Figure 1. Mimic diagram illustration of DURESS (adapted from Vicente, 1991).
The abstraction hierarchy (AH) is a multileveled
representation framework, consisting of physical and functional
system models, which has been proposed as a useful framework for
developing representations of complex work environments. Despite
the fact that the AH is well known and widely cited in the cognitive
engineering community, there are surprisingly few examples of
its application. Accordingly, the intent of this paper is to
provide a concrete example of how the AH can be applied as a knowledge
representation framework. A formal instantiation of the AH as
the basis for a computer program is presented in the context of
a thermal-hydraulic process. This model of the system is complemented
by a relatively simple reasoning mechanism which is independent
of the information contained in the knowledge representation.
This reasoning mechanism uses the AH model, along with qualitative
user input about system states, to generate reasoning trajectories
for different types of events and problems. Simulation outputs
showing how the AH model can provide an effective basis for reasoning
under different classes of situations, including challenging faults
of various types, are presented. These detailed examples illustrate
the various benefits of adopting the AH as a knowledge representation
framework, namely: providing sufficient representations to allow
reasoning about unanticipated fault and control situations, allowing
the use of reasoning mechanisms that are independent of domain
information, and having psychological relevance.
Knowledge representation plays a multi-faceted, central role in the analysis and design of complex human-machine systems. For example, a representation of the work environment can serve as a problem space for interpreting operators' actions and verbalizations. It can also serve as an input to interface design by specifying the informational content and structure of the interface. Similarly, decision support systems (DSS's) also require a work domain representation to form the knowledge-base upon which the reasoning mechanisms will act. The structure and content of the work domain representation constrains the information that can be provided by a DSS. Thus, the identification of useful, implementable system models is a critical element in the design of effective human-machine systems such as operator aids and DSS's.
The abstraction hierarchy (AH) is one of the best known representation frameworks that has been proposed for describing complex work environments (Rasmussen, 1985). The AH is a multileveled representation format, with each level describing the system in terms of a different set of attributes or "language." Higher levels of abstraction represent the system in terms of purpose and functions, whereas lower levels represent the system in terms of physical implementation. In effect, each level of the AH is a different model of the same system.
It is important to realize that the AH is intended to represent the set of goal-relevant constraints governing the operation of the controlled system. As a result, it does not contain representations of any specific system events or operator tasks. This type of representation can be described as event-independent (Vicente & Tanabe, 1993), since it provides information about system structure that is independent of any specific events or consequences of events. This is in contrast to representations which are event-dependent, consisting of the symptoms or corrective procedures associated with a set of events, or classes of events, which must be identified a priori. This latter type of work domain representation cannot, by definition, help operators consistently cope with unanticipated events. And since unanticipated events pose the greatest threat to the safety of complex systems (Vicente & Rasmussen, 1992), it is essential that the work domain representation be event-independent, as the AH is. For a more detailed description of the AH, the reader is referred to Rasmussen (1985) and Vicente and Rasmussen (1990, 1992).
Though the AH is well-known and widely cited among the cognitive engineering community, it does not seem to be as frequently applied as one might expect (cf. Vicente, 1991). While there are a few exceptions (e.g., Vicente, 1992a; Vicente & Rasmussen, 1990; Itoh, Yoshimura, Ohtsuka, & Masuda, 1990; Sakuma, Sato, Mizukami, Yoshikawa, & Ikeda, 1990), most papers that refer to the AH limit themselves to describing the representation framework rather than adopting it to solve a particular problem. Also, misconceptions about the AH exist, such as the belief that it is a descriptive operator model rather than a normative system model, and that it is only useful at a general, descriptive level rather than as a formal, implementable model (e.g., Jones & Mitchell, 1987). There seem to be at least two reasons for this. First, there have been very few concrete examples illustrating the characteristics of the AH and the ways in which the AH can be used for analysis or for design. Most papers introducing the AH (e.g., Rasmussen, 1985) contain only a description of the AH rather than a detailed example of how it can be applied. Second, the few papers that do describe applications of the AH tend to be inaccessible to most readers since the examples are from large-scale work environments, usually nuclear power plants (e.g., Itoh et al., 1990; Sakuma et al., 1990). Because the examples are so complex and technical in nature, they demand a great deal of domain knowledge on the part of the reader. For both of these reasons, a widely accessible, detailed application of the AH illustrating its benefits as a knowledge representation framework has yet to be provided.
The purpose of this paper is to provide a concrete example of how the AH can be applied as a knowledge representation framework and to illustrate the benefits of applying the AH in such a fashion. Since the AH representation provides an informational basis for coping with unanticipated system events (Vicente & Rasmussen, 1992; Vicente & Tanabe, 1993), an implementable form of the AH will be useful in the development of human-machine interfaces which aid operators in diagnosing such events. Though the design of such systems is a logical continuation from this work, the computer system presented here is not intended to represent an actual fault diagnosis aid, but rather serves as a vehicle for demonstrating the benefits of applying the AH in the fault diagnosis domain. The application domain is a comparatively simple yet representative thermal-hydraulic process, which does not require a great deal of specialized knowledge to understand. A formal representation of this process has been developed in the form of a computer program. This multileveled system model is complemented by a relatively unsophisticated reasoning mechanism which asks the user certain questions about the current state of the system. The program was not intended to serve as a stand-alone automated fault diagnosis system, but instead was intended to show how the AH might be used to guide an operator in fault diagnosis. Thus, the user of the model plays the role of data gatherer. This configuration allows one to generate very detailed trajectories of reasoning within an AH representation for different types of events and problems. These examples in turn allow one to illustrate, in concrete terms, the various capabilities of the AH as a knowledge representation framework. We hope that the formalized and detailed application provided here will clearly illustrate how the AH can be applied to various problems in the analysis and design of human-machine systems, as well as indicating the benefits that can be expected from such applications.
The remainder of the paper is organized as follows. First, a description of DURESS, the thermal-hydraulic process that will serve as the application domain, is provided. Second, a formalized model of an AH representation of DURESS is described, as is the reasoning mechanism that acts on the model. Third, the ways in which this AH model of DURESS can support operators in dealing with various types of situations are illustrated by describing detailed program outputs for several scenarios, including various types of faults. Finally, a discussion of the benefits and limitations of the AH as a knowledge representation format is provided. Relationships to other work and topics for future research are also discussed.
The present research was conducted within the context of DURESS (DUal REservoir System Simulation), a thermal-hydraulic process simulation that was developed as a research vehicle (cf. Vicente, 1991). A mimic diagram illustration of DURESS is presented in Figure 1. The system consists of two redundant feedwater streams, each consisting of a pump and three valves, which can be configured to supply water to two reservoirs. The system goals are to keep each of the reservoirs at a prescribed temperature (40 °C and 20 °C), and to maintain enough water in each reservoir to satisfy each of the current externally determined demand flow rates (D1, D2). The water entering the system is at 10 °C. The means available for control are six valves (VA, VA1, VA2, VB, VB1, VB2), two pumps (PA, PB), and two heaters (H1, H2). The temperature (T1, T2) and volume (V1, V2) of the two reservoirs are also displayed in Figure 1.
