A real-time interface simulator for operator’s
training: a proposed architecture
Charles SANTONI1 and Jean-Marc MERCANTINI1
Maria F.Q.VIEIRA TURNELL2, Alexandre SCAICO2, José A. do N. NETO2
1
LSIS, Université Paul Cézanne (Aix-Marseille III)
2
LIHM –DEE – UFCG, Campina Grande, Brazil
charles.santoni@lsis.org, jean-marc.mercantini@lsis.org
fatima@dee.ufcg.edu.br, scaico@dee.ufcg.edu.br, alves@dee.ufcg.edu.br,
Abstract: Operator training systems are essential tools
for industrial systems, particularly for those where the
human error impacts on human and materials safety beyond
financial losses. The work presented here is part of major
research project concerned with the study of operator’s
behavior when facing safety critical situations. The
application case concerns the supervisory control of an
electricity distribution substation. This paper focuses in the
first step of this project which consists in developing a real-
time interface simulator of the supervisory control. It
proposes an operator training simulator (OTS) architecture.
The simulator’s purpose is to promote the operator’s
immersion into a working environment close to the real
one. This paper presents the simulator’s architecture, which
is based upon a set of formal models interconnected to form
the simulator engine. Those models were built using the
Colored Petri Nets (CPN) formalism. The modular
architecture allows for the remote interaction through the
web and offers two interfaces with the plant’s control
system: a virtual reality representation of the man machine
interface (MMI) and a supervisory system representation.
This paper discusses the architecture aspects relevant to the
simulation purposes.
Index Terms— Operator training systems (OTS),
simulation engine architecture, Virtual reality, Petri
nets, Human Interfaces, Industrial Automation.
I. INTRODUCTION
Human errors are often caused by time constraints
and performance demands, which in turn cause stress
and cognitive overload. Stress conditions aggravate
during critical situations such as the occurrence of
equipment failure and human error. Under those
conditions the operator must react quickly and
effectively in order to restore the system to its normal
operational state. An efficient recovery minimizes
financial losses and risks to humans and materials. A
well-designed man machine interface (MMI) can
reduce the human error rate and help the operator to
perform efficiently and within time constraints.
In the electrical sector, maintaining the service is a
critical task performed by the operators. To improve
their task knowledge and performance, training
programs are usually supported by simulation.
ISBN # 1-56555-316-0 460
Simulations can be as simple as verbally re-enacting
routine scenarios, without directly interacting with
the system, or may consist of reproducing complex
scenarios supported by realistic simulation tools.
Whichever supporting materials are used in the
process, these must ensure that the operator will
immerge into the scenario. The aim is to produce
adequate reactions in terms of decision-making time
and quality. The final goal is to improve operators’
skill, ensuring fast and correct reactions to system’s
events.
Typically training programs are conceived for a
system’s normal operation, although some can
account for equipment failure. In this context
simulator training plays an important role since it can
recreate operating conditions and thus provide the
information needed by the operator to perform a task.
The need for training is the focal point of any
discussion after the occurrence of system faults and
human errors. The industry expects operators to react
adequately, solving problems within the time limits,
and not being influenced by stress. Under this sort of
expectation it is assumed that better training can
minimize the occurrence of human errors. Higher
levels of skills are undoubtedly effective in reducing
human errors but it is also essential to improve the
design quality of the human interface component of
the control systems.
Whereas most OTS systems are built to reproduce
the installation’s entire configuration, our project
focuses on reproducing critical situations, considered
relevant by the industry. Thus, its main distinctive
feature in relation to other simulating tools is to be
conceived to support training under critical situations.
This work is part of major project related to the study
of the user behavior under critical situations in order
to capture and introduce this knowledge into the
process of the MMI ergonomic conception [8]. The
next step will consists in enhancing the simulator
with equipment failure modes as well as the
contextual elements which are implied in accident
scenarios to reproduce critical situations. Then we
will be able to analyze the behavior of human
SCSC 2007
operators when facing critical situations.
This paper is structured as follows. Section 2
presents a brief introduction to operator training
simulators. Section 3 presents the simulator
architectural design whereas and discusses this tool’s
interface component. Section 4 details the simulator
engine, describing the models that compose it.
