SIMPLE METHODS FOR ALARM SANITATION

Similar documents
Alarm Analysis with Fuzzy Logic and Multilevel Flow Models

Real-Time Root Cause Analysis for Complex Technical Systems

Security Management System - Configuring Video Analytics

Research on Evaluation of Fire Detection Algorithms

BRIDGING THE SAFE AUTOMATION GAP PART 1

Effective Alarm Management for Dynamic and Vessel Control Systems

Experiences from Intelligent Alarm Processing and Decision Support Tools in Smart Grid Transmission Control Centers

The evolution of level switches and detectors

Improving Control of Dual-Duct Single-Fan Variable Air Volume Systems

ON-LINE SENSOR CALIBRATION MONITORING AND FAULT DETECTION FOR CHEMICAL PROCESSES

Rule-based reduction of alarm signals in industrial control 1

ABB Ability System 800xA Alarm Management

SYNERGY IN LEAK DETECTION: COMBINING LEAK DETECTION TECHNOLOGIES THAT USE DIFFERENT PHYSICAL PRINCIPLES

Controllers, Indicators & Set Point Programmers

Diagnostics with fieldbus

Hello, my name is Audra Benzschawel and I m a marketing engineer in the C.D.S. Slide 1 TRACE 700

Remote Monitoring of Offshore Structures using Acoustic Emission.

SICK AG WHITEPAPER 3 TECHNOLOGIES FOR PCB DETECTION

Force Protection Joint Experiment (FPJE) Battlefield Anti-Intrusion System (BAIS) Sensors Data Analysis and Filtering Metrics

Where Technology Shapes Solutions. Alarm management : Wasn t that problem already solved years ago?

Alarm Management Plan

Failure Modes, Effects and Diagnostic Analysis

Video Analytics Technology for Disaster Management and Security Solutions

SIL DETERMINATION AND PROBLEMS WITH THE APPLICATION OF LOPA

Research Article Footstep and Vehicle Detection Using Seismic Sensors in Wireless Sensor Network: Field Tests

OPERATION MANUAL. Daikin Altherma indoor unit EKHVMRD50ABV1 EKHVMRD80ABV1 EKHVMYD50ABV1 EKHVMYD80ABV1

Artificial Intelligence Enables a Network Revolution

Implementation of Auto Car Washing System Using Two Robotic Arms

D Implementation of a DEMO system related to Smart Fault Management in LV network (normal/storm conditions)

ADIPEC 2013 Technical Conference Manuscript

Cool, calm and collected No cause for alarm on the Grane oil rig

Intelligent Signature Series Analog Detection

An improved Algorithm of Generating Network Intrusion Detector Li Ma 1, a, Yan Chen 1, b

Water Tank and Heater

AN ANALYSIS OF THE PERFORMANCE OF RESIDENTIAL SMOKE DETECTION TECHNOLOGIES UTILIZING THE CONCEPT OF RELATIVE TIME

USER APPROVAL OF SAFETY INSTRUMENTED SYSTEM DEVICES

FUNCTIONAL SAFETY IN FIRE PROTECTION SYSTEM E-BOOK

Relay Performance Index for a Sustainable Relay Replacement Program

AVOID CATASTROPHIC SITUATIONS: EXPERT FIRE AND GAS CONSULTANCY OPTIMIZES SAFETY

Why Building Occupants Ignore Fire Alarms

Dynamic Simulation of Double Pipe Heat Exchanger using MATLAB simulink

Reducing Arc Flash Risks with Electrical Maintenance Safety Devices - Part 2

Fundamental Principles of Alarm Design

Fire Risks of Loviisa NPP During Shutdown States

THERMAL DIAGNOSIS OF MV SWITCHBOARDS: A COST-EFFECTIVE, DEPENDABLE SOLUTION BASED ON AN OPTICAL SENSOR

AVOID CATASTROPHIC SITUATIONS: EXPERT FIRE AND GAS CONSULTANCY OPTIMIZES SAFETY

doi: / _57(

DEPTH OF EMBEDMENT OF A SHEET PILE WALL

IE Code IE Competency Title Credit OAC Ref.

