360DESIGN AND ANALYSIS OF PROPOSITIONAL-LOGIC RULE-BASED SYSTEMS

•g1 is also in C, as shown in Figure 10.22(a). An EV cycle exists in GRDp , violating (D2). Hence g1 cannot possibly be in C.

•g1 is not in C, as shown in Figure 10.22(b). The argument applied to r 1 also applies to g1. We conduct another sequence of reasoning, starting from g1. Another VM cycle C2 will be found. Then another sequence of reasoning will be initiated, starting from a subrule that enables a subrule in C2. We continue to apply the argument, and a sequence of VM cycles connected by ER edges will be found, since only a finite number of rules exist in p. Hence, an EV cycle consisting of edges from these VM cycles and ER edges connecting these VM cycles will be found, violating (D2).

Since both cases violate (D2), this situation will not occur either. Since none of the above cases will happen, r1 cannot possibly be fired infinitely often. Therefore, we conclude that if p is a Special Form D program, p always reaches a fixed point in a bounded number of rule firings.

10.13 HISTORICAL PERSPECTIVE AND RELATED WORK

Research in real-time rule-based systems has started attracting attention in the last few years, for example, [Benda, 1987], [Helly, 1984], [Koch et al., 1986], [O’Reilly and Cromarty, 1985], [Laffey et al., 1988], but very little work has been done on verifying performance guarantees. Our work complements the variable precision logic (VPL) approach of [Michalski and Winston, 1986] and [Haddawy, 1986; Haddawy, 1987]. VPL was introduced as a tool to vary the certainty of an inference to conform to a timing constraint. An inference system for VPL can be regarded as a flexible algorithm that can trade off the certainty of an inference for the time required to achieve it. Our emphasis, however, is on ensuring that before run-time the desired quality of the decisions made by a rule-based program can indeed be achieved within the time budget available to it. We note that a fixed point in EQL may correspond to an acceptable approximation of the system state and not necessarily the exact state. Our problem formulation is sufficiently general to allow for variable precision algorithms.

Several researchers have begun investigating real-time expert systems in the last few years. [Benda, 1987] and [Koch et al., 1986] described the requirements of realtime knowledge-based systems in the aerospace industry. [O’Reilly and Cromarty, 1985] were among the first to explain that increasing execution speed does not necessarily guarantee that an expert system can meet real-time performance constraints. [Helly, 1984] showed an optimized programmable-logic array implementation of an expert system for monitoring the hydrogen fuel system aboard the Space Shuttle. [Laffey et al., 1988] provided an overview of real-time expert systems and described techniques for ensuring real-time performance. For instance, the use of more deterministic controls, such as control variables, and more restricted conflict resolution

strategies is proposed as a way to reduce the variability in the actual execution time of expert systems. [Payton and Bihari, 1991] argued that different levels (planning, knowledge-base access, computation, sensing) of an intelligent control system must closely cooperate in order to achieve real-time performance and adaptivity.

Many researchers also study the impact of parallelism in optimizing the performance of expert systems but usually do not consider the satisfaction of hard realtime constraints. For instance, [Ishida, 1991] proposed a parallel OPS5 rule-firing model consisting of three components: an inference analysis tool for detecting cases in which parallel rule firing yields results different from sequential firing, a parallel firing algorithm for firing rules in parallel in a multiprocessor architecture, and a parallel programming environment for providing language facilities to enable programmers to exploit parallelism. [Gupta, 1987] presented a parallel Rete algorithm which exploits parallelism at a very fine grain to reduce variations in the processing cost of productions affected in each recognize–act cycle, and described a hardware task scheduler for scheduling fine-grained tasks. [Oshisanwo and Dasiewicz, 1987] argued that not all the effects of parallelism can be determined at compile time, and thus on-line techniques must be applied to extract a higher degree of parallelism from the production system at run-time. Simple checks are developed for run-time detection of interference due to parallel rule firings. [Schmolze, 1991] described techniques for guaranteeing serializable results in synchronous parallel production systems. [Cheng, 1993b] introduced techniques for the automated extraction of rule-level parallelism from rule-based programs based on the analysis methodology reported in this chapter.

