Safety Science 41 (2003) 241–261
www.elsevier.com/locate/ssci
Formalisation of normative knowledge for safe design
Jean-Christophe Blaise a,*, Pascal Lhoste a, Joseph Ciccotelli b
a CRAN (Research Centre for Automatic Control), University of Nancy, BP 239, F54 506, Vandoeuvre Les Nancy Cedex, France
b INRS (National Research and Safety Institute), Avenue de Bourgogne, BP 27, F54 501, Vandoeuvre Les Nancy Cedex, France
Accepted 18 December 2001
Abstract
This paper presents a formal methodology for modelling the knowledge included in safety standards. The use of the NIAM/ORM method addresses the problem of imprecise semantics and the misinterpretation introduced by the use of natural languages. It also allows a formal model of the knowledge to be produced. This formalisation is a necessary step in order to exploit the knowledge efficiently, but it is not sufficient in itself. We therefore propose to restructure the normative knowledge, basing this restructuring on a generic structure of engineering views. This multi-criterion approach allows the designer to use standards much more easily in this form than in their current textual expression. Furthermore, the resulting formal model of a standard can be implemented. This implementation results in a Computer Aided Safety Standards Application for design (CASSA) tool. This tool allows various application scenarios, all included in the safety knowledge model, to be analysed through specific user-oriented interfaces depending on each user's objective. Nevertheless, the implemented model of the safety knowledge is independent and unique with regard to these scenarios. In so doing, our contribution can concern users other than machine designers, such as valuers, standardisation experts or teachers, and can also relate to other areas dealing with standards, such as the environment, the toy industry, etc.
© 2002 Elsevier Science Ltd. All rights reserved.
Keywords: Safety; Standards; NIAM/ORM; Natural language; Modelling; Machine design; Integration
* Corresponding author. Tel.: +33-3-83-50-20-00; fax: +33-3-83-50-21-03.
E-mail address: [email protected] (J.-C. Blaise).
0925-7535/02/$ - see front matter © 2002 Elsevier Science Ltd. All rights reserved.
PII: S0925-7535(02)00004-8
1. Introduction
The main objective of this paper is to present a methodology for knowledge modelling that aims at the safe design of Machinery and Production Automated Systems (MPAS). This aim is directly related to research in automation engineering (Lhoste, 1994) and in system safety (Mayer et al., 1998; Fadier and Ciccotelli, 1999). In particular, it concerns the inclusion of the knowledge and know-how (which consists of knowledge application procedures) related to safety throughout the automation life cycle, especially in the first steps of this cycle (van Gheluwe, 1993). In terms of automation engineering, this methodology aims at improving the quality of the resulting automated systems by bringing together the technical automation views and the safety rules (Lacore, 1993a; Council directive, 1998). These safety rules are often considered very late (even too late) in the design process, in conjunction with informal approaches. That often leads to interpretations of normative texts, subjective choices, etc. From this point of view, the lack of a computer aided tool is a significant problem: such a tool could be used when designing MPAS to support safety aspects. Furthermore, safety should be considered as a systematic and specific part of the technical requirements (Fig. 1) rather than as a low-priority constraint (Jouffroy et al., 1998).
With respect to safety, this paper aims to formalise the technical and legislative
frameworks included in the safety standards, and to define their relationships with
developments in technical automation. The problem is how to apply the technical
regulations and the rules of the ‘‘Safety of Machinery’’ standards during the MPAS
specification and design phases. Moreover, this exploitation of knowledge must be
coherent with other automation design constraints. In particular, just as the automation engineering process requires models to support the automation (Denis and
Lesage, 1995), the engineering of safe systems should use models of the safety standards (Blaise et al., 1999a). Hence, we present Safe Design as a link between Safety
and Design. In particular, we show how the legislation and the associated standardisation process can be considered as a link between the design of a machine and its
future use (Boudillon and Sourisse, 1996). However, the increasing number of standards and the difficulties that users, and even designers, of standards experience in
mastering the resulting complexity are at odds with such a relationship. This
demonstrates that the means of controlling this complexity must be available. As in
the field of MPAS design, methods and models must be used to apply the knowledge included in safety standards. In this respect, we propose to use the Nijssen Information Analysis Method (NIAM; Habrias, 1988; Wintraecken, 1990), also known as Object Role Modelling (ORM; Halpin, 1998), which allows any text expressed in a natural language to be formalised. Aiming at the integration of the resulting formal knowledge into machine design, we show that this modelling is insufficient on its own, and we define a common structure in order to link the technical points of view produced by the design and those of a normative nature. Finally, we illustrate the interest of this approach by a partial model of a standard specific to a class of machines, and by a few examples of its use during the design of such a machine.
Fig. 1. From safety and design to safe design.
As this paper includes NIAM/ORM models and their translation into Binary
Natural Language (BNL), we would advise readers unfamiliar with this technique to
refer to the short presentation of this formalism in the Appendix.
2. Definition of the safe design problem
Each design activity should lead to a safe machine. To achieve this, the designer
must be familiar with all the safety aspects and standards related to the machine
class. However, it is difficult for a designer to master all the knowledge regarding
safety at the same time as all the technical knowledge required by the machine
design. This is reinforced by differences in the content of these two types of knowledge. In fact, designers consider safety as a complementary skill that must be incorporated once the technical development has been completed. Nevertheless, this relationship between the designer and safety could be improved if the technical and safety levels of expression were refined on the same basis and with an explicit conformity, in order to make both safety knowledge and know-how more explicit (Vink, 1995) and easier to use. This refinement would contribute to integrating safety and design into a coherent safe design by taking into account all the foreseeable risks incurred by the future users, and to assuring risk prevention not only by safeguarding but also by a more adequate design. With this in mind, we propose to
gather the technical and safety views of a machine by considering the relationships
between the machine, the designer and the end user.
2.1. Relationships between machine, designer and user of machine
In a basic approach, there is no direct relationship between the designer and the
user except the link with the same object, namely the machine. For many years,
the only thing bonding them was the fact that the design restricted exploitation
(Lacore, 1993b). However, the in situ use of a machine frequently differs from the
foreseen one: what happens is not always what was predicted. The design may well
respond to some of the needs expressed by users but does not always live up to their
expectations! One of the first solutions is a closer integration of the user’s needs into
the design activities. In this way, users must be involved in the design process or,
more exactly, they have to provide an exploitation feedback towards the design
(Neboit et al., 1993). Nevertheless, this feedback often occurs very late in the
design life cycle, leading to modifications of the machine or, at least, to partial redesign of the machine. An early feedback aims to integrate the needs of the user
during the preliminary design.
2.2. Relationships based on requirements
Designers want to integrate the needs of their customers through their involvement in the drafting of requirements (Malhotra et al., 1980). In this way, a Designer/User-of-machine relationship is established (Fig. 2).
This relationship helps the integration of user expectations into the design process,
meaning that the number of potential errors can be reduced as these expectations are
stated at the outset. However, such a relationship is not sufficient in itself to ensure a
direct connection between the exploitation and the machine design areas.
2.3. Relationship based on experience feedback
Because the joint formulation of requirements is not sufficient, engineering and
design departments use a direct feedback from the application field. This permits a
better integration of the real machine exploitation conditions and a clearer understanding of design errors, resulting in an improved integration of user expectations
throughout the design process (Corbel, 1995; Fig. 3).
In reality, as this experience feedback is an integral part of the design, this activity is not clearly identifiable. In fact, it allows the designer to detect recurring errors with a view to capitalising on the corrections (Hasan et al., 2000) in order to take them into account in each new machine design. These activities show us that the designer wishes to integrate the constraints detected during exploitation as early as possible in the design process (Cantin, 1995).
2.4. Relationship based on European legislation
It can be seen that requirements and experience feedback establish two types of informal relationships between design activity and exploitation. The legislation has formalised this connection between designers and users by the introduction of directives which define a legislative framework between what the designer must produce and what the user expects, by establishing safety constraints on products.
Fig. 2. Partial ORM model of the relationship between designer and user by the requirements and the partial model translation into BNL.
Fig. 3. Partial ORM model of the relationship between designer and user by experience feedback and the partial model translation into BNL.
The harmonisation work relative to the legislative and regulatory texts is based today on the “New Approach” directives (Council directive, 1998; New Approach, 2000), which do not lay down precise technical specifications but impose only very general requirements, the so-called “Essential Requirements”. However, in spite of the emergence of this “new” concept of legislation, designers still have to integrate the requirements contained in the directives into their machinery design activities. These directives state overall objectives without specifying how they should be achieved. The harmonised standards serve as a guide for the application of the European directives and as a reference for the design of products, without however constituting inviolable constraints. Once again, this is not enough to obtain an easy integration of these regulations, because safe design means finding technical solutions that satisfy the objectives of the standards (Fig. 4).
3. The normative framework relative to the safety of machinery, its evolution
3.1. The concept of standard: definition (ECS, 1998a)
Standard: Document established by consensus and approved by a recognised
body, that provides for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.
In fact, the contents of standards can be statements, instructions, recommendations or requirements. The application of standards is not obligatory, and standards
do not indicate regulations. Within the new approach framework the harmonised
standards serve as a guide for the application of the European directives and, as
defined in Article 5(2) of the directive:
When a national standard transposing a harmonised standard, the reference for which has been published in the Official Journal of the European Communities, covers one or more of the essential safety and health requirements, a product constructed in accordance with this standard shall be presumed to comply with the relevant essential requirements.
Fig. 4. Partial NIAM/ORM model of the relationships between Legislation, Standardisation, Designer and User, and the partial model translation into BNL.
3.2. Characteristics of the standardisation framework
The standardisation authorities formulate technical specifications through multiple texts such as group safety standards (type B standards) and machine safety
standards (type C standards). These standards are based on the fundamental
safety standards (type A standards) such as the EN 292 standard (ECS, 1991). The
framework and organisation of the standards are based on these concepts of horizontal standards and vertical standards (Fig. 5).
This representation of the standardisation framework shows the complexity of the interactions existing between the various standards. In addition to this complexity, another characteristic feature of the standardisation framework is its volume. Currently 100 horizontal standards and 177 vertical standards have been drawn up by different Technical Committees (TC) with the following distribution (New Approach, 2000): 30 standards on safety of machinery, three standards on electrotechnical aspects, one standard on lighting, 16 standards on vibration, 26 standards on noise, 15 standards on ergonomics, and nine standards on explosive atmospheres. The 1997–1998 ECS annual report (ECS, 1998b) specifies that of a total of 840, 80% will be published within three years, whereas currently only 164 have been published in the Official Journal of the European Communities. In addition, the commission for occupational health, safety and standardisation (KAN¹) has published the following progress report on standards (Fig. 6) for the 1992–2004 period.
Fig. 5. Horizontal standards distribution in CEN [CEN: European Committee of Standardisation (ECS)] and CENELEC [CENELEC: European Committee of Electrotechnical Standardisation (ECES)].
3.3. Users of the standardisation framework
The changes in the standardisation process relative to the safety of machinery, as presented by Lacore (1993b), show clearly the full expansion of this field, which justifies a significant effort such as the one presented in our contribution.
Apart from designers, other categories of users, who also have problems interpreting the rules and dealing with the quantity of information, are concerned by the
standardisation framework. They include:
normative experts and standards makers within the ECS and ECES,
teachers who use the standardisation framework as the basis of safety training courses for students and the industry,
machine valuers and certifiers.
¹ Kommission Arbeitsschutz und Normung (http://www.kan.de).
Fig. 6. Evolution of ‘‘the safety of machinery’’ standards.
In fact, everyone concerned with the standardisation framework has the common
problem of mastering this normative knowledge even though they require specific
forms of presentation. In order to solve this general problem, formalisation of the
normative knowledge is proposed.
4. Eliciting, formalising and exploiting safety knowledge
As in any creative activity, safe design requires the application of knowledge.
Concerning the global design activity of a complex system, all the necessary knowledge is distributed between various experts. In order to contribute to the design
objective, knowledge must be shared and be integrated by its future users (Rösner et
al., 1997; Beeckman, 1993). This integration implies communication and knowledge
sharing that involves the use of explicit knowledge expressed in a universal and
comprehensible language in order to be understood by the expert, the user and the
elicitor (Firlej, 1990).
The following section defines more precisely the links between the people involved in this common reference platform, namely knowledge. We can note that, as far as safe engineering is concerned, the user of the normative knowledge is the designer. However, we have shown in the previous section that there are other potential users of normative knowledge. Everything we say about the designer also applies to these other users of standards.
4.1. People involved in using knowledge
The expert and the designer, who is the user of the normative knowledge, should share the same common knowledge. In fact, the user exploits implicit and informal knowledge, whereas he needs explicit and formal knowledge. So, the knowledge produced by the expert must be made more explicit by identifying the different meanings of this knowledge. To reach this goal, an intermediate and independent actor, the elicitor, is required to extract the knowledge objectively and to ensure that it corresponds to the needs of the designer. The elicitor is not an expert in the area of the knowledge application and is therefore able to absorb knowledge without personal subjective interpretation (Sharp, 1998). In order to perform this extraction and to refine the relevant areas of the entire available knowledge, he needs to use a knowledge acquisition method and the assistance of the expert. Furthermore, the elicitor needs to check the coherence² and the completeness³ of the extracted knowledge, which implies the use of knowledge modelling and formalisation techniques (Yunker, 1993). The aim of these operations is to ensure the coherence through formal rules and to ensure the completeness of the knowledge, for a given context, contained in the model (van Bommel et al., 1991). The designer, as well as other actors, can then exploit this formal knowledge by using the resulting model. However, this model is not very convenient for efficient exploitation of the knowledge included in it, and it has to be processed to become more usable.
4.2. The processing of knowledge
These actors are involved in three knowledge-related processes: acquisition,
formalisation and exploitation. The partial model presented in Fig. 7 shows the
interaction between the actors, the knowledge itself, and the knowledge model
defining the scope of each process.
4.2.1. Eliciting safety knowledge from the standards
In our case study, knowledge is formulated within the reference sources, namely standards. As shown in Section 3, standards are in reality a consensus reached after a long drafting procedure during which the experts extract the knowledge and know-how. Nevertheless, only a part of all this knowledge is explicitly used as reference knowledge in the resulting standards. In order to have a clear understanding of all the knowledge contained in the standards, the elicitor needs to analyse the texts (the reference sources containing the reference knowledge) and to complement them by interactions with experts that aim at acquiring their know-how. To succeed in this elicitation process and to ensure the coherence and the completeness of all knowledge expressions, it is necessary to alternate this process with the formalisation one. Indeed, these properties can only be verified using a formal model (ter Hofstede and van der Weide, 1993).
4.2.2. Formalising safety knowledge
The NIAM/ORM method (Fig. 8) is employed to formalise the knowledge contained in the standards.
There are several reasons for using NIAM/ORM. The first one is its ability to
support both the elicitation and the formalisation processes by guiding the elicitor
from the implicit knowledge identification to the explicit knowledge modelling. The
second reason is that this method is based on a linguistic analysis of a Universe of
Discourse (UoD: a delimited field) described in natural language expressions. This
analysis requires the identification and the expression of elementary sentences which contain the whole knowledge about the application area. As previously stated, the associated refinement technique of these sentences allows the expressed knowledge to be supplemented with the unexpressed one. The identification of the relations between two objects, in the active and passive forms, and the identification of the constraints imposed on these relations are essential to clarify the knowledge. Thus, the possible lack of knowledge (Toussaint, 1992) is completed and the inaccuracies of the initial expression are eliminated. The result of this analytical method is a formal model using the NIAM/ORM formalism (cf. Appendix). This model, represented in the form of a draft diagram, can then be verbalised in BNL without losing any semantics. To avoid misinterpretation, a UoD expert can perform or at least check this verbalisation, and in so doing validate the model (ter Hofstede et al., 1997; Sharp, 1998). Furthermore, some algorithms can transform the resulting conceptual model in order to map it into a logical model, which allows a relational database system to be created. This method is used mainly for mapping conceptual and logical levels in order to implement information systems (ITS, 1991). Unfortunately, it is used less often for its ability to elicit and formalise information.
² The extracted knowledge is correct (Sabah, 1990).
³ The user can exploit the whole knowledge he needs (Sabah, 1990).
Fig. 7. NIAM/ORM model of knowledge processes and actors, and the partial model translation into BNL.
4.2.3. Exploiting safety knowledge
The availability of a formal model of the safety knowledge modifies the relationship between designers and standards (Fig. 9). First, the model includes more coherent knowledge, because it has been verified by the application of the rules associated with the formal model and validated by experts. Secondly, the model is more complete than the initial knowledge described in the texts of standards, through the transformation of implicit know-how into explicit knowledge. Finally, it is possible to use this model to generate a database which implements the knowledge with no loss of semantics.
Fig. 8. NIAM elicitation and formalisation processes.
The model and its application are independent of any specific design. To establish
a relationship between a specific type of designer and the model (or its application),
it is necessary to take into account the requirements of the designer by defining
specific interfaces. These interfaces aim at presenting the knowledge to the designer
in a suitable form and apply particular scenarios compatible with the objectives of
the designer.
4.3. Towards the safe design of machinery
An initial experiment using this formal approach (Blaise et al., 1999a) on a ‘‘type
A’’ standard (fundamental safety standard, applicable to all machinery) has shown
the feasibility and the interest of knowledge analysis and formalisation in this field.
Nevertheless, this type of standard contains too general information to be directly
and efficiently used during the design of a specific machine. Therefore, we have
chosen a ‘‘type C’’ standard which is dedicated to a particular class of machines, and
which is more relevant to users concerned by the design of the machine.
A ‘‘type C’’ standard takes into account the different hazards related to a machine
but it does not cover the ‘‘genetic’’ characteristics of the machine (i.e. its engineering) in sufficient detail. From this point of view, our work is an alternative to the
structuring approaches based on hazard (ECS, 1992). Indeed, our goal is to promote
the application of safety rules as early as possible in and throughout the design
process. In this respect, a text structured only by ‘‘type of risks’’ limits this integration.
Fig. 9. Partial NIAM/ORM model of knowledge exploitation, and the partial model translation into BNL.
It is for this reason that we propose to re-structure the safety knowledge according
to the structure of the machine and its engineering. First, the re-structuring of standards aims at finding equivalent semantic levels between the standard views and the
machine views. The different types of significant machine views can be identified
from two points of view (Lemoigne, 1994): from a genetic or engineering viewpoint
(how is the machine built?) and from an ontological or technical viewpoint (what is the
machine?). Secondly, the same identification must be carried out with regard to
the relevant safety information contained in the machinery standard. This approach
leads to ‘‘dissecting’’ a machine and its related standard using the same criteria in order
to be able to compare them semantically and to match their respective definitions.
4.3.1. Technical standpoint
The first viewpoint is based on the examination of the machine structure. Each automated machine can be represented by a system divided into two parts: the Control part and the Operative part. In “Annex A”, the EN 292 standard proposes a general schematic representation of a machine, as shown in Fig. 10. This chart shows the links between these two parts and their different components. The human and environmental parts, represented by the “Operator–Machine Interface”, and a representation of the “guards” and “safety devices” aimed at making the machine safer can also be distinguished.
This machine structuring can also be observed throughout the entire ‘‘Safety of
Machinery’’ standardisation framework itself. Indeed, as presented in Section 3,
standards are divided into three categories: ‘‘type A’’ and ‘‘type B’’ standards related
to all machinery and ‘‘type C’’ standards related to a particular machine. If a
machine is considered in relationship to its own standard (‘‘type C’’), some components of this machine fall within the scope of other standards (‘‘type B’’). The new
standardisation approach introducing ‘‘horizontal’’ standards (related to all
machinery) and ‘‘vertical’’ standards (providing detailed safety requirements for a
particular machine or a group of machines) (Lacore, 1993b), reinforces the compatibility between the technical standpoint of a machine and its different standards.
So, the chart in Fig. 10 serves as our technical viewpoint reference.
4.3.2. Engineering standpoint
The second viewpoint is based on the engineering views of a machine. We now focus on “how the machine has been built”, in order to identify the different views emerging from the engineering of the machine. Basically, a machine is built to ensure a number of functions, each performed by certain organised actions defining specific behaviour applied to the resources and components employed within a technological structure. Finally, we can propose a partial definition of a machine by its functional, behavioural, structural and technological views (Lhoste, 1994). Likewise, “type C” standards introduce safety rules with Functional viewpoints (what functions should be ensured in order to make the machine safer), Behavioural viewpoints (what behaviour should be respected or prohibited), Structural viewpoints (what components should be located in a certain place) or Technological viewpoints (what components should be of a certain type). We can illustrate these viewpoints by the following examples of standard requirements:
Functional viewpoint: a press may have a manual feed or removal.
Behavioural viewpoint: initiation of the stroke of the slide shall be prevented until the guard gate is closed.
Structural viewpoint: the provided guards and protective devices shall interface with the control system of the press.
Technological viewpoint: all shaft position switches controlling the slide movement shall be of the electro-mechanical type.
Fig. 10. General schematic representation of a machine (from the EN 292-1 standard Annex A).
4.3.3. Synthesis of these standpoints
This approach, however, is not comprehensive enough to take into account the close relationship that exists between the different engineering aspects. In fact, each component has its own engineering views, whereas the machine, which contains all these components, also has its own views, which may be different, as shown in Fig. 11. Similarly, certain paragraphs contained in the standards are dedicated to a certain kind of component, whereas others describe the interaction between the components and their characteristics. This approach makes it possible to identify identical knowledge in the standards and in the engineering process.
4.3.4. Application of the multi-viewpoint approach to the EN 692 standard
In order to illustrate the interest of such a structuring approach, it was
applied to a ‘‘Mechanical Press’’ machine and its corresponding standard (Blaise et
al., 1999b), namely EN 692 (ECS, 1996). First, we showed the correspondence
between the different parts of the standard relative to the presses and the different
parts of the general schematic description of a machine. Then, on the basis of the
different types of mechanical presses within the standard, we showed the correspondence between the engineering views of the machine and the engineering views
incorporated in the standard. These different types can be classified according to the
different engineering views previously identified in Fig. 12. This figure shows a partial formalisation of these concepts and a number of constraints detailed in the
EN 692 standard. It also shows an example of the restructuring approach with three
engineering views: functional, behavioural and technological views. Certain constraints relative to these points of view are outlined.
For example, the exclusion constraint (symbolised by ‘‘X’’ and referenced by in
Fig. 12) between a press using a single cycle production mode and a press operating
in an automatic feed or removal mode is an illustration of an obligatory constraint
which must be considered during the design of the press. A functional choice (for
instance, a press with automatic feed or removal) implies a behavioural choice (in
this case a single cycle mode of production is forbidden).
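The following is an added example, not code from the paper or from the CASSA tool. It encodes a handful of the press fact types quoted in Sections 4.3.2 and 4.3.4 as a small ORM-style model: each fact type carries its active and passive reading and an engineering viewpoint, the model can be verbalised as BNL-style sentences restricted to one viewpoint (the restructuring of Section 4.2.2 and 4.3.2), and a press design instance is checked for completeness (mandatory roles) and coherence (the exclusion constraint between automatic feed or removal and the single cycle production mode). The object-type names, readings, role keys and design instances are assumptions made for this illustration.

```python
"""Toy NIAM/ORM-style model of a fragment of the EN 692 press knowledge.

Added example, not code from the paper or the CASSA tool. The fact types,
viewpoint tags and the exclusion constraint paraphrase the requirement
examples quoted in the text; the identifiers, readings, role keys and the
design instances below are assumptions made for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FactType:
    """An ORM elementary fact type: a binary relation with both readings."""
    subject: str      # object type playing the first role
    role: str         # key under which a design instance records the object
    active: str       # active reading, e.g. "has feed mode"
    obj: str          # object type playing the second role
    passive: str      # passive reading, e.g. "is the feed mode of"
    viewpoint: str    # functional / behavioural / structural / technological
    mandatory: bool   # mandatory role constraint on the subject

    def verbalise(self) -> Tuple[str, str]:
        """Binary Natural Language style verbalisation, both readings."""
        return (f"{self.subject} {self.active} {self.obj}.",
                f"{self.obj} {self.passive} {self.subject}.")


@dataclass(frozen=True)
class Exclusion:
    """ORM exclusion constraint ('X'): no instance plays both role values."""
    role_a: str
    value_a: str
    role_b: str
    value_b: str


# Fact types restructured by engineering viewpoint (Section 4.3.2 examples).
FACT_TYPES: List[FactType] = [
    FactType("Press", "feed_mode", "has feed mode", "FeedMode",
             "is the feed mode of", "functional", True),
    FactType("Press", "production_mode", "operates in", "ProductionMode",
             "is the production mode of", "behavioural", True),
    FactType("Press", "guard_interface", "has guards interfaced with",
             "ControlSystem", "interfaces the guards of", "structural", True),
    FactType("Press", "switch_type", "has slide position switches of",
             "SwitchType", "is the switch type of", "technological", True),
]

# Exclusion constraint of Section 4.3.4: a press with automatic feed or
# removal must not operate in the single cycle production mode.
CONSTRAINTS: List[Exclusion] = [
    Exclusion("feed_mode", "automatic", "production_mode", "single cycle"),
]


def verbalise(viewpoint: Optional[str] = None) -> List[str]:
    """BNL sentences of the model, optionally restricted to one viewpoint
    (a designer's view of the restructured standard)."""
    sentences = []
    for ft in FACT_TYPES:
        if viewpoint is None or ft.viewpoint == viewpoint:
            sentences.extend(ft.verbalise())
    return sentences


def check_design(design: Dict[str, str]) -> List[str]:
    """Check a press design instance (role key -> chosen object) against
    the model. Returns violation messages; an empty list means the design
    is complete (every mandatory role played) and coherent (no exclusion
    constraint violated)."""
    violations = []
    for ft in FACT_TYPES:
        if ft.mandatory and ft.role not in design:
            violations.append(
                f"incomplete ({ft.viewpoint}): '{ft.subject} {ft.active} "
                f"{ft.obj}' is mandatory but no {ft.obj} is given")
    for c in CONSTRAINTS:
        if design.get(c.role_a) == c.value_a and design.get(c.role_b) == c.value_b:
            violations.append(
                f"exclusion violated: {c.role_a}={c.value_a!r} excludes "
                f"{c.role_b}={c.value_b!r}")
    return violations


# Constructed design instances: the first one makes the forbidden
# functional/behavioural combination, the second corrects the feed mode.
AUTOMATIC_SINGLE_CYCLE: Dict[str, str] = {
    "feed_mode": "automatic",
    "production_mode": "single cycle",
    "guard_interface": "press control system",
    "switch_type": "electro-mechanical",
}
MANUAL_SINGLE_CYCLE: Dict[str, str] = dict(AUTOMATIC_SINGLE_CYCLE, feed_mode="manual")

if __name__ == "__main__":
    for sentence in verbalise("behavioural"):
        print(sentence)
    for violation in check_design(AUTOMATIC_SINGLE_CYCLE):
        print("VIOLATION:", violation)
```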
Finally, we formalised the relationships between the “press” standard and its corresponding normative references. The complexity of the standardisation framework is very difficult for designers to master, as they can easily get lost in this maze of standards. The EN 692 standard encompasses about 30 standards. These normative references are listed in the different paragraphs of the EN 692 standard. The sentences referring to the normative references can be formalised in order to propose a formal view of these relationships, as shown in Fig. 13.
This model describes more clearly the different links between the EN 692 standard and other standards, indicating the main characteristics and constraints to be considered during the design of a press.
Fig. 11. A machine contains features of its engineering.
Fig. 12. Partial NIAM/ORM model of different types of presses.
5. Towards a computer-aided safety standard application for design
The formalisation of normative knowledge represents the ‘‘heart’’ of our contribution and also the basis of a future software tool. However, it is necessary to
provide interfaces to guide designers throughout their engineering activities by
allowing access to the correct normative information at the right time. In fact, the
approach outlined in this paper, restructuring the contents of standards according to
functional, behavioural, structural and technological viewpoints, must be considered
as a particular example of such an interface configuration. Indeed, despite attempts
to model (Meinadier, 1998; Harani, 1998) or to standardise design activities (IEEE,
1998), each engineering company, and even each designer, has its own engineering
procedure producing specific viewpoints. Furthermore, although our main aim is to
help machine designers, other users are also concerned: standardisation experts,
valuers, teachers, etc. All have their own requirements and viewpoints on normative
knowledge. With the intention of developing a Computer Aided Safety Standard
Application (CASSA) tool, it is necessary to define a configurable interface allowing
every user of the safety knowledge to configure his own viewpoints, restructuring the
normative knowledge in relation to his individual needs.
Fig. 13. NIAM/ORM model of a press and its matching normative references.
The principle of this configuration can be represented as a supplement to the
safety standard model by classifying each item of safety knowledge according to the types of
user views (Fig. 14). On the basis of such an ORM model, the development of the
corresponding relational database and the associated user interface is facilitated by
the use of a Software Engineering environment, such as Visio Modeler™ (footnote 4) or ISW™ (footnote 5)
(Fig. 15).
This approach has been applied to the EN 692 standard, on the basis of its
NIAM/ORM model and including the input brought by experts in mechanical
presses. The development of the corresponding database and of an interface prototype
is now in progress. A card index of standards models allows their manual
exploitation and serves as a guide to develop CASSA interfaces in HTML–JAVA.
As the CASSA database results directly from standards modelling, so does the
content of the windows (Fig. 16).
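To make the principle concrete, here is an added example (not the paper's or the CASSA prototype's own code) of relational tables derived from the ORM model: each normative sentence is stored once, typed by its engineering view and by the user views it is relevant to (Fig. 14), and standards are linked by the ‘‘refers to’’ fact type of Fig. 13. The standard codes are taken from the paper's reference list; the clauses, sentences, reference links and the function names (`open_db`, `items_for`, `all_referenced_standards`, `add_knowledge`, `rejects_unknown_view`) are assumptions of this example and not the actual content of EN 692.

```python
"""CASSA-style relational store derived from an ORM model (added example).

Sample population is constructed: standard codes come from the paper's
reference list, everything else is invented for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE standard (
    code  TEXT PRIMARY KEY,
    title TEXT NOT NULL
);
-- 'refers to' fact type of Fig. 13: one row per normative reference
CREATE TABLE normative_reference (
    citing TEXT NOT NULL REFERENCES standard(code),
    cited  TEXT NOT NULL REFERENCES standard(code),
    clause TEXT NOT NULL,
    PRIMARY KEY (citing, cited, clause)
);
-- one row per normative sentence, typed by engineering view
CREATE TABLE knowledge (
    id       INTEGER PRIMARY KEY,
    standard TEXT NOT NULL REFERENCES standard(code),
    view     TEXT NOT NULL CHECK (view IN
             ('functional', 'behavioural', 'structural', 'technological')),
    text     TEXT NOT NULL
);
-- Fig. 14: each sentence typed by the user views it is relevant to
CREATE TABLE user_view_typing (
    knowledge_id INTEGER NOT NULL REFERENCES knowledge(id),
    user_view    TEXT NOT NULL,
    PRIMARY KEY (knowledge_id, user_view)
);
"""

STANDARDS = [  # codes from the paper; titles as in its reference list
    ("EN 692", "Mechanical Presses - Safety"),
    ("EN 292-1", "Safety of Machinery - Basic Concepts, General Principles for Design"),
    ("EN 45020", "Standardization and Related Activities - General Vocabulary"),
]
REFERENCES = [("EN 692", "EN 292-1", "2"), ("EN 292-1", "EN 45020", "2")]  # constructed links
KNOWLEDGE = [  # constructed wording, not the text of EN 692
    (1, "EN 692", "functional", "A press may use automatic feed or removal."),
    (2, "EN 692", "behavioural",
     "Single cycle production is excluded with automatic feed or removal."),
    (3, "EN 692", "technological", "Constructed technological requirement."),
]
TYPING = [(1, "designer"), (1, "teacher"), (2, "designer"), (2, "valuer"), (3, "designer")]


def open_db():
    """In-memory database populated with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO standard VALUES (?, ?)", STANDARDS)
    conn.executemany("INSERT INTO normative_reference VALUES (?, ?, ?)", REFERENCES)
    conn.executemany("INSERT INTO knowledge VALUES (?, ?, ?, ?)", KNOWLEDGE)
    conn.executemany("INSERT INTO user_view_typing VALUES (?, ?)", TYPING)
    conn.commit()
    return conn


def items_for(conn, user_view, engineering_view=None):
    """Sentences relevant to one user view, optionally restricted to one
    engineering view: the configurable interface of Fig. 14 as a query."""
    sql = """SELECT k.id, k.standard, k.view, k.text
             FROM knowledge k JOIN user_view_typing t ON t.knowledge_id = k.id
             WHERE t.user_view = ?"""
    params = [user_view]
    if engineering_view is not None:
        sql += " AND k.view = ?"
        params.append(engineering_view)
    return conn.execute(sql + " ORDER BY k.id", params).fetchall()


def all_referenced_standards(conn, code):
    """Direct and indirect normative references of `code` (Fig. 13), walked
    with a recursive query; UNION de-duplicates, so cycles terminate."""
    rows = conn.execute("""
        WITH RECURSIVE reach(code) AS (
            SELECT cited FROM normative_reference WHERE citing = ?
            UNION
            SELECT r.cited FROM normative_reference r JOIN reach ON r.citing = reach.code
        )
        SELECT code FROM reach ORDER BY code""", (code,)).fetchall()
    return [r[0] for r in rows]


def add_knowledge(conn, standard, view, text):
    """Insert one sentence; the CHECK constraint rejects a view outside the
    four engineering views and the foreign key rejects an unknown standard."""
    cur = conn.execute("INSERT INTO knowledge (standard, view, text) VALUES (?, ?, ?)",
                       (standard, view, text))
    conn.commit()
    return cur.lastrowid


def rejects_unknown_view(conn):
    """True if the schema refuses a sentence typed with an unknown view."""
    try:
        add_knowledge(conn, "EN 692", "aesthetic", "constructed")
    except sqlite3.IntegrityError:
        return True
    return False
```

Because the knowledge rows carry no user-specific content, adding a new category of user (a standardisation expert, say) only adds rows to `user_view_typing`; the formalised knowledge itself is left unchanged, which is the independence the section argues for.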
The next step of this development consists of making this generic interface more
specific to user (particularly machine designer) requirements, allowing user-friendly
database access similar to the most widely used software packages on the market. The prototype shall put the usual software functionalities, such as online help with hypertext
links and search by keywords, at the user's disposal. CASSA shall also propose particular functions aimed at specific users, such as dedicated multimedia tutorials.
4 Visio Modeler is a product of Microsoft Visio.
5 ISW is a product of I.T.S. Brussels.
Fig. 14. Principle of the interface configuration for design.
Fig. 15. Development of the Safety Standard database and prototype with a Software Engineering Environment.
6. Conclusion
We have shown that safe design is a complex activity combining the complexity of
the design and the complexity of the safety standardisation framework. Designers
need new methods and tools to integrate their technical knowledge and the corresponding normative knowledge (Ciccotelli, 1999). This normative knowledge is
considered as a common reference that links designers and machine users, and must
be formalised to avoid misinterpretation of the usual textual form of standards. In
so doing, we have demonstrated the utility of the NIAM/ORM method in constructing a coherent model of normative knowledge based on its expression in natural language. More particularly, we have highlighted the ability of this method to
ensure the semantic completeness of the resulting model by taking into account the
implicit knowledge identified within the explicit knowledge.
However, this demonstration is not enough to use this knowledge efficiently as the formal
reference. With the aim of integrating technical and safety normative
knowledge into design activities, it is necessary to apply the same approach to the
technical knowledge and to the activities themselves. Despite a number of attempts
to formalise and standardise the field of the design process, there is no available and
consensual model to allow strong integration with the safety normative models. So,
we propose to restructure the safety normative knowledge on the basis of typical
views (functional, behavioural, structural, and technological). We consider that
these views emerge directly from the design process. In fact, this restructuring only
corresponds to one specific configuration and allows specific access to the safety
knowledge without modifying this knowledge.
Fig. 16. From NIAM model to prototype windows.
Finally, the formal model of the standard can be implemented as a Computer
Aided Safety Standards Application tool for design (CASSA). In this tool, the specific requirements of the designer can be entered and processed via configurable
interfaces. The construction of these interfaces does not bring the formalisation of
normative knowledge into question, as both normative knowledge and its formalisation are independent of how they are used by designers, valuers and other
categories of users.
Our approach has been successfully applied to the EN 692 standard. It can be
extended to other ‘‘type C’’ standards, even ‘‘type B’’ and ‘‘type A’’ standards,
resulting in more consistent and more usable normative knowledge. As our research
work is limited to a feasibility study, industrial developments would be necessary to
apply our approach to the entire safety standardisation framework.
In our opinion, this approach and the resulting tools can be used efficiently by all
those involved in standards (valuers to help their certification procedures, teachers
to improve the dissemination of standards, designers of standards themselves to
extend existing standards or to create new ones by ensuring the overall coherence of
the entire standardisation framework, etc.) or applied in other fields of standardisation (environment, toy industry, etc.).
Appendix. Main ORM symbols and associated signification
References
Beeckman, 1993. Modélisation de l’information dans les systèmes industriels. Ingénierie des systèmes
d’information 1 (3), 305–323.
Blaise, J.C., Ciccotelli, J., Lhoste, P., 1999a. Contribution à l’ingénierie sécuritaire des systèmes automatisés de production: formalisation de normes de Sécurité. Proceedings of the Safety of Industrial
Automated Systems Conference. Montreal. pp 16–21.
Blaise, J.C. Lhoste, P., Ciccotelli, J., 1999b. Safety of machinery: integration of engineering and normative
views. In: Schuëller, Kafka (Eds.), Proceedings of ESREL’99—the Tenth European Conference on
Safety and RELiability. Munich-Garching Germany, 13–17 September 1999. Balkema. Rotterdam. pp.
1411–1416.
Boudillon, L., Sourisse, C., 1996. La sécurité des machines automatisées. Tome 1. Institut Schneider
Formation, Cergy-Pontoise.
Cantin, R., 1995. Retours d’expérience de la pratique et maîtrise des procédés industriels. In: Connaissances
et savoir-faire en entreprise. Ed. Hermès, pp. 229–247.
Ciccotelli, J., 1999. Des systèmes compliqués aux systèmes complexes. Eléments de réflexion pour l’ingénierie de prévention. Cahiers de notes documentaires—Hygiène et sécurité du travail. 177 (4), 125–133.
Corbel, J. C., 1995. Méthodologie de retour d’expérience, démarche MEREX de Renault. in Connaissances et savoir-faire en entreprise. Ed. Hermès, pp. 93–110.
Council directive, 1998. Council directive 98/37/EEC. The Approximation of the Laws of the Member
States Relating to Machinery. O.J.E.C. No. L 207 of 23 July 1998. ECS, Brussels, pp. 1–46.
Denis, B., Lesage, J.J., 1995. Un panorama de la recherche en conception de la conduite des systèmes de
production. Proceedings of International Industrial Engineering Conference. Productivity in a world
without borders. 3, 1537–1549.
ECS, 1991. EN 292-1. Safety of Machinery—Basic Concepts, General Principles for Design. ECS.
ECS, 1992. EN 414. Safety of Machinery—Rules for the Drafting and Presentation of Safety Standards.
ECS, Brussels.
ECS, 1996. EN 692. Mechanical Presses—Safety. ECS, Brussels.
ECS, 1998a. EN 45020. Standardization and Related Activities—General Vocabulary. ECS, Brussels.
ECS, 1998b. European Committee for Standardisation Annual Report (1997–1998). ECS Central Secretariat, Brussels. CEN B23/9809/7k.
Fadier, E., Ciccotelli, J., 1999. How to integrate safety in design: methods and models. Journal of Human
Factors and Ergonomics in Manufacturing 9 (4), 367–380.
Firlej, M., 1990. Knowledge Elicitation: A Practical Handbook. Prentice Hall.
Habrias, H., 1988. Le Modèle Relationnel Binaire. Méthode I.A. (NIAM). Ed. Eyrolles.
Halpin, T.A., 1998. Object-Role Modeling (ORM/NIAM) in Chapter 4 of Handbook on Architectures of
Information Systems. Springer.
Harani, Y., 1998. Modèle de produit et modèle de processus pour la représentation de l’activité de conception. International Journal of Mechanical Production Systems Engineering 1, V-11–V-20.
Hasan, R., Bernard, A., Ciccotelli, J., Martin, P., 2000. Intégration de la Sécurité dès la conception de
systèmes de production: modélisation de l’interaction homme—machine dans le fonctionnement du
produit lors du processus de conception. 3rd International Conference on Integrated Design and
Manufacturing in Mechanical Engineering, IDMME’2000, Montreal, Canada.
IEEE, 1998. IEEE 1220, Standard for Application and Management of the Systems Engineering Process. IEEE, New
York.
ITS (Information Technology and Services), 1991. ISW: un Outil pour la Méthode NIAM ou Passer du
Langage Naturel à des Spécifications non Ambiguës. Génie Logiciel & Systèmes Experts, pp. 36–41.
Jouffroy, D., Demor, S., Ciccotelli, J., Martin, P., 1998. An Approach to Integrate Safety at the Design
Stage of Numerically Controlled Woodworking Machines. in Integrated Design and Manufacturing in
Mechanical Engineering. Kluwer Academic, pp. 643–650.
Lacore, J.P., 1993a. Normes et normalisation européennes en matière de santé et de sécurité dans le cadre
de la nouvelle approche. Cahiers de Notes Documentaires ND 1913. No. 150. INRS, Paris, pp. 79–86.
Lacore, J.P., 1993b. Le Principe d’Intégration de la Sécurité et de la Norme EN 292. Journées CETIM des
14 et 15 Décembre 1993 sur la ‘‘Sécurité des Equipements de Travail: Les Nouvelles Règles Techniques
Européennes et leur Transposition en Droit Français’’. Senlis, pp. 85–90.
Lemoigne, J.L., 1994. La Théorie du Système Général, Théorie de la Modélisation. PUF. 4 ed. Paris.
Lhoste, P., 1994. Contribution au Génie Automatique: Concepts, Modèles, Méthodes et Outils. Habilitation à Diriger des Recherches, Univ. Nancy-I.
Mayer, A., Ciccotelli, J., Marsot, J., 1998. Contribution of a Research Laboratory to the Design of Safe
Machinery. Safety by Design European Conference, Manchester, UK.
Malhotra, A., Thomas, J.C., Caroll, J.M., Miller, L.A., 1980. Cognitive processes in design. International
Journal of Man Machine Studies 12, 119–140.
Meinadier, J.P., 1998. Ingénierie et Intégration des Systèmes. Hermes, Paris.
Neboit, M., Fadier, E., Poyet, C., 1993. Analyse Systémique et Analyse Ergonomique, Application Conjointe à la Reconception d’une Cellule Robotisée d’usinage. NS 0100. INRS, Paris.
New Approach, 2000. Web Site on the New Approach Standardisation in the European Internal Market.
Available: http://www.newapproach.org.
Rösner, D., Grote, B., Hartmann, K., Höfling, B., 1997. From natural language documents to sharable
product knowledge: a knowledge engineering approach. Journal of Universal Computer Science 3 (8),
955–987.
Sabah, 1990. L’Intelligence Artificielle et le Langage. Vol. 1—Représentations des Connaissances.
Hermès.
Sharp, J.K., 1998. Is it still a requirement if the subject matter expert didn’t tell the analyst? Journal of
Conceptual Modeling. Available: http://www.inconcept.com/JCM/August1998/sharp.html.
ter Hofstede, A.H.M., van der Weide, Th.P., 1993. Expressiveness in conceptual data modelling. Data and
Knowledge Engineering 10 (1), 65–100.
ter Hofstede, A.H.M., Proper, H.A., van der Weide, Th.P., 1997. Exploiting fact verbalisation in conceptual information modelling. Information Systems 22 (6/7), 349–385.
Toussaint, Y., 1992. Méthodes Informatiques et Linguistiques pour l’Aide à la Spécification de logiciel.
PhD thesis. Computer specialty. Univ. P. Sabatier, Toulouse.
van Bommel, P., ter Hofstede, A.H.M., van der Weide, T.P., 1991. Semantics and verification of Object-Role Models. Information Systems 16 (5), 471–495.
van Gheluwe, J.P., 1993. La directive machines. Journées CETIM des 14 et 15 Décembre 1993 sur la
Sécurité des Equipements de Travail: Les Nouvelles Règles Techniques Européennes et Leur Transposition en Droit Français. Senlis, pp. 5–13.
Vink, D., 1995. La Connaissance: ses Objets et ses Institutions in Connaissances et Savoir-faire en
Entreprise. Hermès.
Wintraecken, J.J.V.R., 1990. The NIAM Information Analysis Method. Theory and Practice. Kluwer
Academic Publishers, Netherlands.
Yunker, 1993. The dependency between Representation and Procedure. NIAM-ISDM Conference.
Working Papers. Utrecht (the Netherlands).