Second, because it does not represent the overwhelming level of complexity of a real industrial process, the physical principles governing the operation of DURESS are comparatively simple. As illustrated in Table 1, the system can be completely described by 34 process variables. In addition to the relatively small number of process variables, the constraints that govern the operation of DURESS under normal circumstances are limited to elementary thermal-hydraulic principles. These physical principles are listed in Table 2. The top of the table lists the nine algebraic equations pertaining to reservoir 1 and feedwater stream A, and the two goals for each reservoir. The bottom of the table lists the two state equations corresponding to the two goal variables for reservoir 1, temperature and volume. The five state equations for the control variables in reservoir 1 and stream A (i.e., the heater, valve, and pump settings) are not shown. These equations are simple first order lags. There is an identical set of constraints to that shown in Table 2 (plus five more state equations for the control variables) for reservoir 2 and feedwater stream B. Thus, the absence of complex relationships (e.g., non-linear two phase flow, nuclear kinetics, etc.) makes DURESS a comparatively straightforward process to understand.
A third and final justification for adopting
DURESS is that it has already served as a testbed for investigating
research issues surrounding the AH. More specifically, an experiment
was conducted comparing two different interfaces for DURESS, one
traditional and one based on an AH (cf. Vicente, 1992a). As a
precursor to this empirical investigation, an AH representation
for DURESS was developed (cf. Vicente & Rasmussen, 1990).
This analysis was detailed enough to specify the content and
structure of the AH interface for DURESS, although the resulting
system representation was not formal in a computational sense.
Consequently, there is already a significant body of relevant
research that we can build and draw upon in developing a formal
AH representation for DURESS.
Model Description
The AH was used as a basis for developing a formal representation of DURESS. DURESS was described in terms of objects which comprise the system at each level of abstraction, along with the means-end links connecting those objects across levels. Two types of means-end links are included in the formalization, reflecting either the means by which a function or goal can be accomplished (a link to the level below), or the goals or functions an object can affect (a link to the level above). This allows traversal of the means-end links in either a top-down (from ends to means) or bottom-up (from means to ends) direction, respectively.
There are two useful additions to the AH included in the knowledge representation. The first is a part-whole decomposition dimension which is conceptually orthogonal to the means-end dimension (Rasmussen, 1985). This allows reasoning through different levels of system decomposition in addition to different levels of abstraction. For example, feedwater stream A can be decomposed into pump PA and valves VA, VA1, and VA2. As with the means-end hierarchy, both top-down (from whole to part) and bottom-up (from part to whole) part-whole links are included. Second, topological connections between system components have also been included. These links reflect connections between system objects at the same location in the means-end/part-whole space. The interpretation of the topological connections depends on the level of abstraction. For example, topological links may reflect spatial relations between objects or indicate physical connections between objects. Topological links can also be categorized by the direction of causal propagation. System objects can be linked through either causal links (forward propagation) or effect links (backward propagation) to other objects.
For a given physical system, the appropriateness of descriptions at different levels of decomposition may depend on the level of abstraction, though the two hierarchies are theoretically independent structures. Results from several experiments and field studies have shown that, in practice, there is a coupling between level of abstraction and level of decomposition (see Vicente, 1992b for a review). At higher levels of abstraction, operators tend to think of the system at a coarse level of decomposition, whereas at lower levels of abstraction more fine-grained levels of decomposition are more natural. For instance, it is more appropriate to describe overall goals at the level of the entire system, while the location and appearance of the system objects are more naturally described at the level of individual components. Figure 2 shows the positions in the means-end/part-whole space where representations for DURESS have been included. A description of components at all relevant locations in the means-end/part-whole space is given below. Figures 3, 4, and 5 show the means-end, part-whole, and topological links between objects in the system representation, respectively. This model is based on the AH representation for DURESS developed by Vicente and Rasmussen (1990) although several modifications and additions have been made.
Beginning with the part-whole dimension, three levels of resolution were selected: component, subsystem, and system. The objects at the component level of decomposition are the pumps, valves, heaters, and reservoirs. At the next level, these components are aggregated into meaningful subsystems. Thus, the objects are now the feedwater stream, reservoir subsystem, and heater subsystem. Finally, at the system level, the entire system is described as a single whole. Part-whole links are shown in Figure 3.
Figure 3. Representations of half of DURESS
in abstraction/decomposition space showing part-whole links at
the generalized function level. Similar links exist for Heat and
Water Input 2, etc. Objects with no part-whole links are not
included in this diagram.
The AH, which is orthogonal to the part-whole dimension, consists of five levels of description, as shown in Figure 4.
Functional purpose. Objects at this level of abstraction correspond to system goals, and therefore are appropriately described at the system level of the part-whole decomposition. There are four goals in this system: Keep the water at the set-point temperature for each reservoir (two goals), and keep enough water in each reservoir to keep up with the current demand flow rate (two goals).
Abstract function. This level can be described in terms of the conservation of mass and energy for each reservoir subsystem. In addition to shifting downward in abstraction from the functional purpose level, this corresponds to a decomposition from the system to sub-system level (see Figure 2). As shown in Figures 4 and 5, each subsystem has one mass and energy store (the reservoirs), one source of mass (the incoming water), two sources of energy (the incoming water and the heater), and one sink of mass and energy (the demand). Topological links at this level, shown in Figure 5, indicate the flows of mass and energy through the subsystems.
Figure 4. Representations of half of DURESS in abstraction/decomposition space showing means-end links. Similar links exist for objects associated with Supply Temperature 2 and Supply Demand 2. At the component level of decomposition, individual valves and pumps exist but are not shown due to space constraints.
Generalized function. Flows and storage of heat and water are described at this level of abstraction. At the subsystem level of decomposition (see Figures 4 and 5), the rate of flow of water and heat transfer from the input stream, rate of heat transfer from the heating system, storage of heat and storage of water in the reservoirs, and rate of removal of heat and water due to demand are described for both subsystems. A further decomposition to the component level, shown in Figure 3, allows the description of the rate of heat transfer and water flow through each valve and pump, as well as the rate of heat transfer from the heater, storage of heat and water in the reservoir, and rate of removal of heat and water due to demand. For both the subsystem and component descriptions, the topological links, shown in Figure 5, indicate the flows of water and heat through the components.
Figure 5. Representations of half of DURESS in abstraction/decomposition space showing topological links. Similar links exist for objects associated with Supply Temperature 2 and Supply Demand 2.
Physical function. The states of system components are described at this level of abstraction. Because only individual components have measurable states in this system, the descriptions are at the component level of decomposition. The settings of valves, pumps, and heaters are described, along with the volume and temperature in the reservoir, and the temperature and demand setpoints. Topological links at this level indicate physical connections between components (see Figure 5).
Physical form. At this level, the appearance, condition, and location of each component are described. The topological links reflect spatial relationships between components.
