- •CONTENTS
- •PREFACE
- •LIST OF FIGURES
- •INTRODUCTION
- •1.1 WHAT IS TIME?
- •1.2 SIMULATION
- •1.3 TESTING
- •1.4 VERIFICATION
- •1.6 USEFUL RESOURCES
- •2.1 SYMBOLIC LOGIC
- •2.1.1 Propositional Logic
- •2.1.2 Predicate Logic
- •2.2 AUTOMATA AND LANGUAGES
- •2.2.1 Languages and Their Representations
- •2.2.2 Finite Automata
- •2.3 HISTORICAL PERSPECTIVE AND RELATED WORK
- •2.4 SUMMARY
- •EXERCISES
- •3.1 DETERMINING COMPUTATION TIME
- •3.2 UNIPROCESSOR SCHEDULING
- •3.2.1 Scheduling Preemptable and Independent Tasks
- •3.2.2 Scheduling Nonpreemptable Tasks
- •3.2.3 Nonpreemptable Tasks with Precedence Constraints
- •3.2.5 Periodic Tasks with Critical Sections: Kernelized Monitor Model
- •3.3 MULTIPROCESSOR SCHEDULING
- •3.3.1 Schedule Representations
- •3.3.3 Scheduling Periodic Tasks
- •3.4 AVAILABLE SCHEDULING TOOLS
- •3.4.2 PerfoRMAx
- •3.4.3 TimeWiz
- •3.6 HISTORICAL PERSPECTIVE AND RELATED WORK
- •3.7 SUMMARY
- •EXERCISES
- •4.1 SYSTEM SPECIFICATION
- •4.2.1 Analysis Complexity
- •4.3 EXTENSIONS TO CTL
- •4.4 APPLICATIONS
- •4.4.1 Analysis Example
- •4.5 COMPLETE CTL MODEL CHECKER IN C
- •4.6 SYMBOLIC MODEL CHECKING
- •4.6.1 Binary Decision Diagrams
- •4.6.2 Symbolic Model Checker
- •4.7.1 Minimum and Maximum Delays
- •4.7.2 Minimum and Maximum Number of Condition Occurrences
- •4.8 AVAILABLE TOOLS
- •4.9 HISTORICAL PERSPECTIVE AND RELATED WORK
- •4.10 SUMMARY
- •EXERCISES
- •VISUAL FORMALISM, STATECHARTS, AND STATEMATE
- •5.1 STATECHARTS
- •5.1.1 Basic Statecharts Features
- •5.1.2 Semantics
- •5.4 STATEMATE
- •5.4.1 Forms Language
- •5.4.2 Information Retrieval and Documentation
- •5.4.3 Code Executions and Analysis
- •5.5 AVAILABLE TOOLS
- •5.6 HISTORICAL PERSPECTIVE AND RELATED WORK
- •5.7 SUMMARY
- •EXERCISES
- •6.1 SPECIFICATION AND SAFETY ASSERTIONS
- •6.4 RESTRICTED RTL FORMULAS
- •6.4.1 Graph Construction
- •6.5 CHECKING FOR UNSATISFIABILITY
- •6.6 EFFICIENT UNSATISFIABILITY CHECK
- •6.6.1 Analysis Complexity and Optimization
- •6.7.2 Timing Properties
- •6.7.3 Timing and Safety Analysis Using RTL
- •6.7.5 RTL Representation Converted to Presburger Arithmetic
- •6.7.6 Constraint Graph Analysis
- •6.8 MODECHART SPECIFICATION LANGUAGE
- •6.8.1 Modes
- •6.8.2 Transitions
- •6.9.1 System Computations
- •6.9.2 Computation Graph
- •6.9.3 Timing Properties
- •6.9.4 Minimum and Maximum Distance Between Endpoints
- •6.9.5 Exclusion and Inclusion of Endpoint and Interval
- •6.10 AVAILABLE TOOLS
- •6.11 HISTORICAL PERSPECTIVE AND RELATED WORK
- •6.12 SUMMARY
- •EXERCISES
- •7.1.1 Timed Executions
- •7.1.2 Timed Traces
- •7.1.3 Composition of Timed Automata
- •7.1.4 MMT Automata
- •7.1.6 Proving Time Bounds with Simulations
- •7.2.1 Untimed Traces
- •7.2.2 Timed Traces
- •7.3.1 Clock Regions
- •7.3.2 Region Automaton
- •7.4 AVAILABLE TOOLS
- •7.5 HISTORICAL PERSPECTIVE AND RELATED WORK
- •7.6 SUMMARY
- •EXERCISES
- •TIMED PETRI NETS
- •8.1 UNTIMED PETRI NETS
- •8.2 PETRI NETS WITH TIME EXTENSIONS
- •8.2.1 Timed Petri Nets
- •8.2.2 Time Petri Nets
- •8.3 TIME ER NETS
- •8.3.1 Strong and Weak Time Models
- •8.5.1 Determining Fireability of Transitions from Classes
- •8.5.2 Deriving Reachable Classes
- •8.6 MILANO GROUP’S APPROACH TO HLTPN ANALYSIS
- •8.6.1 Facilitating Analysis with TRIO
- •8.7 PRACTICALITY: AVAILABLE TOOLS
