774 5 Safety and Risk i n Engineering Design
Fig. 5.126 Fuzzy logic for m anaging uncertain data
a theoretical overview of reliability, availability, maintainab ility and safety in engi-
neering design—the methodology presented in this handbook.
Plant analysis in the AIB blackboard is the working memory of the knowledge-
based expert systems, consisting of a global database of facts relating to the integrity
of engineering design, which are used for establishing automated continual design
reviews. The basic aims of automated continual design reviews are to automatically
assess system requirements and allocations to ensure that the design specifications
are complete; to automatica lly compare the design output against design specifica-
tions; to automatically present the risks associated with a collaborative and continu-
ous design effort; and to continually allow for decision-making in selecting the most
suitable design amongst the current design solutions.
Figures 5.128 and 5.129 illustrate the typical AIB b lackboard format of an au-
tomated continual design review. Figure 5.128 shows the blackboard systems hier-
archy navigation and selection format whereby critical components can be viewed
with r egard to their systems r elationships.
Figure 5.129 shows a typical criticality assessment of a component, based on
condition and performance obtained from an FMECA analysis.
The artificial intelligence blac kboard model—overview Artificial intelligence-
based strategies for decision-making and, in particular, for decisions concerning the
5.4 Application Modelling of Safety and Risk in Engineering Design 775
Fig. 5.127 AIB blackboard model with plant analysis overview option
integrity of engineering design are centred around three approaches termed deter-
ministic knowledge, probabilistic knowledge and possibilistic knowledge.
Deterministic knowledge, in engineering design integrity formulation, is based
on a well-defined systems structure and d efinition of the operational and physical
functions of equipment, the usefulness of which depends on the ability to relate
the information specifically to failure conditions (or failure modes) in identifying
problems of equipment failure consequences.
Probabilistic knowledge is gain ed mainly from a statistical analysis of the prob-

able occurrences of events, such as component failures, in order to predict the ex-
pected occurrence of these events in the future to be able to design-out problems or
to implement some form of preventive action.
Possibilistic knowledge focuses primarily on imprecision or uncertainty that is
intrinsic to equipment degradation. Imprecision here is meant to express a sense of
vagueness, rather than the lack of any knowledge at all about predicted equipment
condition, particularly its physical condition. In other words, possibilistic knowl-
edge concerns the concept of ‘fuzziness’, and not ‘randomness’.
The application of fuzzy logic expert systems focuses on the use of expert systems
technology and fuzzy logic to achieve intelligent computer automated methodology
to determine the integrity of engineering design. The most important impact areas
of expert systems on the integrity of engineering design are:
776 5 Safety and Risk in Engineering Design
Fig. 5.128 Automated continual design review: component SBS
• automatic checking of design constraints that affect the design’s integrity, allow-
ing for alternatives to be considered in a co llaborative design environment;
• automation of complex tasks and activities for determining design integrity
where expertise is specialised and technical;
• strategies for searching in the space of alternative designs, and monitoring of
progress towards the targets of achieving the required design integrity;
• integration of diverse knowledge sources in an AIB blackboard system, with ex-
pertise applied concurrently to the problem of ensuring design integrity;
• provision of intelligent computer automated methodology for determining the
integrity of engineering design through automated continual design reviews.
5.4.2 Evaluation of Modelling Results
As previously indicated, blackboard systems consist mainly of a set of knowledge
sources and a blackboard data structure. A blackboard knowledge source is a highly
specialised, highly independent process that takes inputs from the blackboard data
structure, performs a computation, and places the results of the computation back in
5.4 Application Modelling of Safety and Risk in Engineering Design 777

Fig. 5.129 Automated continual design review: component criticality
the blackboard data structure. This blackboard data structure is a centralised global
data structure partitioned in a hierarchical manner and used to represent the problem
domain (in this case, the engineering design problem), and acts as a shared memory
visible to all of the knowledge sources to allow intercommunication between the
knowledge sources. The blackboard data structure contains shared blackboard data
objects and can be accessed by all of the knowledge sources. This design allows
for an opportunistic control strategy that enables a knowledge source to contribute
towards the solution of the current problem without knowing which of the other
knowledge sources will use the information.
Blackboard systems are a natural progression of expert systems into a more pow-
erful problem-solving technique. They generally provide a way for several h ighly
specialised knowledge sources to cooperate to solve larger and more complex prob-
lems. Due to the hierarchical structure of the blackboard, each data object on
the blackboard will usually have only one knowledge source that can update it.
Although these knowledge sources are often referred to as ‘experts’, knowledge
sources are not restricted to expert systems such as the ExSys
c