At this level, it is important to note that the topological links are not specified in the knowledge representation because essentially, every component is spatially linked to every other component. Including all spatially linked components for each component in the knowledge representation would cause difficulties when reasoning about the system because there would be no unique solution to any problem; all components could affect all others. While this may be an accurate reflection of the real world, it does not facilitate meaningful suggestions of the type needed if the AH model were to be imbedded in a DSS. One solution to this problem would be to constrain the list of spatially linked components to those which are most likely to affect one another (due, for example, to physical proximity). However, this type of constraint amounts to building specific situations into the knowledge representation, thereby limiting the system's ability to diagnose unanticipated situations. Our modeling approach does not make any assumptions about the likelihood of physical interactions between components, thereby broadening the scope of situations that can be handled (see Discussion section, below).
Knowledge Representation
The model of DURESS was computationally formalized using LISP. Each object in the representation was encoded as a LISP structure containing the following slots:
name: the object name
description: description of the object (goal, function, component state or physical appearance, depending on the level of abstraction)
why: list of linked objects at the next higher level of the AH (why this object is necessary - the "ends" this object can accomplish)
how: list of linked objects at the next lower level of the AH (how this object attains its function - the "means" by which it is implemented)
is-part: list of objects this object is a part of (aggregation)
has-parts: list of objects that comprise this object (decomposition)
topological: list of all objects that are topologically linked to this object
top-forward: list of other objects topologically linked to this object which are affected by changes to this object
top-backward: list of other objects topologically linked to this object which can affect this object
controllable: whether the object is controllable by the user.
An example of the knowledge structure for valve A is given in Table 3.
| name: "valve A" |
| description: "allow flow through pipe A" |
| why:'(flow A) |
| how: '(vAform) |
| is-part: 'nil |
| has-parts: 'nil |
| topological: '(pumpA valveA1 valveA2) |
| top-forward:'(valveA1 valveA2) |
| top-backwards:'(pumpA) |
| controllable: 'true |
Two computer programs were developed, each of which uses the knowledge representation just described. The first, a fault diagnosis program, uses input from the user about the system states to provide suggestions about possible faulty components. Given symptoms input by the user, the program asks the user questions about system objects at various levels of abstraction in order to select a set of components which could cause the symptoms. Upon request, the program provides justifications for the questions it asks and explanations for the faults it suggests. The second program is capable of performing two types of searches. If the user enters a description of a system function or goal, the program will list all of the controllable components which can affect that function or goal. Conversely, if the user enters a description of a controllable component, the program will list all of the higher-order goals which that component can affect.
To avoid any confusion, it is important to reemphasize that our primary goal in this paper is to show how the AH can be used as a basis for reasoning and the properties that it has, not to develop operator aids based on the AH. As a result, no particular claims are being made about the reasoning mechanisms or the interface implemented in the programs described below. These mechanisms were included simply because it is not possible to generate any problem solving trajectories without some type of reasoning rules. The implications of the AH for the design of DSS's and interfaces will be addressed in the Discussion section.
The remainder of this section provides a more detailed discussion of system inputs and outputs, including the types of situations each program is capable of handling.
Functional Specification
Fault diagnosis program. The fault diagnosis program is intended to show how an AH model can support troubleshooting performed by the user, who would make actual measurements or observations of the physical system. Though it may be possible to use the AH as a basis for automated fault diagnosis, this idea and its consequences have not been explored here. The program does not have access to state information about DURESS, so it relies on the user to assess the condition of objects in the system. It uses this information to ask questions of the user, thereby guiding the search process.
Users input initial symptoms in the form of object descriptions which match the form of the object description slots of the represented components. Users can specify symptoms at any point in the means-end/part-whole space. For instance, a possible symptom might be a problem with "inputting water and heat to water holding system 1." The program then responds with a list of yes/no questions about the presence of other possible symptoms (also in the form of object descriptions). These questions are developed in a systematic way from the links between system objects. The program continues asking questions based on the user's answers to previous questions until it can pinpoint the components which could be responsible for the given symptoms. At any point, the user can respond to a question with "why" and receive a justification for how the symptom in question relates to the original symptoms. Once a suspect component has been identified as faulty, an explanation is provided linking that component to the given symptoms.
The fault diagnosis program allows users to input any number of initial symptoms at the same location in the means-end/part-whole space. It then attempts to find a single component responsible for all symptoms; however, if no one component can be responsible, the program will resort to finding a set of possible components. For instance, in the above example, the program would first identify links to a single pump causing the faulty input rather than links to multiple valves. Thus, the fault diagnosis program will handle problems with multiple symptoms caused by multiple faults as well as multiple symptoms caused by single faults.
Control information program. The control information program is composed of two elements which provide information about the selection and effect of control actions. The first element links a function or goal input by the user with controllable components which may affect that function or goal. As in the fault diagnosis case, these inputs correspond to the description slot of a component representation. A function at any level of abstraction can be entered. The program provides a list of controllable components, such as particular pumps and valves, which can affect the goal or function, such as inputting water and heat to a holding system, along with explanations for the suggestions if requested by the user. Given a component input by the user, the second element of the control information program lists goals (at the highest level of abstraction) which are affected by the control of that component. For example, it would tell the user that adjusting a heater would affect the goal of maintaining a specific temperature in a reservoir. It also provides an explanation of its reasoning if desired by the user.
For both control information programs, users
are limited to one input. That is, they can request the control
suggestions for only one goal or function, or the goals affected
by only one controllable component.
Reasoning Components
Fault diagnosis program. The reasoning process starts by identifying the objects associated with the input symptoms (object descriptions). Then, part-whole, means-end, and topological links are searched to find components which might also show symptoms. The reasoning module tries first to decompose the problem by moving through the part-whole hierarchy in a top-down fashion towards the component level (see Figure 4). If the symptom cannot be further decomposed, the reasoning program then examines the next level in the AH, again in a top-down direction. If there are no "how" links, topologically linked components are examined. The topological links are examined in both forward and backward causal chains, because in a fault situation single direction connections may be violated.
The fault diagnosis program first tries to identify objects which can each be linked to all given symptoms. If this fails, it identifies all objects linked in at least one way to the given symptoms. Part-whole, means-end, and topological links are examined in order with the single object case being searched first and the multiple object case second, if necessary. Users are then asked to inspect the system for the presence of each of the new possible symptoms. The existing symptoms are collected, and the reasoning program searches for a new set of objects which can be linked to the new set of symptoms. Throughout the fault diagnosis process, the program keeps track of the path from the initial to current symptoms, to allow for justification, explanation, and back-tracking. If all objects relevant to the current symptoms have been previously examined, the program tries to back up to the previous set of symptoms and search for other unexplored links which may account for the given symptoms.
The reasoning program continues in this fashion until it can find no more part-whole or means-end links, indicating that the system has reached the physical form/component level of description (i.e., the bottom right corner of Figure 2). It then informs the user that it has found one or more system components which may be responsible for the symptoms.
In terms of the example stated above, with an initial symptom related to "inputting water and heat to water holding system 1," the program would first ask the user for symptoms in the two valve flows that comprise the input to the holding system. If the valves controlling those flows were not faulty (the valves are connected to the valve flows in a means-end manner), the program would look for symptoms in the valve and pump flows connected topologically to the two valve flows. Again, the program would search means-end links to these flows to find the faulty component(s).