- •8.8 HISTORICAL PERSPECTIVE AND RELATED WORK
- •8.9 SUMMARY
- •EXERCISES
- •PROCESS ALGEBRA
- •9.1 UNTIMED PROCESS ALGEBRAS
- •9.2 MILNER’S CALCULUS OF COMMUNICATING SYSTEMS
- •9.2.1 Direct Equivalence of Behavior Programs
- •9.2.2 Congruence of Behavior Programs
- •9.2.3 Equivalence Relations: Bisimulation
- •9.3 TIMED PROCESS ALGEBRAS
- •9.4 ALGEBRA OF COMMUNICATING SHARED RESOURCES
- •9.4.1 Syntax of ACSR
- •9.4.2 Semantics of ACSR: Operational Rules
- •9.4.3 Example Airport Radar System
- •9.5 ANALYSIS AND VERIFICATION
- •9.5.1 Analysis Example
- •9.5.2 Using VERSA
- •9.5.3 Practicality
- •9.6 RELATIONSHIPS TO OTHER APPROACHES
- •9.7 AVAILABLE TOOLS
- •9.8 HISTORICAL PERSPECTIVE AND RELATED WORK
- •9.9 SUMMARY
- •EXERCISES
- •10.3.1 The Declaration Section
- •10.3.2 The CONST Declaration
- •10.3.3 The VAR Declaration
- •10.3.4 The INPUTVAR Declaration
- •10.3.5 The Initialization Section INIT and INPUT
- •10.3.6 The RULES Section
- •10.3.7 The Output Section
- •10.5.1 Analysis Example
- •10.6 THE ANALYSIS PROBLEM
- •10.6.1 Finite Domains
- •10.6.2 Special Form: Compatible Assignment to Constants,
- •10.6.3 The General Analysis Strategy
- •10.8 THE SYNTHESIS PROBLEM
- •10.8.1 Time Complexity of Scheduling Equational
- •10.8.2 The Method of Lagrange Multipliers for Solving the
- •10.9 SPECIFYING TERMINATION CONDITIONS IN ESTELLA
- •10.9.1 Overview of the Analysis Methodology
- •10.9.2 Facility for Specifying Behavioral Constraint Assertions
- •10.10 TWO INDUSTRIAL EXAMPLES
- •10.10.2 Specifying Assertions for Analyzing the FCE Expert System
- •Meta Rules of the Fuel Cell Expert System
- •10.11.1 General Analysis Algorithm
- •10.11.2 Selecting Independent Rule Sets
- •10.11.3 Checking Compatibility Conditions
- •10.12 QUANTITATIVE TIMING ANALYSIS ALGORITHMS
- •10.12.1 Overview
- •10.12.2 The Equational Logic Language
- •10.12.3 Mutual Exclusiveness and Compatibility
- •10.12.5 Program Execution and Response Time
- •10.12.8 Special Form A and Algorithm A
- •10.12.9 Special Form A
- •10.12.10 Special Form D and Algorithm D
- •10.12.11 The General Analysis Algorithm
- •10.12.12 Proofs
- •10.13 HISTORICAL PERSPECTIVE AND RELATED WORK
- •10.14 SUMMARY
- •EXERCISES
- •11.1 THE OPS5 LANGUAGE
- •11.1.1 Overview
- •11.1.2 The Rete Network
- •11.2.1 Static Analysis of Control Paths in OPS5
- •11.2.2 Termination Analysis
- •11.2.3 Timing Analysis
- •11.2.4 Static Analysis
- •11.2.5 WM Generation
- •11.2.6 Implementation and Experiment
- •11.3.1 Introduction
- •11.3.3 Response Time of OPS5 Systems
- •11.3.4 List of Symbols
- •11.3.5 Experimental Results
- •11.3.6 Removing Cycles with the Help of the Programmer
- •11.4 HISTORICAL PERSPECTIVE AND RELATED WORK
- •11.5 SUMMARY
- •EXERCISES
- •12.1 INTRODUCTION
- •12.2 BACKGROUND
- •12.3 BASIC DEFINITIONS
- •12.3.1 EQL Program
- •12.3.4 Derivation of Fixed Points
- •12.4 OPTIMIZATION ALGORITHM
- •12.5 EXPERIMENTAL EVALUATION
- •12.6 COMMENTS ON OPTIMIZATION METHODS
- •12.6.1 Qualitative Comparison of Optimization Methods
- •12.7 HISTORICAL PERSPECTIVE AND RELATED WORK
- •12.8 SUMMARY
- •EXERCISES
- •BIBLIOGRAPHY
- •INDEX
EXERCISES 365
state-space graphs checked in most cases have been effectively reduced, resulting in an obvious reduction in the time spent in analyzing real-time rule-based systems.