Expert System
(ExSys 2000) or other AI systems, and include the ability to add conventionally
coded software such as the artificial intelligence-based (AIB) model, to cooperate
in solving problems.
778 5 Safety and Risk in Engineering Design
Many knowledge sources are numeric or algorithmic in nature (i.e. the AIB
blackboard knowledge source for artificial neural network (ANN) computation that
is specifically applied for processing time-varying information, such as non-linear
dynamic modelling, time series prediction, adaptive control, etc. of various engi-
neering design problems). The use of multiple, independent knowledge sources al-
lows each knowledge source to use the data representation scheme and problem-

solving strategy that best suit the specific purpose of that knowledge source. These
specialised knowledge sources are thus easier to develop and can be hosted on dis-
tributed hardware.
The use of opportunistic problem-solving and highly specialised knowledge
sources allows a set of distributed knowledge sources to cooperate concurrently to
solve large, complex design problems. However, blackboard systems are not easily
developed, especially where a high degree of concurrent knowledge source execu-
tion must b e achieved while maintaining knowledge consistency on the blackboard.
In general, blackboard systems have not attained their apparent potential, because
there are no established tools or methods to analyse their performance.
The lack of a coherent set of p erformance analysis tools has in many cases re-
sulted in the revision of a poorly designed system to be ignored once the system
had been implemented. This lack of the appropriate performance analysis tools for
evaluating blackboard system design is one of the reasons why incorporating con-
currency into the blackboard problem-solving model has not generally been suc-
cessful. Consequently, a method for the validation of blackboard system design has
been developed (McManus 1991). This method has been applied to the AIB black-
board system for determining the integrity of process engineering design.
Knowledge source connectivity analysis is a method for evaluating blackboard
system performanceusing a formalised model for blackboard systems design. A de-
scription of the blackboard data structure, the function computedbyeach knowledge
source, and the knowledge source’sinput and output variablesare sufficient to create
a formalised model of a blackboard system (McManus 1992). Connectivity analy-
sis determines the data transfers between the knowledge sources and data migration
across the blackboard.
The attributes of specialisation, serialisation and interdependence are evaluated
for each knowledge source. This technique allows for the evaluation of a blackboard
design specification b efore the blackboardsystem is developed. This also allows the
designer to address knowledge source connectivity problems, feedback loops and
interdependence problems as a part of the initial design process. Knowledge source

connectivity analysis measures the output set overlap, functional connectivity,and
output to input connectivity between pairs of knowledge sources. Output set overlap
is a measure of the specialisation of pairs of knowledge sources, whereas functional
connectivity between pairs of knowledge sources is a measure of their serialisation,
and output to input connectivity is a measure of their interdependence.
5.4 Application Modelling of Safety and Risk in Engineering Design 779
a) The Formalised Model for Blackboard Systems Design
Knowledge source connectivity analysis requires a specification of the system de-
veloped using a formalised model for blackboard systems (McManus 1992). Black-
board systems can be modelled as a blackboard data structure containing shared
blackboard data objects, and a set of cooperating knowledge sources that can access
all of the blackboard data objects. These knowledge sources are processes that take
inputs from the blackboard, perform some computation, then place the results back
on the blackboard for other design teams in a collaborative design environment.
Blackboard data structure A blackboard data structure is a global data structure
consisting of a set of blackboard data objects, {d
1
, ,d
j
},usedtorepresentthe
problem domain.
Blackboard data object Each blackboard data object is a predefined data object
type with a point value or a range of values. A blackboard data object, d
j
, is thus an
object that h as a single value or multiple values.
Knowledge source A knowledge source, ks
j
, of a set of knowledge sources,
β

