A hybrid expert system, GIS and simulation
modeling
for environmental and technological
risk management
Fedra, K. and Winkelbauer,
L.
EnvironmentalSoftware &Services GmbH
A-2352 Gumpoldskirchen,AUSTRIA
info@ess,
co. at http:/ / www.ess,
co. at
From: AAAI Technical Report WS-99-07. Compilation copyright © 1999, AAAI (www.aaai.org). All rights reserved.
Abstract
Based on the results from the international research
project HITERMfunded under the European ESPRIT
technology programme for high-performance computing and networking (HPCN)for decision support, this
paper presents RTXPS,the integration of a real-time
forward chaining expert system and a backward chaining system as the DSS framework using simulation
models and GIS for environmental and technological
risk assessment and management. Application examples describe chemical emergency management cases
for fixed installations and mobile sources (transportation accidents), based on ongoing case studies in Italy,
Switzerland and Portugal.
¯
The HITERMproject
HITERM(http://www.ess.co.at/HITERM)
is an international research project under the European ESPR.IT technology programme on high-performance
computing and networking (HPCN) for decision support applications.
The project integrates highperformance computing on parallel machines and workstation clusters with a decision support approach based
on a hybrid expert systems approach. Application examples are drawn from the domainof technological risk
assessment and management, and particular chemical
emergencies in fixed installations or transportation accidents (Fedra 1998; Fedra and Weigkricht 1995).
integrate the various information resources in an operational decision support system, a flexible client-server
architecture is used (Figure 1), based on TCP/IP and
http. The central system, which runs the RTXPSexpert system as the overall framework is connected to
a number of (conceptual) servers that provide highperformance computing and data acquisition tasks, as
well as a numberof clients that include mobile clients
in the field.
The architecture features the two interlinked ES
strategies which draw upon an object data base of risk
objects and a GIS, as well as a set of simulation models
implementedin a distributed client-server environment
that includes links to real-time data acquisition, e.g.,
for meteorological data. Explicit treatment and propagation of uncertainty is made possible by the use of
Monte Carlo methods, in part implemented on parallel
compute servers.
The RTXPSframework maintains the dialogue with
the user, e.g., an operative in an incident command
center. The real-time expert system controls communication with the various actors involved in an emergency
situation, provides guidance and advice based on several data bases including Material Safety Data Sheets
for hazardous substances, and triggers various simulation models for the simulation of the evolution of an
emergency and the prediction of humanhealth and environmental impacts. The expert system compiles all
necessary input information for the models and performs checks for completeness, consistency, and plausibility. It then triggers, based on the available information and some simple screening and ranking methods,
the most appropriate model or set of models, interprets the results, and translates that into guidance and
advice for the operators. Embeddedsimulation models include a detailed source modelfor different release
types including pool evaporation, atmospheric dispersion using either a multi-puff, multi-layer Eulerian, or
a Lagrangian approach based on a 3D diagnostic wind
field model, fire and explosion models, and a stochastic soil contamination routine. Real-time control and
logging of data availability, user inputs and decisions,
model results, and communicationactivities provide an
opportunity to use the system for operational manage-
ment, training purposes, as well as for planning oriented risk assessment tasks.
Decision
support and
information
flow
From a conceptual point of view, the central object of
the approach is an emergency scenario. Once started
on the occasion of an incident or training session, the
RTXPS
frameworkqueries the user for the type of incident and selects the appropriate knowledge base. The
system, following a rule-based implementation of an operations manual or standard operating procedure, elicits relevant information from a number of information
sources. This can include asking the user, retrieving
data from the various data bases, prompting the user
to establish communicationchannels to field personnel,
or polling remote data acquisition systems.
Based on the developing context of the emergency
scenario, the expert system may trigger a number of
models that predict the likely evolution of the emergency and its impacts. The selection of the most appropriate model is based on the context or the results
of previous modeling steps. As an example, the source
model generates information on the total mass evaporated or directly escaping into the atmosphere and thus
available for atmospheric dispersion, the mass fraction
infiltrating into the soil, and the probabilities for fire
and explosion. Based on these results and their respective probability distributions, the models are triggered
in sequence with the most likely or dangerous impact
scenario simulated first.