It is possible that influences outside the system bounded by the knowledge representation may be causing the symptoms. In that case, none of the components presented will be identified as faulty by the user. If no faulty components can be found, the system suggests that there may be outside influences on the system. Also, if there is more than one component responsible for the symptoms, it is possible that one component may be causing faults in other components through some kind of physical interaction. However, there are no topological links corresponding to the spatial relationship between components at the physical form level. Therefore, the program suggests to the user that, given a situation where there are several faulty components, a single faulty component may be physically interacting with the other components to cause the faults. Examples of these various situations will be given in the next section.
Control information program. The reasoning mechanisms for the control information program are similar to those for fault diagnosis. For the control suggestion part of the program, all paths through the part-whole, means-end, and topological links are searched to identify the set of all controllable components which are linked to the goal. The part-whole and means-end links searched are those in the top-down direction. In this case, as opposed to the fault diagnosis program, only resultant (i.e. backward) topological links are examined because the control situations are assumed to be non-fault situations. That is, because there are no faults present, the constraints in direction of causality are not broken. The controllable components suggested are those which can affect the stated goal during standard operating conditions. For the control effect part of the program, the three types of links are searched in the opposite direction (bottom-up) from the input component to find all possible effects on the functional purposes of the system.
Explanation and Justification Generation
Justifications for queries about symptoms, and explanations for fault suggestions and control information are all generated in a similar manner for both programs. The means-end, part-whole, and topological links between the initial symptom, goal, or controllable component and the suggested fault, component, or effect are described, using the component descriptions from the knowledge representation. Essentially, the stored path from the inputs to the system outputs is followed backwards to explain the links followed in the systems' reasoning process.
The inputs, outputs, reasoning processes, and explanation features of the fault diagnosis and control information procedures are all illustrated in the following examples.
The examples presented in this section are problem solving trajectories that are generated by the interaction between the user and either the fault diagnosis or control information programs described above. These interactions could be similar in content to an operator interacting with a control interface or a DSS based on the AH representation. However, it should be emphasized that the interface used here is not intended to portray an appropriate interface to a DSS. Instead, it is merely used as a mechanism to demonstrate how interactive fault diagnoses based on an AH model would progress. The examples given here highlight the ability of the programs to diagnose faults in unanticipated situations, such as interactions between components or multiple failures. To demonstrate the use of the knowledge representation and reasoning mechanisms, one fault diagnosis and one control information example will be discussed in detail. Transcripts of other cases which demonstrate the programs' capabilities are also provided and briefly described.
Fault Diagnosis Examples
The fault diagnosis program was able to reason about problems with single or multiple faults and symptoms, as well as make suggestions about interacting faults and external influences on the process. For instance, the transcript of a case where the program reasoned about a multiple symptom problem caused by a single fault (in pump B) is shown in Figure 6. The problem solving trajectory followed by the program is illustrated in Figure 7, and demonstrates how the program follows links from more abstract, general symptoms to specific, physical components. Note that Figure 7 is similar to those given by Rasmussen (1985, 1986) which show how verbal protocols of an electronic troubleshooting task, given by domain experts, can be mapped onto the means-end/part-whole space.
Figure 6. Annotated fault diagnosis example for a multiple symptom/single fault case, where a failed pump caused problems with the water input systems. (Annotations are in bold, inputs to the system are in italics).
In this example, two symptoms caused by the
failed pump were input by the user: there were problems with the
water and heat inputs to both water and heat holding systems.
These symptoms correspond to the objects "Heat and Water
Input 1" and "Heat and Water Input 2" which are
at the generalized function/sub-system point in the means-end/part-whole
space (see Figures 3-5, and 7). Because there were multiple symptoms,
The program first tried to find some component which could explain
both symptoms. However, in this case there was no single object
linked through part-whole, means-end, or topological links which
could explain both symptoms. Therefore, the program looked for
all objects which were linked to the original objects, beginning
with the part-whole links. The program asked the user to examine
flows A1, B1, A2, and B2, which are linked to the original symptoms
through part-whole links, and are at the generalized function/component
position (see Figure 7).
Figure 7.Problem solving trajectory for
the diagnosis of a faulty pump.
Since the user indicated that there
were only problems with flow B1 and B2, the program then looked
for new objects which could explain both of these problems. There
was no single object linked through part-whole or means-end links
to both flow B1 and flow B2. However, flow B was linked topologically
to both problems so the user was asked to examine it. Flow B
was found to be faulty, so the program checked for objects linked
through part-whole links (of which there were none) and then means-end
links to find the component valve B. The user did not find any
faults with valve B, so the program then found the objects pump-flow
B, flow B1, and flow B2 which are topologically linked to flow
B. Since flow B1 and flow B2 were known to have problems from
previous questioning, the program first inquired about pump-flow
B. The user indicated that pump-flow B was exhibiting problems.
Once again, there were no objects connected through part-whole
links to pump-flow B, so the program asked the user about pump
B, at the physical function/component position. Pump B was found
to be faulty, and again there were no part-whole links, so the
user was instructed to examine the physical form of pump B, which
was the faulty component. The explanation provided describes
the reasoning links backwards, from the form of pump B, to pump
B, to the flow through pump B, to the flow through valve B, to
the flows through valves B1 and B2, to the initial symptoms.
In Figure 6 and Figures 8 - 12, annotated results showing different
examples from the reasoning programs are provided, including the
reasoning path and explanation links, which are identified as
means-end, part-whole, and topological links. Means-end, part-whole,
and topological links are also identified in Figure 7, along with
arrows indicating the problem solving trajectory.
Figure 8. Annotated fault diagnosis example for a case where an external heat source is unexpectedly warming a reservoir.
The next example, shown in Figure 9, shows how the program can handle multiple symptom fault situations caused by unexpected physical interactions between components. In this case, there was a leak from reservoir 1 into reservoir 2, because the former is physically located above the latter. Again, this is a challenging fault to diagnose because the symptoms seem like they are being driven by two independent faults when in fact there is one fault which is propagating to another part of the process due to physical proximity (cf., the discussion in Davis, 1984 regarding bridge faults in electronic troubleshooting). In this example, two faulty tanks were suggested as the cause of four symptoms regarding the heat and water stores, which were described at the level of generalized function. Also, since the user indicated that a physical interaction was present, the program suggested that the problem in tank 1 could have been causing the problem in tank 2. Tank 1 could be leaking into tank 2, causing the volumes in both to be disrupted. Again, this example shows how the program can handle unanticipated fault situations, such as multiple failures and physical interactions between components.
Figure 9. Annotated fault diagnosis example
for a multiple symptom/multiple interacting fault case,
where one reservoir tank is leaking into the other.
The final fault diagnosis example, shown in Figure 10, demonstrates how the program can reason about another type of unanticipated situation, in which there are multiple, independent failures. The unlikely event to be diagnosed consisted of simultaneous, independent faults in valves A1 and B1. In this case, the initial symptom was a problem with the heat and water input system at the generalized function level of abstraction, and the user indicated that both flows A1 and B1 were exhibiting problems. In contrast to Example 1, no single component could be found which accounted for both symptoms, so the program searched for more than one fault and determined that valves A1 and B1 were both faulty. Like the previous example, the program asked the user if there was a physical interaction between the valves. However, in this case, there was no physical interaction indicating that the faults were in fact independent.