=
{ks
1
, ,ks
j
}, consists of the following:
• a set of input variables, IV = {iv
1
, ,iv
n
},
• a set of input conditions, IC = {ic
1
, ,ic
n
},
• a set of output variables, OV = {ov
1
, ,ov
m
},
• a description of the computation delivered by the knowledge source,
• a set of preconditions, PR = {pr
1
, ,pr
k
},
• a set of post-conditions, PT = {pt
1
, ,pt

k
} and
• an input queue, IQ.
A knowledge source’s input conditions are a set o f Boolean variables used to notify
a knowledgesource when one of its input variables has been updated. The precondi-
tions are a set of Boolean functions that all must b e TRUE for a knowledgesource to
be activated, and the post-conditions are a set of Boolean functions that all must be
TRUE for a knowledgesource to post the result of its computation to the blackboard.
If all of a knowledge source’s activation conditions are met while it is executing, the
input queue stores the knowledge source’s input variables.
There are two classes of input variables pertaining to knowledge sources: ex-
plicit input variables and generic input variables. An explicit input variable spec-
ifies a single, unique blackboard data object that is used as the input variable to
a knowledge source. A knowledge source can use only the blackboard data object
specified by the explicit input variable as a valid input. A generic input variable
specifies a class or type of blackboard data object that can be used as the input
variable to the knowledge source. The knowledge source can accept an instance
of a blackboard data object of the specified class as an input variable. The use of
generic input variables allows development of knowledge sources that function on
a class of blackboard data objects.
780 5 Safety and Risk in Engineering Design
Knowledge sources can be classified by their input variables:
• Explicit knowledge sources have only explicit input variables;
• Mixed knowledge sources have both explicit and generic input variables;
• Generic knowledge sources have only generic input variables.
Blackboard system A blackboard system is used to allow intercommunication of
knowledge sources, and acts as a shared memory that is visible to all of the knowl-
edge sources. A blackboard system, B, is a tuple X,P,
β
,Id,

θ
,where:
• X is a set of blackboard data objects, X = {d
1
, ,d
i
};
• P is the set of blackboard data object states, P = V
1
·V
2
· ·V
i
,whereV
i
is a set
of all valid values for blackboard data object d
i
;
•
β
is the set of knowledge sources,
β
= {ks
1
, ,ks
j
};
• each knowledge source’s domain is a subset of P, and its range is a subset of P;
• Id is an i-vector describing the i initial values of the blackboard data objects,

Id ∈ P;
•
θ
is a relation on
β
,where
θ
⊂
β
·
β
and ks
j
, ks
k
∈
θ
if and only if ∃d
j
∈ X
where: d
j
∈OV and (ks
j
) ∧d
j
∈ IV(ks
k
);
• If ks

j
, ks
k
∈
θ
,thenks
k
is a successor of ks
j
,andks
j
is a predecessor of ks
k
.
b) Performance Analysis of the Blackboard Systems Design
The performance of a blackboard system design can be analysed in the following
manner (McManus 1991): for each knowledge source ks
j
in
β
is an input set,
Ψ
j
,
containing all of the input variables of ks
j
and an output set,
Φ
j
, containing all of

the output variables of ks
j
Ψ
j
= {iv
1
,iv
2
, ,iv
n
} (5.118)
Φ
j
= {ov
1
,ov
2
, ,ov
m
}
Once
Ψ
j
and
Φ
j
have been established for all ks
j
in
β

,thesets
Γ
j,k
and
θ
j,k
can
be computed for all knowledge source pairs {ks
j
,ks
k
} in
β
(j = k)
Γ
j,k
=
Φ
j
∩
Φ
k
(5.119)
θ
j,k
=
Φ
j
∩
Ψ

k
As indicated, output set overlap is a measure of the specialisation of pairs of
knowledge sources, whereas functional connectivity between the pairs of knowl-
edge sources is a measure of their serialisation, and output to input connectivity is
a measure of their interdependence.
Specialisation value The output set overlap is a measure of the specialisation of
pairs of knowledge sources, whereby the set
Γ
j,k
is computed to assess functional
specialisation. The cardinality of the set
Γ
j,k
for each pair {ks
j
,ks
k
} in
β
is a mea-
sure of the output overlap for the pair {ks
j
,ks
k
} (i.e. a measure of the specialisation
5.4 Application Modelling of Safety and Risk in Engineering Design 781
of pairs of knowledge sources). Knowledge source pairs {ks
j
,ks
k

