Informatica 18 (1994) 27-36

MFM BASED DIAGNOSIS OF TECHNICAL SYSTEMS

Alenka Znidarsic
Jozef Stefan Institute, Department of Computer Automation and Control
Jamova 39, 61111 Ljubljana, Slovenia
Phone: +386 61 1259 199 (int. 606); Fax: +386 61 1219 385
E-mail: alenka.znidarsic@ijs.si

Victor J. Terpstra, Henk B. Verbruggen
Delft University of Technology, Department of Electrical Engineering, Control Laboratory
P.O. Box 5031, 2600 GA Delft, The Netherlands

Keywords: multistrategy learning, advice taking, compilation, operationalization, genetic algorithms

Edited by: Miroslav Kubat
Received: October 8, 1993 Revised: January 11, 1994 Accepted: February 15, 1994

Detection and diagnosis of faults (FDD) in technical systems represent an important segment of intelligent and fault-tolerant systems. In the article we present the qualitative FDD approach proposed by Larsson and based on the Multilevel Flow Modelling representation of the process. The contribution of this article is the evaluation of this method on a simulated water-level process controlled by feedback. The MFM diagnostic expert system, together with the continuous simulation of the process, is implemented in the real-time expert system tool G2. Based on the results, perspectives for further work are also given.

1 Introduction

As industrial processes become more and more complex, fault diagnosis plays an important role in maintenance and on-line monitoring for the purpose of fail-safe plant operation [7]. The techniques of fault detection and diagnosis can be classified into two general categories [4]:
- the mathematical model and
- the knowledge based approaches.

The former make use of the process model, usually in the form of differential equations. The related techniques are based on the concepts of dynamical redundancy and make use of state filtering and parameter estimation.
Since it may often be difficult and time consuming to develop a good mathematical model, knowledge based methods make use of heuristic knowledge derived from human experience and qualitative models. Here, two main directions can be recognized [8]: the shallow-knowledge (heuristic) and the deep-knowledge (model based) techniques.

In the shallow reasoning approach, diagnostic knowledge is represented mainly in terms of heuristic rules which perform a mapping between symptoms and system malfunctions (faults). The rules typically reflect empirical associations derived from experience, rather than a theory of how the device under diagnosis actually works. Shallow diagnostic expert systems have advantages in cases where expert knowledge in a small field of expertise is available. In this way, we can make this knowledge available to the user. But problems appear in the development of more complex systems, i.e.:
- difficult knowledge acquisition,
- unstructured knowledge requirements,
- the knowledge base is highly specialized to the individual process,
- excessive number of rules: difficult to overview in building and updating,
- diagnosability or knowledge-base completeness is not guaranteed: the expert system can diagnose only faults considered in the design of the rule base.

To overcome these disadvantages of the shallow approach, the deep knowledge techniques can be used. Rather than assume the existence of an expert experienced in diagnosing the device, we assume the existence of a system description (in qualitative terms): a complete and consistent theory of the correct behaviour of the device [5].

Once the model has been created, it could be used in either of two ways. One way would be to introduce every possible fault, run the model and observe the effects. These observations could be used to create rules linking symptoms to faults.
Clearly, this procedure will be feasible only in systems with small complexity, since the number of possible faults can quickly grow, especially if more than one is present at the same time. The other way to use a model is to describe how the process is intended to work; failures in the process can then be found by noting differences between the intended model and the actual state.

In both cases, the process description (model) and the algorithms for fault detection and diagnosis are separated. It can be said that reasoning about faults is performed on the model. The apparent advantages of such a system are:
- given the device description, the program designer is able to shorten the process of eliciting empirical associations from a human expert,
- the diagnostic reasoning method employed is device independent and
- the ability to reason about unforeseen faults and faults which have never occurred in the process before.

There are several approaches to qualitative modelling and qualitative reasoning available [3]. In this article we focus our attention on a qualitative FDD approach developed by Larsson [6] and based on the so-called Multilevel Flow Modelling representation (MFM) proposed by Lind (1991).

The major part of this article concerns the evaluation of this method on a simulated water-level process controlled by feedback. Properties of the approach, drawbacks and potentials will be presented and perspectives for further work will be given. We also try to point out the design cycle of the related MFM diagnostic expert system, which consists of the following steps:
- understanding the principles of the process,
- the diagnostic analysis,
- an implementation of the diagnostic expert system using the MFM Toolbox,
- testing and validation of the system on the simulated process.

2 Test object: a controlled water column

In the lower part of the setup, there is a large container (see Fig. 1), out of which water is pumped via pipes and valves into the water column.
Three valves influence the water flows [1]:
- valve S3 is a control valve controlling the water input to the column. The valve is connected via an electropneumatic transducer to the control computer,
- valve S2 (by-pass valve) is necessary for the pump to prevent an over pressure when S3 is closed,
- valve S1 determines the water outflow from the column.

The water level in the column is measured using a pressure sensor at the bottom of the water column.

3 Review of MFM modelling and diagnostic reasoning

In Multilevel Flow Modelling, a system is modelled as an artifact, i.e. a man-made system constructed with some specific purposes in mind [6]. The three basic types of objects in MFM are:
- goals,
- functions and
- physical components.

The physical components are elements from which a process is constructed (pipes, valves, pumps, etc.). Every component can provide some functions, like transport of mass, information or energy, or storage of something. A set of interconnected functions serves to realize some goal. Goals in MFM represent what the process should do, e.g.: keep the water at a certain level.

Goals, functions and components can be connected with achieve (achieve-by-control), condition and realize relations. An achieve (achieve-by-control) relation can be used to relate a set of flow functions to the corresponding goal. For example, a network of flow functions which describes the water flow through the process (see Fig. 2) is connected to the main goal by an achieve-by-control relation. It means that the main goal can be achieved by controlling the water flow.

A physical component can provide some functions only if some goals are fulfilled first, e.g. the water can be pumped from the container only if the pump works properly. A condition relation is used to connect those conditioned goals to a function.
On the lowest level in the MFM graph, physical components are in the realize relation with their corresponding functions, e.g. the pump can perform the function of transporting water and it is connected with a realize relation to it.

The MFM model describes how the process is intended to work by using mass or energy balance equations. Every deviation from the balance equation can be a sign that the flow function has an error, and corresponding alarm states are set up for it. For describing the mass, energy or information flows of the process, several function types are available. Nearly all flow functions are characterized by one (or more) flow values, which correspond to the real flow of mass or energy.

Based on the MFM graphs, three types of diagnostic methods have been proposed [6]:
- the measurement validation method,
- the alarm analysis method and
- the diagnosis method.

The main aim of the measurement validation algorithm is to find out whether there are inconsistencies among flow values (measurements) in the MFM model. Using available redundancy on the set of measured flow values, the MFM model can be divided into internally consistent subgroups. If a flow function with one inconsistent value is discovered, it will be marked and corrected. In case of several conflicting values, the consistent subgroups of measurements will be marked but the flow values will not be corrected.

The analysis of an alarm situation can be performed using the alarm analysis algorithm. Every flow function can be performed correctly or not. Its failure state can be defined with one of the following alarms: high flow, low flow, high volume, low volume, leak, etc. The algorithm provides a decision about which of the alarms are directly connected to the faults (primary alarms) and which ones are set up only as a consequence of the primary ones (secondary alarms).

In the terminology of MFM, when one of the goals from the model fails, a fault in the process occurs.
The fault diagnosis algorithm provides an explanation for malfunctioning. It is implemented as a search in the MFM graph from the failed goal to the connected networks of functions. When it reaches a single flow function, it uses questions answered by the operator, results of tests performed on measurements or fault propagation rules to find out its failure state. Based on information about states of the flow functions, the explanation of a failure situation and remedies are given.

The proposed methods based on MFM are not aimed at diagnosing sensor faults.

4 MFM model of the water-level process

The MFM model of the process is shown in Fig. 2.

Figure 2: The MFM model of the process

The main goal (G1) is: "Keep the level of the water in the water column at the determined position." The topmost goal can be achieved by a network of mass flow functions (a water flow). This flow is controlled by a manager function (M1), in this case a PI controller (PF12) acting on the control valve.

The primary flow circuit starts at the source PF1 (water container), continues through the transport function PF2 (pressure source), a balance function PF3, a transport function PF4 (control valve) into the storage PF5 (water column) and through the transport function PF6 (manual valve) back to the sink PF7 (water container).

The water can be pumped from the container if the pressure source works properly. In the MFM model, the transport function PF2 (pump the water) is conditioned (C1) by the subgoal G2: "Keep the pump running." If the subgoal is fulfilled then the transport function is available. The electrical energy needed for running the pump is described as an energy flow from a source PF8 (power supply), via transport PF9 (power switch), to the sink PF10 (motor of the pump).
The implementation of the control task (M1) is described as an information flow circuit. Measurements of the water level in the column are provided using an observer function PF11 (sensor). The decision about the control action is made by the PI control algorithm (PF12) and the control output is passed to the control valve through the actor function (PF13).

The controller works if electrical energy is provided for it. Therefore, the subgoal for the controller is: "Keep the controller running." (G3). It is also achieved by a network of flow functions describing energy flow from the source PF14 (power supply), via transport PF15 (power switch), to the sink PF16 (the controller).

Some functions are directly connected to the physical components which provide the functions: PF1 to the water container, PF2 to the pressure source, PF4 to the control valve, PF5 to the water column, PF6 to the manual valve and PF7 to the water container, etc. In the water flow circuit there is also an additional balance function (PF3). It is not connected to any of the physical components, but it has to be present for syntax reasons.

The MFM model is a simplified representation of the real process. The simplification depends on the purpose of the model. We have to be aware that a diagnostic system using a simplified model cannot recognize faults in the unmodelled parts of the system.

5 Realization of the diagnostic expert system in G2

G2 is a real-time expert system tool developed at Gensym Corporation. It can be seen as a general programming environment that combines three paradigms:
- rule-base inference,
- object-oriented programming and
- procedural programming.

It also has a very strong graphical orientation.
It consists of several main parts: a knowledge database, a real-time inference engine, a procedure language interpreter, a simulator, a development environment, an operator interface and optional interfaces to external on-line data services [10].

As a support for developing an expert system for diagnosis based on the MFM methodology, an MFM Toolbox has been developed in G2 [6]. It has two parts:
- a module for developing an MFM model of a process (definition of data structures and graphic elements for building an MFM graph),
- a module with a rule base that performs the diagnostic reasoning task. Several groups of rules and procedures were implemented: a rule base for syntax control of MFM models, measurement validation, alarm analysis, consequence propagation and fault diagnosis.

The Toolbox has been developed by Larsson as part of his thesis work and made available to the Control Laboratory at Delft as part of a mutual research exchange between the Lund and Delft Control Laboratories.

By using the MFM Toolbox it is possible to develop an expert system which performs diagnostic reasoning for a specific process, in our case for the water-level process. It is assumed that the algorithms for diagnosis are independent of the process description. Therefore, the developer of the expert system needs only to construct an MFM model for his process using the Toolbox.

The MFM graph structure is defined graphically using graphical objects for MFM functions and connections among them. The graphical representation of the MFM model for the water-level process is based on the MFM model description (Fig. 2). The construction of the MFM model uses G2's possibilities of graphical creation, cloning and editing of those predefined objects.
In order to enable diagnostic reasoning, the values for attributes of flow functions also have to be prescribed:
- with a set of rules that transfer the values from a simulated process to the corresponding flow function (on-line) or,
- the user defines the values for each flow function from the model directly by editing graphical objects (off-line).

As soon as the MFM graph structure is defined, together with the corresponding values for flow function attributes, diagnostic questions and remedies, the diagnostic algorithms are ready to be used.

6 Continuous process simulation

When we talk about the purposes of the simulation model, we have to mention the definition of a simulation environment. We must take into account that the main aim of our simulation model is diagnostic system testing. It should be possible to simulate different failure behaviours and to provide data from observable variables.

The simulation environment (Fig. 3) consists of three different and independent modules inside G2:
- a simulated process module,
- an alarm definition module and
- a fault module.

Figure 3: The process simulation environment

The "Simulated process" module represents the behaviour of the water-level process under normal working conditions in a closed control loop. A physical-structural model, which includes the important physical structure of the system, is used. The process is described in terms of its components and the relations that exist between them. Each component of the system is modelled separately as an object inside G2 with its own behaviour and attributes. The way in which a component behaves is described by physical equations.
Using the description of the components' behaviour, the operation of the whole system is generated by analysing how the components are connected and how they interact within the system.

Measurements of process variables constitute the basic information for diagnosis. The diagnostic methods developed on the MFM models need as an input a set of measured flow signals. But measurements do not always relate directly to the level of process representation (the flow values of the MFM functions), therefore other types of information must also be used. They can be obtained with one of the following methods: sensors, estimation using data transformation (parameter or state estimation methods, statistical methods) or evaluation based on human observations.

Independently from the simulated process module, the alarm definition module has been developed. A procedure has been defined for each modelled component, which prescribes the way of obtaining the data from its observable variables. Because only one sensor is available on the real process, it is possible to introduce new sensors in the simulation. We refer to those sensors as "simulated sensors".

The alarm definition module also performs a detection function. Rules with "crisp alarm limits" - a fixed value where each alarm condition is activated for every modelled physical component - have been used.

The simulated process has been used to test how efficiently the diagnostic system can recognize the possible causes of its malfunctioning. From this point of view it is possible to simulate different failure behaviours of the process. All possible faults on the physical components are known from the diagnostic analysis of the process. The boundaries on observable variables at which the components are treated as faulty were derived from experimentation with the process, process simulation and students' experiences working with it.
For every possible fault, a procedure which introduces this fault into the corresponding physical component is implemented in the "Fault module". For some faults, it is also possible to define how big the fault is. By activating the procedure, the corresponding fault is injected into the simulated process.

7 Experimental results

In order to evaluate the diagnostic system based on MFM for the water-level process (Fig. 4), a series of experiments is performed using the simulated process running in parallel with the MFM diagnostic expert system inside G2 [9].

Figure 4: Evaluation of the MFM diagnostic system

The following assumptions have been made:
- all possible faults on the components are known and modelled,
- every physical component may or may not be connected to a real or simulated sensor,
- sensors are functioning correctly and
- the process operates in the steady state.

Every experiment consists of the following steps:
1. A set of modelled physical components which are connected with the simulated sensors must be defined before the simulation starts.
2. The process simulation is started by defining the reference value for the water level in the column. Wait until the process is in a steady state.
3. One single fault or a combination of faults is introduced in the simulated water-level process.
4. The MFM diagnostic expert system, which runs in parallel with the simulated process, is used to diagnose the malfunctioning behaviour of the simulated process.
5. The analysis of the diagnostic results is made by comparing the diagnostic explanation of the diagnostic system with our assumption about possible causes of malfunctioning.

In order to illustrate how the diagnostic expert system responds to the situation in the process, let us take the case where a fault is injected into the water container (leak).
The measurable (observable) quantities are the water quantity in the container, the flow through the control valve and the water level in the column. When the main goal is violated (the water level is not at the reference value), the diagnostic system starts searching for faults in the connected water flow circuit. The simulated process produces the following symptoms: not enough water in the water container, the flow through the control valve is too low and the water level in the column is below the desired reference value.

Information about the symptoms is transferred to the MFM model as a set of alarms (Fig. 5): the LOCAP on the source function PF1, the low flow (LOFLOW) on the transport function PF4 and the low volume (LOVOL) on the storage function. The alarm propagation algorithm guesses the alarm states low flow (LOFLOW) for the transport functions PF2 and PF6.

Figure 5: An alarm simulation in the MFM model. Explanation symbols: arrows show detected/measured symptoms.

Based on the described alarm situation, the diagnostic algorithm concludes that only one primary failed function exists (PF1) and that all the others are only consequences of it. The cause of the malfunctioning can be assumed to be a fault on the water container, and the diagnosis is: "The water container is leaking." In this case the alarm on the transport function PF2 is only a consequence of the fault on the source PF1.

If we assume that the operator notices that the pump is not running because there is no power supply for it, the alarm LOFLOW is set up for the transport function PF9. Based on this additional information, the alarm propagation algorithm can guess that the transport function also has an alarm LOFLOW, which is then primary failed. The diagnostic system can find two different faults in the process: "The water container is leaking." and "The fault on the power supply for the pump".

The overview of experimental results is given in a table (Table 1).

8 Discussion

The MFM diagnostic expert system results in only one possible explanation for the process malfunctioning. It does not provide suggestions about all possible faults in the system. The diagnostic precision with which a fault can be identified depends on the number of measurements available from the physical components. If there exists only one sensor in the process, the diagnosis is correct only in the case when the physical component attached to this sensor has failed. If the number of measured flow functions in the MFM model increases, then the diagnostic accuracy increases as well. Multiple faults can be diagnosed when the alarm situation cannot be explained with only one fault.

Another problem encountered in our experiments concerns the balance function. Even though, theoretically, the fault can propagate through it, the corresponding rules are not included in the MFM Toolbox. Also, balance functions with more than one input or output cannot be used.

The treatment of the alarms on the flow functions depends on the time interval in which they are transferred to the MFM model. As soon as a symptom in the simulated process is recognised, the corresponding alarm is transferred to the MFM model. The alarm on the flow function should be assigned as primary failed. Later on, another new alarm is discovered in the model. In this case, the fault propagation algorithm guesses the failure state of the first one only as a consequence of this new alarm. Because the primary failed flow function is covered with a secondary failed one as a result of the propagation rules, some information about the faults can be lost. The problem is referred to as a "loss of diagnostic discrimination".
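The alarm situation of Section 7 and the loss of diagnostic discrimination described above can be reproduced with a short sketch. This is an added example, not code from the MFM Toolbox or from the authors: the consequence rules, the transparent treatment of the balance function PF3 and the alarm arrival times (one possible reading of the "time attribute" proposed in Section 9) are assumptions.

```python
# Added illustration: simplified alarm analysis on the water-flow path
# PF1..PF7 of the page's MFM model. The rules below are assumptions, not
# the rule base of the MFM Toolbox.

# Flow functions in flow direction, with the component each one is realized by.
PATH = [
    ("PF1", "source", "water container"),
    ("PF2", "transport", "pressure source"),
    ("PF3", "balance", None),  # no physical component
    ("PF4", "transport", "control valve"),
    ("PF5", "storage", "water column"),
    ("PF6", "transport", "manual valve"),
    ("PF7", "sink", "water container"),
]

# ASSUMED downstream consequence rules for low-side alarms:
# (cause kind, cause alarm, effect kind) -> alarm expected on the effect.
CONSEQUENCE = {
    ("source", "LOCAP", "transport"): "LOFLOW",
    ("transport", "LOFLOW", "transport"): "LOFLOW",
    ("transport", "LOFLOW", "storage"): "LOVOL",
    ("storage", "LOVOL", "transport"): "LOFLOW",
}


def analyse(alarms, sensed=None, use_time=False):
    """Classify alarms along PATH.

    alarms:   {function: (alarm, arrival_time)} for functions in alarm.
    sensed:   functions that have a (real or simulated) sensor; a sensed
              function without an alarm is taken as working normally.
    use_time: if True, an alarm is only accepted as a consequence of an
              upstream alarm that arrived no later than it did.
    Returns {function: (alarm, status)}, status being 'primary',
    'secondary' or 'guessed'.
    """
    sensed = set(alarms) if sensed is None else set(sensed) | set(alarms)
    result = {}
    cause = None  # (kind, alarm, time) of the nearest upstream function in alarm
    for name, kind, _component in PATH:
        if kind == "balance":
            continue  # assumption: consequences pass through the balance
        expected = CONSEQUENCE.get((cause[0], cause[1], kind)) if cause else None
        if name in alarms:
            alarm, t = alarms[name]
            explained = expected == alarm and (not use_time or cause[2] <= t)
            result[name] = (alarm, "secondary" if explained else "primary")
            cause = (kind, alarm, t)
        elif name not in sensed and expected:
            # Unmeasured function: guess its state from the upstream alarm.
            result[name] = (expected, "guessed")
            cause = (kind, expected, cause[2])
        else:
            cause = None  # measured normal, or nothing to propagate
    return result


def primary_components(result):
    """Components realizing the primary failed functions, in flow order."""
    return [comp for name, _kind, comp in PATH
            if result.get(name, (None, None))[1] == "primary"]


# Constructed input 1: the Fig. 5 situation (container leak), all alarms at t=0.
FIG5 = {"PF1": ("LOCAP", 0), "PF4": ("LOFLOW", 0), "PF5": ("LOVOL", 0)}

# Constructed input 2: a control valve fault at t=10, then a container leak at t=50.
TWO_FAULTS = {"PF4": ("LOFLOW", 10), "PF5": ("LOVOL", 20), "PF1": ("LOCAP", 50)}

if __name__ == "__main__":
    print(analyse(FIG5))
    # Snapshot analysis: the later LOCAP on PF1 covers the earlier PF4 alarm.
    print(primary_components(analyse(TWO_FAULTS)))
    # With arrival times, PF4 stays primary and both faults are reported.
    print(primary_components(analyse(TWO_FAULTS, use_time=True)))
```

On the second constructed input, the snapshot analysis reports only the water container, while the time-aware variant also keeps the control valve as primary failed.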
When this problem appears, the diagnosis of malfunctioning is correct but it is not complete.

Furthermore, the concept of goals in the MFM syntax is questionable in case of feedback systems, e.g. if the leak on the column is not big, the goal G1 will be maintained by feedback (the controller will force the pump to provide more water). Malfunctioning can be recognized from the control voltage changes, but the diagnostic system does not use this additional information. It will react too late.

The MFM diagnostic expert system can be used as an independent system. If a human operator recognizes a process malfunctioning, he starts the diagnostic system by defining the goal which has failed. As an independent module it can be integrated in a supervisory system which performs monitoring of the process. In this case the diagnosis is started automatically as a request from the supervisory system without human intervention.

A system which performs process diagnosis as a combination of automatic tests on measurements and human judgements about the observable states (where measuring is difficult or expensive) might be a solution. It can be a valuable support for the human operator in decision making when dealing with fault diagnosis. We can add diagnostic questions for every flow function. The operator has to concentrate on every physical component systematically and give an answer using observations and experience.

9 Proposed improvements

Based on the results of the MFM diagnostic expert system evaluation, the following proposals for enhancing the MFM approach (and also the Toolbox) are given:

1. Make the goals of the MFM model active

In the implemented MFM Toolbox, goals of the MFM model do not have immediate use, except as starting points for the diagnostic search and as a connection point between the different layers of function networks. From this point of view they can be seen as "passive objects".
We propose to make goals "active" by defining a list of goal constraints. The constraints can be given as analytical equations, qualitative equations or heuristic rules.

2. Add a "time attribute" to the flow functions

The "loss of diagnostic resolution" problem may be reduced by including in the reasoning about faults the time interval in which the alarms were transferred to the MFM model.

3. Dynamic fault diagnosis

To overcome the disadvantage of being able to diagnose only static problems, a dynamic fault diagnosis by analysing subsequent snapshots is proposed. The process behaviour can be extracted using a pattern recognition approach on the measurement vector. The following process features can be observed using qualitative values: the output response time delay, the curve peaks and the time interval between peaks. From those features, intermediate facts like damping, overshoot and oscillation can be inferred. Various decision rules can be applied to the feature vector to classify the process behaviour into different classes.

4. MFM supervisory layer

Managing the developed MFM diagnostic system is a human task. It can be started at the request of a human operator by indicating a failed goal. To make the system more independent, a supervisory system can be developed on top of the existing MFM diagnostic system. The main tasks of the supervisory layer are concerned with:
- analysis of process behaviour,
- testing of goal requirements,
- fault detection in dynamic states and
- activating the diagnosis process.

In addition, it can perform communication with the user in the form of reports about the process behaviour or demands for additional information from the operator.

10 Conclusions

The diagnostic reasoning based on Multilevel Flow Models (MFM) is an example of a deep reasoning approach. MFM provides a way of qualitative description of goals, functions and physical components of the process.
Because dealing with faults also involves a lot of reasoning about goals, functions and components, the MFM representation of the process can be very suitable for solving diagnostic problems.

The major contribution of the paper is the evaluation of the MFM diagnostic system implemented using the MFM Toolbox for a water-level process. For testing purposes, the simulated environment has been developed inside G2 with three independent modules: the simulated process in the closed loop under normal conditions, the alarm definition module and the fault module, which can simulate different types of faults in the process. The proposed diagnostic methods are not aimed at diagnosing sensor faults.

The diagnostic experiments have been performed by running a simulated process in parallel with the MFM diagnostic system, which provided the diagnostic explanation. The system can diagnose faults in the system correctly if there is enough measured information (sensors) available. Some diagnostic mistakes are caused by the balance function, which is not included in the fault propagation rules. In case of multiple faults, problems occur concerning the "loss of the diagnostic resolution". Furthermore, the concept of goals in the MFM syntax is questionable in case of feedback systems. A small fault can be compensated by the controller, and the reaction of the diagnostic system will be too late. In order to provide a diagnosis in time, a portion of quantitative knowledge should be included in the FDD system, which is a subject for further research.

Acknowledgement

The first author wishes to acknowledge financial support for this research from KFA Jülich and TEMPUS Office Brussels. The authors also acknowledge Dr. Larsson from the Control Laboratory Lund for providing them with software support for the MFM methodology.

References

[1] BUTLER, H. (1990): "Model reference Adaptive Control: Bridging the gap between theory and practice." Doctor's thesis: Delft University of Technology, Department of Electrical Engineering (Control Laboratory), Delft, The Netherlands.
[2] HIMMELBLAU, D.M. (1987): "Fault Detection and Diagnosis in Chemical and Petrochemical Processes." Elsevier Scientific Publishing Company, Amsterdam - Oxford - New York.
[3] HUNT, J.E., M.H. LEE and C.J. PRICE (1992): "An Introduction to Qualitative Model-Based Reasoning." Proceedings of the IFAC/IFIP/IMACS International Symposium on Artificial Intelligence in Real-Time Control, Delft University of Technology, Delft, The Netherlands, pp. 439-454.
[4] ISSERMANN, R. (1984): Process fault detection based on modelling and estimation methods: A survey. Automatica, 20, 387-404.
[5] JACKSON, P. (1990): "Introduction to expert systems" (second edition). Addison-Wesley Publishing Company, England.
[6] LARSSON, J.E. (1992): "Knowledge-Based Methods for Control Systems". Doctor's thesis: Department of Automatic Control, Lund Institute of Technology, Lund.
[7] PATTON, R. (1993): Robustness issues in fault-tolerant control. Prepr. Int. Conference on Fault Diagnosis TOOLDIAG93, Toulouse, suppl. vol. 3.
[8] TZAFESTAS, S.G. (1989): "System fault diagnosis using the knowledge-based methodology". Chapter 15 from: R. Patton et al. (Ed.), Fault Diagnosis in Dynamic Systems: Theory and Applications. Prentice Hall, London, pp. 509-594.
[9] ZNIDARSIC, A. (1993): Model-based diagnosis using MFM models for a water-level process. Working Report, Delft University of Technology, Department of Electrical Engineering (Control Laboratory), Delft, The Netherlands.
[10] G2 Manual (1989), GenSym Co.

Table 1: The experimental evaluation of the MFM diagnostic expert system
(Table body not recoverable from the extraction. Column groups: injected faults, "observable" quantities, diagnosed faults. Rows: experiments 1 to 10.)