[Wang, Mok, and Emerson, 1992] claimed that few attempts have been made to formally address the response-time analysis problem. [Lark et al., 1990] considered the design and implementation issues in the development of Lockheed Pilot’s Associate system. They advocated using experimentation and analysis to guarantee timeliness by requiring the application programmer to set an upper bound on process duration by extensive experimentation but did not show how to verify that the system will satisfy this upper bound. [Aiken, Widom, and Hellerstein, 1992] presented a static analysis method for determining whether arbitrary sets of database production rules satisfy certain properties, including termination. A directed graph demonstrating the triggering relationship among rules is checked to see if the execution of the corresponding set of rules is guaranteed to terminate. Some conditions that guarantee the property of termination are introduced. However, they do not provide an algorithm for obtaining an execution time (or execution time upper bound) for a set of rules that is found to have the property of termination. [Abiteboul and Simon, 1991] discussed, among other properties, the property of termination in the context of Datalog and its extensions and showed that this property is in general undecidable. Although they addressed the issue of whether a given language possesses the property of termination, the issue of determining whether an arbitrary program possesses the property of termination was not addressed.

Instead of addressing the response-time analysis problem, a great deal of effort has been focused on improving the speed of execution. [Ceri and Widom, 1991]

362 DESIGN AND ANALYSIS OF PROPOSITIONAL-LOGIC RULE-BASED SYSTEMS

developed a method to automatically derive efficient view-maintenance production rules exploiting the technique of incremental maintenance in the context of database systems. [Brant et al., 1991] studied the effects of the size of state space on the performance of the inference mechanism of a rule system. They claimed that it is possible to eliminate some states while improving performance by using lazy matching algorithms instead of evaluating all active rules.

Furthermore, extensive discussion has taken place on the exploitation of parallelism, and several parallel processing techniques have been proposed and applied to enhance the performance of rule-based systems [Ishida, 1991; Ishida and S. Stolfo, 1985; Kuo and Moldovan, 1991; Schmolze, 1991; Stoyenko, Hamacher, and Holt, 1991]. For example, [Ishida, 1991] proposed a parallel OPS5 rule firing model in which techniques based on a data dependency analysis for detecting interference among multiple rule firings are given. A parallel firing algorithm for firing rules in parallel in a multiprocessor architecture is also given. [Stoyenko, Hamacher, and Holt, 1991] proposed a parallel rule-based language, PARULEL, which is based on an inherently parallel execution semantics. They argued that sequential rule languages “hide” much of the parallelism inherent in the task to be solved by the rule program. [Kuo and Moldovan, 1991] identified the compatibility problem, caused by interfering rules, and the convergency problem, caused by violation of the problemsolving strategy, associated with a multiple rule firing system. They claimed that, to resolve these problems, it is not sufficient to just view a program as a collection of rules and concurrently fire compatible rules. It is also necessary to consider the effect of multiple rule firings on the problem-solving strategy.

However, rather than fast execution, the most important property of a real-time system should be the fulfillment of timing constraints. Fast execution helps to meet stringent timing constraints, but fast execution alone does not guarantee the fulfillment of timing constraints.

In this chapter, the time a rule-based program takes to converge to a fixed point is measured in terms of the number of rules fired. A more accurate measure would take into account the actual execution of each rule fired and the actual evaluation (match) time to determine which rule(s) can be fired next. We addressed some of these issues and proposed an efficient match algorithm in [Wang, Mok, and Cheng, 1990]. This new match algorithm lends itself to compile-time analysis of time bounds for the match part of expert-system execution, and it is more amenable to a number of optimization techniques on space-versus-time tradeoff. To further control the response of an expert system, we limit the size of the working memory by setting some criteria for accepting new working memory elements. This can be accomplished by means of a filter which may be dynamically adjusted to keep the size of the working memory manageable by throwing out less reliable data from a noisy sensor.

[Cheng et al., 1991] first proposed the Estella language for specifying special forms and application-specific knowledge. Estella is then refined and an analysis facility is described in [Cheng et al., 1993]. [Zupan, Cheng, and Bohanec, 1995a; Zupan, Cheng, and Bohanec, 1995b] described a static stability analysis method for fuzzy rule-chaining real-time systems.

SUMMARY 363

10.14 SUMMARY

The main focus of this chapter is to address the question of whether a real-time decision system is sufficiently fast to meet stringent response-time requirements. We have provided a formal framework for investigating this question for propositional-logic rule-based programs. Our formulation makes use of the state-space representation of rule-based programs and relates the response time of a system to the length of paths to fixed points in the state-space graph. The analysis problem is to determine if a given program can always reach a fixed point within a bounded number of rule firings. The synthesis problem is how to make programs that are not fast enough meet response-time constraints.