Using Monte Carlo methods based on a priory probability distributions for relevant input parameters, which
are adapted based on the. information compiled, individual models are run for a large number of parameter input samples so that output probability density
functions can be constructed. From these, the expert
system selects either a 95%"worst case" scenario for
further propagation, or the user can select a specific
result or probability range.
Following the computation of likely impacts, the expert system performs an assessment using the population data base by computing the number of people
exposed to concentrations, pressures, or radiative heat
fluxes above certain thresholds. On the basis of these
spatially and temporally distributed impacts, further
advise e.g., for evacuation or the definition of exclusion and safety zones is generated. In general, the expert system starts with a set of worst case assumptions,
videooonferendng
HPCN
MODEL
SERVER
""
@
remote
olkmt
(mobile)
Figure 1: The basic HITERM
client-server
architecture
which it evaluates and provides advice for; it then attempts to eliminate possible scenarios, starting with
the most dangerous ones, until the actual scenario can
be confirmed and eventually controlled.
However, in parallel to this internally driven approach, the system must at any time be ready to accept external information asynchronously to update the
emergencyscenario based on field information or realtime data acquisition, and re-evaluate its strategy at
this point.
The
RTXPS framework
Rule based expert systems can either be goal driven using backward chaining to test whether some hypothesis
is true, or data driven, using forward chaining to draw
new conclusions from existing data. Forward chaining
implies that upon assertion of new knowledge all relevant inductive rules are fired exhaustively, effectively
making all knowledgeabout the current state explicit
within the state. Forward chaining may be regarded as
progress from a knownstate (the original knowledge)
towards a goal state. Backwardchaining systems work
from a goal state back to the original state. This means
that no rules are fired upon assertion of new knowledge.
When an unknown predicate about a known piece of
knowledgeis detected all rules relevant to the knowledge in question are fired until the question is answered
or until quiescence.
DESCKIPTOR
exposed_area
TS
U ha
V none
[ O, O, O]
V very_small [ O, 2, 3]
V small
[ 3, 5, 8]
V considerable[8, I0, 20]
V large
[ 20, 50, 80]
V very_large[ 80,I00,300]
Q What is the total area affectedby this
Q accident,ie., above a no-effectsthreshold?
ENDDESCRIPTOR
Figure 2: Sample Descriptor definition
In the RTXPSenvironment forward chaining is used
for guiding the user from one state to the next state
based on the user’s inputs (= new knowledge). The
user’s input is obtained through various resources, one
of them being rule based backward chaining.
Several modifications to the general concept of forward chaining have been implemented in RTXPSto
overcome the inherent inefficiency of this approach.
The two most important modifications are that (a) rule
firing is immediately stopped when enough evidence
has been obtained to move on to the next state which
significantly improves the performance of the overall
system (very important in real time systems and to
keep the user alert) (b) states themselves are defined
and used as (action) objects directly in the forward
chaining rules, making the development of the knowledge base and the transitions between the states more
transparent for the user and the knowledge engineer.
RTXPSoperates in terms of ACTIONS,which are
triggered by the forward chaining Rules; these Rules
operate in a knowledge base domain that is shared
between for~vard and backward chaining strategies, so
that backwardchaining inference can affect the forward
chaining Rules and vice versa. The shared information is based on Descriptors, which are the variables
both inference strategies work with. Descriptors can
be purely symbolic (nominal or ordinal) or hybrid, the
latter combining a set of ordinal symbolic values with
a cardinal numerical representation in terms of ranges.
For a description of the backward chaining system see
Fedra and Winkelbauer, 1994.
ACTIONS
consist of a hypertext part that maintains
the user dialogue, and a number of functions that are
ACTION
Some_action
A alias_name
V ready / pending / ignored / done /
P 180 # timer set to 180 seconds
Q For an accident_typeyou have to specify
Q the total mass or spill volume involved.
F get_descriptor_value(spill_volume)
ENDACTION
Figure 3: Sample ACTIONdefinition
either triggered automatically or manually by the user.