Figure 10. Annotated fault diagnosis example
for a single initial symptom/multiple independent fault
case, where two faulty valves are disrupting one water input
system.
Control Information Examples
The control information programs were capable of determining which high level goals would be affected by the control of a particular component, as well as finding controllable components which would affect given goals. Figure 11 shows an example of the former: goals at the level of functional purpose which are affected by the control of valve B2 are listed. Then, an explanation linking each goal with valve B2 is provided. For example, Demand 1 at the functional purpose level is affected because it is linked through a mean-end relationship to mass source 1, at the abstract function level (see Figure 4). Mass source 1 also has a means-end link to input system 1 at the generalized function level. Input system 1 can be decomposed into flow A1 and flow B1 (see Figure 3) using part-whole links, and flow B1 is topologically linked to flow B2 as shown in Figure 5. Flow B2 has a means-end link to valve B2, the component in question. The reasoning paths and explanations regarding the other three effects are similar.
Figure 11. Annotated control information example showing the goals affected by controlling valve B2.
An example of the second type of control information reasoning is provided in Figure 12. Four controllable components are suggested which can affect the flow rate through valve A1. The components pump A, valve A, valve A1, and valve A2 are each connected through means-end links to the respective flows through them, and these flows are linked topologically to the flow rate through valve A1.
Figure 12. Annotated control information
example showing the controls which can affect the goal
of maintaining the appropriate flow rate through valve A1.
Summary
The detailed examples presented in this section provide a concrete, and hopefully convincing, illustration of the potential advantages to be gained from adopting the AH as a representation framework, whether it be in the design of an interface or DSS. The trajectories indicate how adopting such an approach makes it possible to effectively reason about various types of challenging events, including: single faults with multiple symptoms, faults caused by external influences on the system, multiple faults caused by propagation of an initial fault via a physical interaction with another system component, and finally, simultaneous, multiple faults that are independent. In addition, the examples also show how the programs were also capable of determining which high level goals would be affected by the control of a particular component, and finding controllable components which could be manipulated to affect given goals.
In this section, several topics are discussed including: a summary of the benefits of the AH as a representation framework, the relationship of our work to previous research, the limitations of the AH and of our particular implementation, and finally, promising directions for future research.
Benefits
The use of a knowledge representation based on the AH to encode information about a physical system provides several benefits, which have important implications for the design of a DSS or interface. More specifically, this type of representation allows reasoning about unanticipated fault and control situations, allows the use of reasoning mechanisms that are independent of domain information, and has psychological relevance.
The most important benefit of this knowledge representation is that since the AH is based on a description of system structure rather than system or operator behavior, no specific events or tasks are built into the representation or reasoning mechanisms. This is in contrast to other modeling techniques such as production rule models which tend to include specific system situations and responses (e.g., Baron, 1984), models which relate symptoms to their causes (e.g., Chu & Reggia, 1991), or discrete control and operator function models which model normative operator behaviors rather than system structure (Miller, 1985; Mitchell & Miller, 1986). Similarly, GOMS models also include descriptions of specific methods and operators required to accomplish goals (Card, Moran, & Newell, 1983). All of these are event-dependent representations and therefore differ significantly from the event-independent nature of the AH.
Because no specific tasks or events are built in, this type of representation allows reasoning about unanticipated situations, such as the physical interaction between the two reservoirs, the external heat source from the adjacent pizza oven, and the simultaneous failure of two valves, all described in the previous section. Also, by including the human operator in the reasoning process, restrictive assumptions about the likelihood of specific types of fault propagation do not have to be made. Consequently, this knowledge representation has an advantage over rule-based representations. Because it is impossible for system designers to anticipate all possible system failure states (USNRC, 1979; Lipsett, Olmstead, & Stevens, 1989), not all rules necessary to diagnose unanticipated faults can be included in expert systems. As emphasized by Vicente and Tanabe (1993), an event-independent system representation is necessary to support diagnosis of unanticipated system events. The need for diagnosis in process control based on system models rather than rules developed by experts in order to reason about unanticipated faults has also been noted by Dvorak and Kuipers (1991). The AH's ability to provide operators with an informational basis for dealing with unanticipated events makes it attractive as a system model that can be implemented in an interface or a DSS for complex, high-risk systems.
A second benefit of this approach is the clear partition between system model and reasoning mechanism. Although the construction of an AH was not a trivial process, it resulted in a representation which was intended to contain all relevant information about system structure. This allowed us to develop reasoning and explanation mechanisms which did not include any information about DURESS, nor about the number of levels in the means-end and part-whole hierarchies. This is a beneficial feature because it suggests that, even for complex systems, reasoning and explanation mechanisms can be constructed which depend only on information about the structure of the means-end, part-whole, and topological links and not on specific domain information nor on the levels of detail at which the system is represented. Such a system could therefore reason successfully about a larger or more interconnected system simply by adding new component descriptions, without altering the reasoning portion of the system. This feature of the AH has obvious implications for the design of DSS's.
A third advantage of the AH is that it provides a psychologically relevant problem representation. Although this claim has not been tested here, there is a significant body of empirical research from a number of quite diverse domains showing that problem solving protocols can be mapped onto an AH representation (see Rasmussen, 1986 and Vicente & Rasmussen, 1992 for reviews). Some of these results were obtained in realistic field settings with very experienced subjects engaged in representative and challenging tasks. These findings indicate that the AH provides a representation that is consistent with operators' problem solving processes. A problem representation that has psychological relevance is essential for the design of operator aids (as opposed to automated fault diagnosis systems), since it is necessary to provide advice in a manner that is consistent with the operator's own fault diagnosis processes (Amalberti, Grau, & Valot, 1991).
There are two complementary reasons for the psychological relevance of the AH. First, higher levels of abstraction are less detailed than lower levels. Since these multiple representations are provided, operators can cope with complex systems by shifting their representation when necessary from a low (i.e., very detailed) level to a higher level of abstraction with less resolution. Metaphorically, moving up one or more levels allows one to "see the forest through the trees." The fact that diagnosis using multiple representations allows the diagnosing agent to avoid the explicit consideration of unnecessary details is also pointed out by Chu and Reggia (1990). Thus, part of the psychological relevance of the AH lies in the fact that it allows resource-bounded agents, as people are, to deal with systems that would be unmanageable if they had to observe the whole system in full detail all at once. For example, an operator may be more easily able to identify and describe a system fault at a higher, less detailed level of abstraction, and then use the means-end relationships provided by the AH to constrain the search down through the hierarchy to the faulty components.
The second reason for the psychological relevance of the AH is that it constrains search, not in a context free, but in a goal-relevant manner. The AH is explicitly goal-oriented since the various levels in the hierarchy are linked by a means-end relation. Thus, search can be constrained by initiating the problem solving process at a high level of abstraction, deciding which part of the system is relevant to current goals, and then concentrating on the sub-tree of the hierarchy that is connected to the subsystem of interest. This "zooming-in" pattern is illustrated by Rasmussen (1985, 1986) in an electronic troubleshooting domain, and is exhibited by all of the diagnosis scenarios described in the previous section (e.g., Figure 7). The important point to note is that this is an efficient form of search (cf. Korf, 1987) since it allows one to ignore parts of the system that are not pertinent the function of current interest. Thus, an AH representation allows people to engage in goal-directed problem solving in a computationally economic manner. Note that a hierarchy that is not defined by a means-end relation (e.g., a part-whole hierarchy) does not enjoy this advantage (Vicente & Rasmussen, 1992). This suggests that it would be beneficial to adopt the AH as a basis for the design of interfaces or DSS's.