Section 5 follows to discuss how critical scenarios are
represented in the simulator. Finally, section 6
presents the conclusions and proposes future
directions for the work.
II. OPERATOR TRAINING SIMULATOR
Operator training simulators (OTS) reproduce a
working environment. These provide operators with
the opportunity to immerge into special working
contexts, otherwise impossible due to risks and
operational costs. According to Neuman et al [10],
OTS can be classified according to the level of
realism provided:
• Complete simulation: when the training occurs with
the real plant installation. In this case the process is
left vulnerable to the operator’s mistakes.
• Partial simulation: when the process is emulated by
a simulator engine that represents the plant coupled
with a man-machine interface (MMI) identical to
the one offered by the control system.
• Full simulation: in this case, the whole system is
emulated (process and control system) and must
provide the degree of realism needed by the
operator to immerge in a real situation. This
simulation can be achieved with the use of
Supervisory Control And Data Acquisition
(SCADA) software.
Automation systems are often taken to their
operation limits thus the operating problems rapidly
propagate before the operators can find and
implement the appropriate solutions. Particularly, in
the case of electric systems, service interruption
means unacceptable losses for clients and penalties
for the industry [13], excluding the possibility of
operators’ training with a complete simulation.
In this context, training situations should include
regular situations as well as system operation in the
occurrence of failures caused by equipment
malfunction or human errors. Although in both cases
the operator is expected to present an effective
response, when facing a critical situation the demands
on the operator are higher. The system must be
brought back into normal operational conditions in
the least possible time [5] [10].
A partial simulation would also be possible in this
context, but it would impose the use of specific
SCADA software. This imposition would restrict the
SCSC 2007
MMI design alternatives to the ones supported by the
specific software hindering the study of alternatives.
When choosing the kind of simulation the following
considerations were taken into account:
• Provide a real time simulation to support the
training of operators, improving their skills
(situation perception and diagnosis, action
scheduling and performing) to deal with real
situations according to time constraints.
• Respect the ergonomic aspect of the system. Thus,
the human-computer interface has to be as realistic
as possible.
• Reproduce the system behavior as accurately as
possible, to enable operators to create relevant
mental models of the system.
Plant Model MMI Model
VRML
Report Simulation
engine
SCADA
As a result it was decided for a full simulation with
the architecture shown in Figure 1.
Figure 1: Simulator architecture
The simulation engine is performed by DESIGN-
CPN tool which makes it possible to realize real-time
simulations. In this architecture the simulation engine
is responsible for the plant and the Man Machine
Interface behaviors. The plant MMI interface has two
representations which allow the operator to build
relevant mental models as well from behavior point
of view as ergonomic one. One consists in a virtual
world built with VRML and the other uses a
supervisory software (SCADA) interface style. The
simulator engine communicates with the interface
modules through messages. For both research and
auditory purposes events and actions are recorded in
a simulation report.
III. A Model based OTS
The simulator’s engine approach is based on the use
of formal models. Model verification can ensure that
the reality is represented according to a set of rules
that in turn correspond to a set of model properties.
To be feasible, this approach relies on model
modularity. That is, to represent different scenarios
and plant installations within a company, designers
will need to access readily available libraries with
461 ISBN # 1-56555-316-0
models and components thus easing the process of
model adaptation to specific contexts.
III.1. The simulator engine’s architecture
The simulator’s engine models are organized in two
layers (Figure 2):
• The first layer consists of a set of models that
represent the plant’s behavior and that of the human
interface used to control it (HI model). The HI
model itself is composed of two other models: a
navigation model and a model to represent the
behavior of the interaction objects used in the MMI.
• The second layer is the simulator’s visualization
layer. It consists of the resources needed by the
operators to interact with the simulator in a virtual
reality representation. This virtual representation
encompasses both the MMI with the control panels
and the supervisory system interface. The simulator
also offers an alternative interface that reproduces a
real supervisory software (SCADA) interface.
All those models were built using the formalism
Colored Petri Nets (CPN) [7]. This formalism was
chosen because some of the models had been built in
previous steps of this research (the navigation model).