The analysis problem is in general undecidable and is PSPACE-complete for programs with finite domains. We have developed a general strategy for tackling the analysis problem which combines exhaustive state-space search and the recognition of special forms of subsets of rules by textual analysis. The synthesis problem is in general NP-hard and is related to the time-budgeting problem. We have proposed a novel approach for solving the synthesis problem, using the method of Lagrange multipliers.

To support the development of real-time decision systems with stringent timing and integrity constraints, we have developed a suite of tools for prototyping programs for an equational rule-based language called EQL. Implementation of tools has been completed for (1) translating an EQL program into a C program, (2) transforming an EQL program into its state-space graph, (3) verifying assertions stated in temporal logic (Computation Tree Logic) about the EQL program, and (4) determining the maximum number of iterations and the sequence of rules that must be fired for an EQL program to reach a safe fixed point. We have used these tools to analyze a large subset of the Cryogenic Hydrogen Pressure Malfunction Procedure in the Pressure Control System of the Space Shuttle Vehicle. Chapter 12 describes algorithms to synthesize programs from ones that do not meet their response-time constraints.

Then we describe a specification facility called Estella, for specifying behavioral constraint assertions about real-time EQL programs. This facility allows customization of the analysis tools so that they can be applied to the analysis of applicationspecific rule-based systems. The Estella facility allows the programmer to specify information about the rule-based program that is too hard to be detected by the general analyzer. The development of the Estella–General Analysis Tool as a computer-aided software engineering tool is a significant step for aiding the rapid prototyping and development of expert systems with guaranteed response time. In particular, the programmer uses the analysis tool to focuse on the sets of rules that potentially cause the timing violations so that he/she can apply application-specific knowledge to further analyze the rule-based program. Considering the complexity and unpredictability of rule-based programs, this tool is extremely useful in aiding the debugging of the detected timing violations. The techniques proposed and implemented in this chapter constitute an important contribution to the timing analysis of real-time rule-based

364 DESIGN AND ANALYSIS OF PROPOSITIONAL-LOGIC RULE-BASED SYSTEMS

systems, given the fact that fully automated analysis and synthesis of such systems are notoriously difficult to develop.

Up to this point, the time a rule-based program takes to converge to a fixed point is measured in terms of the number of rules fired. A more accurate measure would take into account the actual execution time of each rule fired and the actual evaluation (match) time to determine which rule(s) can be fired next. We address some of these issues and propose an efficient match algorithm in [Wang, Mok, and Cheng, 1990]. This new match algorithm lends itself to compile-time analysis of time bounds for the match part of expert system execution, and it is more amenable to a number of optimization techniques on space versus time tradeoff.

Traditionally, real-time rule-based systems have been designed and built using ad hoc techniques, resulting in tremendous difficulties in formally verifying the response times of resulting systems. Formal analysis of timing requirements is often ignored. Instead, a lot of research has focused on improving the response time of systems. However, it is true that fast computing alone is not enough for real-time systems. The fulfillment of imposed timing constraints should be the most important goal in designing real-time rule-based systems.

The emphasis of this chapter is on determining response-time upper bounds for real-time rule-based systems. A static method employing a priori syntactic and semantic checks is proposed.

Although some classes of real-time decision systems do exist whose response times are predictable, the amount of time needed to analyze these systems to predict their response time is usually large. However, the authors have observed that the use of simple syntactic and semantic checks of programs, coupled with other techniques such as state-space graph checks, can dramatically reduce the time needed to analyze these systems. It has been found that sets of syntactic and semantic constraint assertions exist such that if p satisfies any of them, the execution of p always terminates in bounded time. Each set of syntactic and semantic constraint assertions is called a special form. The set of programs satisfying a particular special form is thus a subclass of the class of all programs.

The existence of two special forms, namely Special Form A and Special Form D, for EQL programs has been proved. For each of these two special forms, an algorithm has been developed to obtain response-time upper bounds for programs satisfying the special form. Each algorithm takes advantage of the characteristics of the subclass for which it is intended to be used. Hence, although the subclass of programs in Special Form A is actually a subset of the subclass of programs in Special Form D, the former is isolated as a subclass to be handled by Algorithm A so that better upper bounds can be obtained. Another advantage of having Special Form A is that a program with acyclic variable dependency can be checked to determine whether it has a bounded response time without using exhaustive state-space graph checks [Cheng, 1993b].

To enhance the applicability of the proposed algorithms, the general analysis algorithm is employed so that the proposed algorithms can be collectively used to analyze a program that as a whole is not in a known special form. Although the general analysis algorithm uses an exhaustive state-space graph check in some cases, the sizes of