New requirements for IEC best practice compliance

Measurement and modelling of a multifunctional solar plus heatpump system from Nilan. Experiences from one year of test operation.

Operating instructions

Smart Green Roofs: Cooling with variable insulation

Getting Started with Live Exceptions

Intelligent. Signature Series Multisensor Detection. An EDWARDS brand.

Reducing the Carbon Footprint of Existing Domestic Heating: A Non-Disruptive Approach

A Generalized Delay-timer for Alarm Triggering

[ [ ADMIN PANEL USER GUIDE

Carbon Monoxide (CO) Gas Detector March 15 GCO 300

Effective Use of Statistical Models to Establish and Update Vibration Alarm

Use of Autoassociative Neural Networks for Signal Validation

G-MAX IVS R123 Vibration Sensors Perimeter Intrusion Detection System

How the People Counter Works. Enhanced Safety, Security and Building Automation, and Improved Marketing Intelligence. 3D MLI Sensor Technology

Study in Step by Step Electric Energy Meter Connection Detection Method

Temperature Control of Heat Exchanger Using Fuzzy Logic Controller

EPSS FOR CARGO HOLD HUMIDITY CONTROL. Mr Rajan Bhandari Senior Lecturer. Ms. Chong Yee Shia Technical Officer. Mr. Apurva Lawale Technical Officer

Energy Efficiency. Intercept HDDperDay <2e 16 kwhperday

Ramon 2.2 Radon-Monitor

Welcome to MultiSight TM Vision Sensor Hands-On Lab

1 Introduction - The rating level. 3 Subjective or objective analysis? 2 Determination of the adjustment for annoying tones

ANALYSIS OF HUMAN FACTORS FOR PROCESS SAFETY: APPLICATION OF LOPA-HF TO A FIRED FURNACE. Paul Baybutt Primatech Inc. and

Exception Handling for Optimal Batch Production

Ovation Alarm Management System

for family composition, time allocation of people, ownership and specification of home appliances. This paper first presents the simulation procedure

Conceptual Design of a Better Heat Pump Compressor for Northern Climates

CSP-204 CSP-208 CSP-104 CSP-108

3. PLAN AND IMPLEMENT A CROP MONITORING PROGRAM

/ / White Paper. Focusing on user experience

Using BIM model for Fire Emergency Evacuation Plan

SAFETY MANUAL. Electrochemical Gas Detector GT3000 Series Includes Transmitter (GTX) with H 2 S or O 2 Sensor Module (GTS)

Autonomous Waste Sorter Design Project

COOLED PLATE TESTS ON TEXTILE MATERIALS IN SIMULATED COCKPIT UNDER SOLAR RADIATION

Statistical cluster analysis and visualisation for alarm management configuration. Butters, T D and Güttel, S and Shapiro, J L and Sharpe, T J

Alarm Management for SCADA control rooms

Aalborg Universitet. CLIMA proceedings of the 12th REHVA World Congress Heiselberg, Per Kvols. Publication date: 2016

DESIGN FOR ELDERLY EGRESS IN FIRE SITUATIONS

Coupling Multiple Hypothesis Testing with Proportion Estimation in Heterogeneous Categorical Sensor Networks

Improved Dryer Control

Fire and Gas Detection and Mitigation Systems

Effective Biomass Moisture Control

Research Article. ISSN (Print) , China. *Corresponding author Chen Hao

False Alarm Analysis of the CATM-CFAR in Presence of Clutter Edge

A novel test method for predicting crushing elasticity in medium fluting with higher relevance than for instance currently used methods like CMT

Person Detection Techniques for an Internet of Things(IoT)-Based Emergency Evacuation System

