334 DESIGN AND ANALYSIS OF PROPOSITIONAL-LOGIC RULE-BASED SYSTEMS
10.12.1 Overview
We have described a set of preliminary tools for analyzing EQL programs that was reported in [Browne, Cheng, and Mok, 1988]. The function of this set of tools is to check whether or not the execution of a given EQL program always terminates in a bounded number of rule firings. Several real-life real-time rule-based programs have been rewritten in EQL and analyzed by this set of tools (e.g., the Cryogenic Hydrogen Pressure Malfunction Procedure of the Space Shuttle Vehicle Pressure Control System [Helly, 1984], the Integrated Status Assessment Expert System [Marsh, 1988], the Fuel Cell Expert System).
To avoid exhaustive state and path exploration when determining the responsetime upper bounds for the programs in which we are interested, we have introduced sets of syntactic and semantic constraint assertions such that if the EQL program p satisfies any of them, then the execution of p always terminates in bounded time. Each of these sets is called a special form. A facility called Estella with which the programmer can specify special forms and application-specific knowledge has been developed and integrated into analysis tools [Cheng and Wang, 1990; Cheng et al., 1993]. Cheng and Chen [Cheng, 1992b] report a response-time bound analysis based on the concept of special form.
Here, we prove the existence of two special forms and present algorithms for determining the response-time upper bounds of EQL programs satisfying a known special form. We employ a static method that performs an a priori syntactic and semantic check to see if the imposed timing constraints are met. We describe two quantitative algorithms, Algorithm A and Algorithm D, used to calculate the maximal response time of EQL programs satisfying a known special form.
To enhance the applicability of the presented algorithms and further reduce the time needed in analyzing EQL programs, the general analysis algorithm [Cheng and Wang, 1990] is used to partition this program such that only a small part of the given program is checked at one time. The general analysis algorithm partitions a program p into a hierarchy of sets of rules and takes advantage of the fact that the execution of a higher-level set is independent of that of a lower-level set. Hence, the execution of the program p can be regarded as the sequential execution of a series of subsets of rules of p. For each subset S, a syntactic and semantic check on S is conducted to see if S is in a known special form. If S is in a known special form, the corresponding algorithm is used to determine an upper bound on the number of rule firings by S during the execution of p; otherwise, the aforementioned temporallogic model checker and timing analyzer are used to conduct an exhaustive check on the state-space graph of S to obtain an upper bound on the number of rule firings by S. If S does not have a finite upper bound on the number of rule firings, neither does p. Then, the general analysis algorithm will report this situation and stop at this point. If p is found not to have a finite upper bound on the number of rule firings, an optimization method reported in [Zupan and Cheng, 1994b; Zupan and Cheng, 1998] can be applied to transform p into a program with a bounded response time.
Since our method in most cases does not require checking the entire state-space graph of the system at hand, it makes the analysis of systems with a large num-
QUANTITATIVE TIMING ANALYSIS ALGORITHMS |
335 |
ber of rules and variables feasible. A suite of computer-aided software engineering tools based on this analysis approach has been implemented. It has been successfully used to analyze the aforementioned real-time rule-based expert systems developed by Mitre and NASA for the Space Shuttle and the planned Space Station [Cheng and Wang, 1990; Cheng et al., 1993]. These analysis tools show a dramatic improvement in terms of time and space over the other suite of tools that primarily relies on exhaustive state-space graph checks, as evidenced by the two seconds of time the former took in comparison with the two weeks of time the latter took when these two suites of tools were separately applied to analyze the aforementioned Cryogenic Hydrogen Pressure Malfunction Procedure of the Space Shuttle Vehicle Pressure Control System [Browne, Cheng, and Mok, 1988].
We briefly review the syntax and semantics of EQL and the concept of special forms. Then we prove the existence of two special forms. Two algorithms used to obtain response-time upper bounds for programs satisfying these special forms are presented. We discuss how the general analysis algorithm can be used to enhance the applicability of the presented algorithms.
