Development of an analysis support system for man-machine system design information


Pergamon

PII: S0967-0661(97)00019-1

Control Eng. Practice, Vol. 5, No. 3, pp. 417-425, 1997. Copyright © 1997 Elsevier Science Ltd

Printed in Great Britain. All rights reserved. 0967-0661/97 $17.00 + 0.00

DEVELOPMENT OF AN ANALYSIS SUPPORT SYSTEM FOR MAN-MACHINE SYSTEM DESIGN INFORMATION

H. Yoshikawa*, T. Nakagawa**, Y. Nakatani**, T. Furuta*** and A. Hasegawa***

*Graduate School of Energy Science, Kyoto University, Japan

**Industrial Electronics and Systems Development Laboratory, Mitsubishi Electric Corporation, Japan

***Institute of Human Factors, Nuclear Power Engineering Corporation, Japan

(Received September 1996; in final form January 1997)

Abstract: An integrated software system has been under development, aimed at analyzing and evaluating the effectiveness of man-machine system design, by computer simulations from various viewpoints of human factors. The target software system consists of two functional blocks: (i) a distributed simulation system for man-machine interaction at the man-machine interface, and (ii) a man-machine design information evaluation system. In this paper, the configuration of the distributed simulation system is first introduced, followed by an explanation of how the operator simulator model is organized, using a Petri-net model. An example simulation is also presented for the man-machine interaction at a PWR LOCA accident using the developed system.

Copyright © 1997 Elsevier Science Ltd

Keywords: Man/machine systems, man/machine interaction, man/machine interfaces, human factors, human error, cognitive systems

1. INTRODUCTION

Owing to the recent progress in computer control, in information processing and in human interface devices, the design of instrumentation and control (I&C) systems for various plant systems is rapidly moving toward fully digital I&C systems with an increased proportion of automation. This is known as "supervisory control" (Sheridan, 1992) in man-machine systems (MMS). The problems of I&C system design these days have centered on how to evaluate the man-machine interface (MMI) design from various human factors viewpoints, such as (i) the appropriateness of the operators' role in the man-machine system, (ii) an evaluation of its effectiveness for the operator's task fulfilment, and (iii) an evaluation of the impact on human reliability of the introduction of a new operating procedure.

The authors have made a preparatory analysis, aimed at understanding the human-machine interaction structure in the existing emergency operating procedure of a nuclear power plant (Yoshikawa, et al., 1992). This was done using a graphical task-analysis procedure which is comprised of (i) a task transition diagram, (ii) a hierarchical task analysis diagram, (iii) a crew organization and communication diagram as the input information for analysis, with (iv) an action mode analysis table as the output product. From this desk-top analysis (which has been the traditional procedure in human factors analysis), the authors have proceeded to the development of a computer-aided, simulation-based evaluation support system, for the predictive analysis of man-machine system design from various viewpoints of human factors, especially centering on the "cognitive mismatch in human-machine interaction". The authors have named this system SEAMAID (Simulation-based Evaluation and Analysis support system for MAn-machine Interface Design). The whole software system is now under development, the principal functional parts of which are divided into two sub-systems: the distributed simulation system and the man-machine design information evaluation system. The distributed simulation system is the back-end simulation system for all the three types of behavior concerned in a total man-machine system, i.e., the plant behavior, the behavior of the man-machine interface equipment, and the operator's cognitive behavior. On the other hand, the man-machine design information evaluation system is the front-end analysis support interface for both qualitative and quantitative evaluations of the causes and consequences of potential human errors resulting from a cognitive mismatch between the information perceived by the operator and the information presented through the man-machine interface.

[Figure 1: block diagram. Labels: Distributed Simulation System; MMI Design Information Evaluation System; Database; Plant Simulator; Analyzer; Analysis table of Potential Human Error; Data flow; System Control; Database Access; Total System Manager; Operation.]

Fig. 1. Configuration of the SEAMAID system

In this paper, the methodology for organizing the distributed simulation system will be presented, highlighting the modeling and simulation of the operator's cognitive behavior at the man-machine interface using a Petri-net model (Peterson, 1981).

2. DISTRIBUTED SIMULATION SYSTEM

Integrated dynamic simulation of the man-machine system as a whole provides a straightforward and thus effective tool for the predictive analysis of the cognitive mismatch between the behavior of the operator and that of the plant system. Regarding the plant system simulation, the related modeling methods and computer simulation techniques have been studied in the area of traditional system engineering, and many plant simulators are available as software tools.

Concerning the behavior of the human element, this is completely different from the modeling of the machine elements with respect to the principles and mechanisms of behavior, and it is very difficult to model human cognitive behavior at the man-machine interface. The authors have applied Petri nets for the modeling of human cognitive behavior, because of the ease with which they can be used to organize the distributed simulation system concerned, considering a variety of levels of human models, from a fairly simple one to a more elaborate one, in order to implement the whole system gradually. The authors are now developing the initial phase of the operator simulator using a Petri-net model which still takes account of the necessary psychological factors in operator cognitives such as perception, cognition and motor actions, with different mechanisms of human memory. The details of the modeling framework, the simulation method and the current status of development will be described separately in Section 3.

Apart from the problem of human modeling mentioned above, a model of the man-machine interface will be needed for an integrated simulation of the man-machine interaction. This should be an abstract model of the real man-machine interface equipment (i.e., the control board), that can effectively interface the model parameters in the simulators of both the plant and the operator. For this purpose, a "Man-Machine Interface (MMI) simulator" is being developed as a kind of on-line knowledge database model. By using this MMI simulator, multifaceted conditions of the man-machine interface equipment (with respect to structural configuration, topological relationship, functional characteristics, etc.) are modeled by a knowledge database with a hierarchical frame representation. The dynamic information elements coming from and going to both simulators can be included in the appropriate slots of the frames, and can be updated from time to time during the dynamic simulation.

To sum up, the computer simulation of the man-machine interaction will be organized by a distributed architecture consisting of the three simulators: plant simulator, operator simulator and MMI simulator. Figure 1 summarizes the general idea of this distributed simulation system, with the information flow among the three different simulators.

3. OPERATOR SIMULATOR

3.1 Conceptual framework of a human model using Petri nets

Reason, who viewed humans as "fallible machines", proposed a general framework of human modeling which will be able to predict not only the right human performance, but also possible forms of human error (Reason, 1990). This is the product of conceptual aggregation from the existing knowledge in the field of cognitive psychology, and from his thinking; the general idea of how to model human cognitives at the man-machine interface can be summarized as shown in Figure 2.

[Figure 2: block diagram. Labels: outer world information; semantic interpreter; cognitive filter; filtering of input information from the man-machine interface by perception processing; PWM (unconscious world): background information storage for conscious processing, parallel processing, information elements with conspicuous saliency highlighted; FWM (conscious world): attentional and serial processing, deductive reasoning, abductive reasoning, maintenance of context vs. change of priority of action, information chunking as mechanism of information compression; KB: receive/select mechanism for KB contents, similarity matching, unconscious change of activation level of KB units, buffer, calling condition (2-3 words) to KB, execution of action program when activation level becomes high; two kinds of KB: KB with action program, KB without action program.]

PWM: Peripheral Working Memory; FWM: Focal Working Memory; KB: Knowledge Base (Long-term Memory)

Fig. 2. Conceptual framework of a human model for the man-machine interface problem

Many simulation studies have been published thus far for modeling human cognitive behavior, and most of them apply AI techniques using blackboard architectures. However, the authors set out to develop an operator simulator model by applying a Petri-net model because of the following considerations involved in implementing the general framework in Figure 2 in an efficient, distributed simulation system:

(1) The need to model both serial processing (conscious processes) and parallel processing (unconscious processes),

(2) The need to describe "chunking" of the knowledge structure in a hierarchical way,

(3) The need to visualize state transitions in cognitive processes,

(4) The ease of modeling the interaction between cognitive processes and outside information through the MMI simulator,

(5) The ease of handling the knowledge-base structure (updates and upgrades) to meet the analysis objectives flexibly, and

(6) The need to estimate various performance measures (such as the mental workload index).

The advantage of applying a Petri-net lies in its capability to describe state transitions by the use of "places" and "transitions", where both serial and parallel processes can be mixed, and the structure and the dynamic process of state transition can be comprehensively visualized on graphical displays.

However, problems remain if the Petri-net model is applied for formulating the conceptual model as described in Figure 2. The most important point is that the distinction between the "processing mechanism" and the "data structure" is not necessarily clear from Figure 2, because it is a rather crude picture of how human cognitives work as a whole. Therefore the general idea in Figure 2 must be restated in a more workable formulation, to construct a human model by means of a Petri-net model.

At the moment, the authors are thinking of translating it into the system architecture as shown in Figure 3, where the overall functions of human cognitives are divided into a perception process, a FWM process and a KB retrieval process.

The area labeled PWM is the background palette area of information elements coming from the perception process, and from the KB database, while FWM signifies the conscious processing of the information elements from PWM. The KB database corresponds to long-term memory.

The important functions in the FWM processing are:

(i) Prioritization of incoming information elements which come from the perception system and the KB database, by assigning an "Importance Index". (The information elements with high priorities are those with "high saliency", from the perception system all the way through the semantic interpreter and cognitive filter, and spontaneously activated knowledge elements with a "high activation level" in the KB database. The information elements or words with a high "importance index" correspond to "calling conditions" in Figure 2).

(ii) Retrieval of information elements from the KB database by keyword searches using the calling condition.

(iii) An inference function at the FWM, interacting with the KB database, and keeping the appropriate context.

(iv) A chunking function, of both the information elements activated in the FWM during the attentional process and the knowledge elements in the KB database which are "theorized" unconsciously as learning or experience accumulates.

If the cognitive process bypasses the FWM and the action is made only through the PWM palette, then this process will be a "skill-based process", and if the process is on the FWM but follows just the procedural knowledge base in the KB database with no further inference mechanism being triggered, then it will be a "rule-based process". Otherwise, it will be a "knowledge-based process".

The function of each unit at the current development status can be summarized as follows.

a) Shared Memory 1: the communication area from the MMI Simulator to the Operator Simulator. There are two types of information; (i) alarm information, and (ii) the focused MMI information.

b) Shared Memory 2: the communication area from the Operator Simulator to the MMI Simulator. There are two types of information; (i) information on how the operator manipulates, and (ii) MMI information, on which the operator is focusing.

c) Perception Process: this gets all the information from around the operator through Shared Memory 1, transforms it to information elements, and sends each information element to the PWM (Peripheral Working Memory).

d) PWM: a temporary area holding information elements from the MMI simulator or the KB (Knowledge Base) database. The information in the PWM is processed unconsciously.

e) FWM process: the functions are (i) transporting information elements from PWM to FWM (Focal Working Memory), (ii) prioritizing information elements in the FWM area, by assigning an "Importance Index" which is calculated from a "saliency" or an index of similarity with the focal information, (iii) a chunking function for the information elements in the FWM, and (iv) an inference function at the FWM with interactions with the KB database to maintain the context.

f) FWM: a limited space; the information in it is processed consciously.

g) KB Retrieval process: retrieval of information elements from the KB database using keywords coinciding with information highest on the "importance index".

h) KB Database: this corresponds to long-term memory. The authors used a Petri-net model to model the KB database.

[Figure 3: block diagram. Labels: Plant simulator; MMI simulator; alarm information and instruments information (to the operator simulator); operator action and operator's position (from the operator simulator); Operator Simulator containing the Perception Process, PWM (Unconscious World) and the Conscious World.]

Fig. 3. Configuration of the operator simulator

Items and contents:

Information Content: Which does what?

Importance Index: Priority measure of processing

Information Source: Perception System, Knowledge-Base, FWM processing

Status of KB Processing: Processing is needed. Processing is finished. Processing is failed. Processing calls other rules. Processing is unknown.

Relationship with Other Information

Fig. 4. Information elements for the FWM

3.2 Petri-net model of the cognitive system

The Petri-net modeling of a part of cognitive system has been conducted using rather simpler modeling assumptions than those required for the final targets as mentioned above: only rule-based procedural processes with a single calling condition (single word). The definition and expression of the ordinary Petri net (Peterson, 1981) has been extended in order to represent the operator's knowledge.

The items and contents of the information elements in the FWM are shown in Figure 4, while the method of converting a given operating procedure into the Petri-net model, as information elements in the KB database, is illustrated in Figure 5. This is a part of the operational procedure for diagnosing small leak LOCA in PWR. In the ordinary Petri-net, places and transitions mean the states and the events of a system respectively. In order to represent the operator's knowledge based on this method, the places must represent the information for each task in the operation procedure. But considering the character of long-term memory, the Petri-net should represent not only the cause and effect relations between the information, but also an activated level for each item of information. Therefore, the representation method of Petri nets is extended as follows.

a) Place: this represents the information corresponding to the operator's tasks.

b) Transition: this represents a relation of cause and effect between the items of information.

c) Hierarchical place: this is created to represent some information which corresponds to hierarchical tasks.

d) Token: several types of token are created, to represent the status of the place.

[Figure 5, operating procedure panel]

Operating Knowledge for Diagnosing Small Leak LOCA in PWR after Alarm Triggering

If Alarm A is triggered, then question whether Accident-type A, Accident-type B, or False Alarm.

And if Instrument X is low and Instrument Y is low, then Judge as Accident-type A.

And if Instrument Y is low and Instrument Z is low, then Judge as Accident-type B.

If neither Accident-type A nor Accident-type B, then judge as False alarm, and push Alarm Confirm Button and ignore the alarm.

[Figure 5, KB Database panel: Petri net. Place labels: Recognize Alarm A; Assume Accident-type A; Confirm Instrument X; Judge as Accident-type A; Assume Accident-type B; Confirm; Judge as Accident-type B; Assume False Alarm; Push Alarm Confirm Button; Ignore Alarm. Legend: Simple Place; Hierarchical Place. Expansion of the hierarchical place Confirm Instrument: Remember Instrument Position; Move to Instrument Position; Read Instrument; Judge Instrument; End of Confirm.]

Fig. 5. Method of converting operating procedure to Petri-net model as KB database

Type of token, status of place, and meaning:

"Candidate" for Action: If the place content which is already in a "Candidate" state agreed with the request from FWM, then the token of this place will take the "Finished" state, after the action succeeds. But if the action failed, the token takes the "Failed" state. As soon as the upstream transition is fired, the place takes the "Candidate" state and the information content of the place is sent to PWM. (If the place is the initial one of the Petri-net sequence, it is assumed to have "Candidate" status in initial condition.)

Action "Finished": When the place reaches this state, then the direct downstream transition of this place is checked as to whether or not it satisfies the firing condition. If it fires, then the output places of this transition reach the "Candidate" state. As soon as the place is found to shift from "Candidate" to "Finished" status following a request from FWM, the status flag of the information element in FWM is requested to change from "Needed" to "Finished".

Action "Failed" (X): When the place reaches this state, the status flag of the information element in FWM is requested to change from "Needed" to "Failed". No firing of the downstream transition occurs ordinarily, but the downstream transition can fire only if this place is connected by an arc with a crossing mark attached.

None: The place with this token state is outside the FWM search.

Fig. 6. Types of tokens, and their meanings

As seen in Figure 5, there are two types of places: simple places, indicated by single circles, and hierarchical places, by double circles. Note that a statement label attached to each place is a statement of the specific action to be taken. The contents of a hierarchical place will be further expanded, like the sequence of places and transitions shown at the bottom of Figure 5. The transitions are indicated by perpendicular bars, as shown in the same figure.

There are four types of tokens for places, as explained in Figure 6. If all the places connected to a transition in an upstream direction take the "finished" state, then the transition will fire, and all the places downstream take the "candidate" state. The state of a place changes from "candidate" to "finished", if the content of an information element being attended to (highest importance index in the FWM list) agrees with a statement label from among the places with "candidate" state.

The way in which PWM, FWM and the KB database work together in the cognitive system is illustrated in Figure 7. The sequence of transitions is as follows:

(1) In the KB database, "Alarm-A" is already in the "candidate" state. The perception process gets the alarm information and notifies the FWM process.

(2) The FWM process translates this information to information element "Alarm-A occurred", and transports it to the FWM and prioritizes all information elements in the FWM to comply with the importance index. In this situation, this information element has the highest "importance index" vector in the FWM, so that the most urgent action in the FWM is "Alarm-A occurred".

(3) Then, the KB retrieval process starts an information search of the KB database using the keyword "Alarm-A occurred". The search of the KB database finds that the place "Alarm-A occurred" with "candidate" state agrees with the keyword. Then this place will be activated.

(4) The token of this place changes to the "finished" state in the meantime, and the downstream transition fires. Then all the places downstream of the transitions become "candidate" states. Afterwards, information about those status changes in the KB database is sent back to PWM.

(5) The FWM information contents can be altered to "Alarm-A Finished", "Supposing an accident-B NEEDED", and "Supposing an accident-C NEEDED". Then these items of information coming from the KB database have a high similarity because they are from downstream of the previous focal information in the same Petri-net, and the FWM process gives them a high "importance index".

[Figure 7: block diagram with steps (1) to (5). Labels: Perception Process; PWM (Unconscious World); FWM Process; FWM (Conscious World); KB Retrieval process; KB Database; information elements "Alarm-A occurred" and "supposing an accident-C".]

Fig. 7. Control algorithm on how the PWM, FWM and KB databases work together in the cognitive system

Concerning the prioritizing of this information, rules for calculating the "importance index" have been set as follows: regarding saliency, if an alarm has occurred, the alarm information has the highest importance index. Regarding similarity, if the information came from a place downstream of the focal information at that time, that information has a higher importance index. Regarding frequency, the analyst can set a level of frequency for each place, to represent frequency gambling. If the analyst wants an operator model to have experience of a certain accident, the analyst can set a high value for frequency gambling into the place concerned with that accident.

4. EXAMPLE SIMULATION

The authors examined the distributed simulation system as it has been developed so far, to find out whether the required functions worked properly. The functions of the plant simulator in the distributed simulation system are the same as a real operator training simulator for a nuclear power plant.

A small coolant leak accident has occurred in a PWR type nuclear power plant. The operator simulator can consider the frequency gambling proposed by Reason. By changing the parameter which represents frequency gambling, two types of simulation have been conducted.

When such a coolant leak accident occurs, the real operator immediately suspects a primary loop boundary break and knows that the coolant is leaking after he recognizes certain alarms. The way of describing the operator's diagnosis for small leak LOCA by the Petri-net has already been illustrated in Figure 5. In this situation, the operator has to find where in the plant the coolant is leaking from. He recalls that leaks have occurred in the steam generator (SG) and in the compression vessel (CV). He then decides which one to inspect first. In this situation, the index of frequency gambling for the two hypotheses influences his decision. (Note that there are two alternative paths of arc-A and arc-B for accident-type determination in Figure 5.)

In one case, a high-frequency parameter for suspecting a leak in the CV has been set, and in another, a high-frequency parameter for suspecting a leak in the SG has been set. The correct situation is a leak in the CV.

The result of the execution in which a leak in the CV is suspected with a higher-frequency parameter is displayed in Figure 8. The result of the other execution is displayed in Figure 9.

The graph in the upper parts of Figures 8 and 9 displays the trend of the pressurizer level, charging flow and letdown flow, which are selected in order to clarify the plant situation and the operator's behavior. The graph in the middle part displays the number of contents of the FWM. The graph in the lower part displays the sequential operator action executed by the operator simulator.

[Figures 8 and 9: time plots. Panel titles: "Case 1: plant parameter transition when inspecting LOCA is high level of frequency" and "Case 2: plant parameter transition when inspecting leak in SG is higher level of frequency". Curves: pressurizer level, charging flow, letdown flow. Middle panels: content of FWM.]

Fig. 8. Example simulation (Case 1)

Fig. 9. Example simulation (Case 2)

In the case of Figure 8, the operator simulator identified the alarm, and correctly determined the coolant leak in the CV. In order to maintain the pressurizer water level, it started the B and C charging pumps. These actions are adopted with the operating procedure. As a result, the charging flow increased. After that, it began the emergency load down and completed it.

In the case of Figure 9, after the operator identified the alarm, it suspected that the coolant leak had occurred in the SG because of the setting of the frequency parameter. It tried to confirm the leak in the SG, but could not succeed in the confirmation and therefore rejected it. Then it inspected the CV and confirmed the leak. Although it executed the same sequential operator actions after confirmation, these operations were delayed compared with Figure 8.

In the above two cases, each task sequence was generally in good agreement with the real operator's action sequence.

In the middle part of Figure 9, the operation can be divided into two parts; diagnosing what happened (10 seconds - 115 seconds) and coping with the accident (115 seconds - 215 seconds). The number of contents of the FWM increases in two parts. These curves mean that this system can simulate a chunking mechanism.
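The token rules of Section 3.2 and the two frequency-gambling cases above can be reproduced with a small model. This is an added example, not the SEAMAID code: the importance-index weights (100 for saliency, 10 for similarity), the frequency values, the place labels and the `act` stand-in for the plant and MMI simulators are assumptions, and hierarchical places are not modeled.

```python
from dataclasses import dataclass

NONE, CANDIDATE, FINISHED, FAILED = "none", "candidate", "finished", "failed"

@dataclass
class Place:
    label: str               # statement label: the action to be taken
    alarm: bool = False      # saliency: alarm information ranks highest
    frequency: float = 0.0   # analyst-set frequency-gambling level
    state: str = NONE        # token state of the place

@dataclass
class Transition:
    inputs: tuple            # upstream places that must be FINISHED
    outputs: tuple           # downstream places that become CANDIDATE
    crossed: tuple = ()      # crossing-mark arcs: places that must be FAILED
    fired: bool = False

class KnowledgeBase:
    def __init__(self, places, transitions, initial):
        self.places = {p.label: p for p in places}
        self.transitions = transitions
        self.places[initial].state = CANDIDATE  # initial place starts as candidate

    def downstream_of(self, label):
        return {o for t in self.transitions
                if label in t.inputs or label in t.crossed for o in t.outputs}

    def importance(self, place, focal):
        # Assumed weights: saliency > similarity > frequency gambling.
        similar = focal is not None and place.label in self.downstream_of(focal)
        return 100.0 * place.alarm + 10.0 * similar + place.frequency

    def fire_enabled(self):
        for t in self.transitions:
            ready = (all(self.places[i].state == FINISHED for i in t.inputs) and
                     all(self.places[c].state == FAILED for c in t.crossed))
            if ready and not t.fired:
                t.fired = True
                for o in t.outputs:
                    if self.places[o].state == NONE:
                        self.places[o].state = CANDIDATE

def simulate(kb, act, goals, max_steps=20):
    """Attend to the candidate with the highest importance index until a goal is done."""
    trace, focal = [], None
    for _ in range(max_steps):
        candidates = [p for p in kb.places.values() if p.state == CANDIDATE]
        if not candidates:
            break
        pick = max(candidates, key=lambda p: kb.importance(p, focal))
        pick.state = FINISHED if act(pick.label) else FAILED
        trace.append((pick.label, pick.state))
        focal = pick.label
        kb.fire_enabled()
        if pick.label in goals and pick.state == FINISHED:
            break
    return trace

# Constructed place labels, following the scenario of Section 4 and Figure 5.
ALARM, SG, CV = "Alarm occurred", "Suspect leak in SG", "Suspect leak in CV"
PUMPS, LOAD = "Start charging pumps B and C", "Emergency load down"
FALSE, BUTTON = "Judge as false alarm", "Push alarm confirm button"

def build_kb(freq_sg, freq_cv):
    places = [Place(ALARM, alarm=True), Place(SG, frequency=freq_sg),
              Place(CV, frequency=freq_cv), Place(PUMPS), Place(LOAD),
              Place(FALSE), Place(BUTTON)]
    transitions = [
        Transition((ALARM,), (SG, CV)),              # alarm raises both hypotheses
        Transition((CV,), (PUMPS,)),
        Transition((PUMPS,), (LOAD,)),
        Transition((), (FALSE,), crossed=(SG, CV)),  # fires only if both hypotheses failed
        Transition((FALSE,), (BUTTON,)),
    ]
    return KnowledgeBase(places, transitions, initial=ALARM)

def run_case(freq_sg, freq_cv, true_leak):
    def act(label):
        # Stand-in for the plant/MMI simulators: a hypothesis is confirmed
        # only when it names the real leak location; other actions succeed.
        if label in (SG, CV):
            return label.endswith(true_leak)
        return True
    return simulate(build_kb(freq_sg, freq_cv), act, goals={LOAD, BUTTON})

if __name__ == "__main__":
    for name, args in [("Case 1", (0.2, 0.8, "CV")), ("Case 2", (0.8, 0.2, "CV")),
                       ("No leak", (0.2, 0.8, "none"))]:
        print(name, run_case(*args))
```

With the leak in the CV, the run that favors the SG hypothesis records one extra "failed" step before reaching the same response actions, which is the delay seen between Figures 8 and 9.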

5. CONCLUSION

In this paper, the authors have presented the modeling methods and the development of a distributed simulation system for man-machine interaction, especially highlighting the use of a Petri-net model for organizing the cognitive system in the operator simulator. Although the software system development is still in an initial phase, the sample simulations conducted thus far for a PWR LOCA accident showed that the proposed method would fundamentally provide an effective alternative approach to the use of AI methodology, to model the various aspects and characteristics of human cognitive behavior at a man-machine interface.

In the future, the authors are going to undertake further development, such as an increase of the Petri-net database for handling the other accident situations, the elaboration of the modeling capabilities of a cognitive system, and finally a total simulation system for man-machine interaction, as the back-end system of a complete analysis support system for man-machine system design information.

This work was performed under a contract with the Agency of Natural Resources and Energy, Ministry of International Trade and Industry, Japan.

REFERENCES

Peterson, J.L. (1981). Petri Net Theory and the Modeling of Systems, Prentice-Hall, New York.

Reason, J. (1990). Human Error, Cambridge University Press, Cambridge.

Sheridan, T.B. (1992). Telerobotics, Automation, and Human Supervisory Control, The MIT Press, Cambridge.

Yoshikawa, H., Gofuku, A., Itoh, T. and Sasaki, K. (1992). An investigative study towards constructing anthropocentric man-machine system design evaluation methodology. Proc. Post-ANP'92 Conference Seminar on Human Cognitive and Cooperative Activities in Advanced Technological Systems, (Kondo, S. (Ed.)), Atomic Energy Society of Japan, Tokyo, pp. 25-36.