The functions include triggers for simulation models,
the backward chaining expert system, or external communication tasks such as data acquisition from monitoring systems or tasks such as automatic dialing for
phone connections, or sending automatically generated
fax messages. All ACTIONS
are logged with their time
stamp, together with all instantiations and assignments
of Descriptor values. Since ACTIONS
can depend on
external objects that may or may not be available at
any point in time (like a telephone connection), they
can be set pending. A timer is started, that will reactivate the ACTION
as soon as its timer has expired.
The built-in functions of an ACTIONcan include
the backward-chaining expert system. The trigger is a
request to provide the current value for a Descriptor.
This can be done by either direct editing or by starting the rule-based inference. The system then uses a
set of alternative methodsenumerated in the respective
Descriptor definition to obtain or update the Descriptor value in the current context. The inference engine
compiles all necessary information for the appropriate
Rules’ input conditions recursively, evaluates the Rules,
and eventually updates the target Descript0r. A typical
use of this inference process is to assist the user in specifying scenario parameters: here the system collects circumstantial evidence to derive an informed guess where
no hard data are available.
Other ACTIONfunctions trigger special editors to
obtain information on more complex risk objects (such
as trains, plants, etc.) which require specific dialogue
windowsfor consistent editing of the attributes of the
the risk objects and provide additional functionality
such as links to on-line databases. An example for this
kind of editors is the train editor (Figure 7) which
described in the application example below.
Coupling to GIS and models
Another set of functions in the ACTIONS
triggers the
GIS and the simulation models which are used to assess
the danger and the impact of the potential risk sources.
Currently the following models/model groups are
coupled to the RTXPS:
The PVMmodel group: Monte-Carlo implementation of the (parallel) spill and pool-evaporation model;
the main parameters (defined by external sensitivity
analysis) are sampled in a Monte-Carlo framework;
from the resulting distribution of solutions, the mean
and 95% level are used as input to the Lagrangian
model to generate two solutions.
The SOURCEmodel: computes the dynamic source
term for the atmospheric dispersion models, soil infiltration, and determines the probabilities for fire and
explosion with the respective input data values (available mass); the user can determine the level of uncertainty for the input parameters (expressed as a percentage around the mean, the type of a priory distribution
to be sampled, and the number of Monte-Carlo runs.
All. these values are provided as defaults, but can be
¯ modified on demand. By default, the system selects a
source term for the dispersion models from these reSults based on the 95alternatively, the user can select
an arbitrary class range from the mass distribution for
the Subsequent dispersion computations.
Probability of fire and explosion: Based on the temperature range versus the flashpoint of the substance
for fire, and the local concentration over the pool versus
the upper and lower ranges for explosivity the probability for fire and explosion, depending on the duration
of fire or explosion conditions, are calculated.
Groundwater simulation: Another example of the
direct representation of uncertainty in the simulation
models is implemented for the determination of response times for soil contamination. The simple screening model estimates the time a given substance will
need to reach the groundwater table, based on viscosity,
soil permeability, and the distance to the groundwater
table. For the simulation, the user can again override
the defaults for the uncertainty around the input parameters, soil permeability and viscosity.
All these models have their individual user interface and dialog functions but communicatetheir results
through the Descriptors to the RTXPSwhere the backward chaining mechanism then can be used together
with the GIS to classify complexsystems results (e.g.,
the results from a spatially distributed, dynamic,multiparameter model) into a simple and directly under-
4
Figure 4: Monte Carlo simulation
Figure 5: Atmospheric dispersion model resules
Another use of ei/e backward chaining capabilities
of the expert system is to provide a synthesis of large
model generated data volumes. The chain of models
used to simulate an accident scenario may easily generate data volumes in the order of Gigabytes. These
should, however, be summarized in a few simple variables such as the number of people exposed, the level
of exposure, the area contaminated, estimated material damageand a rough classification of the accident:
these classifications are needed to trigger the appropriate responses.
Starting from the dynamicmodel results, specific aggregate parameters are computed as a post-processing
step or while the model is running, updating values for
maximaof threshold related parameters.