10.12.2 The Equational Logic Language
An EQL program has a set of rules for updating variables that denote the state of the physical system under control. The firing of a rule assigns a new value to at least one variable to reflect changes in the external environment as detected by sensors. Sensor readings are sampled periodically. Every time sensor readings are taken, the variables are recomputed iteratively by a number of rule firings until no further change in the variables can result from the firing of a rule. The EQL program is then said to have reached a fixed point. Intuitively, the rules in an EQL program are used to express the constraints on and the goals of the system. If a fixed point is reached, the variables have settled down to a set of values that are consistent with the constraints and goals as expressed by the rules.
Let p denote an EQL program. p consists of a finite set of rules and a finite set of variables denoting the state of the system. The set of variables is called the state variable, ξ, which consists of two parts: the input variables and the non-input variables. That is,
ξ= [X, Y ]
= [x1, x2, . . . , xn , y1, y2, . . . , ym ],
where for each i, xi is the ith input variable, and for each j, y j is the jth non-input variable. The values of input variables are obtained through sensor readings sampled periodically and cannot be changed throughout the execution of p, whereas the noninput variables may be changed as the system progresses.
The set of rules is used to modify the state variable to reflect the progress of the system. For each rule r in p, r, consisting of a set of assignments and an enabling
336 DESIGN AND ANALYSIS OF PROPOSITIONAL-LOGIC RULE-BASED SYSTEMS
condition, is of this form
e1 | · · · | ed IF EC,
where d ≥ 1 and the symbol | stands for parallel AND, which means these assignments are simultaneously carried out. For each i, 1 ≤ i ≤ d, ei denotes an assignment of this form: ai := bi . ai is a non-input variable that is assigned the value of the arithmetic/Boolean expression bi if the rule r is fired. EC is a predicate on the variables in the program and is called the enabling condition, which can be viewed as a mapping from V to {true, false}, where V denotes the set of possible values of the state variable. There is a subset Vr V such that, for each s Vr , the value of the EC of r is true with respect to s. Also, for each variable x, a set Vr,x exists such that the number z is contained in Vr,x if and only if an s Vr exists whose x-component is equal to the value of z.
r is a single-assignment rule if it contains only one assignment expression; otherwise, it is a multiple-assignment rule. To facilitate the explanation later, the rule r is referred to by:
•LHS: the left-hand side(s) of the assignment expression(s),
•RHS: the right-hand side(s) of the assignment expression(s), and
•EC: the enabling condition.
The variables appearing in r are usually classified into three sets (similar definitions are used to define L p , Rp, and Tp for the program p):
•Lr = {v | v appears in the LHS of r},
•Rr = {v | v appears in the RHS of r}, and
•Tr = {v | v appears in the EC of r}.
The rule r is enabled if and only if its enabling condition is evaluated to be true; otherwise, it is disabled. r is fireable if and only if (1) it is enabled and (2) the firing of r changes the value of a variable in Lr . If r is selected (scheduled) to be executed, then it is fired. The firing of r consists of evaluating all of the RHS expressions of r in a parallel manner, followed by updating the LHS variables of r in a parallel manner with the values of corresponding RHS expressions. Note that the fact that r is fireable does not mean that r must be fired during the execution. It may be that the firing of another rule disables r before r is selected to be fired. Furthermore, a rule could be fired multiple times during execution.
The ith subrule of r, denoted ri of this form: ai := bi IF EC, is a singleassignment rule consisting of the ith assignment expression and the enabling condition of r. Hence, the rule r can be regarded as being composed of one or more subrules with the same enabling condition. For each subrule ri , if a new value is assigned to the variable in Lri when r is fired, we say that ri is fired. There may be more than one subrule being fired when r is fired.
QUANTITATIVE TIMING ANALYSIS ALGORITHMS |
337 |
10.12.3 Mutual Exclusiveness and Compatibility
If r and r cannot be enabled simultaneously, then they are mutually exclusive (in terms of enabledness) to each other. The mutual exclusion graph is used to demonstrate the property of mutual exclusiveness among rules.
