- 1:45 PM
60d

Human Model-Based Dynamic Evaluation for Alarm System in Chemical Plant

Xiwei Liu, Masaru Noda, and Hirokazu Nishitani. Graduate School of Information Science, Nara Institute of Science and Technology, Systems and Control Lab. 8916-5 Takayama-cho, Ikoma-shi, Nara-ken, Japan, Ikoma, 630-0192, Japan

With the advances in computer control of chemical processes, low-level control actions such as opening or closing a valve, which used to be performed by human operators, are now routinely performed by computers or instruments. However, the important control tasks are still manual operations performed by human operators. These involve tasks of responding to abnormal events such as alarm messages and flashing icons. Statistics shows that in Japan's chemical plants there are commonly 200 alarms per day per operator [1]. Consequently, designing an effective alarm system is an important task for the safety of plant operations.

According to the principles of user-centered design, the viewpoint of the human operator should be primarily regarded in the design and evaluation of alarm systems and user panels. However, in the evaluation stage, since humans have advanced capabilities of adaptation and learning, a subject's performance and evaluation may be unstable for the same research object at different times. A promising solution to this problem is the human-model-based evaluation approach, which is widely used in the domains of aircraft piloting, car driving, and plant operation. Because the human being is a complex research object, human models or cognitive modeling involves a variety of viewpoints such as memory, cognition, and human errors [2]. Currently there is no all-purpose model or framework covering all of these viewpoints. A human model is typically developed for a certain research topic from one viewpoint. In this research, we propose a human model as a virtual subject that substitutes for an operator. Based on this model, fault detection and identification (FDI) performance is investigated and cognitive obstacles and workloads are revealed for different designs of an alarm system in a boiler plant simulator.

In light of the model human processor proposed by Card et al. [3], we built a research framework of a human-machine system, which includes a human-machine interface (HMI) model, a human model, and an attention-resource model. The HMI model contains static and dynamic information of all user panels such as numbers, icons, layouts of user panels, and responses to key presses and mouse clicks. In the dynamic evaluation, the process is investigated in an emergency, and the process variables are updated every second by communication with a plant simulator. By reconstructing the HMI model according to different design schemes, we can evaluate and compare these schemes.

The human model is a metaphor of a human operator as an information processing system, which typically consists of a perceptual processor, short-term and long-term memories, a cognitive processor, and a motor processor. In every evaluation scenario, the virtual subject's main tasks are routine monitoring and fault diagnosis. The perceptual processor mainly concentrates on a certain few items or areas that are determined by the virtual subject's knowledge bases. After capturing a target item, the perceptual processor directly transfers it into the short-term memory (STM). Three knowledge bases (KBs) for variable information (VI), failure-symptom relation (FS), and alarm management (AM) are built in the long-term memory (LTM). VI-KB includes color, position, and the normal range of each process or control variable on the user panels. FS-KB contains all of the known failures with these symptoms as a bipartite graph. Once a malfunction occurs, several process variables change outside of their normal ranges. These abnormal changes are symptoms of some failure cause. We defined upper and lower limits to assess the trends of a process variable. AM-KB includes responses to alarm messages. Two procedures for normal state monitoring (NSM) and abnormal state supervising (ASSP) are built-in, as well as knowledge bases. NSM simply defines a scanning sequence when the plant is in the normal state before detecting the first abnormality.

The ASSP procedure is listed below: 1) Detect an alarm. 2) Search in FS-KB and reject some failure causes according to the alarm. 3) Obtain a set of possible failure causes based on the alarm messages and FS-KB. 4) Select the possible failure cause whose AS value is largest among the set of available failure causes. 5) Confirm symptoms related to the selected failure cause in the descending order of AS. 6) Total AS values if the corresponding process variable matches the symptom and the identification ends when the total AS is larger than a threshold. 7) If the corresponding process variable does not match the symptom, reject the selected failure cause and return to step 4). If all possible failure causes are rejected, return to step 3).

To simplify user interface evaluation, we assume the human model never errs due to lack of knowledge. The KBs and procedures are created according to process risk analyses, operational experience, and expert reviews. The cognitive processor searches the needed information from LTM, judges the abnormality of a process variable, and sends commands to a motor processor. The motor processor executes the commands from the cognitive processor to control gaze point or to push a button. The attention resource model is employed to estimate physical and mental workloads and, accordingly, to allocate limited attention resources for each element of the human model.

After causing a malfunction in the boiler plant simulator, the virtual subject will detect the first symptom from an alarm message or a routine NSM procedure. Based on the knowledge bases and procedures, FDI is automatically performed, and the behavior track is recorded. These behaviors in the FDI process are classified into physical and mental subtasks. Physical subtasks include gaze point movement and finger movement. Mental subtasks includes perception, cognition, STM, and LTM activities: for example, reading an alarm message, remembering a previous alarm, searching in a KB, and rejecting a failure cause are perception, STM, LTM, and cognition subtasks, respectively. An operational stage is defined as a set of processes in the sequence of perception, short-term memory, cognition, long-term memory, and physical subtask, which has and only has a certain goal, begins from a perception subtask or cognitive search, and ends at physical subtask, STM subtask, or cognitive judgment.

The physical workload for these subtasks is assessed by the magnitude of motion; for example, keyboard input workload is assessed by the number of key presses. On the other hand, the mental workload for perception, cognition, STM, and LTM subtasks are scaled to several levels according to the required information of the subtasks, human subject experiments, and expert questionnaires by referring to the VACP workload method [4]. The workload index is a vector that includes the five elements for perception, cognition, physical, STM, and LTM subtasks, and it is updated at each operational stage.

The following criteria are considered to evaluate FDI performance: 1) Number of operational stages, 2) Total shift distance of mouse cursor, 3) Total shift distance of eye movement, 4) Required time to identify a failure cause, and 5) Changes in mental and physical workload.

As an illustrative example, the virtual subject was applied to a boiler plant simulator, which is a dynamic distributed control system. A failure cause—fuel tube leak—was caused, and the FDI process was recorded. The cognitive threshold for identifying a failure cause was set as 0.9. In the original alarm system, there are 187 operational stages. From the FDI track, we found alarm limits of several process variables—fuel-flow rate, drum pressure, and furnace pressure should be defined for better performance. After we tuned these alarm limits several times, the new alarm settings decreased the number of operational stages to 156 without a nuisance alarm.

In this research, we presented a human model with FDI knowledge for a boiler plant simulator. In an emergency, the virtual subject mimics a human operator's behavior to detect and identify failure causes. By running simulations, the effectiveness of an alarm system could be evaluated and improved.

References [1] Plant Operation Subsection, System Information Simulation Section, Society of Chemical Engineers, Japan: Questionnaire report about plant operations and technology transfer (2005). [2] J. Tanji, K. Monta, J. Kawai, T. Masui, and I. Ezaki: Evaluation method of human-system interface for nuclear power plants, Proceedings of CSEPC 2000, Taejon, Korea, pp. 233-240 (2000). [3] S. K. Card, T. P. Moran, and A. Newell: The Psychology of Human-Computer Interaction, Lawrence Erlbaum Associates, London (1983). [4] J. H. McCracken and T. B. Aldrich, Analyses of selected LHX mission functions: Implications for operator workload and system automation goals, Technical Note ASI479-024-84, Army Research Institute Aviation Research and Development Activity, Fort Rucker, AL (1984).