Applying our approach to the three systems (i.e., the SSV program, the ISA program, and the FCE program), we found that the programs can be partitioned into subsets, most of which are in known special forms. The subset of rules not in special form actually contains rules which lead to unbounded rule firings. So far, we do not have statistical data to show the percentage of programs that can be analyzed by the special form approach. However, from the limited experience we have, it is our view that this is a feasible approach to reducing the time needed to conduct analysis.
Chapter 11 describes the time analysis of more expressive, predicate-logic rulebased languages such as OPS5 [Forgy, 1981] and MRL [Wang, 1990a], both of which allow the use of structured variables.
EXERCISES
1.Why is the timing analysis of rule-based systems more difficult than that of sequential programs?
2.Describe the system represented by the rule-based program in example 2 (object detection) in terms of the real-time decision system model shown in Figure 10.1.
3.Construct the state-space graph corresponding to the rule-based program in example 2.
4.How can a model-checking algorithm such as the one for the computation tree logic be used to analyze the response time of EQL rule-based systems with finitedomain variables?
5.Consider the following EQL program:
arbiter := b ! wake_up = false |
IF (error = a) |
|
[] object_detected := true |
|
|
IF (sensor_a = 1) |
AND (arbiter = a) AND (wake_up = true) |
|
[] object_detected := false |
|
|
IF (sensor_a = 0) |
AND (arbiter = a) AND (wake_up = true) |
|
[] arbiter := a ! wake_up = |
false |
IF (error = b) |
[] object_detected := true |
|
|
IF (sensor_b = 1) |
AND (arbiter = b) AND (wake_up = true) |
|
[] object_detected := false |
|
|
IF (sensor_b = 0) |
AND (arbiter = b) AND (wake_up = true) |
Use the general analysis strategy to analyze this program and report the analysis results.
6.Construct the enable-rule graph for the following rules and identify the simple cycles, if any.
366 |
DESIGN AND ANALYSIS OF PROPOSITIONAL-LOGIC RULE-BASED SYSTEMS |
|
state3 := failed IF find_bad_things = true AND |
|
state3 = suspect AND |
|
NOT (rel1_state = suspect AND rel1_mode = on AND |
|
rel1_type = direct) |
[] |
state4 := nominal ! reconfig4 := true |
|
IF state4 = failed AND mode4 <> off AND config4 = bad |
[] |
state3 := nominal ! reconfig3 := true |
|
IF state3 = failed AND mode3 <> off AND config3 = bad |
[] |
sensor3 := bad ! state3 := suspect IF state1 = suspect AND |
|
rel1_mode = on AND rel1_type = direct AND |
|
state3 = nominal AND rel3_mode = on AND |
|
rel3_type = direct AND state4 = suspect AND |
|
find_bad_things = true |
7.Specify Special Form D in the Estella specification language.
8.Explain the difficulty in checking whether two enabling conditions are mutually exclusive. Describe how the approximation algorithm presented tackles this analysis complexity.
9.Why is the response-time analysis of EQL programs that assign expressions containing variables to left-side variables much more difficult than those with only constant assignments?
10.Determine an upper bound on the execution time in terms of the number of rule firings for the following EQL program:
PROGRAM Example 1
INPUTVAR
a,b : INTEGER;
VAR
c,d,e,f,g,h:INTEGER;
INIT
c:=0,d:=0,e:=0,f:=0,g:=0,h:=0
RULES |
|
(*r1*) |
c:=1 IF a>0 and b>0 |
(*r2*)[] |
c:=2 IF a>0 and b<=0 |
(*r3*)[] |
d:=2 IF a<=0 |
(*r4*)[] |
d:=c IF a>0 |
(*r5*)[] |
e:=c+1 IF c<=1 and b>0 |
(*r6*)[] |
f:=c+1!e:=c-1 IF c<=1 and b<=0 |
(*r7*)[] |
f:=c-1 IF c>=0 |
(*r8*)[] |
g:=1!h:=1 IF f>1 and d>1 |
(*r9*)[] g:=2!h:=2 IF f<=1 and e>1
END.