Q&A Session from Alarm Management Workflow Webinar (Apr.24/2013)

SOCIETY OF FIRE PROTECTION ENGINEERS POSITION STATEMENT P THE ROLE OF THE FIRE PROTECTION ENGINEER IN THE CONSTRUCTION DESIGN PROCESS

Video Smoke Detection using Deep Domain Adaptation Enhanced with Synthetic Smoke Images

The cooling capacity of the Thermo Active Building System combined with acoustic ceiling

Smart Defrost Control for Refrigeration System

Implementing a Reliable Leak Detection System on a Crude Oil Pipeline

Transcription:

SIMPLE METHODS FOR ALARM SANITATION Jan Eric Larsson Department of Information Technology Lund Institute of Technology Box 118, 221 00 Lund, Sweden Abstract : Large industrial processes are often equipped with many alarms. A significant proportion of these alarms may be badly tuned, and therefore activated too often or too seldom. This means that the alarms in question are not useful, and such a situation can potentially be dangerous. Alarm sanitation is the process of finding badly tuned alarms and retuning them. This paper describes an ongoing project, in which we are developing simple methods to detect and retune such alarms. Keywords : Alarm systems, Automatic process control, Calibration, Complex systems. 1. INTRODUCTION Complex industrial processes are usually equipped with a large number of alarms. It is also common that a significant proportion of these alarms are more or less badly tuned. Many examples are known in di f- ferent systems, from steel mills to airplane cockpits, where alarm limits are too narrowly set, so that the alarm is activated incorrectly. In such cases, the alarm will disturb the operators, but will not work as a reliable source of supervision information. Alternatively, the alarm limits may be set too widely, so that the alarm is never activated, which also may have negative consequences. To improve the alarm system of a plant, one has to detect wrongly tuned alarm limits, and retune these limits to correct values, a process, which we will call alarm sanitation. To conduct an alarm sanitation is not difficult in principle, but will demand an effort, which can be large if there are many alarms in the plant. In an ongoing project, we are developing simple methods for detection and retuning of badly tuned alarms. Through automatic logging of alarm activations and signals, it is possible to detect suspicious alarms and to suggest new, more realistic alarm limits. If, for example, an alarm has been activated ten times during one hour, with no other response than a reset, the alarm could be presented to operators or service engineers, together with the measured signal s mean value, standard deviation, and upper and lower extreme va lues, with a suggestion for retuning of the alarm s limits. This will make an alarm sanitation easier, because a large fraction of the troublesome alarms will be automatically detected, and saved knowledge about the signal s actual values will be helpful in the tuning operation. The project described in the following is concerned with alarm detection and presentation, but not so much with validation and consistency checking of sensor values. Instead, we assume that we already have sensors, an on-line data collection system, and algorithms for measurement validation in place. 2. BACKGROUND Industrial processes usually have a large alarm system, in which measured signals are monitored. Such processes are conventional and nuclear power plants, pulp and paper plants, petroleum refineries, and Copyright 2000 by the International Federation of Automatic Control (IFAC). This paper was published in the proceedings of the IFAC Symposium on Artificial Intelligence in Real -Time Control, Budapest, 2000, and is made available as an electronic reprint by the pe rmission of IFAC.