Yet another reason is that the CPN formalisms
accounts on tools to perform model verification.
Through model verification, given a set of model
properties it is possible to investigate the
corresponding interface ergonomics properties.
VRML
Simulator visualization
representation
layer
TCP/IP COMMS/CPN
TCP/IP
MMI Model
(Supervisory)
TCP/IP
Simulator engine
COMMS/CPN
layer
TCP/IP
Plant Model
Figure 2: Model organization
In the simulator’s architecture, the interconnection
between models, both within and between layers, is
based on message exchange using the TCP-IP
protocol [2].
This protocol gives more flexibility when building
and running the simulator model components. It also
allows for a distributed configuration where model
ISBN # 1-56555-316-0
components may run on different machines, under
different Operating Systems, or even be located
geographically distant and interconnected through the
Web. Model communication is supported by the
library COMMS/CPN [2] that connects a CPN model
to an external process through TCP/IP. The external
process can be any process capable of transmitting
and receiving TCP/IP messages, including other CPN
models. Figure 3 illustrates this library’s architecture
and its relationship with the CPN models through the
TCP/IP protocol.
Petri Net Model
Message Layer
Connection Management Layer
Communication Layer
TCP/IP Protocol
Figure 3: COMMS/CPN Library Architecture
The COMMS/CPN library consists itself of three
modules arranged in layers [2]:
• The communication layer has the TCP/IP basic
transport mechanisms, along with all the primitive
functions related to sockets.
• The message layer is responsible for converting the
Supervisory data into a flow of bytes that compose the message.
software
Messages are exchanged between the model and
external applications.
TCP/IP
• The connection management layer allows for an
TCP/IP
external process to open, close, send and receive
multiple connections. This layer communicates
MMI Model directly with the CPN models. Each connection has:
(Control panels) a unique identification, the TCP port identification
TCP/IP
and the IP address of the destination process.
III.2. The simulator’s human interface
The human interface is a very important component
in the simulator’s design since it is responsible for the
level of realism presented to the trainees. Typically,
in an electrical substation, there are different levels of
interaction between the operator and the plant
equipment. In the plant control room the operator
interacts indirectly with the equipment by means of
control panels or though SCADA software interface.
The installation equipment can also be controlled
remotely from a control centre, through
telecommunication links.
Figure 4 illustrates a substation control room, with
control panels and workstations for supervisory
462 SCSC 2007
control.
This project offers two alternatives for the
operator’s interface, as alr5eady mentioned. The first
one is identical to the workstation interface provided
by the supervisory control software. An alternative
interface consists of a virtual reality representation,
built in VRML [12], for the control panels and the
supervisory software screen.
Figure 4: A perspective view of a substation control room
1) Trainee’s Interface with control panels
To create the virtual world interface between the
operator and the simulator, VRML was used. VRML
is a programming language, developed to support the
building of virtual reality (Figure 5). It allows
representing tri-dimensional (3-D) objects and
building tri-dimensional environments. The 3-D
objects are represented as files similar to HTML, and
thus are platform independent. The 3-D environment
allows for navigation, object visualization and
interaction from different angles.
Figure 5: VRML representation of the substation control
room
Amongst other features, VRML is script executable,
platform independent and supports multi-user
SCSC 2007
environment and data transmission. Given those
features VRML is becoming a standard language in
the development of virtual reality multi-user
applications [1]. In this project the software used for
visualization is FreeWRL [12]. This is an open code
that runs under the Linux operating system.
JAVA classes are employed to communicate the
VRML model and the COMMS/CPN library. These
treat the messages received from the COMMS/CPN,
as well as messages sent by the VRML model to the
COMMS/CPN. The communication between the
JAVA classes and the COMMS/CPN library is
detailed in [2] and [11].
2) Trainee’s interface with the supervisory software
To increase the level of realism during the
interaction with the simulator, a SCADA interface
has also been proposed (cf. figure 6). This interface
replicates the workstation interface found in the
plant’s control room. The purpose of offering two
interface styles in the simulator is to be able to study
the influence of the level of realism on the training
results. The authors anticipate a marginal influence of
the realism on the training results. But this will only
be clarified with the studies to be conducted with the
simulator in a real training environment.