Relation to Other Work
Research on the use of models for reasoning about physical systems has been previously conducted. However, the work presented here is novel in two senses. First, the AH has significant differences in terms of structure and properties from the other models that have been proposed. Second, the AH has not been formalized in this particular manner before. These differences will become clear by reviewing previous work in this area. The discussion will be focused on the system representations used by other researchers. We will only refer to the reasoning mechanisms where necessary.
Davis (1984) developed a computer program which used information about physical structure and device behavior to reason about faults in the domain of electronic circuits. As with the AH model, different representations were adopted to describe the system both physically and functionally. The representations included the notion that faults propagate between items that are in some sense adjacent. Davis noted that unconstrained use of adjacency in troubleshooting could lead to uninformative linkages between all components, a problem similar to the use of unconstrained topological links at the physical form level in our system (see above). However, the solution Davis devised to constrain the search was different from that adopted here. Possible fault categories were identified and prioritized for examination according to likelihood of occurrence. Though the system could diagnose novel faults within specified categories, it could not handle faults outside of those anticipated categories. Also, interactions between components were only considered if the components were physically or functionally adjacent. In effect, restricting physical interactions to adjacent components is tantamount to building in the capacity to handle only a certain class of faults.
Similar assumptions about likely categories of failures and lack of interaction between distant components were included in a program called Draphys (Abbott, 1990), which used multiple system representations to diagnose faults in an aircraft domain. Draphys diagnosed faults while a simulated dynamic system was operating, and also provided information about consequences of fault propagation to other components as well as appropriate corrective actions. It is important to note, however, that the multiple system representations used in Draphys differed in their level of detail rather than along a means-end dimension.
In both of the above cases, some assumptions about fault types and propagation patterns were built into the system models. These programs could handle some types of novel faults in the sense that inferences were made about faults from observed device behavior rather than predetermined patterns of symptoms. However, faults resulting from unanticipated interactions or causes, where appropriate categories had not been included in the model, could not be diagnosed. In part, the assumptions resulting in these restrictions were necessary because, unlike the programs described here, the systems were designed to diagnose faults without any operator input. In the representation and reasoning schemes developed here, the human operator, not the designers' assumptions, is used as the mechanism for bounding the set of possible faults. For instance, instead of presenting all, or a limited few, fault candidates in the case of a physical interaction, this system suggests that a physical interaction may be present between components regardless of how far apart they are, leaving it to the operator to make this determination.
In addition to the representations described by Davis (1984) and Abbott (1990), other models consisting of multiple representations have been developed. For example, Chu and Reggia (1990) used multiple representations in diagnosis to improve efficiency; however, their approach, being based on anticipated causal relationships between symptoms and faults, was not event-independent. Padalkar, Karsai, Biegl, and Sztipanovits (1991) also used multilevel functional and structural representations to describe a system. However, their representation provided a less coherent and comprehensive representation than the means-end/part-whole description used here, since the type of representation did not change consistently between levels in the functional hierarchy, and certain levels of abstraction (e.g., abstract function and physical form) were not included. Also, the structural hierarchy described the system at only one level of abstraction and was not orthogonal to the functional hierarchy, since the former described components and the latter described processes. Padalkar et al.'s representation also differs from the AH in that it contained causal relations linking structural components to faulty processes and the probabilities of those relations. In contrast, Dvorak and Kuipers (1991) used an event-independent system model which has some of the advantages of the AH. However, their representation provided less constraint and information for the fault diagnosis process than the AH because it used a single, rather than multiple, levels of representation.
Another type of event-independent representation is a functional representation which describes physical devices in terms of their overall and component functions, component behaviors, and structures (Sembugamoorthy & Chandrasekaran, 1986). The functional representation uses multiple representations to explicitly represent the device in terms of components and sub-components, called the physical structure, and the functions of components and sub-components, called the functional structure (Keuneke, 1991). However, the motivation for the different levels of functional decomposition was to understand the function of a device in terms of the functions of its components, not to describe the functionality of a device and its sub-components in different, meaningful ways. With the AH, the key is that the type or language of description between levels is connected by a means-end relation, not just by a part-whole relation. With the functional representation, the language of description changes as a by-product of the part-whole decomposition. Since the part-whole decomposition contained only one level of abstraction, and since levels of the functional representation were dependent on a structural decomposition, the two hierarchies were not orthogonal. This characteristic can be found in other representation schemes as well (e.g. Padalkar et al., 1991).
Chandrasekaran, Goel, and Iwasaki (1993) point out two limitations to the functional representation approach that can be resolved in the context of an AH based representation. First, they noted that there may be implicit device goals which are not represented (such as safety goals) since only one function of a device is represented. Additionally, the representation must be constructed carefully to insure that the function and behavior of a device or component is expressed in the same language or abstraction level. These problems would not occur with an AH based representation, since the AH does not limit the number of goals or functions any device or component may have, and since functionality and behaviors, if included, would be described at all levels of abstraction.
Lind (1988, 1990a, 1990b) developed and implemented a highly detailed formalism of a means-end/part-whole representation in the context of fault diagnosis and control support for a complex physical system. The system modeled was a central heating system which included a boiler and radiator, and was characterized by Lind (1990b) as having interacting and competing goals. Lind (1990b, 1991) developed a Multi-level Flow modeling technique (MFM) which describes physical systems at different levels of abstraction and decomposition. The abstraction levels included a level representing system goals, a level describing system functions in terms of mass and energy flows, and a level representing physical components. These levels were linked by means-end and part-whole links, as well as links within abstraction levels. Lind formalized this model, and implemented it as a computer system which used the MFM links and other system information, including physical constraint information, to reason about fault diagnosis and plant control.
As with the models discussed above, the MFM system reasoned about diagnosis and control actions without relying on input from a human operator. This is in contrast to the system described here, which required input from a human operator to constrain the search space. However, because the system developed by Lind was also based on the AH, some properties of his formalization are similar to this implementation. For instance, Lind (1988) found that, by using a representation that included deep knowledge about a physical device, simple reasoning mechanisms which were independent of the represented knowledge could be implemented to search through links between objects in the hierarchies to diagnose system faults. Also, unlike the systems developed by Davis (1984) and Abbott (1990), Lind's system did not contain specific fault categories and thus did not prematurely restrict the types of faults that could be diagnosed.