chemical and biochemical plants. However, they also include other systems, such as airplane cockpits, medical intensive-care units, and comm and centrals for different systems. In all such systems, there is a large number of automated alarms, which are usually set to monitor a measured value, and to activate a warning signal if the value goes outside an interval with a lower and an upper limit. There can be several problems with complex alarm systems. Some of these are: The alarm system is badly designed. Some important alarms may be missing, while other alarms may actually be unnecessary for the operation of the plant. The alarm system is des igned for one operating state but fails to meet the requirements of another. For example, an alarm system may work well in normal operation and for small problems, but fail in case of a major accident. The alarm system has a badly designed interface, so that it fails to present the current fault state to operators in an efficient way. The alarm system presents too much information and causes mental overload and stress for the operators. A good example of such problems is provided by the Three-Mile Island accident, see for example Perrow (1999). The alarm system of the Three -Mile Island nuclear power plant was designed to provide alarms for even very small problems, which was useful during normal operation. During the accident, however, too many alarms were activated, and one of the major problems for the operators was to understand the actual state of the plant. In such cases, one would wish for methods or algorithms that could degrade or suppress less important and purely consequential alarms, so as to avoid overloading the operators. 2.1 Trying to Improve the Alarm Situation In order to improve the situation concerning the problems mentioned above, several methods and algorithms are under development. For example, in the Swedish research program for Complex Technical Systems, sponsored by NUTEK, the Swedish National Board for Industrial and Technical Development, the following projects have been performed : Separation of alarms into primary and consequential based on an analysis of the logic of the alarm and control system, a project from the Department of Computer Science, Stockholm University. Grouping of connected alarms into super alarms, based on learning from existing alarm lists, the same project as above. Better visualization of the process, the process state, and the alarm state through better cognitive design of the interface, a project from the Department of Computer Science, Uppsala University. Separation of alarms into primary and consequential based on models of goals and functions of the plant, see Larsson (1998, 1999), Larsson and Öhman (1998), a project of the author from the Department of Information Technology, Lund Institute of Technology. These are just a few examples. Several other projects are going on, within different research disciplines, such as computer science, artificial intelligence, control theory, human factors, safety, and user interface design. Hopefully, some of these projects will result in improved alarm system technologies. 2.2 What Are Badly Tuned Alarms? Before mor e advanced methods and algorithms can be used, some simpler problems must first be solved. Among other things, the problem of badly tuned alarms must be addressed. Before it makes sense to send alarm information to advanced algorithms, the alarms that prod uced the information must be correctly tuned. In many industrial processes, a significant number of alarms have wrongly set alarm intervals. The limits may be either too tight or too wide. If the limits are too tight, the alarm will be activated unnecessarily, when there are small disturbances or noise, but no real fault or problem. If the limits are too wide, the alarm will be activated too seldom or never, and faults will remain undetected. In both these cases, the alarm in question will not fulfill its function, and in practice, it will be useless, which may potentially mean great risks. We do not know how large the fraction of badly tuned alarms are in a typical plant. It most certainly varies from branch to branch, between different countries, different technologies, and from plant to plant. From automatic control, it is a well-known fact that a significant fraction of all PID controllers are suboptimally or badly tuned. The figures are usually stated to be in the order of 30%, see Bialkowski (1993), Ender (1993), Hägglund (1995). We would