Figure 6: Interface with the supervisory software in the
Simulator
The communication between the simulator and the
SCADA human interface module will happen through
message exchange using the TCP/IP driver, native to
the supervisory software. In this mode, each
interaction object, such as switches and buttons, is
related to a message that will be sent to the plant
model in the simulating engine. In response to the
message, the plant model will change its status and
return a message confirming that the requested action
has been performed. On the arrival of this
463 ISBN # 1-56555-316-0
confirmation, the interface will change its status and
propagate this change to the visualization layer
updating the object representation.
The simulator architecture allows for the
communication with different supervisory software,
Figure 7: Interface model for the supervisory software
3) Instructor’s Interface
In the simulator project an interface will also be
available to the instructor. With it the instructor will
be able to edit and configure critical scenarios to be
run during a training session. It is also being
considered the possibility of introducing real-time
disturbances into the system representation, in order
to simulate equipment failure or malfunctioning. This
interface module will also be used for monitoring the
trainee’s performance during a training session.
IV. SIMULATOR’S ENGINE
The simulator’s engine is performed by the tool
DESIGN-CPN. It is based on three CPN models that
represent respectively the behavior of: the plant
(substation), the control panel user interface and the
supervisory software interface. These formal models
were developed, and later verified, with the aim of
studying the plant and its interface behavior from the
ergonomic point of view [6] [9].
The communication within the engine layer and
between the layers (visualization and simulating
engine) in the simulator’s architecture (cf. Figure 2)
happens as follows:
• The operator can interact either with the VRML
representation or with the supervisory software.
This interaction results in sending a message to the
corresponding CPN model (control panel or
supervisory software).
• The corresponding interface model changes state
and sends a message to the plant model requesting a
command execution. Under normal conditions, the
plant model performs this command. Otherwise (in
the presence of an equipment failure) a message
will be returned to the corresponding interface
model.
• Both interface models evolve according to the
ISBN # 1-56555-316-0
provided that it offers a TCP/IP driver. In this study
the interface was built for the supervisory software:
Elipse Scada [3], and Indusoft [4], both with support
for TCP/IP communication.
received message and in turn send a message to the
corresponding interface representation.
• The interface representation is then updated
according to the messages received, ending the
operation
IV.1. Model of the supervisory software interface
Figure 7 illustrates the model hierarchy for the
trainee interface with the supervisory software. As
illustrated, the behavior of the various interface
objects is modeled in individual sub models. The
objective of this modular structure was to simplify the
adaptation of the simulation engine in order to
represent different installations (substations) in the
same company. The sub-model IHM Industrial is this
model framework built to integrate all its sub models.
Amongst other sub models, the Navigation model,
which is illustrated in figure 8, represents the user
navigation between the interface windows. This
model only represents the main windows of the
supervisory software interface: synoptic, trend graph,
alarms and help. The windows are modeled with
interaction objects needed to navigate between them
as well as the objects needed by the operator to
perform the tasks.
464 SCSC 2007
 Figure 8: The navigation model
The first scenario represented by the simulator
involves three switchgear devices used to control the
energy flow on three output lines of an electric power
substation. In this scenario the substation operator
performs a correct action on the wrong device. This
kind of mistake is the most frequent among the
human errors documented by the CHESF electricity
Company, located in Brazil.

Figure 9: CPN model for the switch break command through the supervisory software

Figure 10 : CPN model of the substation

Given the chosen scenario, the corresponding
simulation engine was built to represent the following
interaction objects: switchgears, a local-remote toggle
switch, transfer switch breakers and bypass
switchgears. The choice of devices as well as the
number of devices represented in the models results
from the choice of the incident scenario to be
simulated as a case study.
Figure 9 illustrates the switch break model. In this
model, a switch break can be either open (no current
flow) or closed (current flow). In order to change its
status, the operator must select the specific device
(transition: Open_CB) and confirm its selection
(transition: Conf_Open). At this point, a message will
be sent to the plant model, which returns another
message acknowledging the request for status change.