Eg., in the case of the atmospheric dispersion models,
the critical parameters are the extent of the area covered, the population exposed in this area, and time factors such as the time until the first houses are reached
by the cloud, and the duration of the exposure.
Starting with the model result and a (default or
substance specific) concentration threshold, the system
computes the area of the plume that exceeds the threshold, the populated area, and the intersection. Based on
the knownor estimated population density, two key parameters, namely the area exposed and the population
exposed are computed and indicated.
In addition, to the model derived values (which are
setting the corresponding Descriptors in the expert system), a user-defined threshold value is used in this evaluation. This can either be derived from a set of rules,
or from the hazardous chemicals data base (e.g., based
on the Seveso II classification).
In the simplest case,
the user can directly set that threshold value with the
expert system’s editing functions.
In the next step, the expert system attempts a classification of the emergency in terms of public health
effects, environmental damages, and material damages.
In terms of the backward chaining inference procedure,
these three Descriptors are Target Descriptors i.e., the
are at the top of the respective inference trees. Each of
them has a set of associated Rules, that use Descriptors
as their inputs. The Descriptor values are set by the
model output in the step above, but can, in principle,
be overwritten by the user interactively if he repeats
the (automatically triggered) inference procedure.
all the necessary data (Descriptor values) to reach
conclusion are available, the expert system will directly
arrive at, and display in a symbolic format, the results
in the accident summarydisplay.
RTxD9
[~Y~tLOOp
,,.
Figure 6: Dialog windows
An application
example
A typical application example is the managementof a
train accident involving hazardous cargo. The user is
an officer at an incident commandcenter operated by
the railway system. After receiving an external alarm
by phone, usually from the police, the user selects the
appropriate option in the system, i.e., emergencymanagement: RTXPSnow provides all prompts in the form
of hypertext messages on the main console dialog window (Figure 6). As a first step, the user is asked
verify the nature of the emergency (train accident).
He then is prompted to record the contact details of
the caller for verification. The corresponding ACTION
pops up the necessary editors, and logs the answers.
Based on the source of the alarm, a communicationprotocol is initiated that involves relaying the information
gathered to various groups such as local fire brigades,
railway operation centers, etc.
With the approximaSe location of the accident (obtained from the initial call) and the time, the railway
operation center is queried for a train identification. In
parallel, the system will zoom in on its map display
to the area of the accident location. With the train
identification, obtained by phone, the Rules now trigger an automatic download of train cargo information
from an on-line database. If no hazardous material is
on the train, the incident is logged and closed. If there
is hazardous information on the train, the information
is relayed to the field team, and a new branch of fire
fighters specialized in chemicalspills is alerted.
Figure 7: The train editor
With the detailed information of the train location
(from the train operators) and its cargo (from the cargo
information database), the system now constructs
representation of the train and all potential sources of
risk (Figure 7). This is based on substance specific
data, obtained from the embedded hazardous chemical
data base and the On-line cargo information data base.
The ’expert system now scans all railway cars and
performs an initial risk assessment. The car with the
highest potential risk is selected for detailed analysis.
If, however, more detailed information about the state
of the accident (e.g., cars damaged,visibly leaking, or
burning) becomesavailable from the intervention forces
in the field, this information is entered in the knowledge
base through the corresponding Descriptors, and the
risk ranking of the cars is ¯revised accordingly.
For a given railway car selected automatically based
on the risk ranking or manually by the user, the next
ACTIONthen triggers
a SOURCEmodel that estimates the nature and amount of a hazardous material release. Since the necessary input parameters include the local meteorological conditions, an automatic
download of local meteorological data is attempted;
should this fail, the user is prompted to obtain this
information from the intervention forces by radio.
Dependingon the physical and chemical properties of
a substance, and its transport conditions (temperature,
pressure), the release characteristics (gaseous and/or
liquid, flow over time) are then estimated. With
pool evaporation model where appropriate, the total
mass spilled is partitioned into an atmospheric release
Figure 8: Expert system dialog and editor
and a liquid fraction that mayinfiltrate into the soil.