It is important to realize that the models and representations described here have many similarities to the AH. For instance, some use multiple representations to describe physical systems, some describe system functionality, some describe system structure, some are concerned with providing event independent representations, and some are concerned with efficiency of diagnosis. However, an AH based representation is unique in that it combines all of these features using a coherent, consistent, event-independent representation format. Each representation provides a complete system model or description, and the different representations provide necessary information covering purposes, functions, physical structure, and form. The language within each level and the links between levels are consistently defined. Since the levels of the AH are derived in a means-end rather than an ad-hoc fashion, the AH provides a comprehensive model which covers different classes of constraints. Thus, constraints or interactions that arise at one level (e.g. physical form) but not at another (e.g. physical function) will still be represented. Also, changing the level of abstraction does not necessarily mean changing the level of decomposition. Therefore, the system can be described at as many levels of decomposition as are useful. Finally, since the AH is not dependent on a particular domain, the means-end structure can be applied across different domains; only the levels and particular languages used in description change (Rasmussen, 1985).
Limitations
There are several limitations to the work presented here. First, with regard to general limitations of the AH, it is difficult to construct an AH and the resulting representation is limited by the designer's knowledge about the system. However, this limitation is consistent across all types of modeling efforts and representation schemes that attempt to be comprehensive. Second, certain types of information represented in the AH may be unavailable or unreliable due to limitations in sensor technologies (Vicente & Rasmussen, 1992). Both of these considerations may constrain the types of applications to which the AH can be effectively applied.
A second set of limitations arise from the specific representation scheme and implementation described in this paper. First, using a knowledge representation based on system structure alone can be much less efficient than relying on diagnostic rules which directly link symptoms and causes. Thus, reasoning using an AH may be less efficient than reasoning based on heuristic rules derived from experts. However, as mentioned earlier, the primary threat to system safety in complex systems are events which are unfamiliar to operators and which have not been anticipated by designers. Diagnostic rules of the type just described are ineffective in such cases because they can only cope with familiar or anticipated events. In contrast, the AH provides a basis for dealing with unanticipated events (in fact, it was explicitly developed with these situations in mind; see Vicente & Rasmussen, 1992). This contrast in capabilities is indicative of the general trade-off between reasoning efficiency and scope of applicability. Heuristic rules are more efficient but deal with a smaller set of situations, whereas the AH can deal with a much broader set of events, but only by incurring an added cost in terms of efficiency. In complex systems, this added cost in efficiency is worthwhile since system safety is the primary concern.
It seems logical that a full-scale fault diagnosis system should combine both approaches in order to benefit from the efficiency of a procedural approach and the power of an AH, model-based approach. For instance, the real-time disturbance recovery and diagnosis system described by Chandrasekaran, Bhatnagar, and Sharma (1991) is based on a set of anticipated event classes which were used to define pre-compiled procedures to satisfy system goals. A system of this type can be seen as complementary to one based on an AH representation because it can provide efficient mechanisms for dealing with anticipated problems while the AH representation can provide the information necessary to deal with unanticipated events.
Second, our implementation was limited in that it was not connected to a dynamic system simulation, nor did it represent process states (Table 1) or constraints (Table 2). As a result, our program must rely on operator input to function, and therefore cannot serve as a stand-alone aid. In this sense, the programs described in the previous section are considerably more complex. Third, the reasoning mechanisms implemented here were relatively unsophisticated and were not intended to be psychologically valid. Clearly, there is much room for improvement in this regard (see below).
A fourth limitation, which follows from the previous two, pertains to the scope of the evidence we have presented. The reasoning trajectories illustrated earlier show that the AH has several significant properties which make it attractive as a representation framework. Also, the discussion has indicated how these properties have significant implications for the design of interfaces and DSS's. Other research has shown that adopting the AH as a basis for interface design can lead to improved performance (Vicente, 1992a), but empirical evidence indicating that the AH can be used to design effective DSS's has not yet been provided.
Future research
One interesting topic for further study is how the order in which links are explored affects the reasoning paths generated by the system. Preliminary investigation, based on the DURESS representation and the examples discussed above, suggests that changing the order in which links are explored changes the number of links examined before a solution is reached. This issue is important because the number of links explored is an obvious measure of reasoning efficiency. Also, the order of search affects the particular path from symptom to fault which, in turn, may affect the interpretability of the explanations provided. For the DURESS system, for instance, more links were examined if the topographic links were explored first although the final solution paths did not change. This seems to result from the larger number of topological links than means-end or part-whole links for this particular system, thereby suggesting that the most efficient order for link exploration may depend on characteristics of the system being represented.
Also, it would be informative to compare the fault diagnosis paths generated by the system to those generated by human experts. This would allow one to empirically evaluate the psychological validity of various candidate reasoning mechanisms. A promising path would be to investigate the appropriate order for searching links in order to best mimic human experts. For example, human experts may be more likely to search for faults in connected components before looking at component parts, indicating that to mimic experts, topological links should be searched before part-whole links. Since previous studies indicate that the AH has psychological relevance as a problem representation, computer solution paths should be similar to those of human experts if psychologically valid reasoning mechanisms are implemented along with the AH model. It also may be possible to use this representation to test the claim of psychological validity. For instance, cognitive models of human problem solving could be combined with system knowledge organized according to the representation described here. If this produced fault diagnosis behavior that mimics that of human experts, it may indicate that information organized according to the AH is sufficient to perform fault diagnosis. Thus, it would be possible for humans to be using such a formalization to find faults.
In addition, ways in which additional system information can be incorporated into the knowledge representation need to be explored. For instance, including information such as the algebraic and state equations described in Table 2 could provide additional constraints on the search space for problem components, as well as provide useful information to system operators. Additional work on representing time dependent information and processes, as well as the explicit consideration of sensor failures in some way, also needs to be conducted. The addition of such knowledge would be necessary if the AH representation developed here is to be incorporated into a full-fledged DSS.
Finally, future research should also investigate the performance achieved by a DSS based on the AH. We have shown that the AH has many desirable properties but this is not the same as showing that a DSS based on the AH will lead to improved performance. What design manipulations have to be made before the advantages of the AH can be realized? Under what conditions can such advantages be expected? These are important empirical questions which can only be addressed by developing a DSS based on the AH.
The primary purpose of this paper has been to make the AH concrete. First, a formal instantiation of the AH was developed in the form of a computer program. Second, this formal model was used as a basis for generating detailed trajectories of reasoning in an AH representation. These examples provide a concrete illustration of the various advantages of the AH as a representation framework. Third, the application of the AH was conducted within the context of a thermal-hydraulic system simulation that does not require a great deal of specialized knowledge to understand. Thus, we believe this to be the first case of a widely accessible, detailed application of the AH illustrating its benefits as a knowledge representation framework.
We hope that the formalized and detailed application presented here will suggest, in a tangible way, how the AH may be applied to various problems in the analysis and design of human-machine systems. For example, an AH representation of a work domain can serve as a knowledge-base, not only for the interface, but also for various computer-based support systems as well. This strategy has been adopted by a few control room designers in the nuclear industry (see Vicente, 1992b for a review). In addition, the AH could also be used as a tool for training. Because it provides a normative representation of system structure, the AH specifies a subset of the knowledge that a competent operator should possess. The AH can also be an effective data analysis tool since it can be used to interpret operator problem solving protocols (e.g., Itoh et al., 1990).
Clearly, the work presented here has generated many more questions than it has answered. This is consistent with our intention which has been to indicate the benefits that may be expected from applying the AH. Our effort will have been successful to the extent that it spurs other researchers and designers to explore, critique, elaborate, and revise these ideas. Given the widespread importance of knowledge representation to the field of cognitive engineering, it seems that such efforts are bound to be fruitful, regardless of the findings they produce.
