarchical vision of the process. The main objective of a supervisory system is to give the HO the means to control and to command a highly automated process. The performance of the Man–Machine System (MMS) is linked to the optimization of three criteria (see Fig. 1):

• The production criterion: the first objective of the production facilities is to transform products by adding value. This objective must be managed in order to guarantee the reliability and the availability of the process.
• The security criterion: it is the most important criterion because the HO must guarantee, first of all, the security of human beings and machines.
• The economic criterion: the production must be as economical as possible.

So, the supervision of industrial processes includes a set of tasks aimed at controlling a process and supervising its operation. The control consists of acting on the process by means of ‘orders’, as shown in Fig. 1. Accordingly, control involves a top-down flow of information which acts on the lower levels. On the contrary, supervision is a bottom-up flow of information called ‘information feed-backs’, whose sources are the signals sent by the process (see Fig. 1). In fact, the supervisory system works in two different contexts: off-line and on-line.

• Off-line, the supervisory system allows, in deferred time, reports to be produced and thus the production performance to be analyzed. In this case, some actions can then be undertaken in order to improve the safety of working (reliability, maintainability, availability and security) of the production equipment. In addition, the archived data linked to the loss of functions are very interesting because they permit, for instance, the preventive maintenance policy to be defined. The supervisory system is therefore useful in all plants because it is an important source of information. Indeed, the maintenance team, the automation team and many other actors of the company are interested in this collected information, which is centralized in the control room.
• On-line, the supervisory system allows, on the one hand, access to the measurable information relative to the process and, on the other hand, the ability to signal the operator on the occurrence of important events.

At the different levels of a process, the nature of the tasks is different. Indeed, at the levels near to the operative part (see Fig. 1), the data used by machines are numerical (operative or software tasks, for instance). On the contrary, far from the process, at the high levels, data should be more symbolic as they are used by the HO. Indeed, the HO is at the top of the process and achieves cognitive tasks thanks to the information coming from the process and communicated via the Man–Machine Interfaces (MMI). Whatever the applications at the different levels (command, supervision, etc.), the use of different models of the process is necessary. For instance, for the control/command system design, the models are functions of the nature of the automation (discrete event systems, feedback control). A supervised system (see Fig. 1) is composed of the following parts:

• The MMI, displaying information thanks to the information synthesis system.
• The supervisory tools, supplying services thanks to the automatic supervisory system and the decision support systems.
• The control/command part, the interface between the MMI, the supervisory tools and the process.

The process is also called production system or operative part; it performs the physical work on the input product flow.

Now, we are going to detail the main functions fulfilled by these different systems.

2.1.1. Automatic supervisory system

According to our point of view, an automatic supervisory system is a traditional supervisory system (see Fig. 1), that is to say, a system which provides a hierarchical list of alarms generated by a simple comparison with regard to thresholds. The criteria of classification can be relative, for instance, to the instant of detection or to the degree of dangerousness.

2.1.2. Information synthesis system

According to our point of view, the information synthesis system (see Fig. 1) manages the presentation of information via any support (synoptic, console, panel, etc.) to the HO. This information can come from two different sources:

• First, the information can be measures coming from the process;
• Second, high level information can be given to the operator. In this case, the original nature of the measures has been modified. In other words, to get this information himself, without a support system, the operator would have had to develop a knowledge-based behavior according to the Rasmussen classification [5].


Fig. 1. Architecture of a supervised process adapted from Sheridan [4].


2.1.3. Operator support systems

Among the possible systems bringing useful and substantial help to all the human decisional levels, we find the alarm filtering systems and the support to anticipation (detection level), the support to the diagnosis of the causes of loss of functions (problem resolution level) and the support to fault recovery (action level). For poorly automated processes, such as air traffic control, a task manager (see Fig. 1) which allows a dynamic task allocation between the HO and the decision support system can be useful to optimize human–machine performance and human workload [6]. This dynamic task allocation is driven by the evolution of a certain number of efficiency criteria. In our case, a task manager is not possible because the studied processes are highly automated, and the level of automation cannot be modified. Currently, one can notice a tendency to propose support systems. Usually decision support systems are based on artificial intelligence techniques. It looks paradoxical to graft additional systems onto the supervisory system in order to help the HO. In fact, it would be more judicious to supply the HO with the data and information that he really needs to achieve his work. We think that support systems do not have to be seen as a system replacing the decisional thought process of the HO but as a toolbox which facilitates his work.

2.1.4. Production systems

The production system or operative part corresponds to the physical structure which performs the work (see Fig. 1). Giving added value to a product, these systems are composed of sensors which enable the operative part to be observed and actuators to command it. It is possible to classify production systems with regard to the nature of the production process, continuous or manufacturing.

• Continuous processes (chemical plant, for instance): these systems involve the processing of continuous flows of material or energy. However, the total process is often a discrete sequence of continuous sub-processes [7]. Usually, one distinguishes fast continuous processes from slow continuous processes. This distinction is interesting because the fast evolution of the process forbids any manual corrective action in case of incident.
• Manufacturing processes (car plant, for instance): these systems involve the processing of identifiable objects or elements. The detectable unit is the object. During the process, most often, discontinuous operations are carried out.

2.1.5. Control–command system

The control–command system generates commands to actuators from information supplied by sensors (see Fig. 1). It is possible to differentiate two kinds of automatic control. The first one concerns programmable logic controllers (PLC) which process mainly Boolean information. The second one concerns feedback control. This distinction between sequential logic and feedback loop is important for the supervisory operator. Indeed, it is the autonomy of the control–command system which defines the automation level of the human–machine system. Today, in several production plants, the control–command system is very autonomous and operators intervene principally when failures occur in the production system or the control–command system.

2.2. Problems linked to the design of a supervisory system

With regard to the increasing complexity of production systems and the high level of automation, the supervisory system design becomes more and more delicate and should be human centered. Indeed, the human being can be viewed as an ‘information channel with limited capacities’ and constitutes, in terms of information treatment, an inescapable bottleneck. So, for this reason, the design of all supervisory systems has to be centered on the operator. It is no use designing a supervisory system which provides all the information coming from the production system in a haphazard way because the imposing mass of data will not permit the supervisory operator to treat it. So, the physiological and cognitive features specific to a man have to be completely integrated in the design stage. The cognitive human approach is based on the concepts of function and abstraction hierarchy developed in the foundations of most Functional Analysis (FA) techniques. Today, supervisory systems maintain some shortcomings due to some contradictory reasons. Indeed, sometimes the supervisory operator can be either saturated by an overload of information or perturbed by an underload of information, which could involve a deterioration of his mental model of the supervised process. More generally, an inadequacy between the supplied information and the operator’s information requirement could entail loss of functions.
A well managed process analysis could partially solve this problem. Indeed, the rough information requirement, useful for the realization of supervisory tasks by the operator, is brought to light during this crucial stage. The performance of the ‘man–supervisory system’ is, consequently, completely dependent on it. Attention must be paid to the quality of the process models, which must reconcile two imperatives: (1) to represent the process faithfully, and (2) to provide some usable information. Well, the FA techniques could, if they are judiciously used, fulfill these two requirements. In our case, the choice of some techniques such as SADT (Structured Analysis and Design Technique) and FAST (Functional Analysis System Technique) is strengthened by the relative simplicity of their development and their efficiency.

2.2.1. Proposition of the use of a new indicator for the design of a supervisory system

In the design of a supervisory system a distinction between two kinds of display seems necessary. The first kind of display is dedicated to the monitoring tasks. In fact, this generic term includes the control tasks, the tasks of follow-up in normal working of the installation, and the failure detection tasks. The second kind is dedicated to the diagnosis tasks. Indeed, after the detection of an anomaly, the operator should find its original cause and its consequences for the process. The main objective is to get the minimal distortion between the functional and behavioral reality of the process and a symbolic transcription on the interface, the most easily understandable and operable by the supervisory operator. Initially the design of an information synthesis system consisted of reproducing the geographical disposition of some physical components and their interconnections to realize the static part of the imagery. This has led to some ‘structural interfaces’ [8] (P and ID interfaces). This representation does not completely answer the cognitive approach used by the operator in order to achieve his different supervisory tasks. Through the use of FA techniques, the objective is the specification of an information requirement. According to our point of view, the information requirement is the minimal set of information collected during a process which allows the operator to understand the working process and to evaluate its state.


For each kind of supervisory task, the information requirement must be determined by answering the three following questions (see Fig. 2):

• What: what information is necessary to the supervisory operator to achieve his tasks?
• When: when to display this information?
• How: how to present this information to him?

The nature of the cognitive behavior of the human operator is a function of the kind of task. For the monitoring tasks the human operator essentially achieves low level tasks (based on procedures and reflexes). However, for the diagnosis tasks human operators essentially achieve knowledge based behaviors. The fundamental difference between these two kinds of task has an effect on the structure and the data representation on the interfaces. For instance, the interfaces dedicated to diagnosis can adopt a hierarchical organization and can present information in a symbolic way. A major difficulty in the design of a supervisory system is the inability to evaluate objectively the information requirement. Indeed, the information requirement is a concept which by nature depends on many subjective parameters, such as the knowledge of a supervisory operator about the process, the way of reasoning and so on.

Fig. 2. Characterization of the information requirement.


So, the construction of an objective indicator which would give a good image of the information requirement seems very interesting. This indicator would be built from the typology (observable, commandable, measurable, etc.) and the number of the variables existing in the supervised process. More precisely this indicator, called ‘information power’, could be the ratio of the number of measured variables to the total number of measurable variables. Moreover, many interesting variants can be defined to supply information from different points of view. For instance, one can imagine a variety of information indicators applied to the interface dedicated to diagnosis. Indeed, the interfaces dedicated to diagnosis have a hierarchical organization and so, knowledge of the evolution of the information requirement between the different hierarchical levels is very interesting. For that, one can define a ratio between the number of newly used variables at the studied level and the number of measured variables at the inferior level. So, through this indicator, one can evaluate objectively the progression of the information power and information density of the interface.

2.2.2. Information required for the supervisory system

According to the recommendations proposed by Vittet [9], a supervisory system has to give to the HO:

• A global view of the installation and its operation. The operator must access this pertinent information without much reasoning.
• Information concerning the evolution of the process state.
• Information which permits the results of the operator’s actions to be controlled quickly.
• The means to navigate into the different levels of process abstraction.
• Good alarms, i.e. well defined, well commented and specific to the different running modes.
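The ‘information power’ indicator of Section 2.2.1 and its hierarchical variant, worked over a constructed variable inventory. This is an added example, not code from the paper; the variable names, the three diagnosis levels and the reading of ‘inferior level’ as the level nearer the process are assumptions made here:

```python
"""Computing the 'information power' indicator of Section 2.2.1 over a
constructed variable inventory (added example; not code from the paper)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Variable:
    """One process variable with its typology (measurable/measured/commandable)."""
    name: str
    measurable: bool            # could be instrumented at all
    measured: bool              # actually acquired by the supervisory system
    commandable: bool = False   # can be acted upon through an 'order'


# Constructed inventory of a small pumped water loop; the names are illustrative
# and are not the variables of the paper's WSPC model.
INVENTORY: List[Variable] = [
    Variable("outlet_pressure", measurable=True, measured=True),
    Variable("pump_frequency", measurable=True, measured=True, commandable=True),
    Variable("dc_bus_voltage", measurable=True, measured=True),
    Variable("dc_bus_current", measurable=True, measured=True),
    Variable("tap_position", measurable=True, measured=False),
    Variable("pump_winding_temperature", measurable=True, measured=False),
    Variable("pipe_wall_wear", measurable=False, measured=False),
]

# Constructed hierarchical diagnosis views, ordered from the level nearest the
# process (index 0, which we take to be the paper's 'inferior' level) to the
# most abstract view. Names not in INVENTORY are synthesized variables.
DIAGNOSIS_LEVELS: List[Set[str]] = [
    {"outlet_pressure", "pump_frequency", "dc_bus_voltage", "dc_bus_current"},
    {"outlet_pressure", "pump_frequency", "electrical_health"},
    {"hydraulic_service", "electrical_health"},
]


def typology_counts(variables: List[Variable]) -> Dict[str, int]:
    """Counts per typology, the raw material the paper builds the indicator from."""
    return {
        "measurable": sum(v.measurable for v in variables),
        "measured": sum(v.measured for v in variables),
        "commandable": sum(v.commandable for v in variables),
    }


def information_power(variables: List[Variable]) -> float:
    """The paper's global indicator: measured variables / measurable variables."""
    measurable = [v for v in variables if v.measurable]
    if not measurable:
        raise ValueError("no measurable variable: the indicator is undefined")
    return sum(v.measured for v in measurable) / len(measurable)


def measured_names(variables: List[Variable]) -> Set[str]:
    return {v.name for v in variables if v.measured}


def level_progression(levels: List[Set[str]], measured: Set[str]) -> List[Optional[float]]:
    """The paper's hierarchical variant, one value per level above the first:
    |variables first used at level k| / |measured variables shown at level k-1|.
    None marks a level whose lower neighbour shows no measured variable."""
    already_used: Set[str] = set()
    ratios: List[Optional[float]] = []
    for k, view in enumerate(levels):
        if k > 0:
            below_measured = levels[k - 1] & measured
            new_here = view - already_used
            ratios.append(len(new_here) / len(below_measured) if below_measured else None)
        already_used |= view
    return ratios


if __name__ == "__main__":
    print("typology:", typology_counts(INVENTORY))
    print("information power:", round(information_power(INVENTORY), 3))
    print("progression:", level_progression(DIAGNOSIS_LEVELS, measured_names(INVENTORY)))
```

Running the block gives 4/6 for the global indicator (four of the six measurable variables are actually acquired) and [0.25, 0.5] for the progression between the three constructed levels; a level whose lower neighbour shows no measured variable yields None rather than a division by zero.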

The analysis must give pertinent and important information for the operator as well as for possible support systems. In other words, ‘what’ to display and ‘when’ to display it. The ‘how’ aspect is ignored at the beginning because it is less fundamental. The analysis of the production system and the control–command system is necessary to design the MMI. The authors think that a good process analysis has to enable a human centered supervisory system to be specified. The preliminary analysis stage of the production and control–command systems has to enable the complexity to be overcome by understanding the different functions and running modes of the process. Analysis methods have been developed and used by several scientific disciplines, such as Artificial Intelligence, automatic control and dependability sciences. These techniques are often developed for specific and narrow objectives and give a partial model of complex systems not suited to the design of supervisory systems. The analysis stage has to be a description of the production and control–command systems. This description is a model which can be formal or not and depends on the analyst. Thus, a production system can be seen by an observer finely or abstractly. So, it is the analyst’s point of view which fixes the level of the analysis. Additionally, one can notice that the abstraction level of the analysis depends on the application [10]. So, a complete description of production and control–command systems requires the definition of:

• A structural model showing the set of components of the plant and the links between them. This model indicates the system parts that perform functions.
• A functional model which describes the different functions. A function or mission of a component of a system is what this component performs as regards the goal of the system [11]. So this model is oriented by the goals achieved by the functions and allows the consequences of a loss of function to be estimated.
• A behavioral model which shows the way of performing functions.

Structural and behavioral descriptions (or models) refer to the notion of function. So, the functional analysis is at the center of the analysis and for this reason is fundamental. The main difficulty in designing a human centered supervisory system will be to define the level and the depth of the functional analysis. To illustrate the use of FA techniques in the design of a supervisory system, a study of the development of new generation displays has been carried out at the LAMIH of the University of Valenciennes in collaboration with the LAG (‘Laboratory of Automation of Grenoble’, France) and the LIA (‘Laboratory of Advanced Computing’) of Marcoule (France), a research department of the CEA (‘Atomic Energy Commission’). In fact, in this project, two major types of supervisory tasks have been considered, the monitoring and the diagnosis tasks, which require specific information. So, with the help of FA techniques (Functional tree, SADT and MFM), views dedicated to each of these tasks have been designed [12,13], implemented and evaluated. Starting from a numerical simulator of a nuclear fuel reprocessing system supplied by the CEA, the LAMIH has developed the supervisory interfaces of this process based on new concepts (Mass-Data-Display [14] for the monitoring and causal graph [15] for the diagnosis). These interfaces integrate an original alarm filtering system developed by the LAG [16], based on the analysis of the deviation between the measure and the model, thanks to the knowledge of a dynamic model of the process, and realized by using fuzzy reasoning.

Fig. 3. Utility of Functional Analysis.

2.2.3. Basic concepts of functional analysis for supervisory systems

Today there is often confusion about FA, which in fact covers two different aspects. First, coming from Value Analysis, external FA methods allow the definition of functional requirements, a necessary stage in the design of a new product. A Value Analysis consists of describing the product in terms of functions to fulfill, in order to satisfy the user’s requirements [17]. Second, internal or technical FA methods allow the running of the system to be understood by describing the expected functions and their characteristics. So it gives good help during the first stage of understanding the process running modes [18]. For the design of a supervisory system, technical FA is more interesting because the production system and its control–command part already exist and the HO’s tasks are roughly defined. Technical FA techniques can be classified according to their application fields. Techniques which can be used for process analysis are for instance: SADT (Structured Analysis and Design Technique), MFM (Multilevel Flow Modeling) [19], GTST–MPLD (Goal Tree Success Tree–Master Plan Logic Diagram) [20], Functional Tree and FAST (Functional Analysis System Technique). The application of adapted FA techniques is useful for different reasons (see Fig. 3):

• In normal running, FA permits the process working to be described and the information necessary to monitor it efficiently to be determined.
• In abnormal running, FA application permits the information required for the design of hierarchical diagnosis views to be determined, thanks to the abstraction hierarchy concept. Moreover, it is the primary stage for risk analysis studies such as FMEA (Failure Mode and Effects Analysis) or event trees [21]. Riera et al. [22] proposed a specific FMEA for the supervisory operator, called FMEA oriented IRHO (i.e. Information Requirement of Human Operator), to design alarms taking human factors into account.

The choice of the FA technique to apply is a function of the objectives of the study, the experience of the designer, the nature of the system, etc.

3. Application of functional analysis techniques

3.1. Basic concepts of the applied techniques

The representation of a system can be made at different abstraction levels according to two main axes [19]: the whole-part axis and the means-end axis (see Fig. 4). The whole-part axis corresponds to a top-down hierarchical decomposition of the global system into several less complex sub-systems, themselves broken up until the basic level. This decomposition power is a feature of SADT. The means-end axis corresponds, for one decomposition level, to the requirements for achieving the goal. The SADT (Structured Analysis and Design Technique) model is based on a hierarchical and modular description of the system in terms of functions. A SADT model is composed of boxes linked together by arrows showing the transformation of inputs into outputs by means of mechanisms or support data, under the supervision of control activities.

Fig. 4. The two axes of modeling by Lind [19].


Fig. 5. Actigram and datagram representations.

The FAST (Function Analysis System Technique) method consists of representing the links between the technical functions. For that, the set of system functions is obtained from the most important function, by asking the following questions: ‘how to realize this function’, ‘what for’ and ‘when’. The answers determine upstream and downstream functions.

3.1.1. SADT

SADT [23–26], which was designed by Ross in the 1970s, was originally intended for software engineering but other areas of application were rapidly found, such as aeronautics, production management, etc. This method has several advantages:

• Large field of applications such as automation, software development, management systems and so on.
• Facility and universality of the basic concepts.
• Existence of a set of procedures, advice and guidelines.

SADT uses two kinds of dual representation, enabling the consistency of the model to be checked:

• Actigrams (see Fig. 5), which represent activities. These activities (defined by a verb) modify the environment and communicate with the exterior through the interface, i.e. input, output, control and mechanism data. At the level of the graphical representation, boxes represent activities and data are represented by arrows.
• Datagrams (see Fig. 5), which represent data. At the level of the graphical representation, data are modified by activities. In this case boxes represent data, and arrows show activities.

For industrial process analysis, only actigrams are used because datagrams are more specific to data processing (software applications).

Fig. 6. Top-down, modular and hierarchical decomposition.

Fig. 7. FAST formalism and logical operators.

In actigrams, inputs are data, modified by activities to produce outputs. So, an activity gives added value to input data. Control data are conditions which govern or adjust (engaging or inhibiting) the activity. An important difference between input and control data exists; contrary to inputs, control data are never modified by the activity. Control data impose a constraint on the activity and influence the transformation of the input data. Mechanism data specify the resources which perform the activity. They usually answer the question ‘how’ or ‘who’. Actigrams are linked together as indicated in Fig. 6. Serial, parallel and feedback descriptions are represented. If a set of data is input as well as control, it is represented as control. To break down the complexity smoothly, SADT uses a top-down approach. A model is organized in a hierarchical way (see Fig. 6). At the first level, the system is ‘summed up’ as a single actigram box. Then, the box is split up into several boxes giving more information. Boxes are decomposed into diagrams (i.e. a set of actigram boxes) and so on until the right level of decomposition has been reached.
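The actigram interface and the top-down decomposition described above, as an added example that is not the paper’s code: each box carries its input, control, output and mechanism arrows, the ‘input as well as control is represented as control’ rule is applied when a box is built, and the consistency check that the dual representation is meant to support is approximated by a boundary rule stated in the docstring (our simplification, not a quotation of SADT). The one-level WSPC decomposition is constructed here in the spirit of Section 3.2 and is not the paper’s own diagram:

```python
"""A minimal SADT actigram model with a boundary consistency check for the
top-down decomposition (added example; not the paper's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Actigram:
    """One SADT box: an activity named by a verb, its input/control/output/
    mechanism arrows, and the child boxes of its diagram once decomposed."""
    name: str
    inputs: Set[str] = field(default_factory=set)
    controls: Set[str] = field(default_factory=set)
    outputs: Set[str] = field(default_factory=set)
    mechanisms: Set[str] = field(default_factory=set)
    children: List["Actigram"] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Rule quoted in the text: data that is input as well as control is
        # represented as control only.
        self.inputs = self.inputs - self.controls


def check_decomposition(parent: Actigram) -> List[str]:
    """Boundary consistency between a box and its diagram, applied recursively.

    Simplified rule (our assumption, not a quotation of the SADT standard):
    an arrow produced by a sibling box is internal; every other arrow entering
    a child must be an input or control of the parent, every arrow leaving the
    diagram must be an output of the parent, and every parent arrow and
    mechanism must be used by at least one child.
    """
    problems: List[str] = []
    kids = parent.children
    if not kids:
        return problems
    produced = set().union(*(k.outputs for k in kids))
    entering = set().union(*(k.inputs | k.controls for k in kids))
    used_mechanisms = set().union(*(k.mechanisms for k in kids))
    boundary_in = parent.inputs | parent.controls

    for arrow in sorted(entering - produced - boundary_in):
        problems.append(f"{parent.name}: '{arrow}' enters the diagram but is not a parent input/control")
    for arrow in sorted(produced - entering - parent.outputs):
        problems.append(f"{parent.name}: '{arrow}' leaves the diagram but is not a parent output")
    for arrow in sorted(boundary_in - entering):
        problems.append(f"{parent.name}: parent arrow '{arrow}' is not used by any child")
    for arrow in sorted(parent.outputs - produced):
        problems.append(f"{parent.name}: parent output '{arrow}' is not produced by any child")
    for mech in sorted(parent.mechanisms - used_mechanisms):
        problems.append(f"{parent.name}: mechanism '{mech}' is not used by any child")
    for kid in kids:
        problems.extend(check_decomposition(kid))   # walk down the hierarchy
    return problems


def number_boxes(root: Actigram, number: str = "A0") -> Dict[str, str]:
    """SADT node numbering: the top box is A0, the boxes of its diagram A1..An,
    the boxes of A1's diagram A11..A1n, and so on down the hierarchy."""
    numbers = {root.name: number}
    prefix = "A" if number == "A0" else number
    for i, child in enumerate(root.children, start=1):
        numbers.update(number_boxes(child, f"{prefix}{i}"))
    return numbers


def wspc_model() -> Actigram:
    """Constructed one-level decomposition in the spirit of the paper's WSPC
    description; it is not the paper's own SADT diagram."""
    a1 = Actigram("Compute supply frequency",
                  inputs={"pressure samples"}, controls={"desired pressure"},
                  outputs={"frequency setpoint"}, mechanisms={"controller"})
    a2 = Actigram("Convert mains voltage",
                  inputs={"mains voltage"}, controls={"frequency setpoint"},
                  outputs={"three-phase voltage"}, mechanisms={"frequency converter"})
    a3 = Actigram("Pump water",
                  inputs={"mains water", "three-phase voltage"}, controls={"tap opening"},
                  outputs={"water flow", "pressure samples"}, mechanisms={"pump"})
    return Actigram("Supply water at the desired pressure",
                    inputs={"mains water", "mains voltage"},
                    controls={"desired pressure", "tap opening"},
                    outputs={"water flow"},
                    mechanisms={"controller", "frequency converter", "pump"},
                    children=[a1, a2, a3])


if __name__ == "__main__":
    model = wspc_model()
    print(number_boxes(model))
    print(check_decomposition(model) or "consistent")
    model.controls.discard("tap opening")   # a deliberately broken interface
    print(check_decomposition(model))
```

The deliberately broken variant in the main block drops ‘tap opening’ from the parent box; the check then reports that a child control enters the diagram without a matching parent arrow, which is the kind of inconsistency the actigram/datagram duality is meant to expose before an interface is built on the model.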

3.1.2. FAST

Imagined by Bithenay at the end of the 1960s, FAST [27–31] belongs to the functional tree family and comes from Value Analysis, whose objective is new product design, but it can be used to study an existing system. Indeed, the FAST model allows the sequence of functions fulfilled by a system to be represented. The FAST organization is hierarchical because when you go back up the tree to the left from a given function you obtain functions of a higher level order. On the contrary, when you go down to its right, you obtain functions of a lower level order. The FAST formalism is simple: a simple box which contains a function expressed by a verb in the infinitive with, if necessary, a complement (see Fig. 7). To build the FAST model, the departure point consists of determining the main function of the system. Then, from this main function, the search for and the determination of the other functions are possible thanks to the application of three basic questions: How, What…for and When. To translate redundancy or parallelism, one can use logic operators such as ‘OR’ and ‘AND’ (see Fig. 7). So, along the horizontal axis of the FAST diagram (see Fig. 7), functions are determined thanks to:

• The question ‘What…for’. It implies a response beginning with ‘In order to’ and isolates a function higher than the departure function.
• The question ‘How’. It calls for a response beginning with ‘By’ and isolates a function lower than the departure function.

Along the vertical axis (see Fig. 7), the functions are determined by the question ‘When’. This question is answered by a response beginning with ‘If, simultaneously’ and so corresponds to a necessary condition. If, for instance, one takes a simple vacuum cleaner, the main function is to aspire dust by creating an air flow to remove it from the local area, and this function cannot be achieved without using a bag which permits keeping the dust isolated (see Fig. 8).

3.2. Models of the water supply process control system
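The three FAST questions and the AND/OR operators of Fig. 7, applied to the vacuum cleaner of Section 3.1.2, as an added example (not the paper’s code or a transcription of Fig. 8). The functions below ‘Create an air flow’ (fan, motor, two redundant power sources) are constructed here to give the OR operator something to act on:

```python
"""A FAST function tree built with the paper's three questions (How, What for,
When) and the AND/OR operators of Fig. 7, with loss-of-function propagation
(added example; not the paper's code or its Fig. 8)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Function:
    """A FAST box: a verb in the infinitive, with an optional complement."""
    text: str
    operator: str = "AND"      # how this function's 'How' answers combine: AND or OR
    parent: Optional["Function"] = field(default=None, repr=False)
    hows: List["Function"] = field(default_factory=list)   # to the right: lower-order functions
    whens: List["Function"] = field(default_factory=list)  # vertical axis: simultaneous conditions

    def how(self, text: str, operator: str = "AND") -> "Function":
        """Answer 'How?' with 'By ...': a lower-order function on the horizontal axis."""
        child = Function(text, operator, parent=self)
        self.hows.append(child)
        return child

    def when(self, text: str) -> "Function":
        """Answer 'When?' with 'If, simultaneously, ...': a necessary condition."""
        condition = Function(text, parent=self)
        self.whens.append(condition)
        return condition

    def what_for(self) -> List[str]:
        """Answer 'What for?' by walking left: 'In order to ...' up to the main function."""
        chain, node = [], self.parent
        while node is not None:
            chain.append(node.text)
            node = node.parent
        return chain


def find(root: Function, text: str) -> Optional[Function]:
    """Locate a box by its text anywhere in the tree."""
    if root.text == text:
        return root
    for node in root.hows + root.whens:
        hit = find(node, text)
        if hit is not None:
            return hit
    return None


def is_lost(f: Function, failed: Set[str]) -> bool:
    """Loss-of-function propagation: a function is lost when it has failed itself,
    when any of its 'When' conditions is lost, when any AND-combined 'How' is
    lost, or when every OR-combined (redundant) 'How' is lost."""
    if f.text in failed or any(is_lost(c, failed) for c in f.whens):
        return True
    if not f.hows:
        return False
    lost = [is_lost(h, failed) for h in f.hows]
    return all(lost) if f.operator == "OR" else any(lost)


def render(f: Function, depth: int = 0) -> List[str]:
    """Text form of the diagram, one line per box, showing the connective."""
    lines = ["  " * depth + f.text + (f" [{f.operator}]" if len(f.hows) > 1 else "")]
    for c in f.whens:
        lines += ["  " * (depth + 1) + "if, simultaneously:"] + render(c, depth + 2)
    for h in f.hows:
        lines += ["  " * (depth + 1) + "by:"] + render(h, depth + 2)
    return lines


def vacuum_cleaner() -> Function:
    """The paper's vacuum cleaner (aspire dust / create an air flow / bag),
    extended below 'Create an air flow' with constructed functions."""
    main = Function("Aspire dust")
    main.when("Keep the dust isolated").how("Use a bag")
    flow = main.how("Create an air flow")
    flow.how("Drive the fan")
    power = flow.how("Power the motor", operator="OR")   # constructed redundancy
    power.how("Use the mains supply")
    power.how("Use a battery")
    return main


if __name__ == "__main__":
    tree = vacuum_cleaner()
    print("\n".join(render(tree)))
    print(find(tree, "Drive the fan").what_for())
    print(is_lost(tree, {"Use a battery"}), is_lost(tree, {"Use a bag"}))
```

Besides navigating the tree with How, What for and When, is_lost() propagates a loss of function upward, the estimate of consequences that Section 2.2.2 asks of a functional model: losing the battery alone leaves the main function intact because the mains supply is an OR alternative, whereas losing the bag (a ‘When’ condition) loses ‘Aspire dust’ outright.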

Fig. 8. FAST diagram of a vacuum cleaner.

M. Lambert et al. / Reliability Engineering and System Safety 64 (1999) 209–224

3.2.1. System overview
Developed by Jalasghar [32], the WSPC system consists of a water source, a centrifugal self-priming continuously variable speed pump, a non-return valve, a small membrane vessel, a pipeline, and a tap used by the consumer. The main units of the system’s control part are a pressure sensor, an adjusting knob used by the consumer, a single-chip integer-operating microcomputer, a pulse-width modulating signal generator (PWM-generator), and a frequency converter. The three latter units form the control section shown in Fig. 9. The objective of the WSPC system is to deliver a desirable water flow (indicated by the position of the tap) with a desirable pressure (indicated by the position of the adjusting knob). This is achieved by adjusting the speed of the pump in response to the pressure drop caused by opening the tap and sensed by the pressure sensor. The adjustment itself is accomplished by changing the frequency of the pump’s (its engine’s) supply voltage. As soon as the tap is opened, the pressure falls below the desirable pressure. A controller uses the open-loop process parameters, the closed-loop specifications, the samples of the pressure values from the sensor, the value of the desirable pressure, and the current frequency of the pump’s supply voltage to compute a new frequency. The PWM-generator uses the new frequency to generate three phase-shifted PWM-signals with the frequency computed by the controller. The PWM-signals are then fed to the frequency converter, which is the last unit in the control section. The converter supplies the pump’s engine with a three-phase voltage having the required frequency. This is done by first converting the mains voltage to a dc-voltage and then converting it back to ac, this time with the frequency computed by the controller and carried by the three PWM-signals. Fig. 9 shows the flow of the sensor and actuator variables through the process control system. As illustrated, the dc-voltage and the dc-current in the frequency converter are supervised in order to protect the pump’s engine.

The controller adjusts the frequency continuously by responding to every change in the pressure (caused by a change of the outflow). This is a very important feature, because the pressure variations are reduced considerably and the pressure of the outflow is hence practically equal to the pre-set one. However, this feature of the controller becomes a problem in the case of small amounts of outflow, since the pump will only stop if the tap is completely closed. In order to maintain the profitability of the plant, and hence the efficiency of the pump above a minimum level (i.e., to prevent the pump from running continuously in the case of a dripping tap), an on/off controller is used for small amounts of outflow. Within this flow region, the pump starts at a constant, relatively high speed (hence a constant large discharge flow) as soon as the pressure has decreased to the desirable one minus an extra ‘buffering’ pressure. The pump then stops as soon as the pressure has reached the desirable one plus the same buffering pressure. The membrane vessel acts as the water source during the pump’s stop period. The boundary flow value at which the shift to on/off control takes place is determined by the chosen start/stop frequency and the desirable efficiency of the pump. Since there is no flow sensor in the system, a flow estimator is used instead. The flow estimator uses the variable relationships in the process, the samples of pressure values from the sensor, and the frequency of the pump’s supply voltage to estimate the flow value. Whether to activate the frequency controller or to start the on/off controller is then decided by comparing this estimate with the boundary flow value. The frequency controller, the on/off controller and the flow estimator are all implemented in the microcomputer.

Fig. 9. The WSPC system.

3.2.2. Application of the SADT technique
Based on the description of the WSPC operation, a corresponding SADT model of actigram type has been built. An important point must be noticed: the point of view of the analysis is that of a person without concrete experience of the WSPC system, i.e. with only a bookish knowledge of it, whose objective is the use of the final models for the design of supervisory displays (monitoring, diagnosis displays, etc.). In fact, the application of FA techniques must in this case permit:

• to determine the functions of the system;
• to bring out the different modes of running;
• to split up the system into sub-systems;
• to determine pertinent variables.

So, this SADT model, composed exclusively of actigrams, has three decomposition levels (see Figs 10–14). It starts with the main function ‘To deliver a desirable water flow with a desirable pressure’ (see Fig. 10). Then, this function is broken into sub-functions, and this process is continued until the last decomposition level has been reached (level A23 of Fig. 14).
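The control strategy of Section 3.2.1 (flow estimator, boundary flow, frequency controller, on/off controller with buffering pressure, and dc supervision in the converter) as one sampling step of the microcomputer. This is an added example, not the paper’s or Jalasghar’s code; every numeric parameter, the flow-estimator relation and the proportional gain of the frequency controller are assumed values.

```python
"""Added example (not from the paper): simplified WSPC control section."""
from dataclasses import dataclass

DESIRED_PRESSURE = 3.0   # bar, position of the adjusting knob (assumed)
BUFFER_PRESSURE = 0.3    # bar, the extra 'buffering' pressure (assumed)
BOUNDARY_FLOW = 0.05     # l/s, shift to on/off control below this (assumed)
START_STOP_FREQ = 45.0   # Hz, constant relatively high speed in on/off mode (assumed)
MAX_FREQ = 50.0          # Hz, upper limit of the frequency controller (assumed)
KP = 10.0                # Hz per bar, gain of the frequency controller (assumed)
DC_VOLTAGE_MAX = 600.0   # V, supervised in the frequency converter (assumed)
DC_CURRENT_MAX = 10.0    # A, supervised in the frequency converter (assumed)


@dataclass
class ControlState:
    frequency: float = 0.0          # frequency of the pump's supply voltage (Hz)
    pump_on: bool = False
    mode: str = "idle"              # 'frequency', 'on_off' or 'tripped'
    pressure_prev: float = DESIRED_PRESSURE  # previous pressure sample (bar)


def estimate_flow(p_now: float, p_prev: float, frequency: float, dt: float = 1.0) -> float:
    """Constructed stand-in for the flow estimator (the system has no flow sensor).
    Flow grows with the supply frequency and shrinks when the pressure is
    climbing, which is what a nearly closed (dripping) tap looks like."""
    rise = (p_now - p_prev) / dt
    return max(0.0, 0.004 * frequency - 0.5 * rise)


def step(state: ControlState, pressure: float, dc_voltage: float, dc_current: float) -> ControlState:
    """One sampling period: supervise the converter, estimate the flow, then run
    either the frequency controller or the on/off controller."""
    # Protection of the pump's engine: dc quantities out of range stop the pump.
    if dc_voltage > DC_VOLTAGE_MAX or dc_current > DC_CURRENT_MAX:
        return ControlState(0.0, False, "tripped", pressure)

    flow = estimate_flow(pressure, state.pressure_prev, state.frequency)
    if flow >= BOUNDARY_FLOW:
        # Frequency controller: respond to every deviation from the set-point.
        freq = state.frequency + KP * (DESIRED_PRESSURE - pressure)
        freq = min(MAX_FREQ, max(0.0, freq))
        return ControlState(freq, freq > 0.0, "frequency", pressure)

    # On/off controller: hysteresis of +/- BUFFER_PRESSURE around the set-point.
    pump_on = state.pump_on
    if pump_on and pressure >= DESIRED_PRESSURE + BUFFER_PRESSURE:
        pump_on = False   # the membrane vessel feeds the drip until the next start
    elif not pump_on and pressure <= DESIRED_PRESSURE - BUFFER_PRESSURE:
        pump_on = True
    return ControlState(START_STOP_FREQ if pump_on else 0.0, pump_on, "on_off", pressure)


if __name__ == "__main__":
    s = ControlState()
    for p, i in [(2.5, 6.0), (2.8, 6.0), (3.35, 6.0), (3.3, 6.0), (2.6, 12.0)]:
        s = step(s, p, 540.0, i)          # constructed pressure / dc-current samples
        print(f"p={p:.2f} bar -> mode={s.mode:9s} f={s.frequency:5.1f} Hz pump_on={s.pump_on}")
```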

3.2.3. Application of the FAST technique From the description of the WSPC operation, a corresponding FAST model has been built (see Fig. 15). Unlike the SADT model, the FAST model does not have several diagrams: a single diagram permits the total translation of the process operations. However, it starts with the same main function as the SADT model, i.e. ‘To deliver a desirable water flow with a desirable pressure’. Then, the three basic questions have been applied to each new box. The stop point is reached whenever one cannot find responses to the basic questions of the FAST model.

Fig. 10. A0 level of the SADT model.


4. Discussion on the application of both techniques

4.1. Difficulties in use
Recall that techniques such as SADT and FAST are semi-formal. Consequently, for the same subject, different correct models can be built without knowing with certainty which model is the good one or, at least, the best. In fact, this kind of model leaves users sufficient freedom in its construction, and so the subjective factor introduces a supplementary dimension to its validation. That is why the validation step as a whole requires the confrontation of different points of view. Indeed, few rules remain; only some recommendations can be applied:

• As to the SADT technique, users can follow rules or recommendations concerning the coherency of the model, such as the distinction between the different types of interfaces, the numbering of boxes and diagrams, the minimal and maximal numbers of boxes per diagram, etc. By coherency, one means the application of the inheritance rule, i.e. when a datum is placed at decomposition level N, it is explicitly or implicitly present at the lower levels. However, a complementary means to check the coherency of actigrams is a confrontation between actigrams and datagrams, which is not possible in our case.
• As to the FAST technique, there are still fewer rules or recommendations. Indeed, there is only a recommendation about a simple means to verify the coherency of the model. It consists of applying, to a given function, the opposite of the question which permitted us to find it (for instance, the opposite of ‘What for’ is ‘How’), in order to check the reciprocity. However, one should not forget that redundancy and parallelism of activities are expressed through the use of the logical operators ‘OR’ and ‘AND’ respectively.

Hence, these kinds of technique require a minimum of experience. Often, experienced analysts use personal rules, better adapted to their application area.

4.2. Comparison of both techniques
A fundamental difference exists between the SADT and FAST techniques: on the one hand, the SADT technique permits a model to be obtained in which the two decomposition axes, means/end and whole/part, are relatively well separated, whereas the FAST technique mixes them. Besides, as opposed to the FAST technique, in SADT the distinction between data and activities, which are completely linked to the concept of function, is clear. Indeed, inside the SADT box there is the function (verb in the infinitive) and around this box the associated data are specified, whose nature (input, output, control or mechanism) appears directly. However, despite the differences between these two techniques, the models built supply roughly the same quantity of information: most of the functions are developed in both, and only a function such as the one linked to the membrane vessel appears only through the FAST model. So, the FAST model can be seen as better adapted to defining all the functions fulfilled by the system. On the other hand, for the description of data, the SADT model is undoubtedly more exhaustive and precise than the FAST model.

Fig. 11. A0 level of the SADT model.

Fig. 12. A2 level of the SADT model.

Fig. 13. A3 level of the SADT model.


4.3. Interests of the techniques for the design of a supervisory system
The possible uses for the SADT model are the design of a monitoring display and of a diagnosis display. For the design of a monitoring display, the A0 level of this model (see Fig. 10) supplies a global view of the system. Indeed, information relative to each function represented at this level should appear in a monitoring display. For instance, to monitor the working of the pump and its efficiency (see box A6, Fig. 11), the information to be displayed is that relative to the corresponding function. That is to say:

• The water source as input data, i.e. to display a Boolean information on the presence or absence of water.
• The desirable ac-voltage with the desirable frequency as input data, i.e. to display the ac-voltage value and its frequency value.
• The desirable water flow with a desirable pressure delivered as output data, i.e. to display the water flow value and its pressure value.
• The pump’s speed as output data, i.e. to display the speed of the pump.

For the design of hierarchical diagnosis displays, each actigram of the SADT model constitutes a view at a given abstraction level. So, each of these actigrams gives a more or less detailed view. Depending on the objectives defined by the designer for each display, a particular actigram can supply the required information. For instance, for the objective ‘To be able to diagnose a loss of function relative to the supply of energy’, the information to be displayed appears implicitly or explicitly through the interface data of the actigram of the A3 level (see Fig. 13). The FAST model (see Fig. 15) seems particularly adapted to the design of the automatic supervisory system, by applying a FMEA oriented IRHO from this model. Indeed, if we take the function ‘to pump water’ in the FAST model, we notice that the primary external cause of a loss of this function could be ‘the energy is not supplied’. The consequence of this loss of function is that the water is not delivered. Finally, this application of FA techniques to this WSPC system briefly shows the interest of these techniques in the design of supervisory systems.

Fig. 14. A23 level of the SADT model.

Fig. 15. FAST model of the WSPC.
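A small FAST model as a graph of the three basic questions of Section 3.1.2, with the reciprocity check recommended in Section 4.1 and the loss-of-function propagation used in Section 4.3. This is an added example, not the paper’s own model: the function names come from the text (the vacuum cleaner of Fig. 8 and the ‘to pump water’ / ‘energy is not supplied’ case of Section 4.3), but the links between them are assumed, not copied from Fig. 15.

```python
"""Added example (not from the paper): a minimal FAST model with checks."""
from collections import defaultdict


class FastModel:
    def __init__(self):
        self.how = defaultdict(list)   # f -> lower functions answering 'How?' ('By ...')
        self.what_for = {}             # f -> higher function answering 'What for?' ('In order to ...')
        self.when = defaultdict(list)  # f -> simultaneous necessary conditions ('If, simultaneously ...')
        self.operator = {}             # f -> 'AND' or 'OR' joining its 'How' answers

    def answer_how(self, function, lower, operator="AND"):
        self.how[function].append(lower)
        self.operator[function] = operator

    def answer_what_for(self, function, higher):
        self.what_for[function] = higher

    def answer_when(self, function, condition):
        self.when[function].append(condition)

    def check_reciprocity(self):
        """Section 4.1: apply the opposite question to every answer. Each 'How'
        link parent->child must be mirrored by a 'What for' link child->parent."""
        problems = []
        for parent, children in self.how.items():
            for child in children:
                if self.what_for.get(child) != parent:
                    problems.append(("what_for missing", parent, child))
        for child, parent in self.what_for.items():
            if child not in self.how.get(parent, []):
                problems.append(("how missing", parent, child))
        return problems

    def functions_lost(self, failed):
        """Section 4.3 (FMEA-oriented use): propagate a loss of function upward.
        A function is lost when one of its 'When' conditions is lost, when any
        'AND' means is lost, or when all of its 'OR' (redundant) means are lost."""
        lost = set(failed)
        changed = True
        while changed:
            changed = False
            for f in set(self.how) | set(self.when):
                if f in lost:
                    continue
                means = self.how.get(f, [])
                if self.operator.get(f) == "OR":
                    means_lost = bool(means) and all(m in lost for m in means)
                else:
                    means_lost = any(m in lost for m in means)
                cond_lost = any(c in lost for c in self.when.get(f, []))
                if means_lost or cond_lost:
                    lost.add(f)
                    changed = True
        return lost


def wspc_model():
    """Constructed fragment of the WSPC FAST model (links are assumptions)."""
    m = FastModel()
    deliver = "To deliver a desirable water flow with a desirable pressure"
    m.answer_how(deliver, "To pump water")
    m.answer_what_for("To pump water", deliver)
    m.answer_when("To pump water", "To supply energy")
    return m
```

Running `wspc_model().functions_lost({"To supply energy"})` reproduces the Section 4.3 reasoning: losing the energy supply loses ‘To pump water’ and, through it, the main function, i.e. the water is not delivered.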

5. Conclusions
Through this paper, the main functions and characteristics of supervisory systems for highly automated processes have first been presented through a general description. Then, a way to express more objectively the notion of the HO’s information requirement has been exposed by means of an indicator called ‘Information Power’. In fact, this indicator can be a useful tool for the design of supervisory interfaces, particularly for hierarchical supervisory interfaces. In the design of a supervisory system, the difficulty lies in the capacity both to represent the process faithfully and to provide the designers with usable information. In fact, a supervisory system must take into account the physiological and cognitive features of the supervisory operator, because a mismatch between the supplied information and the operator’s information requirement is dangerous. So, to be more efficient, the design of a supervisory system should be human centered. To reach this objective, FA techniques seem to be a promising way, because the major advantage of these kinds of techniques lies in the concepts of function and abstraction hierarchy, which are familiar to the HO. These techniques permit the complexity of a system to be overcome. In this paper, the application of two FA techniques, SADT and FAST, to a real system, the WSPC system, generates a source of useful information for the design of a supervisory system (monitoring and diagnosis displays, definition of alarms, etc.). So, research into the application of FA techniques for the design of a human centered supervisory system must be intensified in order to solve several difficulties and to improve their efficiency (tools to build the model, tools to check the validity of the model, etc.).

References
[1] Millot P. Supervision des procédés automatisés et ergonomie. Paris, France: Hermès, 1988.
[2] Rouse WB. Models of human problem solving: detection, diagnosis and compensation for systems failure. Automatica 1983; 19(6).
[3] Moray N. Monitoring behavior and supervisory control. In: Kaufman L, Thomas J, editors. Handbook of perception and human performance, vol. 2. New York: K. Boff, 1986, chapter 40: 40–6.
[4] Sheridan T. Forty-five years of man machine systems: history and trends. In: Proceedings of the Second IFAC Conference on Analysis, Design and Evaluation of Man Machine Systems, Varese, Italy, 1985.
[5] Rasmussen J. The role of hierarchical knowledge representation in decision making and system management. IEEE Transactions on Systems, Man and Cybernetics 1985; SMC-15(2).


[6] Debernard S. Contribution à la répartition dynamique de tâches entre opérateur et système automatisé: application au contrôle du trafic aérien. PhD dissertation, Université de Valenciennes et du Hainaut-Cambrésis, Valenciennes, France, 1993.
[7] Lejon JC. L’évolution de la conduite sur S.N.C.C. Dunod, Point de repère, 1991.
[8] Goodstein LP. An integrated display set for process operators. In: IFAC Congress Analysis, Design and Evaluation of Man–Machine Systems, Germany, 1982.
[9] Vittet J. Eléments pour une conception intégrée des salles de contrôle. PhD dissertation, Université Scientifique et Médicale de Grenoble, Grenoble, France, 1981.
[10] Modarres M. A pragmatic approach to a function-centered ontology of complex physical systems. Internal document, Center for Reliability Engineering, Department of Materials and Nuclear Engineering, University of Maryland, USA, 1993.
[11] Fadier E, Artigny B, Chollet M-G, Garoff-Mercier C, Poyet C, Drozdz-Verly C. L’état de l’art dans le domaine de la fiabilité humaine. Institut de Sûreté de Fonctionnement (ISdF), Octarès, 1994.
[12] Lambert M, Riera B, Martel G. Design of a new interface for the supervision of a nuclear fuel reprocessing system. In: Proceedings of the Sixth European Conference on Cognitive Sciences Approaches to Process Control, Baveno, Italy, 1997: 195–9.
[13] Lambert M, Riera B, Vilain B. Application of some functional analysis techniques on a nuclear fuel reprocessing system. In: Proceedings of the Fifth International Workshop on Functional Modeling of Complex Technical Systems, Paris, France, 1997.
[14] Beuthel C, Boussoffara B, Elzer P, Zinser K, Tiben A. Advantages of mass-data-display in process S & C. In: Proceedings of IFAC Analysis, Design and Evaluation of Man–Machine Systems, MIT, Cambridge, USA, 1995: 439–44.
[15] Dziopa P. Représentation multi-modèle pour la supervision de procédés industriels continus. PhD dissertation, Institut National Polytechnique de Grenoble, Grenoble, France, 1996.
[16] Gentil S, Evsukoff A, Montmain J. Les systèmes flous pour l’aide en ligne aux opérateurs. In: Proceedings of ‘6ème Congrès Français de Génie des Procédés’, Groupe Français de Génie des Procédés, Récents progrès en génie des procédés, Simulation des procédés et automatique, Paris, France, 1997; 11(6): 121–6.
[17] Poncelet P. L’analyse fonctionnelle est trop négligée en France. In: Industries et techniques, France, 1993: 739.
[18] Chatain JN. Diagnostic par système expert. Paris, France: Hermès, 1993.
[19] Lind M. Representing goals and functions of complex systems—an introduction to Multilevel Flow Modeling. Technical report, Institute of Automatic Control Systems, Technical University of Denmark, Lyngby, Denmark, 1990.
[20] Modarres M. Functional modeling of complex systems using a GTST–MPLD framework. In: Proceedings of the First International Workshop on Functional Modeling of Complex Technical Systems, Ispra, Italy, 1993.
[21] Villemeur A. Sûreté de fonctionnement des systèmes industriels: fiabilité, facteur humain, informatisation. Paris, France: Eyrolles, 1988.
[22] Riera B, Vilain B, Millot P. A proposal to define and to treat alarms in a supervision room. In: Proceedings of the Sixth IFAC Congress of Analysis, Design and Evaluation of Man–Machine Systems. Cambridge, MA: MIT, 1995.
[23] Ross D. Structured Analysis (SA): a language for communicating ideas. IEEE Transactions on Software Engineering 1977; 3(1).
[24] IGL Technology. SADT: un langage pour communiquer. Paris, France: Eyrolles, 1989.
[25] Lissandre M. Maîtriser SADT. Paris, France: Albert Colin, 1990.
[26] Pierreval H. Les méthodes d’analyse et de conception des systèmes de production. Technologie de pointe. Paris, France: Hermès, 1990.
[27] Delafollie G. Analyse de la valeur. Paris, France: Hachette Technique, 1991.
[28] Zwingelstein G. Diagnostic des défaillances—théorie pratique pour les systèmes industriels. Paris, France: Hermès, 1995.
[29] Zwingelstein G. La maintenance basée sur la fiabilité—guide pratique d’application de la RCM. Paris, France: Hermès, 1996.
[30] Vogin R. Présentation de l’Analyse Fonctionnelle: C’est quoi? et pourquoi l’utiliser? In: ‘Publications CETIM’, Conférence sur l’analyse fonctionnelle au service de la qualité, France, 1995.
[31] Hickling EM, Harvey JG, Hollywell PD. The consistent and structured definition of process plant HCI-based tasks using the ‘PAGODA’ method. In: Proceedings of the Ergonomics Society’s Annual Conference, Birmingham, England, 1992: 275–83.
[32] Jalasghar A. Applications of functional modeling in control systems. In: Proceedings of the Third International Workshop on Functional Modeling of Complex Technical Systems, College Park, MD, USA, 1995.