CHAPTER 11
TIMING ANALYSIS
OF PREDICATE-LOGIC
RULE-BASED SYSTEMS
As rule-based expert systems become widely adopted in new application domains such as real-time systems, ensuring that they meet stringent timing constraints in these safety-critical and time-critical environments emerges as a challenging problem. As described in detail in chapter 10, in these systems, a change in the environment may trigger a number of rule firings to compute an appropriate response. If the computation takes too long, the expert system may not have sufficient time to respond to the ongoing changes in the environment, making the result of the computation useless or even harmful to the system being monitored or controlled. To evaluate and control the performance of a real-time expert system, it is necessary to relate the quality of a response computed by the expert system to the time available to compute it.
Even in a case where response time is not a major concern or a deadline is not imposed, the predictability is still a desired quality which may improve the resource utilization or the user productivity. For example, if the programmer has a tool to measure an upper bound on the maximal program response time, he/she will not have to guess whether the program runs into an infinite loop or the program just takes a long time to complete execution, thus avoiding unnecessary waiting for the program to complete execution or undesirable interrupting of program execution. This is particularly true for production systems whose rule firing patterns depend on initial working memory contents.
Unfortunately, rule-based expert systems are computationally expensive and slow. Moreover, they are considered less predictable and analyzable because of their context-sensitive control flow and possible nondeterminism. To remedy this problem, two solutions are proposed in the literature. The first is to reduce the execution time via parallelism in the matching phase and/or firing phase of the MRA [Brownston et al., 1986] cycle. Several approaches [Cheng, 1993b; Ishida, 1994; Kuo and
367
368 TIMING ANALYSIS OF PREDICATE-LOGIC RULE-BASED SYSTEMS
Moldovan, 1991; Pasik, 1992; Schmolze, 1991] have been provided to achieve this goal. The other solution is to optimize the expert system by modifying or resynthesizing the rule base if the response time is found to be inadequate [Zupan and Cheng, 1994a; Zupan and Cheng, 1998].
In this chapter, we present more approaches for the response-time analysis of rule-based systems. In particular, we study the timing properties of programs written in the predicate-logic-based OPS5 language [Forgy, 1981] (and other OPS5-style languages), which is not designed for real-time purposes although it has been widely adopted in practice. In chapter 10, we introduced the propositional-logic-based rulebased language EQL (equational rule-based language), for real-time applications. EQL is a simple, rule-based language with well-defined semantics. It has been used to program a number of practical real-time applications.
OPS5 exhibits an incremental increase in expressiveness over MRL [Wang, Mok, and Cheng, 1990; Wang, 1990a] but it is not as complex as more recent objectoriented rule-based languages. OPS5 has been successfully used in a variety of applications [Forgy, 1985]. MRL is designed to be an extension of EQL. It includes set variables (working memories) and logical quantifiers over set variables. However, MRL does not include the timing tags in its working memory, so many conflict resolution strategies, such as LEX and MEA, cannot be applied to MRL programs. It is entirely the programmer’s responsibility to guarantee that any firing sequence is a normal execution flow. Under this situation, the programmer usually needs to avoid interference among rules; otherwise, the program may be hard to debug and maintain.
OPS5 has been used to implement several industrial expert systems, including MILEX (The Mitsui Real Time Expert System) and XCON/R1, which is generally considered the first commercially successful expert system [Forgy, 1985].
Our goal is to obtain a tighter bound on the execution time that is close to the real upper bound. We consider the case where an OPS5 expert-system program forms the decision module of a real-time monitoring and controlling system [Payton and Bihari, 1991]. This real-time system takes sensor input readings periodically, and the embedded expert system must produce, based on these input values and state values from previous invocations of the expert system, an output decision that ensures the safety and progress of the real-time system and its environment prior to the taking of the next sensor input values. Thus, the upper bound on the expert system’s execution time cannot exceed the length of the period between two consecutive sensor input readings [Cheng et al., 1993; Chen and Cheng, 1995b]. Therefore, our goal is to determine, before run-time, a tight upper bound on the execution time of the expert system in every invocation following each reading of sensor input values.
To analyze the timing behavior of an OPS5 program, we first formalize a graphical representation of rule-based programs. This high-level data-dependency graph captures all possible logical control paths in a program. Based on this graph, we design a termination detection algorithm to determine whether an OPS5 program always terminates in bounded time. If an OPS5 program is not detected to terminate for all initial program states, then the “culprit” conditions that cause nontermination are extracted to assist programmers in correcting the program. They then modify