} with a large out-
put overlap imply that ks
j
and ks
k
share a large number of output variables and,
thus, have similar functions. Knowledge source pairs {ks
j
,ks
k
} with a low overlap
imply that ks
j
and ks
k
have different functions. A proposed heuristic to measure
knowledge source specialisation is to compute a specialisation value,
Ω
j,k
, for each
pair {ks
j
,ks
k
} in
β
. Specialisation values measure the output set overlap of a pair
of knowledge sources, {ks
j
,ks

k
}. The specialisation value is computed using the
following (McManus 1992):
Ω
j,k
=
card(
Γ
j,k
)
min(card(
Φ
j
),card(
Φ
k
))
(5.120)
The cardinality of th e set
Γ
j,k
divided by the minimum of the cardinalities of
the sets
Φ
j
and
Φ
k
computes a percentage of overlap between the set
Γ

j,k
and the
smaller of the sets
Φ
j
and
Φ
k
.As
Ω
j,k
approaches 1.0, the output overlap between
ks
j
and ks
k
increases.As
Ω
j,k
approaches 0.0, the output overlap between ks
j
and
ks
k
decreases. For the limiting cases, where
Φ
j
⊃
Φ
k

or
Φ
k
⊃
Φ
j
, we know that
Ω
j,k
= 1.0, and ks
j
and ks
k
compute the same outputs—thus, the knowledge sources
are not specialised. However, if
Γ
j,k
=
φ
(where
φ
is the null value), then
Ω
j,k
= 0.0,
and the two knowledge sources have no common outputs and are highly specialised
in relation to each other.
Serialisation value The functional connectivity between pairs of knowledge
sources is a measure of their serialisation, whereby the set
θ

j,k
is computed to
assess serialisation. The cardinality of the set
θ
j,k
for each pair {ks
j
,ks
k
} in
β
,
compared to the cardinality of the set
Ψ
k
, is a measure of the input overlap for the
pair {ks
j
,ks
k
} (i.e. a measure of the serialisation of pairs of knowledge sources).
Knowledge source pairs {ks
j
,ks
k
} with a large input overlap imply that ks
j
and ks
k
share a large number of output to input variables and, thus, form serialised execu-

tion. Knowledge source pairs {ks
j
,ks
k
} with a low input overlap imply that ks
j
and
ks
k
can execute separately. A serialisation value measures the functional connectiv-
ity between a pair of knowledge sources where the functional connectivity is the
relative output to input ratio. A proposed heuristic, therefore, to measure knowledge
source serialisation is to com pute a serialisation value,
Σ
j,k
, for each pair {ks
j
,ks
k
}
in
β
. Serialisation values measure the functional connectivity of a pair of knowledge
sources, {ks
j
,ks
k
}.
The serialisation value is computed using (McManus 1992):
Σ

j,k
=
(card
θ
j,k
)
(card
Ψ
k
)
(5.121)
This heuristic computes the percentage of the input data objects for knowledge
source ks
k
that are provided by knowledge source ks
j
. The cardinality of the set
θ
j,k
divided by the cardinality of the set
Ψ
k
computes a percentage of input overlap
between
θ
j,k
and
Ψ
k
.

782 5 Safety and Risk in Engineering Design
As
Σ
j,k
approaches 1.0, the percentage of overlap between
θ
j,k
and
Ψ
k
is greater,
and the serialisation between ks
j
and ks
k
strengthens. As
Σ
j,k
approaches 0.0, the
serialisation between ks
j
and ks
k
weakens. For the limiting cases, if
Ψ
k
⊃
Φ
j
,

Π
j,k
= 1.0, and ks
j
and ks
k
have direct serialisation. If
θ
j,k
=
φ
(where
φ
is the
null value), then
Σ
j,k
= 0.0, and the two knowledge sources are independent and
can execute concurrently.
Strongly connected knowledge sources have high serialisation values. These
knowledgesources form serialised execution pipelines, with each knowledge source
blocking completion of any computation for the same input data objects by other
knowledge sources. Unless multiple copies of the serialised knowledge sources are
developed, the serial pipelines reduce the blackboard’s capability for concurrent
execution. Weakly connected knowledge sources reduce knowledge source serial-
isation and increase the opportunity for concurrent knowledge source execution.
Knowledge source pairs that have high serialisation values are best suited for knowl-
edge source integration whereby the first knowledge source provides all of the in-
puts to the second knowledge source. Such a serially connected pair of knowledge
sources can be reduced to a single knowledge source that combines the functionality

of the two.
Interdependence value The output to input connectivity between pairs of knowl-
edge sources is a measure of their interdependence, whereby the set
θ
j,k
is computed
to assess interdependence. The cardinality of the set
θ
j,k
for each pair {ks
j
,ks
k
} in
β
is a measure of the output to input connectivity for the pair {ks
j
,ks
k
}.Knowl-
edge source pairs {ks
j
,ks
k
} with a high output to input connectivity imply that ks
k
is highly dependent on ks
j
for its input variables. Knowledge source pairs {ks
j