guess that the fraction of badly tuned alarms in many applications is as large or even larger. That they cause large practical problems is clear, see Perrow (1999). Our contacts with people in industry tell us the same thing, Paavola (1999). 2.3 Why Are There Badly Tuned Alarms? It is our guess that the causes of badly tuned alarms are not of any complex or basic nature. Rather, we believe that the main cause is that too small resources are put into the design and maintenance of alarm systems. The detection and retuning of an erroneous alarm is most probably a simple matter, but when it comes to handling several thousands of alarms, the task becomes complex and costly. In addition, the gains of performing an alarm sanitation are not always immediately visible, at least not until faults and accidents have occurred. 2.4 What Are the Consequences? The existence of badly tuned alarms has several more or less serious consequences. First of all, let us see the effects of different errors in the alarm limit tuning: If the limits are too wide, this will cause an absence of alarms. This situation is potentially dangerous, since it is in principle equivalent to not having any alarm, with the added risk of false security, because the operators may believe that the alarm is working properly and the plant is in a normal state. If the alarm limits are too tight, this will cause false alarms. This situation is as bad as the previous one. The consequence of too many false alarms is that the op erators will have to disable or routinely ignore the alarm in question. In essence, the situation is again equivalent to not having an alarm at all, with the added risk of mental overload on behalf of the operators. In short, a badly tuned alarm is as bad or worse than a non -existing alarm. Now, let us analyze the potential negative consequences of having badly tuned alarms: One bad effect of having false alarms is that the operators may suffer from stress and mental overload, which in turn may cause them to commit mistakes. Another bad effect of false alarms is that the operators may have to use valuable time taking care of alarms, while they could have used that time to tune the process instead. The most obvious bad effect of any kind of badly tuned alarm is, of course, that faults may be overlooked, and that accidents may happen. In such cases, the cons equences may be both costly and dangerous. Finally, the most severe (but maybe not most obvious) consequence is the threat of unusual and complex accidents, which may be called once-in-a-lifetime events. Even if the operators are skilled in handling normal accidents without the support of a working alarm sy stem, unusual and rare circumstances may pose severe threats of disaster. In these cases, a good alarm system is of great importance, and any problem here will mean large risks. In conclusion, badly tuned alarms are common, and do pose serious risks. Before more advanced methods of alarm handling can be used, the problem of badly tuned alarms must be solved. The main obstacle against alarm sanitation is probably that the large number of alarms makes any simple hand tuning a large resource-consuming task. 3. AUTOMATED ALARM SANITATION In an ongoing project, we are developing simple metho ds for automated alarm sanitation. The basic ideas are: Equip the monitoring and control system with a few simple functions, which monitor the behavior of the alarms over time. T race those alarms that are activated often, and are either ignored by the operators, or followed by no other action than a reset of the alarm, and store information about them in a database. Likewise, trace those alarms that are never activated in spite of their signals changing mean value, variance, etc., and store this information too in the database. In addition, store samples of the signals monitored by suspicious alarms, together with a few statistical parameters, such as mean value, standard deviation, minimum and maximum, etc. At regular intervals, or when it is suspected that there is a high frequency of false alarms, present the contents of the database to the operators and to service personnel. Each potential culprit alarm could be evaluated, and the signal data would provide a good basis for new alarm limits.

3.1 An Alarm Sanitation Toolbox Our proposed design incorporates an automated tool for detection of candidate culprits, i.e., badly tuned alarms, and computer-based support for retuning of alarm limits. The evaluation of whether an alarm is actually badly tuned, whether a retuning should be done, and the actual choice of limits, are all to be performed by a human operator or service engineer. We strongly believe in letting human and machine share the burden of solving problems. T he tasks that the proposed system should be able to handle can be grouped as follows: Detection of too active alarms. Here, the methods may be based on activation frequency during a specified time interval, where both the frequency and time interval must be set to match the general time scale of the process. Simply looking at the most frequent alarms may also give good results. Other met hods can be based on an analysis of the actions taken after alarm activations. If the operators seem to ignore the alarm or only to reset it, this may be an indication of a known false alarm. Finally, the detection of alarms should also be related to the operating state of the plant, so that it is possible to detect alarms that are tuned for one state but not another. Detection of too passive alarms. Here, the methods used could analyze the monitored signals to detect a fault state, especially in connection to other alarms indicating a fault situation. A detection of changes in the mean value is an obv ious suggestion, but more sofisticated statistical metho ds could also be used. Simulated test signals could be sent to the alarm system to check that all alarms that should be activated actually do react. Finally, formal methods for consequence propagation could be used to see whether some alarms are too silent. MFM would be one possible basis for this, Öhman (1999). Tuning of alarm limits. Here, the methods used should provide a human user with enough information to select a new set of alarm limits. Different simple statistical measures from the monitored signal should be presented, such as mean value, standard deviation, and maximal and minimal value. In addition, a visual plot of a part of the signal should obviously be provided. Other algorithms could relate differences in these measures to changes of plant operating state, which could lead to the conclusions that an alarm should only be active during certain states, or that different limits should be used during different operating states. Presentation of data. Here, it is important to provide the system with a simple but good interface, so that the alarm sanitation becomes simple enough that the op erators or service personnel would actually have time to perform it. Deciding to initiate an alarm sanitation. The proposed system will supervise the activity of the alarm system, and when there are enough potential ly bad alarms, or such alarms are firing with a high enough frequency, the alarm sanitation system must activate an alarm of its own, meaning that it is now time to consider an alarm sanitation. Here, it is indeed important to make the act ivation decision behave well, so that the alarm sanitation system is not seen as a nuisance and ignored by the operators. A selection of available and newly developed methods will be chosen and put together for use in the project, to perform all the tasks described above. Rather than to evaluate and select one specific method for each task, we will construct a toolbox of algorithms, from which several different systems can be assembled and tested. In the long run, some methods may prove to be better than others, but the choice of particular method or algorithm may also proved to be a function of the target process and branch. 4. SOME EXAMPLES Here are some simplified examples of the different cases, where the alarm limits are either too narrow or too wide. mv 1.5 1 0.5 0-0.5-1 -1.5 0 20 40 60 80 100 120 140 160 180 200 Seconds Fig. 1. In this case, the alarm limits are well tuned, and when the signal goes out of bounds at time 100, it can be detected easily and r eliably. In Figure 1, we see a normal situation with welltuned alarm limits. When a fault occurs, this is seen