We would like to thank Brian Gaines and the anonymous reviewers for their thoughtful comments and assistance. The writing of this paper was supported, in part, by an NSERC research grant awarded to the second author.
ABBOTT, K. H. (1990). Robust fault diagnosis of physical systems in operation (Unpublished doctoral dissertation). New Brunswick, NJ: Rutgers University, Department of Computer Science.
AMALBERTI, R., GRAU, J. Y., & VALOT, C. (1991). Assistance in process control: Optimal systems versus human-like systems. In Proceedings of the Third European Conference on Cognitive Science Approaches to Process Control (pp. 255-265). Cardiff, UK: University of Wales College of Cardiff.
BARON, S. (1984). A control theoretic approach to modelling human supervisory control of dynamic systems. In W. B. Rouse (Ed.) Advances in man-machine systems research, vol. 1 (pp. 1-48). Greenwich, CT: JAI Press.
CARD, S. K., MORAN, T. P., & NEWELL, A. (1983). The psychology of human-computer interaction. Hillsdale, NJ: Erlbaum.
CHANDRASEKARAN, B., BHATNAGAR, R., & SHARMA, D. D. (1991). Real-time disturbance control. Communications of the ACM, 34 (8), 32 - 47.
CHANDRASEKARAN, B., GOEL, A. K., & IWASAKI, Y. (1993). Functional representation as design rationale. Computer, 26 (4), 48 - 56.
CHU, B., & REGGIA, J. A. (1990). Diagnostic reasoning at multiple levels of abstraction. In Proceedings of the Annual AI Systems in Government Conference (pp. 168 - 175). Piscataway, NJ: IEEE.
DAVIS, R. (1984). Diagnostic reasoning based on structure and behavior. Artificial Intelligence, 24, 347-410.
DVORAK, D., & KUIPERS, B. (1991). Process monitoring and diagnosis. IEEE Expert, 6 (3), 67 - 74.
ITOH, J., YOSHIMURA, S., OHTSUKA, T., & MASUDA, F. (1990). Cognitive task analysis of nuclear power plant operators for man-machine interface design. In Proceedings of the ANS Topical Meeting on Advances in Human Factors Research on Man-Computer Interactions: Nuclear and Beyond (pp. 96-102). La Grange Park, IL: ANS.
JONES, P. M., & MITCHELL, C. M. (1987). Operator modeling: Conceptual and methodological distinctions. In Proceedings of the Human Factors Society 31st Annual Meeting (pp. 31-35). Santa Monica, CA: Human Factors Society.
KEUNEKE, A. M. (1991). Device representation: The significance of functional knowledge. IEEE Expert, 6 (2), 22 - 25.
KORF, R. E. (1987). Planning as search: A quantitative approach. Artificial Intelligence, 33, 65-88.
LIND, M. (1988). Diagnosis using multilevel flow models: Diagnostic strategies for P96 demonstrator (88-E-309). Lyngby, Denmark: Institute of Automatic Control Systems, Technical University of Denmark.
LIND, M. (1990a). Abstractions version 1.0: Description of classes and their use (90-D-380). Lyngby, Denmark: Institute of Automatic Control Systems, Technical University of Denmark.
LIND, M. (1990b). Representing goals and functions of complex systems: An introduction to multilevel flow modelling (90-D-381). Lyngby, Denmark: Institute of Automatic Control Systems, Technical University of Denmark.
LIND, M. (1991). Representations and abstractions for interface design using multilevel flow modelling. In G. Weir and J. Alty (Eds.), Human-computer interaction and complex systems (pp. 223 - 243). London: Academic Press.
LIPSETT, J. J., OLMSTEAD, R. A., & STEVENS, J. E. S. (1989). Balancing the roles of humans and machines in power plant control (AECL-9955). Chalk River, Canada: Atomic Energy of Canada Limited, Chalk River Nuclear Laboratories.
MILLER, R. A. (1985). A systems approach to modelling discrete control performance. In W. B. Rouse (Ed.), Advances in man-machine systems research, vol. 2 (pp. 177-248). Greenwich, CT: JAI Press.
MITCHELL, C. M., & MILLER, R. A. (1986). A discrete control model of operator function: A methodology for information display design. IEEE Transactions on Systems, Man, and Cybernetics, SMC-16, 343-357.
PADALKAR, S., KARSAI, G., BIEGL, C., & SZTIPANOVITS, J. (1991). Real-time fault diagnostics. IEEE Expert, 6 (3), 75 - 85.
RASMUSSEN, J. (1985). The role of hierarchical knowledge representation in decisionmaking and system management. IEEE Transactions on Systems, Man, and Cybernetics, SMC-15, 234-243.
RASMUSSEN, J. (1986). Information processing and human-machine interaction: An approach to cognitive engineering. New York: North-Holland.
SAKUMA, A., SATO, N., MIZUKAMI, M., YOSHIKAWA, E., & IKEDA, J. (1990). An intelligent man-machine interface for supporting operator knowledge-based behavior. In Proceedings of the ANS Topical Meeting on Advances in Human Factors Research on Man-Computer Interactions: Nuclear and Beyond (pp. 271-277). La Grange Park, IL: ANS.
SEMBUGAMOORTHY, V., & CHANDRASEKARAN, B. (1986). Functional representation of devices and compilation of diagnostic problem-solving systems. In J. L Kolodner and C. K. Riesbeck (Eds.) Experience, memory, and reasoning (pp. 47-73). Hillsdale, NJ: Erlbaum.
TANNER, M. C., & KEUNEKE, A. M. (1991). The roles of the task structure and domain functional models. IEEE Expert, 6 (3), 50 - 57.
USNRC (1979). TMI-2 lessons learned task force final report (NUREG-0585). Washington, DC: USNRC.
VICENTE, K. J. (1991). Supporting knowledge-based behavior through ecological interface design (Unpublished doctoral dissertation). Urbana, IL: University of Illinois at Urbana-Champaign, Department of Mechanical and Industrial Engineering.
VICENTE, K. J. (1992a). Memory recall in a process control system: A measure of expertise and display effectiveness. Memory and Cognition, 20, 356 - 373.
VICENTE, K. J. (1992b). Multilevel interfaces for power plant control rooms I: An integrative review. Nuclear Safety, 33, 381 - 397.
VICENTE, K. J., & RASMUSSEN, J. (1990). The ecology of human-machine systems II: Mediating "direct perception" in complex work domains. Ecological Psychology, 2, 207-250.
VICENTE, K. J., & RASMUSSEN, J. (1992). Ecological interface design: Theoretical foundations. IEEE Transactions on Systems, Man, and Cybernetics, SMC-22, 589 - 606.
VICENTE, K. J., & TANABE, F. (1993) Event-independent assessment of operator information requirements: Providing support for unanticipated events. In Proceedings of the American Nuclear Society Topical Meeting on Nuclear Plant Instrumentation, Control, and Man-Machine Interface Technologies (pp. 389 - 393). LaGrange, IL: ANS.