Mutual-Exclusion Graph: Let S denote a set of rules. The mutual-exclusion (ME) graph G SM E = (V, E) is a labeled graph. V is a set of vertices representing rules such that there is a vertex labeled r in V if and only if there is a rule r in S. E is a set of edges representing the property of mutual exclusiveness such that E contains the edge (r, r ) connecting the vertex r and the vertex r if and only if the rule r and the rule r are mutually exclusive to each other.
r and r are compatible in terms of modifying the variables if and only if at least one of the following conditions holds (in the remainder of this chapter, two rules being compatible refers to two rules being compatible in terms of modifying the variables):
CR1. r and r are mutually exclusive (in terms of enabledness) to each other. CR2. Lr ∩ Lr = .
CR3. For each variable x in Lr ∩ Lr , r and r agree on the expression assigned to x.
To check the property of compatibility among a set of n rules, it takes O(n2)- time for checking (CR2) and (CR3), and, in the worst case, exponential time for checking (CR1) (and constructing the ME graph). In our analysis tools, this mutual- exclusion-checking procedure is implemented by using an approximation algorithm that takes quadratic time for checking (CR1). It produces correct results for all of our test programs. The section on Estella provides details.
10.12.4 High-Level Dependency Graph
The high-level dependency (HLD) graph of a program shows the dependencies among subsets of rules in this program and is used as the basis to assign priorities to rules. Each of the vertices in the HLD graph represents a subset of rules and is called a forward-independent set.
The fireability of r (and the result of the firing of r) is not affected by the firing of r , if Lr ∩ Tr = and Lr ∩ (Lr Rr ) = . The first condition ensures that the firing of r has nothing to do with the enabledness of r, whereas the other means that, for each variable x Lr , the firing of r has nothing to do with the value of x. If the fireability of r (and the result of the firing of r) is not affected by the firing of r during the execution of p, we say r is independent of r .
Assume S and S are two sets of rules. If, for each pair of rules r S and r S , r is independent of r , we say the set S is independent of the set S . Hence, the set S is independent of the set S if L S ∩ (TS L S RS ) = [Cheng et al., 1993], which
338 DESIGN AND ANALYSIS OF PROPOSITIONAL-LOGIC RULE-BASED SYSTEMS
Input A set, p, of EQL rules.
Output The high-level dependency graph G p .
1. For each rule r p, create a vertex labeled r.
2. Let S contain rule i and let S contain rule j, i = j. If the condition L S ∩(TS L S RS ) =
is not satisfied, create a directed edge from the vertex i to the vertex j.
3.Find every strongly connected component in the dependency graph G(V, E) constructed
by step 1 and step 2. Let C1, C2, . . . , Cm be the strongly connected components of
G(V, E).
4.Define G p (V , E) as follows:
V = {C1, C2, . . . , Cm }
E = {(Ci , C j ) | i = j, (x, y) E, x Ci , and y C j }
Figure 10.11 The high-level dependency graph construction procedure.
constitutes a sufficient but not necessary condition for independence. If S and S do not satisfy the above condition for independence, the corresponding HLD graph contains a directed edge from the vertex representing S to the vertex representing S , and the rules in S are assigned lower priorities than the rules in S . Rules in the same forward-independent set are assigned the same priority.
[Cheng et al., 1993] report an HLD graph construction procedure, shown in Figure 10.11. This procedure requires O(n2)-time to construct the HLD graph for an n-rule program. For more details about the HLD graph, the reader is referred to [Cheng et al., 1993].
Example 9. The following is a sample EQL program, where the symbol [] serves as a delimiter between two rules.
PROGRAM Program 1 VAR
c, d, e, f, g, h : integer; x, y, z : boolean;
INPUTVAR
a, b : integer; INIT
c:= 0, d := 0, e := 0, f := 0, g := 0, h := 0, x := true, y := true, z := true
INPUT read(a, b)
RULES
(*1*) c := 1 IF a > 0 and b > 0 (*2*) [] c := 2 IF a > 0 and b ≤ 0 (*3*) [] d := 2 IF a ≤ 0