clearly in the step change of the signal. An alarm system would have no problems detecting this fault with the used limits. In Figure 2, we see a situation with too narrow alarm limits. The noise in the signal will cause the alarm to be activated over and over again, even though the signal actually co ntains no fault information. 1.5 1 detection, see Frank (1996). All the examples are, of course, trivial, but it is hoped that they will help to explain the problems with which alarm sanitation is concerned. These trivial problems do cause large problems in real life, and when they appear in thousands, together they become non -trivial. 5. DISCUSSION Here are a few further clarifications of the ongoing project and the proposed ideas. mv Fig. 2. In this case, the upper alarm limit is set too narrowly, so that the noise in the signal will activate an alarm repeatedly. Finally, in Figure 3, we see a case of too wide alarm limits. Although a change of level occurs in the signal, this is not detected, because the alarm limits are too widely set. Thus, faults may go undetected in this case. mv 0.5 0-0.5-1 -1.5 1.5 1 0.5 0-0.5-1 0 20 40 60 80 100 120 140 160 180 200 Seconds 5.1 Design of the Alarm Sanitation Toolbox It is important to observe that the detection of the badly tuned alarms should be done with full autom a- tion. Here, it is of paramount importance to use the good properties of the computer, i.e., that it will not forget events or miss them because of stress or tiredness, etc. The retuning of the alarms should make full use of any available human knowledge and judgment, though. Here it is instead important to provide the sy stem with a good interface, so that data can be interpreted quickly and correctly by human operators. For these reasons, we believe that the concept of a toolbox with several methods will be useful, at least until further exper iences with the whole task of alarm sanitation have been gained. 5.2 Testing the Methods on Real Cases The proposed ideas are fairly easy to implement. An implementation and a few test runs are not enough, though, esp ecially since this project addresses a problem that occurs only in practice. Thus, a large part of the project will be to test and evaluate the implemented system in practice, on several different kinds of processes. Here we plan to use our contacts within the research program for Complex Technical Systems, and try our system on conventional and nuclear power plants, on Swedish steel plants, and hopefully other processes too. -1.5 0 20 40 60 80 100 120 140 160 180 200 Seconds 5.3 The Decision to Warn about Badly Tuned Alarms Fig. 3. In this case, the alarm limits are set too widely, and changes in the monitored signal may go undetected. The examples given here all concern static alarm limits, but similar results would be valid for dynamical alarm limits and methods using model-based fault One very important design issue is how the detection system should warn the operators about a situation were an alarm sanitation may be needed. It is obvious that the system must be very careful and not give warnings about potential bad alarms too often. Otherwise, these meta alarms may cause more of the very problem that they were meant to relieve. Thus, a

