Safety Science 41 (2003) 241–261
www.elsevier.com/locate/ssci

Formalisation of normative knowledge for safe design

Jean-Christophe Blaise a,*, Pascal Lhoste a, Joseph Ciccotelli b

a CRAN (Research Centre for Automatic Control), University of Nancy, BP 239, F54 506, Vandoeuvre Les Nancy Cedex, France
b INRS (National Research and Safety Institute), Avenue de Bourgogne, BP 27, F54 501, Vandoeuvre Les Nancy Cedex, France

Accepted 18 December 2001

Abstract

This paper presents a formal methodology for modelling the knowledge included in safety standards. The use of the NIAM/ORM method addresses the problem of imprecise semantics and the misinterpretation introduced by the use of natural languages. It also allows a formal model of the knowledge to be produced. This formalisation is a necessary step in order to exploit the knowledge efficiently, but is not sufficient in itself. So, we propose to restructure the normative knowledge, basing this restructuring on a generic structure of engineering views. This multi-criterion approach allows the designer to use standards much more easily in this form than in their current textual expression. Furthermore, the resulting formal model of a standard can be implemented. This implementation results in the production of a Computer Aided Safety Standards Application for design (CASSA) tool. This tool allows various application scenarios, all included in the safety knowledge model, to be analysed through specific user-oriented interfaces depending on each user’s objective. Nevertheless, the implemented model of the safety knowledge is independent and unique with regard to these scenarios. In so doing, our contribution can concern users other than machine designers, such as valuers, standardisation experts or teachers, as well as relate to other areas dealing with standards such as the environment, toy industry, etc. © 2002 Elsevier Science Ltd. All rights reserved.
Keywords: Safety; Standards; NIAM/ORM; Natural language; Modelling; Machine design; Integration

* Corresponding author. Tel.: +33-3-83-50-20-00; fax: +33-3-83-50-21-03. E-mail address: [email protected] (J.-C. Blaise).

0925-7535/02/$ - see front matter © 2002 Elsevier Science Ltd. All rights reserved. PII: S0925-7535(02)00004-8

1. Introduction

The main objective of this paper is to present a methodology for knowledge modelling that aims at the safe design of Machinery and Production Automated Systems (MPAS). This aim is directly related to research in automation engineering (Lhoste, 1994) and in system safety (Mayer et al., 1998; Fadier and Ciccotelli, 1999). In particular, it concerns the inclusion of the knowledge and know-how (which consists of knowledge application procedures) related to safety throughout the automation life cycle, especially in the first steps of this cycle (van Gheluwe, 1993). In terms of automation engineering, this methodology aims at improving the quality of the resulting automated systems by gathering the technical automation views and safety rules (Lacore, 1993a; Council directive, 1998). These safety rules are often considered very late (even too late) in the design process, in conjunction with informal approaches. That often leads to interpretations of normative texts, subjective choices, etc. From this point of view, the lack of a computer aided tool is a significant problem; such a tool could be used when designing MPAS to support safety aspects. Furthermore, safety should be considered as a systematic and specific part of the technical requirements (Fig. 1) rather than as a low-priority constraint (Jouffroy et al., 1998). With respect to safety, this paper aims to formalise the technical and legislative frameworks included in the safety standards, and to define their relationships with developments in technical automation.
The problem is how to apply the technical regulations and the rules of the “Safety of Machinery” standards during the MPAS specification and design phases. Moreover, this exploitation of knowledge must be coherent with the other automation design constraints. In particular, just as the automation engineering process requires models to support the automation (Denis and Lesage, 1995), the engineering of safe systems should use models of the safety standards (Blaise et al., 1999a). Hence, we present Safe Design as a link between Safety and Design. In particular, we show how the legislation and the associated standardisation process can be considered as a link between the design of a machine and its future use (Boudillon and Sourisse, 1996). However, the increasing number of standards and the difficulties that users, and even designers, of standards experience in mastering the resulting complexity are at odds with such a relationship. This demonstrates that the means of controlling this complexity must be available. As in the field of MPAS design, methods and models must be used to apply the knowledge included in safety standards. In this respect, we propose to use the Nijssen Information Analysis Method (NIAM; Habrias, 1988; Wintraecken, 1990), also known as Object Role Modelling (ORM; Halpin, 1998), which allows any text expressed in a natural language to be formalised. Aiming at the integration of the resulting formal knowledge into machine design, we show that this modelling is insufficient, and we define a common structure in order to link the technical points of view produced by the design and those of a normative nature. Finally, we illustrate the interest of this approach by a partial model of a standard, specific to a class of machines, and by a few examples of its use during the design of such a machine.

Fig. 1. From safety and design to safe design.
As this paper includes NIAM/ORM models and their translation into Binary Natural Language (BNL), we would advise readers unfamiliar with this technique to refer to the short presentation of this formalism in the Appendix.

2. Definition of the safe design problem

Each design activity should lead to a safe machine. To achieve this, the designer must be familiar with all the safety aspects and standards related to the machine class. However, it is difficult for a designer to master all the knowledge regarding safety at the same time as all the technical knowledge required by the machine design. This is reinforced by differences in the content of these two types of knowledge. In fact, designers consider safety as a complementary skill that must be incorporated once the technical development has been completed. Nevertheless, this relationship between the designer and safety could be improved if the technical and safety levels of expression were refined on the same basis and with an explicit conformity, in order to make both safety knowledge and know-how more explicit (Vink, 1995) and easier to use. This refinement would contribute to integrating safety and design into a coherent safe design by taking into account all the foreseeable risks incurred by the future users, and to assuring risk prevention not only by safeguarding but also by a more adequate design. With this in mind, we propose to gather the technical and safety views of a machine by considering the relationships between the machine, the designer and the end user.

2.1. Relationships between machine, designer and user of machine

In a basic approach, there is no direct relationship between the designer and the user except the link with the same object, namely the machine. For many years, the only thing bonding them was the fact that the design restricted exploitation (Lacore, 1993b). However, the in situ use of a machine frequently differs from the foreseen one: what happens is not always what was predicted.
The design may well respond to some of the needs expressed by users but does not always live up to their expectations! One of the first solutions is a closer integration of the user’s needs into the design activities. In this way, users must be involved in the design process or, more exactly, they have to provide exploitation feedback towards the design (Neboit et al., 1993). Nevertheless, this feedback often occurs very late in the design life cycle, leading to modifications of the machine or, at least, to partial redesign of the machine. Early feedback aims to integrate the needs of the user during the preliminary design.

2.2. Relationships based on requirements

Designers want to integrate the needs of their customers through their involvement in the requirement drafting (Malhotra et al., 1980). In this way, a Designer/User of machine relationship is established (Fig. 2). This relationship helps the integration of user expectations into the design process, meaning that the number of potential errors can be reduced as these expectations are stated at the outset. However, such a relationship is not sufficient in itself to ensure a direct connection between the exploitation and machine design areas.

2.3. Relationship based on experience feedback

Because the joint formulation of requirements is not sufficient, engineering and design departments use direct feedback from the application field. This permits a better integration of the real machine exploitation conditions and a clearer understanding of design errors, resulting in an improved integration of user expectations throughout the design process (Corbel, 1995; Fig. 3). In reality, as this experience feedback is an integral part of the design, this activity is not clearly identifiable.
In fact, it allows the designer to detect recurring errors with a view to capitalising on the corrections (Hasan et al., 2000) in order to take them into account in each new machine design. These activities show us that the designer wishes to integrate the constraints detected by exploitation as early as possible in the design process (Cantin, 1995).

2.4. Relationship based on European legislation

It can be seen that requirements and experience feedback establish two types of informal relationships between design activity and exploitation. The legislation has formalised this connection between designers and users by the introduction of directives which define a legislative framework between what the designer must produce and what the user expects, by establishing safety constraints on products. The harmonisation work relative to the legislative and regulatory texts is based today on the “New Approach” directives (Council directive, 1998; New Approach, 2000), which do not lay down precise technical specifications but impose only very general requirements, the so-called “Essential Requirements”. However, in spite of the emergence of this “new” concept of legislation, designers still have to integrate the requirements contained in the directives into their machinery design activities. These directives state overall objectives without specifying how they should be achieved. The harmonised standards serve as a guide for the application of the European directives and as a reference for the design of products, however without constituting intangible constraints.

Fig. 2. Partial ORM model of the relationship between designer and user by the requirements, and the partial model translation into BNL.

Fig. 3. Partial ORM model of the relationship between designer and user by experience feedback, and the partial model translation into BNL.
Once again, this is not enough to obtain an easy integration of these regulations, because safe design means finding technical solutions that satisfy the objectives of the standards (Fig. 4).

3. The normative framework relative to the safety of machinery, and its evolution

3.1. The concept of standard: definition (ECS, 1998a)

Standard: Document established by consensus and approved by a recognised body, that provides, for common and repeated use, rules, guidelines or characteristics for activities or their results, aimed at the achievement of the optimum degree of order in a given context.

In fact, the contents of standards can be statements, instructions, recommendations or requirements. The application of standards is not obligatory, and standards do not constitute regulations. Within the new approach framework, the harmonised standards serve as a guide for the application of the European directives and, as defined in Article 5(2) of the directive:

When a national standard transposing a harmonised standard, the reference for which has been published in the Official Journal of the European Communities, covers one or more of the essential safety and health requirements, a product constructed in accordance with this standard shall be presumed to comply with the relevant essential requirements.

Fig. 4. Partial NIAM/ORM model of the relationships between Legislation, Standardisation, Designer and User, and the partial model translation into BNL.

3.2. Characteristics of the standardisation framework

The standardisation authorities formulate technical specifications through multiple texts such as group safety standards (type B standards) and machine safety standards (type C standards). These standards are based on the fundamental safety standards (type A standards) such as the EN 292 standard (ECS, 1991).
The framework and organisation of the standards are based on these concepts of horizontal standards and vertical standards (Fig. 5). This representation of the standardisation framework shows the complexity of the interactions existing between the various standards. In addition to this complexity, another characteristic feature of the standardisation framework is its volume. Currently 100 horizontal standards and 177 vertical standards have been drawn up by different Technical Committees (TC), with the following distribution (New Approach, 2000): 30 standards on safety of machinery, three standards on electrotechnical aspects, one standard on lighting, 16 standards on vibration, 26 standards on noise, 15 standards on ergonomics, and nine standards on explosive atmospheres. The 1997–1998 ECS annual report (ECS, 1998b) specifies that, of a total of 840, 80% will be published within three years, whereas currently only 164 have been published in the Official Journal of the European Communities. In addition, the commission for occupational health, safety and standardisation (KAN(1)) has published the following progress report on standards (Fig. 6) for the 1992–2004 period.

Fig. 5. Horizontal standards distribution in CEN [CEN: European Committee of Standardisation (ECS)] and CENELEC [CENELEC: European Committee of Electrotechnical Standardisation (ECES)].

3.3. Users of the standardisation framework

The changes in the standardisation process relative to the safety of machinery, as presented by Lacore (1993b), show clearly the full expansion of this field, which justifies a significant effort such as the one presented in our contribution. Apart from designers, other categories of users, who also have problems interpreting the rules and dealing with the quantity of information, are concerned by the standardisation framework.
They include: normative experts and standards makers within the ECS and ECES, teachers who use the standardisation framework as the basis of safety training courses for students and industry, and machine valuers and certifiers.

(1) Kommission Arbeitsschutz und Normung (http://www.kan.de).

Fig. 6. Evolution of the “safety of machinery” standards.

In fact, everyone concerned with the standardisation framework has the common problem of mastering this normative knowledge, even though each requires a specific form of presentation. In order to solve this general problem, the formalisation of the normative knowledge is proposed.

4. Eliciting, formalising and exploiting safety knowledge

As in any creative activity, safe design requires the application of knowledge. Concerning the global design activity of a complex system, all the necessary knowledge is distributed between various experts. In order to contribute to the design objective, knowledge must be shared and integrated by its future users (Rösner et al., 1997; Beeckman, 1993). This integration implies communication and knowledge sharing, which involves the use of explicit knowledge expressed in a universal and comprehensible language in order to be understood by the expert, the user and the elicitor (Firlej, 1990). The following section defines more precisely the links between the people involved in this common reference platform, namely knowledge. We can note that, as far as safe engineering is concerned, the user of the normative knowledge is the designer. However, we have shown in the previous section that there are other potential users of normative knowledge. All that we say about the designer also concerns the other users of standards.

4.1. People involved in using knowledge

The expert and the designer, who is the user of the normative knowledge, should have the same common knowledge.
In fact, the user exploits implicit and informal knowledge whereas he needs explicit and formal knowledge. So, the knowledge produced by the expert must be made more explicit by identifying the different meanings of this knowledge. To reach this goal, an intermediate and independent actor, the elicitor, is required to extract the knowledge objectively and to ensure that it corresponds to the needs of the designer. The elicitor is not an expert in the area of the knowledge application and is therefore able to absorb knowledge without personal subjective interpretation (Sharp, 1998). In order to perform this extraction and to refine the relevant areas of the entire available knowledge, he needs to use a knowledge acquisition method and the assistance of the expert. Furthermore, the elicitor needs to check the coherence(2) and the completeness(3) of the extracted knowledge, which implies the use of knowledge modelling and formalisation techniques (Yunker, 1993). The aim of these operations is to ensure the coherence through formal rules and to ensure the completeness of the knowledge, for a given context, contained in the model (van Bommel et al., 1991). The designer, as well as other actors, can then exploit this formal knowledge by using the resulting model. However, this model is not very convenient for efficient exploitation of the knowledge included in it, and it has to be processed to become more usable.

4.2. The processing of knowledge

These actors are involved in three knowledge-related processes: acquisition, formalisation and exploitation. The partial model presented in Fig. 7 shows the interaction between the actors, the knowledge itself, and the knowledge model defining the scope of each process.

4.2.1. Eliciting safety knowledge from the standards

In our case study, knowledge is formulated within the reference sources, namely standards.
As shown in Section 3, standards are in reality a consensus reached after a long drafting procedure during which the experts extract the knowledge and know-how. Nevertheless, only a part of all this knowledge is explicitly used as reference knowledge in the resulting standards. In order to have a clear understanding of all the knowledge contained in the standards, the elicitor needs to analyse the texts (the reference sources containing the reference knowledge) and to complement them by interactions with experts aimed at acquiring their know-how. To succeed in this elicitation process and to ensure the coherence and the completeness of all knowledge expressions, it is necessary to alternate this process with the formalisation one. Indeed, these properties can only be verified using a formal model (ter Hofstede and van der Weide, 1993).

4.2.2. Formalising safety knowledge

The NIAM/ORM method (Fig. 8) is employed to formalise the knowledge contained in the standards. There are several reasons for using NIAM/ORM. The first one is its ability to support both the elicitation and the formalisation processes by guiding the elicitor from the identification of implicit knowledge to the modelling of explicit knowledge. The second reason is that this method is based on a linguistic analysis of a Universe of Discourse (UoD: a delimited field) described in natural language expressions. This analysis requires the identification and the expression of elementary sentences which contain the whole knowledge about the application area. As previously stated, the associated refinement technique of these sentences allows the expressed knowledge to be supplemented with the unexpressed one.

(2) The extracted knowledge is correct (Sabah, 1990).
(3) The user can exploit the whole knowledge he needs (Sabah, 1990).

Fig. 7. NIAM/ORM model of knowledge processes and actors, and the partial model translation into BNL.
The identification of the relations between two objects, in the active and passive forms, and the identification of the constraints imposed on these relations are essential to clarify the knowledge. Thus, the possible lack of knowledge (Toussaint, 1992) is completed and the inaccuracies of the initial expression are eliminated. The result of this analytical method is a formal model using the NIAM/ORM formalism (cf. Appendix). This model, represented in the form of a draft diagram, can then be verbalised in BNL without losing any semantics. To avoid misinterpretation, a UoD expert can perform, or at least check, this verbalisation, and in so doing validate the model (ter Hofstede et al., 1997; Sharp, 1998). Furthermore, some algorithms can transform the resulting conceptual model in order to map it into a logical model, which allows a relational database system to be created. This method is used mainly for mapping the conceptual and logical levels in order to implement information systems (ITS, 1991). Unfortunately, it is used less often for its ability to elicit and formalise information.

4.2.3. Exploiting safety knowledge

The availability of a formal model of the safety knowledge modifies the relationship between designers and standards (Fig. 9). First, the model includes more coherent knowledge because it has been verified by the application of the rules associated with the formal model and validated by experts. Secondly, the model is more complete than the initial knowledge described in the texts of standards, through the transformation of implicit know-how into explicit knowledge. Finally, it is possible to use this model to generate a database which implements the knowledge with no loss of semantics. The model and its application are independent of any specific design.

Fig. 8. NIAM elicitation and formalisation processes.
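Section 4.2.2 describes a pipeline: elementary binary sentences with an active and a passive reading, constraints on those relations, verbalisation of the diagram without loss of semantics, a coherence check of the population, and an algorithmic mapping of the conceptual model to a logical (relational) model. The Python below is an added example that walks through that pipeline on a toy fact type; it is not code from the paper or from the CASSA project. The sentence patterns used for verbalisation are an assumption of this example (the paper's BNL conventions are in its Appendix, not reproduced here), the relational mapping is a simplified Rmap-style rule, and the sample fact type and population are constructed.

```python
import sqlite3
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Role:
    """One role of a binary fact type, with the ORM constraints drawn on it."""
    object_type: str         # e.g. "Designer"
    unique: bool = False     # uniqueness constraint: an instance plays the role at most once
    mandatory: bool = False  # mandatory-role constraint: every instance plays the role


@dataclass(frozen=True)
class FactType:
    """A binary fact type (an elementary sentence type) with both readings."""
    active: str    # reading from the first to the second role, e.g. "designs"
    passive: str   # reading from the second to the first, e.g. "is designed by"
    first: Role
    second: Role


def verbalise(ft):
    """Verbalise the fact type and its constraints as binary sentences.
    The sentence patterns are an assumption of this example, not the paper's BNL."""
    a, b = ft.first, ft.second
    lines = [f"{a.object_type} {ft.active} {b.object_type}.",
             f"{b.object_type} {ft.passive} {a.object_type}."]
    for role, other, verb in ((a, b, ft.active), (b, a, ft.passive)):
        if role.mandatory and role.unique:
            lines.append(f"Each {role.object_type} {verb} exactly one {other.object_type}.")
        elif role.mandatory:
            lines.append(f"Each {role.object_type} {verb} at least one {other.object_type}.")
        elif role.unique:
            lines.append(f"Each {role.object_type} {verb} at most one {other.object_type}.")
    return lines


def violations(ft, facts, population):
    """Check a population against the constraints of the fact type.
    facts: (first, second) instance pairs; population: {object type: set of instances}.
    Returns a list of messages, empty when the population is coherent."""
    found = []
    for idx, role in ((0, ft.first), (1, ft.second)):
        partners = defaultdict(set)
        for fact in facts:
            partners[fact[idx]].add(fact[1 - idx])
        if role.unique:
            found += [f"{role.object_type} '{k}' plays the role more than once"
                      for k in sorted(partners) if len(partners[k]) > 1]
        if role.mandatory:
            found += [f"{role.object_type} '{k}' does not play the role"
                      for k in sorted(population[role.object_type] - set(partners))]
    return found


def to_sql(ft):
    """Map the fact type to a relational table (a simplified Rmap-style rule).
    A role carrying a uniqueness constraint is absorbed as a column of its object
    type's table; without one the fact type becomes its own table keyed by both roles."""
    a, b = ft.first, ft.second
    ta, tb = a.object_type.lower(), b.object_type.lower()
    for owner, to, tt in ((a, ta, tb), (b, tb, ta)):
        if owner.unique:
            null = "NOT NULL" if owner.mandatory else "NULL"
            return (f"CREATE TABLE {to} ({to}_id TEXT PRIMARY KEY, "
                    f"{tt}_id TEXT {null} REFERENCES {tt}({tt}_id));")
    name = f"{ta}_{ft.active.replace(' ', '_')}_{tb}"
    return (f"CREATE TABLE {name} ({ta}_id TEXT REFERENCES {ta}({ta}_id), "
            f"{tb}_id TEXT REFERENCES {tb}({tb}_id), PRIMARY KEY ({ta}_id, {tb}_id));")


def ddl_is_valid(ddl):
    """Execute the generated DDL against an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute(ddl)
    finally:
        conn.close()
    return True


# Constructed sample in the spirit of the designer/machine relationships of Section 2:
# every machine is designed by exactly one designer, every designer designs a machine.
DESIGNS = FactType("designs", "is designed by",
                   Role("Designer", mandatory=True),
                   Role("Machine", unique=True, mandatory=True))
# Constructed population that breaks both constraints (D3 idle, M2 designed twice).
FACTS = [("D1", "M1"), ("D1", "M2"), ("D2", "M2")]
POPULATION = {"Designer": {"D1", "D2", "D3"}, "Machine": {"M1", "M2"}}

if __name__ == "__main__":
    print("\n".join(verbalise(DESIGNS)))
    print(violations(DESIGNS, FACTS, POPULATION))
    print(to_sql(DESIGNS), ddl_is_valid(to_sql(DESIGNS)))
```

The point of `violations` is the coherence check the elicitor performs before the model is trusted: a uniqueness bar and a mandatory dot in the diagram are only meaningful once they are evaluated against actual facts. `to_sql` shows why the conceptual model, not the relational schema, is the reference: the same fact type with the uniqueness constraint on the other role would be absorbed into a different table, while the verbalised sentences stay the same.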
To establish a relationship between a specific type of designer and the model (or its application), it is necessary to take into account the requirements of the designer by defining specific interfaces. These interfaces aim at presenting the knowledge to the designer in a suitable form and at applying particular scenarios compatible with the objectives of the designer.

4.3. Towards the safe design of machinery

An initial experiment using this formal approach (Blaise et al., 1999a) on a “type A” standard (fundamental safety standard, applicable to all machinery) has shown the feasibility and the interest of knowledge analysis and formalisation in this field. Nevertheless, this type of standard contains information that is too general to be directly and efficiently used during the design of a specific machine. Therefore, we have chosen a “type C” standard, which is dedicated to a particular class of machines, and which is more relevant to users concerned by the design of the machine. A “type C” standard takes into account the different hazards related to a machine, but it does not cover the “genetic” characteristics of the machine (i.e. its engineering) in sufficient detail. From this point of view, our work is an alternative to the structuring approaches based on hazard (ECS, 1992). Indeed, our goal is to promote the application of safety rules as early as possible in, and throughout, the design process. In this respect, a text structured only by “type of risk” limits this integration.

Fig. 9. Partial NIAM/ORM model of knowledge exploitation, and the partial model translation into BNL.

It is for this reason that we propose to re-structure the safety knowledge according to the structure of the machine and its engineering. First, the re-structuring of standards aims at finding equivalent semantic levels between the standard views and the machine views.
The different types of significant machine views can be identified from two points of view (Lemoigne, 1994): from a genetic or engineering viewpoint (how is the machine built?) and from an ontological or technical viewpoint (what is the machine?). Secondly, the same identification must be carried out with regard to the relevant safety information contained in the machinery standard. This approach leads to “dissecting” a machine and its related standard using the same criteria, in order to be able to compare them semantically and to match their respective definitions.

4.3.1. Technical standpoint

The first viewpoint is based on the examination of the machine structure. Each automated machine can be represented by a system divided into two parts: the Control part and the Operative part. In “Annex A”, the EN 292 standard proposes a general schematic representation of a machine, as shown in Fig. 10. This chart shows the links between these two parts and their different components. The human and environmental parts, represented by the “Operator–Machine Interface”, and a representation of the “guards” and “safety devices” aimed at making the machine safer can also be distinguished. This machine structuring can also be observed throughout the entire “Safety of Machinery” standardisation framework itself. Indeed, as presented in Section 3, standards are divided into three categories: “type A” and “type B” standards related to all machinery, and “type C” standards related to a particular machine. If a machine is considered in relationship to its own standard (“type C”), some components of this machine fall within the scope of other standards (“type B”).
The new standardisation approach, introducing “horizontal” standards (related to all machinery) and “vertical” standards (providing detailed safety requirements for a particular machine or a group of machines) (Lacore, 1993b), reinforces the compatibility between the technical standpoint of a machine and its different standards. So, the chart in Fig. 10 serves as our technical viewpoint reference.

Fig. 10. General schematic representation of a machine (from the EN 292-1 standard, Annex A).

4.3.2. Engineering standpoint

The second viewpoint is based on the engineering views of a machine. We now focus on “how the machine has been built”, in order to identify the different views emerging from the engineering of the machine. Basically, a machine is built to ensure a number of functions, each performed by certain organised actions defining a specific behaviour applied to the resources and components employed within a technological structure. Finally, we can propose a partial definition of a machine by its functional, behavioural, structural and technological views (Lhoste, 1994). Likewise, “type C” standards introduce safety rules with Functional viewpoints (what functions should be ensured in order to make the machine safer), Behavioural viewpoints (what behaviour should be respected or prohibited), Structural viewpoints (what components should be located in a certain place) or Technological viewpoints (what components should be of a certain type). We can illustrate these viewpoints by the following examples of standard requirements:

Functional viewpoint: a press may have a manual feed or removal.
Behavioural viewpoint: initiation of the stroke of the slide shall be prevented until the guard gate is closed.
Structural viewpoint: the provided guards and protective devices shall interface with the control system of the press.
Technological viewpoint: all shaft position switches controlling the slide movement shall be of electro-mechanical type.

4.3.3. Synthesis of these standpoints

This approach, however, is not comprehensive enough to take into account the close relationships that exist between the different engineering aspects. In fact, each component has its own engineering views, whereas the machine, which contains all these components, also has its own views, which may be different, as shown in Fig. 11. Similarly, certain paragraphs contained in the standards are dedicated to a certain kind of component, whereas others describe the interaction between the components and their characteristics. This approach allows identical knowledge to be identified in the standards and in the engineering process.

4.3.4. Application of the multi-viewpoint approach to the EN 692 Standard

In order to illustrate the interest of such a structuring approach, it was applied to a “Mechanical Press” machine and its corresponding standard (Blaise et al., 1999b), namely EN 692 (ECS, 1996). First, we showed the correspondence between the different parts of the standard relative to presses and the different parts of the general schematic description of a machine. Then, on the basis of the different types of mechanical presses within the standard, we showed the correspondence between the engineering views of the machine and the engineering views incorporated in the standard. These different types can be classified according to the different engineering views previously identified, as in Fig. 12. This figure shows a partial formalisation of these concepts and a number of constraints detailed in the EN 692 standard. It also shows an example of the restructuring approach with three engineering views: functional, behavioural and technological views. Certain constraints relative to these points of view are outlined.
For example, the exclusion constraint (symbolised by “X” and referenced by in Fig. 12) between a press using a single cycle production mode and a press operating in an automatic feed or removal mode is an illustration of an obligatory constraint which must be considered during the design of the press. A functional choice (for instance, a press with automatic feed or removal) implies a behavioural choice (in this case, a single cycle mode of production is forbidden). Finally, we formalised the relationships between the “press” standard and its corresponding normative references. The complexity of the standardisation framework is very difficult for designers to master, as they can easily get lost in this maze of standards. The EN 692 standard encompasses about 30 standards. These normative references are listed in the different paragraphs of the EN 692 standard. The sentences referring to the normative references can be formalised in order to propose a formal view of these relationships, as shown in Fig. 13. This model describes more clearly the different links between the EN 692 standard and other standards, indicating the main characteristics and constraints to be considered during the design of a press.

Fig. 11. A machine contains features of its engineering.

Fig. 12. Partial NIAM/ORM model of different types of presses.

5. Towards a computer-aided safety standard application for design

The formalisation of normative knowledge represents the “heart” of our contribution and also the basis of a future software tool. However, it is necessary to provide interfaces to guide designers throughout their engineering activities by allowing access to the correct normative information at the right time.
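To make the restructuring of Sections 4.3.2 and 4.3.4 concrete, here is an added Python example (not code from the paper or from the CASSA prototype) in which the four viewpoint requirements quoted above are tagged by engineering view and by machine part, the exclusion constraint of Fig. 12 and the technological requirement are encoded as formal rules, and a candidate press design is checked against them. The clause references, the mapping of requirements to machine parts and the feature-level reading of the technological rule are assumptions of this example; the `predicate` filter stands in for the user-configurable views that Section 5 calls for.

```python
from dataclasses import dataclass
from enum import Enum


class View(Enum):
    """The four engineering viewpoints used to restructure a type C standard."""
    FUNCTIONAL = "functional"
    BEHAVIOURAL = "behavioural"
    STRUCTURAL = "structural"
    TECHNOLOGICAL = "technological"


@dataclass(frozen=True)
class Requirement:
    """One normative sentence, tagged with the engineering view it expresses and
    the part of the machine (technical viewpoint) it concerns."""
    ref: str     # placeholder identifier, not a real EN 692 clause number
    view: View
    part: str
    text: str


@dataclass(frozen=True)
class Rule:
    """A formal constraint between two design features.
    'excludes': a design may not exhibit both features (the ORM exclusion constraint);
    'requires': a design exhibiting the first feature must also exhibit the second."""
    kind: str
    first: str
    second: str
    source: str


# Constructed sample: the four viewpoint examples quoted in Section 4.3.2,
# with placeholder references and an assumed mapping to machine parts.
REQUIREMENTS = [
    Requirement("F-1", View.FUNCTIONAL, "operative part",
                "a press may have a manual feed or removal"),
    Requirement("B-1", View.BEHAVIOURAL, "control part",
                "initiation of the stroke of the slide shall be prevented "
                "until the guard gate is closed"),
    Requirement("S-1", View.STRUCTURAL, "guards",
                "the provided guards and protective devices shall interface "
                "with the control system of the press"),
    Requirement("T-1", View.TECHNOLOGICAL, "control part",
                "all shaft position switches controlling the slide movement "
                "shall be of electro-mechanical type"),
]

# Constructed rules: the first encodes the exclusion constraint of Fig. 12; the
# second is a feature-level reading of requirement T-1 (an assumption of this example).
RULES = [
    Rule("excludes", "automatic feed or removal", "single cycle production mode",
         "Fig. 12 exclusion constraint"),
    Rule("requires", "shaft position switch", "electro-mechanical switch", "T-1"),
]


def restructure(requirements, view=None, part=None, predicate=None):
    """Present the standard from one engineering view and/or for one machine part.
    `predicate` is an arbitrary user-defined filter, standing in for the
    configurable user views of Section 5."""
    return [r for r in requirements
            if (view is None or r.view == view)
            and (part is None or r.part == part)
            and (predicate is None or predicate(r))]


def check_design(features, rules):
    """Evaluate a design, given as the set of features it exhibits, against the
    rules; returns the violated rules (an empty list means the design conforms)."""
    violated = []
    for rule in rules:
        if rule.kind == "excludes" and {rule.first, rule.second} <= features:
            violated.append(rule)
        elif rule.kind == "requires" and rule.first in features and rule.second not in features:
            violated.append(rule)
    return violated


def explain(rule):
    """Verbalise a violated rule for the designer."""
    return f"'{rule.first}' {rule.kind} '{rule.second}' ({rule.source})"


if __name__ == "__main__":
    # A constructed press design that breaks both rules.
    design = {"automatic feed or removal", "single cycle production mode",
              "shaft position switch"}
    for r in restructure(REQUIREMENTS, part="control part"):
        print(f"[{r.view.value}] {r.ref}: {r.text}")
    for rule in check_design(design, RULES):
        print("violation:", explain(rule))
```

The functional choice of automatic feed or removal is what makes the single cycle production mode a violation, which is exactly the cross-view implication the paper draws from Fig. 12: a rule evaluated over the whole feature set catches it, whereas reading the standard by type of risk, or one view at a time, would not.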
In fact, the approach outlined in this paper, restructuring the contents of standards according to functional, behavioural, structural and technological viewpoints, must be considered as a particular example of such an interface configuration. Despite attempts to model (Meinadier, 1998; Harani, 1998) or to standardise design activities (IEEE, 1998), each engineering company, and even each designer, has its own engineering procedure producing specific viewpoints. Furthermore, although our main aim is to help machine designers, other users are also concerned: standardisation experts, valuers, teachers, etc. All have their own requirements and viewpoints on normative knowledge. With the intention of developing a Computer Aided Safety Standard Application (CASSA) tool, it is necessary to define a configurable interface allowing every user of the safety knowledge to configure his own viewpoints in order to restructure the normative knowledge in relation to his individual needs.

Fig. 13. NIAM/ORM model of a press and its matching normative references.

The principle of this configuration can be represented as a supplement to the safety standard model by typifying each item of safety knowledge according to the types of user views (Fig. 14). On the basis of such an ORM model, the development of the corresponding relational database and the associated user interface is facilitated by the use of a Software Engineering environment, such as Visio Modeler™ [4] or ISW™ [5] (Fig. 15). This approach has been applied to the EN 692 standard, on the basis of its NIAM/ORM model and including the input brought by experts in mechanical presses. The development of the corresponding database and an interface prototype are now in progress. A card-index of standards models allows their manual exploitation and serves as a guide to develop CASSA interfaces in HTML–JAVA.
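The following is an added illustration, not the paper's CASSA prototype nor the EN 692 model: it encodes the two constraints quoted on this page (the exclusion between single cycle mode and automatic feed or removal, and the electro-mechanical requirement on slide-controlling switches) as view-tagged fact types, checks a press design against them, and filters the facts by engineering view as the configurable interface would. All names, the view labels and the scenario are assumptions for illustration.

```python
"""Constraint check over a NIAM/ORM-style fact model of a mechanical press.
Added example (not the paper's CASSA tool); the two constraints are those
quoted on the page, all names and the scenario below are assumptions."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class FactType:
    """A fact type, tagged with the engineering view it belongs to (Section 4.3)."""
    name: str
    view: str  # functional | behavioural | structural | technological


# Fact types taken from the page's EN 692 discussion (labels are ours).
AUTOMATIC_FEED = FactType("press has automatic feed or removal", "functional")
SINGLE_CYCLE = FactType("press uses single cycle production mode", "behavioural")

# Exclusion constraint ("X" in Fig. 12): the two fact types may not both hold.
EXCLUSIONS = [(AUTOMATIC_FEED, SINGLE_CYCLE)]
# Technological requirement: every slide-controlling switch is electro-mechanical.
REQUIRED_SWITCH_TYPE = "electro-mechanical"


@dataclass
class Press:
    facts: set[FactType] = field(default_factory=set)     # unary facts asserted
    switch_types: list[str] = field(default_factory=list)  # one per slide switch


def check(press: Press) -> list[str]:
    """Return the violated constraints; an empty list means the design conforms."""
    violations = []
    for a, b in EXCLUSIONS:
        if a in press.facts and b in press.facts:
            violations.append(f"exclusion: '{a.name}' and '{b.name}' cannot both hold")
    for i, kind in enumerate(press.switch_types):
        if kind != REQUIRED_SWITCH_TYPE:
            violations.append(f"switch {i}: '{kind}' is not {REQUIRED_SWITCH_TYPE}")
    return violations


def facts_for_view(press: Press, view: str) -> set[FactType]:
    """Restructuring by viewpoint: the press's facts seen from one engineering view."""
    return {f for f in press.facts if f.view == view}


if __name__ == "__main__":
    # Constructed scenario: automatic feed AND single cycle mode, one non-conforming switch.
    design = Press({AUTOMATIC_FEED, SINGLE_CYCLE}, ["electro-mechanical", "electronic"])
    for v in check(design):
        print(v)
```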
As the CASSA database results directly from the modelling of the standards, so does the content of its windows (Fig. 16). The next step of this development consists in making this generic interface more specific to user (particularly machine designer) requirements, allowing user-friendly database access similar to the most widely used software packages on the market. The prototype shall put the usual software functionalities, such as online help with hypertext links and search by keywords, at the user's disposal. CASSA shall also propose particular functions aimed at specific users, such as dedicated multimedia tutorials.

[4] Visio Modeler is a product of Microsoft Visio.
[5] ISW is a product of I.T.S. Brussels.

Fig. 14. Principle of the interface configuration for design.

Fig. 15. Development of the Safety Standard database and prototype with a Software Engineering Environment.

6. Conclusion

We have shown that safe design is a complex activity combining the complexity of the design and the complexity of the safety standardisation framework. Designers need new methods and tools to integrate their technical knowledge and the corresponding normative knowledge (Ciccotelli, 1999). This normative knowledge is considered as a common reference that links designers and machine users, and must be formalised to avoid misinterpretation of the usual textual form of standards. In so doing, we have demonstrated the utility of the NIAM/ORM method in constructing a coherent model of normative knowledge based on its expression in natural language. More particularly, we have highlighted the ability of this method to ensure the semantic completeness of the resulting model by taking into account the implicit knowledge identified within the explicit knowledge. However, this demonstration is not enough to use this knowledge efficiently as the formal reference.
With the aim of integrating technical and safety normative knowledge into design activities, it is necessary to apply the same approach to the technical knowledge and to the activities themselves. Despite a number of attempts to formalise and standardise the field of the design process, there is no available and consensual model allowing strong integration with the safety normative models. So, we propose to restructure the safety normative knowledge on the basis of typical views (functional, behavioural, structural and technological). We consider that these views emerge directly from the design process. In fact, this restructuring only corresponds to one specific configuration and allows specific access to the safety knowledge without modifying this knowledge.

Fig. 16. From NIAM model to prototype windows.

Finally, the formal model of the standard can be implemented as a Computer Aided Safety Standards Application tool for design (CASSA). In this tool, the specific requirements of the designer can be entered and processed via configurable interfaces. The construction of these interfaces does not bring the formalisation of normative knowledge into question, as both the normative knowledge and its formalisation are independent of how they are used by designers, valuers and other categories of users. Our approach has been successfully applied to the EN 692 standard. It can be extended to other "type C" standards, even "type B" and "type A" standards, resulting in more consistent and more usable normative knowledge. As our research work is limited to a feasibility study, industrial developments would be necessary to apply our approach to the entire safety standardisation framework.
In our opinion, this approach and the resulting tools can be used efficiently by all those involved in standards (valuers to help their certification procedures, teachers to improve the dissemination of standards, designers of standards themselves to extend existing standards or to create new ones by ensuring the overall coherence of the entire standardisation framework, etc.) or applied in other fields of standardisation (environment, toy industry, etc.).

Appendix. Main ORM symbols and associated signification

References

Beeckman, 1993. Modélisation de l'information dans les systèmes industriels. Ingénierie des systèmes d'information 1 (3), 305–323.
Blaise, J.C., Ciccotelli, J., Lhoste, P., 1999a. Contribution à l'ingénierie sécuritaire des systèmes automatisés de production: formalisation de normes de sécurité. Proceedings of the Safety of Industrial Automated Systems Conference, Montreal, pp. 16–21.
Blaise, J.C., Lhoste, P., Ciccotelli, J., 1999b. Safety of machinery: integration of engineering and normative views. In: Schuëller, Kafka (Eds.), Proceedings of ESREL'99, the Tenth European Conference on Safety and RELiability, Munich-Garching, Germany, 13–17 September 1999. Balkema, Rotterdam, pp. 1411–1416.
Boudillon, L., Sourisse, C., 1996. La sécurité des machines automatisées. Tome 1. Institut Schneider Formation, Cergy-Pontoise.
Cantin, R., 1995. Retours d'expérience de la pratique et maîtrise des procédés industriels. In: Connaissances et savoir-faire en entreprise. Hermès, pp. 229–247.
Ciccotelli, J., 1999. Des systèmes compliqués aux systèmes complexes. Eléments de réflexion pour l'ingénierie de prévention. Cahiers de notes documentaires, Hygiène et sécurité du travail 177 (4), 125–133.
Corbel, J.C., 1995. Méthodologie de retour d'expérience, démarche MEREX de Renault. In: Connaissances et savoir-faire en entreprise. Hermès, pp. 93–110.
Council directive, 1998. Council directive 98/37/EEC. The Approximation of the Laws of the Member States Relating to Machinery. O.J.E.C. No. L 207 of 23 July 1998. ECS, Brussels, pp. 1–46.
Denis, B., Lesage, J.J., 1995. Un panorama de la recherche en conception de la conduite des systèmes de production. Proceedings of the International Industrial Engineering Conference, Productivity in a World Without Borders 3, 1537–1549.
ECS, 1991. EN 292-1. Safety of Machinery—Basic Concepts, General Principles for Design. ECS, Brussels.
ECS, 1992. EN 414. Safety of Machinery—Rules for the Drafting and Presentation of Safety Standards. ECS, Brussels.
ECS, 1996. EN 692. Mechanical Presses—Safety. ECS, Brussels.
ECS, 1998a. EN 45020. Standardization and Related Activities—General Vocabulary. ECS, Brussels.
ECS, 1998b. European Committee for Standardisation Annual Report (1997–1998). ECS Central Secretariat, Brussels. CEN B23/9809/7k.
Fadier, E., Ciccotelli, J., 1999. How to integrate safety in design: methods and models. Journal of Human Factors and Ergonomics in Manufacturing 9 (4), 367–380.
Firlej, M., 1990. Knowledge Elicitation: A Practical Handbook. Prentice Hall.
Habrias, H., 1988. Le Modèle Relationnel Binaire. Méthode I.A. (NIAM). Eyrolles.
Halpin, T.A., 1998. Object-Role Modeling (ORM/NIAM). In: Handbook on Architectures of Information Systems, Chapter 4. Springer.
Harani, Y., 1998. Modèle de produit et modèle de processus pour la représentation de l'activité de conception. International Journal of Mechanical Production Systems Engineering 1, V-11–V-20.
Hasan, R., Bernard, A., Ciccotelli, J., Martin, P., 2000. Intégration de la sécurité dès la conception de systèmes de production: modélisation de l'interaction homme—machine dans le fonctionnement du produit lors du processus de conception. 3rd International Conference on Integrated Design and Manufacturing in Mechanical Engineering, IDMME'2000, Montreal, Canada.
IEEE, 1998. IEEE 1220, Standard for Application and Management of the Systems Engineering Process. IEEE, New York.
ITS (Information Technology and Services), 1991. ISW: un outil pour la méthode NIAM ou passer du langage naturel à des spécifications non ambiguës. Génie Logiciel & Systèmes Experts, pp. 36–41.
Jouffroy, D., Demor, S., Ciccotelli, J., Martin, P., 1998. An approach to integrate safety at the design stage of numerically controlled woodworking machines. In: Integrated Design and Manufacturing in Mechanical Engineering. Kluwer Academic, pp. 643–650.
Lacore, J.P., 1993a. Normes et normalisation européennes en matière de santé et de sécurité dans le cadre de la nouvelle approche. Cahiers de Notes Documentaires ND 1913, No. 150. INRS, Paris, pp. 79–86.
Lacore, J.P., 1993b. Le principe d'intégration de la sécurité et de la norme EN 292. Journées CETIM des 14 et 15 décembre 1993 sur la "Sécurité des Equipements de Travail: Les Nouvelles Règles Techniques Européennes et leur Transposition en Droit Français". Senlis, pp. 85–90.
Lemoigne, J.L., 1994. La Théorie du Système Général, Théorie de la Modélisation, 4th ed. PUF, Paris.
Lhoste, P., 1994. Contribution au Génie Automatique: Concepts, Modèles, Méthodes et Outils. Habilitation à Diriger des Recherches, Univ. Nancy-I.
Mayer, A., Ciccotelli, J., Marsot, J., 1998. Contribution of a research laboratory to the design of safe machinery. Safety by Design European Conference, Manchester, UK.
Malhotra, A., Thomas, J.C., Carroll, J.M., Miller, L.A., 1980. Cognitive processes in design. International Journal of Man Machine Studies 12, 119–140.
Meinadier, J.P., 1998. Ingénierie et Intégration des Systèmes. Hermès, Paris.
Neboit, M., Fadier, E., Poyet, C., 1993. Analyse Systémique et Analyse Ergonomique, Application Conjointe à la Reconception d'une Cellule Robotisée d'Usinage. NS 0100. INRS, Paris.
New Approach, 2000. Web Site on the New Approach Standardisation in the European Internal Market. Available: http://www.newapproach.org.
Rösner, D., Grote, B., Hartmann, K., Höfling, B., 1997. From natural language documents to sharable product knowledge: a knowledge engineering approach. Journal of Universal Computer Science 3 (8), 955–987.
Sabah, 1990. L'Intelligence Artificielle et le Langage. Vol. 1—Représentations des Connaissances. Hermès.
Sharp, J.K., 1998. Is it still a requirement if the subject matter expert didn't tell the analyst? Journal of Conceptual Modeling. Available: http://www.inconcept.com/JCM/August1998/sharp.html.
ter Hofstede, A.H.M., van der Weide, Th.P., 1993. Expressiveness in conceptual data modelling. Data and Knowledge Engineering 10 (1), 65–100.
ter Hofstede, A.H.M., Proper, H.A., van der Weide, Th.P., 1997. Exploiting fact verbalisation in conceptual information modelling. Information Systems 22 (6/7), 349–385.
Toussaint, Y., 1992. Méthodes Informatiques et Linguistiques pour l'Aide à la Spécification de Logiciel. PhD thesis, Computer Science, Univ. P. Sabatier, Toulouse.
van Bommel, P., ter Hofstede, A.H.M., van der Weide, T.P., 1991. Semantics and verification of Object-Role Models. Information Systems 16 (5), 471–495.
van Gheluwe, J.P., 1993. La directive machines. Journées CETIM des 14 et 15 décembre 1993 sur la Sécurité des Equipements de Travail: Les Nouvelles Règles Techniques Européennes et Leur Transposition en Droit Français. Senlis, pp. 5–13.
Vink, D., 1995. La Connaissance: ses Objets et ses Institutions. In: Connaissances et Savoir-faire en Entreprise. Hermès.
Wintraecken, J.J.V.R., 1990. The NIAM Information Analysis Method. Theory and Practice. Kluwer Academic Publishers, Netherlands.
Yunker, 1993. The dependency between representation and procedure. NIAM-ISDM Conference, Working Papers, Utrecht (the Netherlands).