THE DESIGN OF FAULT TOLERANT SYSTEMS - PREVENTION IS BETTER THAN CURE

The largest threat to the efficient and safe operation of complex processes comes from erroneous actions by the humans in the system. The number of erroneous actions can be reduced and the consequences be mitigated in two principally different ways. The passive approach concentrates on how the system is designed, implemented and applied. The active approach concentrates on the system in use, as exemplified by automation in various forms, protection systems, computerised operator support, and various types of expert systems. A specific solution is to make the systems fault tolerant, i.e. forgiving of erroneous actions and able to limit the consequences through interlocks and automatic shut-down mechanisms. Yet practically all fault tolerant systems come into action after the erroneous action has occurred and has had a detectable effect. It would clearly be attractive to detect erroneous actions when they occur, possibly before they have had any effect, i.e. effectively to prevent them from happening. The paper describes the development and functioning of a system which provides an on-line detection of erroneous actions in a process domain. The system, which is called RESQ, is based on a combination of plan recognition, plan evaluation and error handling. It has been developed within the ESPRIT Project P857 'Graphical Dialogue Environment', and is presently implemented for a data network. RESQ is written in Common LISP and is, with the necessary exception of a plan library, completely domain independent.