SCSC 2007 465 ISBN # 1-56555-316-0

Then it fires the transition CB_Acted1, causing the
interface model to update the representation of the
switch break.
IV.2. Control panel interface Model
This model is very similar to the supervisory
software interface model in respect to the represented
behavior, but it differs considerably from the
operator’s interaction point of view. During the
interaction with the supervisory software the
operator’s actions can be blocked if these are out of a
predefined sequence. In contrast, during the
interaction with the control panel, the operator is free
to choose the task sequence as well as devices and
panels where to perform it.
IV.3. Plant model
Figure 10 illustrates the plant model that represents
the behavior of the elements controlled by the
interface. Currently this model represents switch
breaks and switchgears associated to a voltage line in
a substation.
This model behavior evolves as a consequence of
the transition Act_Circuitbreaker firing, whenever it
receives a message from one of the two interface
models described above. It then returns a new status
to the two models (firing the transition
Return_Status_CB), ensuring that both will correctly
represent the current status of the system. As a result
of this communication between the plant model and
the interface models, the interface representation is
updated giving the user a feedback on the effect of
his actions. One of the requisites to be fulfilled by the
simulator’s project is the facility to adapt the models
in order to represent different plants and scenarios.
For this purpose libraries are being built with a
variety of device models.
V. SIMULATING SCENARIOS
The objective of this simulator is to confront plant
operators with critical situations in order to improve
their reactions during urgency procedures.
The scenarios to be employed during training result
from a previous study that proposed a conceptual
model of incident scenarios related to operators’
errors [14]. This model is at the basis of the
simulator, and enables it to reproduce realistic critical
situations when operating the system.
The conceptual model was obtained through a
cognitive approach from the application of the
method KOD (Knowledge Oriented Design). From
this conceptual model the studied incidents were
classified into scenarios types to be represented by
the simulator. Another result of this study was the
categorization of the human error and an accident
typology for the analyzed corpus. The scenario types
are at the basis of this simulator, making explicit the
list of objects that must be represented in the
ISBN # 1-56555-316-0
simulator to reproduce the situations.
To be able to represent scenarios in the simulator,
it is necessary to adapt the models to represent the
required objects. The instructor must then edit a
scenario by adjusting the model’s state to represent
the plant status at the beginning of the incident; and
bind its behavior through a set of rules.
VI. CONCLUSION
This work is part of a project, which aims to reduce
the occurrence of human errors during industrial
system operation. The proposed strategy is to
improve the human interface design removing the
sources of human error and supporting the user
throughout critical situations. A complimentary
measure is to help improving operator’s skill by
providing tools to support training programs, such as
the simulator here described.
Under the premise that the improvement in
interface design should contribute to the overall task
efficiency, it is necessary to identify task bottlenecks,
which slow down the operator’s performance and
reduce recovery time after incidents. For this purpose
the major research project aims to analyze the
operator’s behavior when dealing with incidents in
order to understand the reasons that lead him into
performing the wrong actions. This understanding
will allow conceiving systems that empower the user,
and mitigate new occurrences of errors.
Having built the simulator engine based on the
formal models has proven to be a more flexible
approach then coding rules in a programming
language and also allowed for model verification. The
engine’s modularity made possible to run the models
on different machines connected through the web.
This feature ensured model independency that in turn
made simpler the adaptation to different installations
and scenarios.
Currently, the simulator engine and the interface
visualizations have been built. On the other hand the
plant model is still being completed to represent
specific scenarios. The idea is to offer means to edit
the CPN models, to represent a variety of plants,
objects and statuses, through a graphical interface.
The next step in this project consists on developing
the tutor module and preparing an experimental
protocol to support the observation of the simulator’s
use and thus perform its validation.
Although the simulator has not yet been completed,
laboratory tests with the first prototype have been
satisfactory.