serious effort must be put into the design of the meta alarm decision, and the interface to it in the alarm sanitation toolbox. Obviously, there should be a possibility of clearing an alarm from suspicion for ever, or for ever as long as a set of specific conditions last. Maybe it would also be possible to have a menu of alternatives on how to perform the bad alarm detection. An interesting observation is that by warning about common alarms, it may also be possible to detect a deteriorating part of the process, where alarms start occu rring more often. The operators may ignore the alarms while they are actually an indication of a developing failure. Such cases have been described in, for example, a Swedish steel plant, see Paavola (1999). 6. CONCLUSIONS Complex industrial processes normally are equipped with a large number of alarms. Most probably, a significant fra ction of these alarms are badly tuned. The bad tuning of alarms poses risks of suboptimal production, accidents, and disasters. It also poses problems in using advanced algorithms for consequence analysis of alarms and visualization of the process state. In an ongoing project, we are developing simple methods for automated detection of badly tuned alarms, and for computer -based support for retuning of alarms. We are suggesting aut omated support for detecting badly tuned alarms, and computer-based support for retuning these alarms. A set of possibly useful methods will be implemented in a toolbox and tested and evaluated on several real processes. 7. ACKNOWLEDGEMENTS The author would like to thank his students, Fredrik Dahlstrand and Bengt Öhman, for encouragement and inspir ation, Jan Tuszynski at Southern Sweden Power Supply Inc. for cooperation and support, and Rutger Gyllenram, Kobolde, Jan Hill, Qualtech, and John Graffman, Bengt Larsson, and Arne Otteblad, NUTEK, for providing inspiring problems and questions, and finally Anu Uus for excellent suggestions on how to improve the paper. The project is sponsored by NUTEK, the Swedish National Board for Industrial and Technical Development, under the project num ber 1K1P 99 05989. REFERENCES Bialkowski, W. L., Dreams versus Reality: A View from Both Sides of the Gap, Pulp and Paper Canada, vol. 94, no. 11, 1993. Ender, D. B., Process Control Performance: Not as Good as You Think, Control Engineering, vol. 40, no. 10, pp. 180 190, 1993. Frank, P. M., Analytical and Qualitative Model- Based Fault Diagnosis A Survey and Some New Results, European Journal of Control, vol. 2, pp. 6 28, 1996. Hägglund, T., A Control-Loop Performance Monitor, Control Engineering Practice, vol. 3, no. 11, pp. 1543 1551, 1995. Larsson, J. E., Alarm Analysis for a Nuclear Power Plant Using Multilevel Flow Models, invited paper, Proceedings of the 9 th International Symposium on Sy stem, Modeling, Control, Z akopane, Poland, 1998. Larsson, J. E., Diagnostic Reasoning Based on Means-End Models: Experiences and Future Pr ospects, invited paper, Pr oceedings of the IEEE International Conference on Control Applications and the IEEE International Symposium on Computer-Aided Control System Design, Kohala Coast, Hawaii, 1999. Larsson J. E. and B. Öhman, Model-based Alarm Analysis for Large Plants, invited paper, Proceedings of the International Conference on Systems, Signals, Control, Computers, Durban, South Africa, 1998. Öhman, B., Failure Mode Analysis Using Multilevel Flow Models, Proceedings of the 5 th European Control Conference, Karlsruhe, Germany, 1999. Paavola, B., Larmsanering masugnsavsnittet, (Alarm Sanitation on the Melting Oven, Internal report, SSAB Tunnplåt, Swedish Steel Inc., 1999. Perrow, C., Normal Accidents: Living with High-Risk Technologies, Princeton University Press, Princeton, New Jersey, 1999.

2024 © homedocbox.com Privacy Policy | Terms of Service | Feedback