The probabilities of fire and explosion are monitored
based on flammability and explosion limits of temperature and concentrations. Interventions can be simulated explicitly by specifying a cut-off time for the
release and the evaporation. The SOURCEmodel is
run in a Monte Carlo framework so that PDFs for the
source terms for the consequence models are generated
(Figure 4).
The results are summarizedand reported to the user,
who mayrelay them to the intervention team. Based on
the release characteristics, the next set of Rules selects
the most appropriate consequence model: atmospheric
dispersion, fire, explosion, soil infiltration. Wherenecessary to obtain the required much-better-than-realtime performance, a high-performance compute server
is used in client-server mode(Unge.r et al., 1998). The
expert system checks, for each model, whether all the
required input data are available, and within plausible
ranges. If not, an appropriate messageis issued and an
editor with the possibility to start a rule-based deduction for parameter estimation is provided. Once the
input is complete, consistent, and plausible, the model
is triggered. Its result are displayed to the user in a
graphical and spatially distributed, and dynamic (animated) display, depending on the dimensionality of the
underlying model (Figure 5).
Model results are then combined with the population data base to estimate casualties. These, together
with the area exposed and above of no-effects thresholds, are used to update the risk assessment for a given
hybrid expert systems approach with powerful simulation models, GIS, and multi-media display formats, it
becomes possible to bring together advanced analytical
tools with an easy to use decision support framework
for complex and mission critical application domains.
Acknowledgements
The project HITERMis supported by the European
Commission under the auspicies of the specific programmefor research and technical development in the
filed of information technologies¯
RTXl),~
EV~nl
Loop
,.
References
Figure 9: Explain and rule ~race function
source. The system then returns to the train display,
ready to accept new information from the user, or to
evaluate the next source according to the updated risk
ranking. Where the estimated consequences of a potential or observed source involve casualties or the necessity for evacuation, the system provides the necessary information to the operator who in turn informs
the intervention forces in the field. This communication process can be simplified by using mobile clients
that connect the field teams directly to the expert system. The communication, in addition to the hypertext
prompts, includes various editor tools (Figure 8) and
the option to explain the expert systems reasoning step
by step (Figure 9).
The expert system keeps moving between gathering
scenario information, updating the status description
and ranking of potential or actual risk sources, and
evaluating their impact, and providing advice on this
basis until there is no more possible source, i.e., all
is save and the incident is under control. A final set
of Rules will then prepare the required reports, and
distribute them over appropriate communication channels.
Discussion
The combination Of forward chaining, to implement a
context sensitive operations protocol with real-time elements, and backward chaining to provide support for
data compilation and estimation has proven very effective for the implementation of a real-time environ-
Fedra, K. 1998 Integrated Risk Assessment and Management: Overview and State-of-the-Art.
Journal
of Hazardous Materials, 61 (1998) 5-22.
Fedra, K. and E. Weigkricht 1995 Integrated Information Systems for Technological Risk Assessment.
In G.E.G. Beroggi and W.A. Wallace [Eds.] Computer Supported Risk Management. Kluwer Academic Publishers. Dordrecht. The Netherlands.
pp. 213-232.
Fedra, K. 1995 Chemicals in the Environment: GIS,
Models, and Expert Systems. In James Devillers
[Ed.] Toxicology Modeling. Vol. 1, No. 1. Carfax
Publishing Company, UK. pp. 43-55.
Fedra, K. and Winkelbauer, L. 1994 Environmental Assessment, Management, and Reporting. In
Robert Trappl [ed.] Cybernetics and Systems ’94
- VolumeI. Proceedings of the Twelfth European
Meeting on Cybernetics and Systems Research
(EMCSl~’94), organized by the Austrian Society
for Cybernetic Studies. Vienna, Austria. April
5-8, 1994. World Scientific. pp. 927-934.
Unger, S., Gerharz, I., Mieth, P., and Wottrich. S
1998 HITERM- High Performance Computing
for Technological Risk Management.Transactions
of the Society for Computer Simulation International, Volume15, Number3, pp. 109-114.