Given that the simulator will fulfill its requirements
in the real training environment, it is envisaged as
future work the expansion of the object model
libraries to represent other objects needed to represent
new scenarios. It is also intended as future work to
introduce material (equipment and devices) failure in
the plant model. Another feature currently under
466 SCSC 2007
development is the possibility of showing on the Proccedings of INTERACT 2003 Workshop,
same screen the virtual worlds related to panels and Zürich, Switzerland, 2003
the supervisory software. The idea is to allow the [10] P. Neuman, M. Pokorny•, L. Varcop, W.
trainee to interact with either of them through a Weiglhofer, “Engineering and Operator Training
change of focus. Simulator of Coal-Fired Steam Boiler”.
Among the criteria to evaluate the simulator’s Proceedings of the 10th International Conference
adequacy for training purposes is the response time. MATLAB02, Prague, Czech Republic, 2002.
This time can be critical considering that the models [11] R. C. Freitas, M. F. Q. V. Turnell, A. Perkusich,
could be running in different hosts. C. S. L. Xavier, “Representando a IHM de uma
Finally, to ease model editing, it is proposed to Subestação através de Modelos Formais e
create a repository of the simulator’s components and Realidade Virtual”, SBSE 2006, Campina
to associate a technique of model reuse as the one Grande, Brasil, 2006.
proposed in [15]. [12] T. J. Lukka, “FreeWRL – VRML/Browser”.
Harvard Society Fellows.
http://www.perl.org/tpc/1998/User_Applications/
FreeWRL/. 1998.
ACKNOWLEDGMENT [13] U. Spanel, M. Kreutz, C. Roggatz, “Simulator
Based Operator Training − Ensuring Quality of
The authors would like to thank the engineers who Power System Operation”. DUtrain GmbH,
work for the Companhia Hidro Elétrica do São Germany. 2006. url:
Francisco (CHESF) for their support during the www.dutrain.de/en_publikationen.html
development of this research. [14] C. V. S. Guerrero, M. F. Q. V Turnell, , J. M
Mercantini, , E Chouraqui, F. A. Q Vieira, M. R.
REFERENCES B Pereira “Modelling Incident Scenarios to
[1] A. V. Netto et. al. “Realidade Virtual – enrich User Interface Development” In: Human
Fundamentos e Aplicações”, Ed. Visual Books, Error, Safety, and Systems Development ed.:
pp 45-65, 2002. Kluwer Acad. Publ.p. 77-92, 2004.
[2] G. Gsallasch, L. M. Kristensen, “Comms/CPN: A [15] Silva, L. D, Perkusich, A. “Modelagem
Communication Infrastructure for External Sistemática de Sistemas Flexíveis de
Communication with Design/CPN”, Proc. of the Manufatura”. Anais do XIV CBA – Congresso
3rd Workshop on Practical Use of Coloured Petri Brasileiro de Automática, , pp 227- 232, Natal,
Nets and the CPN Tools (CPN’01), pp 79–93, Brasil, 2002.
2001.
[3] Elipse Software. url: www.elipse.com.br
[4] Indusoft – Tools for Automation. url:
www.indusoft.com.br
[5] J. Bartak, P. Chaumès, S. Gissinger, J. Houard, U.
Van Houte, “Operator Training Tools for the
Competitive Market”. IEEE Computer
Applicarions in Power, pp. 25-31, July, 2000.
[6] J-P. Jacquot, D. Quesnot, “Early Specification of
User-Interfaces: Toward a Formal Approach”.
Proceedings of the 19th International Conference
on Software Engineering, May 17 - 23, 1997,
Boston, Massachusetts.
[7] K. Jensen, “Coloured Petri Nets. Basic Concepts,
Analysis Methods and Practical Use, Volume 1”.
Monographs in Theoretical Computer Science,
Springer-Verlag, 1992.
[8] Turnell, Maria de Fatima Queiroz Vieira,
“Accounting for Human Errors in a Method for
the Conception of User Interfaces”. In:
International Mediterranean Modeling
Multiconference - I3M'04, 2004, Genoa, Italy.
Proceedings of I3M'04. 2004.
[9] P. Girard, M. Baron, F. Jambon, “Integrating
Formal Approaches in Human-Computer
Interaction Methods and Tools: an Experience”,

SCSC 2007 467 ISBN # 1-56555-316-0