,ks
k
}
with a low output to input connectivity imply that ks
k
’s inputs are independent of
ks
j
’s outputs.
A proposed heuristic to measure knowledge source interdependence is to com-
pute an interdependence value,
Π
j,k
, for each pair {ks
j
,ks
k
} in
β
. Interdepen-
dence values measure the output to input connectivity between knowledge sources,
{ks
j
,ks
k
}. The interdependence value is computed using the following (McManus
1992):
Π
j,k
=

(card
θ
j,k
)
min(card(
Φ
j
),card(
Ψ
k
))
(5.122)
This heuristic computes the percentage of overlap between the sets
Φ
j
and
Ψ
k
,or
the percentage of output data objects of ks
j
that are used as input data objects by ks
k
.
The cardinality of the set
θ
j,k
divided by the minimum of the cardinalities of the sets
Φ
j

and
Ψ
k
computes a percentage of overlap between the set
θ
j,k
and the smaller of
the sets
Φ
j
and
Ψ
k
.As
Π
j,k
approaches 1.0, the output to input connectivity between
ks
j
and ks
k
strengthensand the knowledge sources become more interdependent.As
Π
j,k
approaches 0.0, the output to input connectivity between ks
j
and ks
k
weakens
and the knowledge sources become independent. For the limiting cases, if

Φ
j
⊃
Ψ
k
,
Π
j,k
= 1.0, and ks
j
and ks
k
have direct output to input connectivity and are interde-
pendent. If the set
θ
j,k
=
φ
(where
φ
is the null value), then
Π
j,k
= 0.0, and the two
knowledge sources have no output to input connectivity and are independent.
5.4 Application Modelling of Safety and Risk in Engineering Design 783
c) Evaluation of the AIB Blackboard Model for Determining the Integrity
of Engineering Design
The AIB blackboard model for determining the integrity of engineering design in-
cludes subsets of the knowledge sources and b lackboard data objects that are used

by the knowledge-based expert system section. This knowledge-based expert sys-
tem section allows for the development of various expert systems, and is structured
into facts, functions, conditions, constraints, rules and goals related to the subsets of
the knowledge sources and blackboard data objects of process analysis, plant analy-
sis and operations analysis sections. The primary subsets of the knowledge sources
for the process analysis and plant analysis sections are d escribed below in accor-
dance with Fig. 5.82 illustrating the AIB blackboard model for engineering design
integrity.
Process analysis section
• Let Ks
1
be the process definition module. This knowledge source makes use of
six global data object inputs—d
i1
, d
i2
, d
i3
, d
i4
, d
i5
and d
i6
, which can be repre-
sented by the set of input variables IV
6
= {iv
1
, ,iv

n
}—aswellasaprocess
description input, and computes five data object outputs that can be represented
by the set of output variables OV
5
= {iv
1
, ,iv
n
}, for the data object outputs d
o1
to d
o5
.
The data object inputs d
i1
to d
i6
and data object outputs d
o1
to d
o5
:
d
i1
= Plant/facility d
i7
= Process description
d
i2

= Operation/area d
o1
= Process sequence
d
i3
= Section/building d
o2
= Mass balance
d
i4
= System/process d
o3
= Heat balance
d
i5
= Assembly/unit d
o4
= Energy balance
d
i6
= Component/item d
o5
= Utilities balance.
• Let Ks
2
be the performance assessment module. This knowledge source makes
use of the six global data object inputs d
i1
, d
i2

, d
i3
, d
i4
, d
i5
and d
i6
,aswellas
a performance specification set, d
i8
, and computes a performance output variable
set, d
o6
.
The performance specification set d
i8
can be represented by the set of input vari-
ables IV
8
= {iv
1
, ,iv
n
},whered
i8
=performancespecification data object with
IV
8
= {efficiency, flow, precipitation, throughput, output, pressure, viscosity, ab-

sorption, temperature, losses, etc.}.
The performance output variable set d
o6
can be represented by the set of output
variables O V
6
= {ov
1
, ,ov
m
},whered
o6
is the performance output data ob-
ject with OV
6
= {efficiency rating, flow rating, throughput rating, output rating,
yield, pressure rating, consistency, temperature rating, productivity, etc.}.
• Let Ks
3
be the RAM assessment module.This knowledge source makes use of the
six global data object inputs d
i1
, d
i2
, d
i3
, d
i4
, d
i5

and d
i6
,aswellasaconditions
description set, d
i9
, and computes a conditions failu re output variable set, d
o7
.