COMPOSITIONAL MODEL-BASED DESIGN: A GENERATIVE APPROACH TO THE CONCEPTUAL DESIGN OF PHYSICAL SYSTEMS

by Prasanta Bose

A Dissertation Presented to the FACULTY OF THE GRADUATE SCHOOL, UNIVERSITY OF SOUTHERN CALIFORNIA, In Partial Fulfillment of the Requirements for the Degree DOCTOR OF PHILOSOPHY (Computer Science)

December 1993

Copyright 1993 Prasanta Bose

UMI Number: DP22859. All rights reserved.

INFORMATION TO ALL USERS
The quality of this reproduction is dependent upon the quality of the copy submitted. In the unlikely event that the author did not send a complete manuscript and there are missing pages, these will be noted. Also, if material had to be removed, a note will indicate the deletion.

Dissertation Publishing. UMI DP22859. Published by ProQuest LLC (2014). Copyright in the Dissertation held by the Author. Microform Edition © ProQuest LLC. All rights reserved. This work is protected against unauthorized copying under Title 17, United States Code. ProQuest LLC, 789 East Eisenhower Parkway, P.O. Box 1346, Ann Arbor, MI 48106-1346

UNIVERSITY OF SOUTHERN CALIFORNIA, THE GRADUATE SCHOOL, UNIVERSITY PARK, LOS ANGELES, CALIFORNIA 90007

This dissertation, written by Prasanta Bose under the direction of his Dissertation Committee, and approved by all its members, has been presented to and accepted by The Graduate School, in partial fulfillment of requirements for the degree of DOCTOR OF PHILOSOPHY

Dean of Graduate Studies
Date: December 3, 1993
DISSERTATION COMMITTEE
Chairperson

Acknowledgements

I thank:

My thesis advisor, Shankar Rajamoney, for his guidance, keeping me constantly focused on my research and teaching me how to clarify my ideas using examples and clear writing. He gave me the freedom and encouragement to develop and pursue my ideas.
He provided me with a wealth of advice on this research and painstakingly read and commented on the entire document.

Paul Rosenbloom for serving on my dissertation committee. Paul has improved this thesis considerably through his sharp criticisms, detailed and insightful comments and suggestions. He has been a source of ideas and has taught me how to ask the right questions in doing research and evaluating research results.

Chris Wagner for serving on my dissertation committee, and George Bekey and Ari Requicha for serving on my qualifying exam committee, and for many helpful suggestions, criticism and advice on the thesis.

Barry Boehm for providing me support and inspiration to finish this thesis.

Hee-Youn Lee, Sang Hoe Koo and Nicolas Rouquette, the members of the qualitative reasoning group, for useful discussions and helpful suggestions on this research.

Vibhu Mittal, Steve Chien, Richard Doyle, Martin Feather, and others for their many interesting discussions and encouragement.

My parents, for their love and encouragement.

Oishee, my daughter, for her patience and wonderful company.

Finally, Sutapa, my wife, for her love, support and understanding during the long course leading to this dissertation. She was always there to listen to my ramblings and to help me forget them.

Contents

Acknowledgements
List Of Tables
List Of Figures
Abstract
1 Introduction
  1.1 An Example
  1.2 Complexity in Model-Based Design
  1.3 Compositional Model-Based Design
  1.4 Thesis Contributions
  1.5 Road Map
2 Related Work
  2.1 Related Work in Design
    2.1.1 Model-based Design
    2.1.2 Case-based Design
    2.1.3 Library-based Design
  2.2 Related Work in Planning
  2.3 Modeling of Physical Systems
3 Representation
  3.1 Domain Models
  3.2 Behavior
  3.3 Physical Designs
  3.4 Design Fragments
  3.5 Summary
4 Behavioral Axioms, Failure Conditions and Revision Operators
  4.1 Behavioral Correctness Criteria for Design Fragments
    4.1.1 Axioms for Qualitative Quantity Change
    4.1.2 Axioms for Inequality Conditions
  4.2 The Qualification and Persistence Problem in Design
  4.3 Failure Conditions and Revision Operators
    4.3.1 Establishment Failure Conditions
    4.3.2 Consistency Failure Conditions
    4.3.3 Derivation of the Revision Operators for q = inc
  4.4 Summary
5 Construction of Basic Design Fragments
  5.1 Construct Operation Constraints
  5.2 Steps of The Construct Operation
  5.3 Design Fragment Construction: An Example
  5.4 Summary
6 Composition of Design Fragments
  6.1 Steps of the Compose Operation
  6.2 Design Fragment Composition: An Example
  6.3 Summary
7 Region Maintenance and Transition of Design Fragments
  7.1 Maintaining a Region
    7.1.1 Example of Maintaining a Region
  7.2 Design for Transition
  7.3 Design Fragment Refinement
    7.3.1 Generating Candidate Refinements
    7.3.2 Verify and Revise Refinements
  7.4 An Example of Inequality Shift
  7.5 Summary
8 CMD Method
  8.1 CMD Steps
  8.2 An Example Trace
  8.3 Implementation
    8.3.1 Steam Engine Design
    8.3.2 Liquid-level Regulator Design
  8.4 Summary
9 Discussion
  9.1 Summary of CMD
  9.2 Contributions
  9.3 Main Limitations of CMD
    9.3.1 Conjunctive Transitions
    9.3.2 Aggregate Behavior
    9.3.3 Expressive Representations
  9.4 Future Work
    9.4.1 Control Heuristics for CMD
    9.4.2 Domain Model Simplifications in Conceptual Design
    9.4.3 Formal and Empirical Properties of CMD
  9.5 Significance of this Thesis
Appendix A Behavioral Axioms
  A.1 Qualitative change
  A.2 Inequality conditions
Appendix B Trace of CMD Program
  B.1 Introduction
  B.2 The Domain Model
  B.3 The Desired Behavior Input
  B.4 The Initial Design Constraints
  B.5 CMD Program Behavior

List Of Tables

3.1 Definitions for model fragment existence, activity and effects.
3.2 A portion of the design solution for the boiler control problem specifying the components and connection links between them.
4.1 Behavioral axioms for a qualitative change, q = inc.
4.2 Axioms for inequality conditions p > c and p = c, to hold in a region.
5.1 Steps for DF construct operation.
6.1 Steps for DF compose operation.
7.1 Steps of Extend operation for maintaining inequality conditions over a region.
7.2 Steps for refine operation.
8.1 The CMD Method

List Of Figures

the two fragments to achieve the combined behavior. In this case, if the drum serves as a water source for the boiler, the water level in the drum will change, violating the previously established behavior. e) The composite design fragment is revised by introducing a compensating inflow of water.
1.2 Examples illustrating the sources of complexity in model-based design from: a) component model complexity, b) side-effects, and, c) multiple uses of component.
1.3 Examples illustrating the problems in model-based design of multi-operating region devices: a) region persistence, and, b) region transition.
1.4 A schematic block-diagram of CMD method.
3.1 Representation of (a portion of) the domain model for the boiler control example.
3.2 Region behavior specification for the boiler control example.
3.3 A design fragment for establishing steady steam pressure in the drum for boiler control example.
4.1 An example of the co-occurrence constraint on liquid-inflow rate and liquid-level for region transition in the liquid-level control device.
5.1 Ramification update, failure condition derivation and revision operator choices for design fragment verification analysis and revision.
5.2 An example of design fragment construction for the boiler control example.
6.1 An abstract example of influence closure inconsistencies arising in composition of design fragments.
6.2 An example showing the composition of design-fragments establishing Lj, = std and PSb = std for region Ri of the boiler control system.
7.1 An example showing region maintenance in the boiler control example.
7.2 a) A region diagram for a steam engine, b) A schematic design of a double-acting compound steam-engine, c) A design which under different operating assumptions establishes the device behavior in each region, but does not automatically transition between regions, d) A revised design that includes mechanisms for explicitly effecting the transitions.
7.3 Generation of design fragment refinements and their revisions to establish the inequality Vp = 0 in the steam-engine example.
7.4 An example showing the incremental refinement of design fragments for establishing velocity-of-piston = 0 at top of cylinder starting from an initial region with velocity > 0 when piston is below top and moving upward.
8.1 A trace of the CMD method for the design of a portion of the boiler control system.
8.2 Alternative steam engine design based on use of liquid pressure and steam pressure under choice of large capacity source and sink model fragments.
8.3 Alternative steam engine design based on use of liquid pressure and steam pressure using finite capacity source and sink model fragments.
8.4 (a) An example of design that is consistent with CMD logic but will not work, (b) Examples of double acting steam engines generated when considering a closed cylinder.
8.5 a) and b) Input region diagram and initial design constraints for liquid-level regulation in a container, c) and d) Design solutions for the required behavior.
8.6 Liquid level regulator example when the height of the source of liquid-inflow to the destination container is supply is less than the height of the destination container.

Abstract

One of the hallmarks of human intelligence is the ability to design.
An early stage in design, called conceptual design, is concerned with the generation of preliminary designs. In this stage, the designer focuses only on the gross structure of the artifact to be designed. To facilitate the differential analysis performed in the stages following conceptual design, approaches to conceptual design that systematically define and explore the space of candidate designs are needed. This thesis describes a computational method for generative design, called Compositional Model-based Design (CMD), which uses a domain model describing the components and their interactions to design complex physical devices having desired behaviors.

Generative model-based approaches for the conceptual design of physical devices face challenging problems specifically when devices with conjunctive behaviors in a region or devices with multiple operating regions are to be designed. For the design of devices with conjunctive behavior in a region, the design process must confront problems due to interaction between the causal mechanisms that establish the individual behaviors. For the design of devices with multiple operating regions, the design process must confront the problem of dynamically shifting the causal mechanisms that establish behaviors in one region to those that establish the behaviors in the succeeding region when transition conditions are met.

To systematically handle the design of such complex devices, CMD makes use of: i) design fragment representation, an abstract qualitative representation of how a physical design establishes its behavior, and ii) verification criteria, a declarative specification of the conditions that the design fragment must satisfy for the qualitative correctness of the design solutions obtained from the representation. CMD restricts the search by constructing approximately correct design fragments that satisfy the desired behavior based on simplifications of the verification criteria. Such simplifications are then potential sources of incorrectness when the fragments are composed or extended. CMD focuses the search for design fragment revisions by making use of information obtained from verification analysis to pinpoint the sources of incorrectness and focus on the necessary revisions.

The overall search strategy adopted in CMD for generative design of devices is based on divide-and-conquer and incremental revision. The method divides the specified behavior into separate fragments and constructs approximately correct design fragments for each. The design fragments are then incrementally composed until a design for the entire specified behavior is obtained. The composition of independently designed fragments may result in a design which, due to adverse interactions between the fragments, violates the behavior established by one or more of them. CMD detects such interactions by performing verification analysis and deriving failure conditions that specify the reasons for the incorrectness of a design fragment. Such failure conditions are then used to guide the search for design fragment revisions that lead to re-establishment of the desired behavior.

CMD has been implemented in a program and has been demonstrated for the conceptual design of liquid-level regulation systems, early steam engines and boiler control systems.

Chapter 1

Introduction

The Proper Study of Mankind is the Science of Design. - Herbert Simon

One of the hallmarks of human intelligence is the ability to design: to compose familiar components to accomplish desired behavior or function. The first stage of design, called conceptual design, is the process of generating preliminary designs, in which the designer focuses only on the gross structure of the artifact to be designed.
The designer typically ignores quantitative constraints and exact solutions and, instead, seeks to obtain a preliminary design that meets the behavior constraints at a qualitative level [45, 54, 35]. Conceptual design is followed by stages in which the preliminary designs are analyzed differentially, selected and refined to meet optimality, realizability, fault tolerance, efficiency, economy, and other such constraints. Conceptual design is a critical step in the overall design process since (a) design innovation crucial to the success of a product occurs at this stage and (b) errors in this stage, if not corrected, will propagate to later stages of design and manufacture with devastating consequences.

To facilitate the differential analysis performed by the design stages following conceptual design, approaches to conceptual design should (a) outline the space of candidate designs under consideration, and (b) explicate the design choices underlying each design both at a gross level where decisions about the technologies (mechanical, hydraulic, electronic) are made and at finer levels where decisions about individual components and their structural connections (function sharing) are made. Accordingly, generative approaches which systematically define and explore the space of candidate designs are needed for conceptual design.

This thesis describes a computational method for generative design, called Compositional Model-based Design (CMD), which uses a domain model describing the components and their interactions to design physical devices having desired behaviors. The CMD method is based on two insights:

1. In conceptual design, the designer makes use of a qualitative understanding of how the design works over time [44, 54].

2. The process of generating complex designs involves composing locally correct partial designs and using the information obtained from failures to focus on design modifications [36, 14].
The method divides the specified behavior into separate fragments and constructs locally correct design fragments for each. The design fragments are then incrementally composed until a design for the entire specified behavior is obtained. The composition of independently designed fragments may result in a design which, due to adverse interactions between the fragments, violates the behavior established by one or more of them. The method detects such interactions and uses the failure information to guide revisions of the composite design to re-establish the desired behavior.

1.1 An Example

Consider the design of a boiler control system for a steam plant that is required to supply steam at a steady, fixed pressure despite variations in the demand of steam at the load. Figure 1.1a shows a candidate design from [2] which establishes this regulatory behavior as follows:

    Fluctuations in the load are sensed by a governor control mechanism which adjusts the outflow valve to maintain the steam flow rate to the load steady. To maintain steady pressure at the drum, the change in the outflow rate is sensed and used to adjust the flow rate of the fuel/air mixture to the furnace. Consequently, the steam generation rate and the rate of steam flow from the boiler to the drum change to compensate for the outflow rate change, thereby, maintaining the steam pressures at the boiler and the drum steady.

Figure 1.1: a) A boiler control system in a steam plant, b) Behavior specifications input to CMD. c) Independent design fragments for maintaining the water level and steam pressure in the drum steady, d) Composing the two fragments to achieve the combined behavior.
In this case, if the drum serves as a water source for the boiler, the water level in the drum will change, violating the previously established behavior, e) The composite design fragment is revised by introducing a compensating inflow of water.

To design such a device, compositional model-based design, given the basic input behavior specifications of maintaining the steam pressure and the water level in the drum steady (Figure 1.1b), follows two main steps:

1. It constructs independent design fragments (Figure 1.1c) to establish behavior fragments such as:
   a) Maintaining steady steam pressure in the drum. This is established through an increase in the rate of steam generation in the boiler and an increase in the rate of steam flow from the boiler to the drum which compensates for the increase in the rate of steam outflow to the load (footnote 1).
   b) Maintaining the water level in the drum steady. This is established by assuming it is uninfluenced.

2. It composes these two design fragments to establish the combined behavior. During composition, it may decide that the water supplied to the boiler for steam generation is from the drum (Figure 1.1d). In this case, the composite design is incorrect since it does not maintain the water level in the drum steady; instead, the water level decreases as the water is used to generate steam in the boiler. The CMD method detects this violation and revises the composite design to introduce an inflow of water into the drum from a tank to compensate for this loss (Figure 1.1e).

1.2 Complexity in Model-Based Design

A naive generative approach to conceptual design may generate candidate designs by systematically assembling increasingly larger collections of components and testing whether each candidate design meets the desired behavior specifications by model-based simulation.
However, for most real-world domains and realistic artifacts, such an approach is quickly overwhelmed by the space of candidate designs and the complexity of testing each one. Consequently, generative design must exploit constraints to limit the space of candidate designs and focus the search for design solutions.

Footnote 1: Throughout the thesis, we will use a simple notation for describing quantities: the first few letters describe the quantity, the last letter describes the object, and the subscript describes the container or the path. For example, FRS_{d,t} denotes the flow rate of steam from the drum to the load, and LW_d denotes the level of water in the drum.

Figure 1.2: Examples illustrating the sources of complexity in model-based design from: a) component model complexity, b) side-effects, and, c) multiple uses of component.

Model-based approaches may restrict the space of designs by using an intermediate search space representation that makes explicit the components used in a design, the causal relations the components support and how such relations get used to achieve behaviors. One such candidate intermediate representation is one that makes explicit the causal relations imposed by elements of the domain model. Generative approaches based on such a representation can exploit the required behavior constraints and the design verification constraints that specify the conditions that the intermediate representation must satisfy, to focus the search for design choices and thus restrict the candidate space. The sources of complexity in model-based generative approaches based on such an intermediate representation are:

• Component model complexity: Components introduce causal relations between quantities. For example, interactions between height, pressure-at-top, pressure-at-bottom, gravity, volume-of-container, density-of-liquid, specific-gravity are imposed by liquid in a container. For producing a specific behavior of a quantity, each such relation may define a design choice point. For example, to increase the pressure at the bottom of a container, the relation between pressure and mass of liquid in the container, and the relation between pressure and volume of gas in the container define alternative choice points. Moreover, the relation specifying the desired behavior may not be the same as the relations producible by individual components. Hence producing a specific behavior may require not one such relation but many such relations, each of which define alternative choice points. For example, to establish an increase in the level of liquid in a container when the level falls below a certain level, there are no directly available components which can establish such a relation. In establishing the increase in liquid level, as shown in Figure 1.2a, the relation between level and mass of liquid, and the relation between level and volume of container define alternative choice points. Choosing the relation between level and mass of liquid, the mass of the liquid can be increased by using the causal relation between liquid-flow and mass or using the causal relation between mass of liquid and liquid-condensation and other such alternatives.
  For complex behavior, though the number of components in the design may be small, individual component model complexity makes the search difficult since all chains of causal relations may have to be explored for completeness.

• Side-effects of causal relations: Each causal relation can have a parasitic effect on the overall behavior. For example, as shown in Figure 1.2b, a causal relation between thermal liquid-flow and temperature used to establish an increase in the temperature of a contained liquid has the parasitic effects of increasing the level of the liquid, increasing the pressure at the bottom of the container, and decreasing the amount of the contained gas. When designing devices with many desired quantity changes and causal relations in a state, the design choices can conflict because of such side-effects, leading to a search for alternative choices or a search for additional constraints that would resolve such conflicts. In the above example, if the level of the liquid is to be maintained steady then the source of the conflict has to be counteracted, for example, by introducing liquid-outflow from the bottom-port of the container or liquid-outflow from the top-port of a container, leading to additional search.

• Multiple use of a component: The same component can be used to serve multiple functions. For example, in a steam engine, the steam in the lower compartment may be used to establish the upward piston motion by boiling water to increase the steam pressure and to establish the downward motion by cooling the steam to decrease the steam pressure. The steam pressure required to cause the upward piston motion in a cylinder can be obtained by boiling water in the bottom compartment of the cylinder and the downward motion of the piston can be obtained by cooling the steam in the same compartment (Figure 1.2c).
Such function sharing may lead to additional interactions between quantities that may be otherwise independent. In the above case, if it is required to maintain the temperature of the cylinder steady, such function sharing would lead to changes in temperatures as a result of boiling and cooling.

From the above analysis of the sources of complexity, we make the observation that the complexity from side-effects and the complexity from multiple uses of a component occur predominantly in model-based design of devices with conjunctive behavior in a region. For designs with multiple operating regions, where an operating region is defined by intervals of one or more quantities and consists of a set of behaviors distinct from another non-overlapping operating region, there are additional sources of complexity.

1. Region persistence. Behaviors in a region may have side-effects that affect the persistence of the region leading to premature transition from the region. Preventing such unwanted transitions may require establishing additional behavior which compounds with the other sources of complexity. In the boiler example (Figure 1.3(a)) steam supply from the boiler to the drum by means of steam generation leads to depletion in the amount of water and may lead to premature transition to a region where the steam flow is disrupted. Preventing such transition requires establishing an increase in the amount of water to balance the water lost due to steam generation.

2. Region Transition. Devices with multiple operating regions may require different causal networks for each region. Therefore, establishing region transitions will require searching for a chain of explicit causal mechanisms that bring about synchronized transformation of the networks. For example, as shown in Figure 1.3(b), a liquid-level control system has two operating regions, one in which the level is increasing if the level is below the desired level and the other in which it is steady when the level is at the desired level. The causal relations that establish an increase in the level, based on an inflow of liquid into the container, are different from the causal relations that establish the level steady, which can be based on the assumption that the level of the liquid is uninfluenced. For region transition to occur, such differences in networks of causal relations for the two regions have to be dynamically reduced and synchronized appropriately. In the above example, one solution is to use a mechanism composed of float, link and valves to steadily reduce the flow as the level reaches the desired level.

Figure 1.3: Examples illustrating the problems in model-based design of multi-operating region devices: a) region persistence, and b) region transition.
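The side-effect conflict described for Figure 1.2b (thermal liquid-flow raises the temperature but also the level, while the level is required to stay steady) can be worked through with a small qualitative-influence check. The Python code below is an added illustration, not the thesis's CMD program; the fragment table, the sign encoding and all function names are assumptions made for this example.

```python
# Added illustration; a constructed toy model, not the CMD program from the thesis.
INC, STD, DEC = +1, 0, -1

# Direct influences each (assumed) model fragment imposes while it is active.
FRAGMENTS = {
    "thermal-liquid-flow": {"temperature": INC, "mass-of-liquid": INC},
    "liquid-outflow-bottom-port": {"mass-of-liquid": DEC},
    "liquid-outflow-top-port": {"mass-of-liquid": DEC},
}

# Qualitative proportionalities (cause, effect, sign), listed in causal order.
# Toy restriction: every effect has exactly one cause and no direct influence.
PROPORTIONAL = [
    ("mass-of-liquid", "level-of-liquid", +1),
    ("level-of-liquid", "pressure-at-bottom", +1),
    ("level-of-liquid", "amount-of-gas", -1),
]


def resolve(signs):
    """Possible qualitative changes of a quantity given its influence signs."""
    if not signs:
        return {STD}                      # uninfluenced quantity holds steady
    if all(s > 0 for s in signs):
        return {INC}
    if all(s < 0 for s in signs):
        return {DEC}
    return {INC, STD, DEC}                # opposing influences may cancel


def behaviour(active):
    """Map each quantity to the set of changes the active fragments allow."""
    direct = {}
    for frag in active:
        for quantity, sign in FRAGMENTS[frag].items():
            direct.setdefault(quantity, []).append(sign)
    possible = {q: resolve(s) for q, s in direct.items()}
    for cause, effect, sign in PROPORTIONAL:
        possible[effect] = {sign * v for v in possible.get(cause, {STD})}
    return possible


def conflicts(active, desired):
    """Quantities whose desired change is ruled out, side-effects included."""
    possible = behaviour(active)
    return sorted(q for q, want in desired.items()
                  if want not in possible.get(q, {STD}))


def root_of(quantity):
    """Trace a dependent quantity back to the directly influenced quantity."""
    causes = {effect: (cause, s) for cause, effect, s in PROPORTIONAL}
    sign = +1
    while quantity in causes:
        quantity, s = causes[quantity]
        sign *= s
    return quantity, sign


def revisions(active, desired):
    """Single fragments whose addition removes every conflict.

    The search is focused by the failure: only fragments that put the
    missing influence on the source quantity of a conflict are tried,
    and each candidate is re-verified against all desired behaviors.
    """
    possible = behaviour(active)
    found = set()
    for quantity in conflicts(active, desired):
        root, path_sign = root_of(quantity)
        needed = desired[quantity] * path_sign    # required change of the root
        (current,) = possible.get(root, {STD})    # a conflict implies one value
        wanted = -current if needed == STD else needed
        for frag, influences in FRAGMENTS.items():
            if frag in active or influences.get(root) != wanted:
                continue
            if not conflicts(active + [frag], desired):
                found.add(frag)
    return sorted(found)


if __name__ == "__main__":
    design = ["thermal-liquid-flow"]
    goal = {"temperature": INC, "level-of-liquid": STD}
    print("behaviour:", behaviour(design))
    print("conflicts:", conflicts(design, goal))
    print("revisions:", revisions(design, goal))
```

A steady quantity is accepted here when it is either uninfluenced or subject to opposing influences; the revised design is therefore correct only under the further constraint that the inflow and outflow magnitudes balance.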
Two important insights from previous work in AI for dealing with search complexity are:

• Approximating the search space. A solution can be constructed quickly in an approximate search space and then revised. The search space is made to capture only the most critical solution requirements and ignores the rest. The approximation simplifies the search since the requirements on the solution are relaxed.

• Least-commitment solution construction and constraint posting. Partial solutions can be constructed by incrementally posting constraints that the solution must satisfy and propagating ramifications of the constraints from one portion of the solution to other portions of the solution to restrict the search space [46, 4, 53].

Each of these insights provides an important starting point. To date, research in model-based design has primarily been limited to design of devices with desired behavior of a single quantity, expressed in a relational form [51, 54]. For the design of such devices, the major problem is determining a path of causal relations between quantities that can potentially establish the relation between quantities specified by the input relation. The major source of complexity in finding such a path results from component model complexity and mismatch of the causal relations imposed by a component model with the causal relation specified in a behavior. It is difficult to find such a path independent of how the quantities are related (see footnote 2) and what behaviors they produce. Approximations of the domain model that capture only what quantities interact and ignore how they interact are appropriate for handling such difficulty. Such a representation can be quickly searched to generate a complete candidate design whose components impose relations that link the quantities in the desired behavior.
The approximations lead to restricting the candidates to be verified in a typical generate and test design method to only those which can support the required relation between quantities.

Approaches for handling a wider class of problems that involve conjunctive behavior in a region and region transitions must confront the additional sources of complexity, as discussed earlier, arising from side-effects, structure sharing, region persistence and region transitions. The type of approximations used for single conjunct behavior does not capture information that provides computational focus for dealing with such sources of complexity. Since the representation does not represent how quantities are related and what behaviors they produce, it cannot distinguish if the causal relations used in establishing a specific behavior have any side-effects that counteract another required behavior. Such a representation also fails to distinguish if the side-effects affect the persistence of the region.

In the following, we outline our CMD approach that builds on the above insights and uses approximations that are more suited to handling the complexity arising from considering the wider class of design problems and doing design verification when generating a design. The approximations used in CMD are not on specific aspects of the individual causal relations (see footnote 3) but rather on possible influence relations that affect a quantity and persistence of quantitative relations between quantities in a region. Such approximations are more appropriate when obtaining designs for conjunctive behaviors by constructing and composing partial designs, because of the partial nature of the information available at any stage of the process. We provide detailed arguments for use of such approximations in CMD in Chapter 4.

Footnote 2: Some of the possible relations between two quantities x and y are: x may be directly proportional to y, and x may be indirectly proportional to y.

Footnote 3: A causal relation between two quantities captures three types of information: i) types of quantities causally interacting, ii) how the quantities are causally related - the directionality of the causal relation and nature of the relation between the quantities which in turn specify the behavior of the influenced quantity that result from the relation and the behavior of the influencing quantity, and iii) the temporal nature of the relation - whether the relation holds or not under changes of operating conditions or is static. The representation used to design for single quantity specific desired behaviors approximates the last two aspects of a causal relation.

1.3 Compositional Model-Based Design

Compositional model-based design addresses the sources of complexity identified in the previous section by using the notion of the design process as incrementally composing locally correct partial design solutions, called design fragments, and making use of the failure information obtained from verification analysis to focus the search for design modifications. The key elements of such a process are:

1. Search based on design fragments: A design fragment is a design representation that makes explicit the design, the qualitative causal relations between quantities imposed by the design and the different types of approximating assumptions under which the design correctly produces desired behaviors. The assumptions correspond to simplifications made in satisfying the design correctness requirements. The fragments are approximately correct since they produce desired behaviors only when the approximating assumptions hold. CMD uses the representation to: (a) Restrict search. The search space defined by design fragments is an approximation of the search space defined by complete design fragments since the fragments are based on approximating the requirements for solution correctness. The design fragment simplifies the search since potential interactions and corresponding design decisions are deferred. In the boiler control system example, a design fragment for establishing the pressure of steam in the drum to be constant is constructed based on the assumptions that there are no causal relations affecting the quantity. Such a fragment is based on checking for the simplest requirement for a quantity to hold steady and ignores other possible causal relations that may exist. The simplifications reduce search, since interactions arising from steam-flow, evaporation, water-flow etc. are not checked. (b) Focus Search. The explicit representation of the working of the design and the underlying assumptions for its correctness facilitates determining the ramifications of design decisions on the working of the design and its correctness. The ramifications get used in CMD to localize sources of incorrectness and focus on relevant revisions.

2. Behavioral Axioms: A declarative specification of the qualitative requirements that must be met in order for a design to correctly produce the desired behavior. The requirements specify necessary causal relations and constraints on them for basic behaviors to be produced. Since the design fragment captures the working of a design, the behavioral axioms are then a specification of the verification criteria for the fragments to establish behaviors in region.

3. Failure conditions and revision operators: The approximations made in a design fragment are potential sources of incorrectness when the fragment gets composed with other fragments and analyzed for satisfaction of verification criteria. CMD derives failure conditions from verification analysis and exploits them to focus the search for necessary revisions of the design fragment.
Failure conditions are specifications of constraints that must be met in order to ensure the local correctness of behavior. Revision operators are then operators that modify design fragments to satisfy such constraints. For example, analyzing the correctness requirements for steady pressure in the drum in the context of the steam-outflow from the drum, yields the failure condition: the set of complete causal relations on the steam pressure in the drum does not specify the existence of two causal influence relations, one of which is constrained to be steam-outflow, that cancel each other. The revision operator introduces an additional steam-inflow into the drum and makes a new assumption.

Figure 1.4: A schematic block-diagram of CMD method. (Blocks: Domain Model and Desired Behavior (B) as inputs; Construct Design Fragments; Compose DFs; DF subsumes B?; Extend DF; Design Solution.)

4. Search Strategy. CMD adopts a divide-and-conquer, least-commitment and incremental search strategy. Figure 1.4 shows a schematic block diagram of the CMD method. The figure shows the inputs and the main operations that define the core of the method: construct, compose and extend design fragments. These operations lead to a divide-and-conquer search strategy. Approximate design fragments that establish pieces of the desired behavior are constructed by the construct operation in a least-committed manner: the components required to establish a causal relation alone are constrained to exist and the decision to use other existing components for the same relation is deferred. They are then incrementally composed and extended until the entire specified behavior is achieved.
The individual operations of the method perform generation, propagation of necessary ramifications of other design fragment constraints, verification analysis, and derivation of failure conditions that lead to design fragment revisions. The combination of divide-and-conquer with incremental construction and revision focuses the search for correct solutions. The strategy defers decision making until additional information is available on those choice points which provide more constraints that focus the search.

1.4 Thesis Contributions

This thesis presents a generative model-based approach to the design of physical devices. Important contributions are:

• Design for conjunctive behaviors in a region. It presents an approach for solving the class of design problems that involve conjunctive behaviors in a region. This is a difficult problem due to side-effects and structure sharing. Previous approaches [54, 51] have been primarily restricted to single conjunct behavior, and can be extended to handle the multi-conjunct design problem only by performing brute force search.

• Design for region transitions. It presents an approach for solving design problems that involve multiple operating regions and transition between those regions. This is a difficult problem because the design fragment for a region has to be transformed to the fragment for the next region. Previous approaches [54] have considered design of simple devices which have automatic region transitions or whose transitions can be captured in a single equation.

• Design-fragment-based search space. It introduces the representation of design fragments — an approximate representation of how the elements in the design work to achieve its behavior and the different types of approximation assumptions that underlie the correctness of its behavior.
The representation facilitates exploring the design space by exploitation of solution constraints to focus search for design solutions and by using approximations to restrict the search.

• Design verification interleaved with design generation. The approach addresses the problem of qualitatively verifying that a design obtained from a design fragment achieves its behavior at any stage of a design fragment construction process. To address such a problem, it formulates verification criteria for design fragments, a declarative specification of the criteria for evaluating the qualitative correctness of design fragments to satisfy desired behavior fragments. It uses such criteria constructively to incrementally generate design fragments and design solutions from those fragments.

• Approximately verified design fragments, failures and focused revision. It manipulates approximately verified design fragments. In order to systematically handle incorrectness that result from the approximations, it defines design-fragment failure conditions and revision operators: it uses the verification criteria to derive the set of design fragment failure conditions which are specifications of necessary constraints on a design fragment to remain consistent and a set of operators that satisfy such constraints. The failure conditions are important - they pinpoint the inconsistencies and provide constraints on the search for revisions that remove the inconsistencies.

• Compositional model-based design. It formulates an incremental and least-commitment design method for obtaining designs of continuous devices with multiple behaviors in a region and multi-operating regions. The method uses the design fragment representation, failure conditions and revision operators to restrict and focus the search for design solutions.
• It describes an implemented system based on the CMD method that has been demonstrated on several examples including the design of boiler control systems, steam engines and liquid-level regulation systems.

1.5 Road Map

The remainder of the thesis is organized as follows.

• Chapter 2 describes the related work in the areas of design, planning and modeling of physical systems.

• Chapter 3 describes the representation of the input domain models and behavior, the representation of the output design solution and the representation of design fragments that defines the search space for CMD.

• Chapter 4 describes axioms for different types of behavioral fragments to hold, and shows how, based on their analysis, a set of revision operators to revise incorrect design fragments is derived.

• Chapters 5, 6 and 7 describe the basic operations on design fragments that are used for constructing, composing and extending design fragments.

• Chapter 8 presents the algorithm for compositional model-based design and illustrates how it works with an example. It also describes a program that implements the CMD method and gives several examples that have been used to demonstrate the method.

• In Chapter 9 we summarize the key aspects of the CMD method, summarize the contributions made in this thesis, discuss some of its limitations and present directions for future work.

• Appendix A gives the list of the axioms that form the basis for the verification criteria for design fragments.

• Appendix B gives a partial trace of the CMD program.

Chapter 2

Related Work

This chapter discusses previous work in the areas of design, planning and qualitative physics related to the thesis.

2.1 Related Work in Design

We divide the work on design into three broad categories: (i) Model-based design, (ii) Case-based design, and (iii) Library-based design.
2.1.1 Model-based Design

A number of approaches have emphasized the importance of using domain models to improve robustness. We call these approaches model-based design. Such approaches make use of the domain model to search a space of intermediate representations that link structure/form and behavior to compose a design that meets the desired behavior requirements or abstractions of such requirements. They take a bottom-up approach to design as opposed to hierarchical refinement.

In [3], Barstow highlights the importance of capturing knowledge about programs and their differences as a sequence of incremental refinements. Roylance [40] takes a similar approach for the design of analog ramp generators. The structures in his library correspond to abstractions of primitive circuit elements, such as resistors and capacitors. Roylance also relaxes restrictions on how these structures are composed. Rather than using a hierarchical decomposition, structures are composed by backward chaining on an equation specifying the desired behavior. This type of composition is similar to the generation phase of the Construct-DF operation in CMD. But the robustness in Roylance's approach is limited due to the use of a domain model which presumes the function of the primitive elements.

More recent work in model-based design, that of Karl Ulrich [51] and Brian Williams [54], addresses the issue of robustness in generative design. Ulrich addresses the conceptual or preparametric design of single-input, single-output devices constructed by connecting together lumped elements. The goal of the design is to relate two variables. The behavior of the relation is not specified.
In this approach, each component is modeled as an n-port device (drawn as a bond-graph [39]) and the design goal is satisfied if there exists a path through the n-port devices between the two variables; that is, there is a sequence of bonds connecting the two variables. The behavior produced by the sequence of bonds (i.e. the relationship between the variable values) is not considered. All possible paths correspond to candidate design solutions.

Ulrich's method differs from the CMD method in several respects. Ulrich ignores behavior at all stages of design — his end solution is thus only an approximate solution and need not necessarily satisfy a behavior between the quantities related. This approximation suppresses some of the critical issues that make model-based design difficult: reasoning about interactions, transitions and conjunctions of behavior fragments.

The IBIS [54] method is another model-based design approach. IBIS addresses the task of designing devices that have quantity-shifting behavior (e.g. maintaining the level of liquid in a container at a specified level). The central idea in IBIS is that the design process involves constructing a design representation that makes explicit the structural aspects of a design and how they work to produce the desired behaviors. To this end, IBIS makes use of an approximate representation of the search space defined by the domain model. This approximate representation, called the topology of interaction networks, ignores what behaviors the causal relations produce and captures what quantities are potentially related by design component models in the domain model. The approach synthesizes devices in five steps:

1) Maps the input behavior into an equational form. For example, in the vat and bowl design problem ([54]), which involves finding a design solution having the following behavior: i) if level of liquid in the bowl is less than the level in the vat, the level in the bowl increases and, ii) if the levels of the liquid in the two containers are same, then the level in the bowl remains steady. This desired behavior is mapped to the equation: Hb - Hv = Ds[Hb] (see footnote 1).

2) It searches the network to find a path that links the variables in the input equation. For the vat and bowl problem, it searches for a path that links the variables Hv, Hb and Ds[Hb].

3) A candidate design is constructed by selecting and assembling components such that the final assembly generates this causal interaction path.

4) The candidate design is used to specify an equation in semi-qualitative algebra (Minima) which then is tested for subsumption of the equation defining the desired behavior.

5) Failures result in either going back to step 1 to generate another candidate or the heuristic refinement of the candidate design.

Footnote 1: The function Ds[q] denotes the qualitative derivative of q. If Ds[q] > 0 then q = inc, if Ds[q] = 0 then q = std, and if Ds[q] < 0 then q = dec.

Interaction-network based design offers several advantages. First, by tracing the causal path taken through the causal-interactions network, it produces an abstract causal explanation of how the designed device works. Secondly, by choosing alternative paths, it may enumerate innovative designs where the basis for innovation can be explained in terms of differences in causal paths. These advantages are also offered by CMD. The approaches differ in several important respects.

• Input behavior. The type of behavior handled by IBIS is a single conjunct behavior - desired behavior of a single quantity. In the vat and bowl example, the desired behavior is relative to the level of liquid. CMD addresses a wider class of design problems, not handled by IBIS, that have conjunctive behavior in a region and have transitions between them. The difference in the class of problems handled by the two methods determines the nature of the approximations used by them.

• Search space. The type of search space and their approximation differ in the two approaches. IBIS searches a space defined by interaction network topology which is an approximate representation of the search space defined by the causal relations in the domain model; approximate in the sense that it ignores what behaviors the causal interaction produces. Such a representation is best suited for the quick generation of complete candidate solutions for single conjunct behavior specifications that specify a desired relation between two or more quantities. In designing for such behavior the major source of complexity is in determining what quantities interact independent of the behaviors the interactions produce. The types of quantities related by each interaction substantially constrain whether that interaction is part of a solution to a design problem. CMD searches the design fragment space, an approximate representation of the design and the causal relations the design uses to qualitatively achieve its behavior. Such a representation is well suited to CMD which designs for conjunctive behavior in a region and region transitions. For conjunctive behavior, the major source of complexity is in the side-effects of the causal relations that in establishing required behaviors have adverse effects on other behaviors in the region. By constructing partial design fragments, CMD defers design decisions until more information is available in making a more informed decision. The simplifications lead to first cut approximate solutions that satisfy some necessary requirements and abstract out others. The generation of design fragments is thus limited and focused by necessary requirements. Such piecewise approximate design construction, composition and revision is useful for design of devices having multiple behaviors in a region which are beyond the scope of IBIS.
IBIS can be extended to handle such problems but then IBIS would have to perform brute force search leading to scalability problems [34].

• Focused search for design modification. The interaction network representation used by IBIS ignores what behaviors get produced due to a causal relation between two quantities. The representation is based on only what quantities interact. The behavior constraints are only examined at the verification stage. Since the interaction network representation does not capture any aspect of behavior, information obtained from failures at the verification stage cannot be exploited in IBIS to search for design refinements. The design fragment representation in CMD makes explicit both the causal basis of a behavior as well as the assumptions under which the design correctly produces the behavior. Such explicit representation of the approximation assumptions pinpoints sources of design failures. In CMD, the information obtained from verification analysis in the form of failure conditions focuses the search for revisions by specifying what the revision must accomplish.

• Design Verification. IBIS constructs complete candidate solutions and then tests them for correctness. CMD interleaves generate and test. Interleaved generation and testing allows CMD to prune out partial design fragments which do not satisfy the verification criteria and thus reduce the search space. The verification techniques differ significantly in IBIS and CMD. A candidate solution generated by IBIS defines a set of equations (in a semi-quantitative algebra) that specify causal interaction relation between quantities. IBIS verifies the correctness of the design by testing the consistency of the equations using symbolic equation solving approaches. CMD formulates the criteria for design fragments to achieve basic behaviors and undergo basic region shifts.
The criteria are based on general laws of quantity change and inequality conditions to hold in a region. It uses the criteria to derive a set of revision operators which are used constructively to search for correct design fragments.

• Design of multi-operating region devices and reasoning about region transitions. In IBIS, the region transition behavior is implicit in the equations and is handled indirectly. The generation step in IBIS, of first generating all direct paths (without branches) and then augmenting those paths by considering branching paths that start from some intermediate quantity and terminate on some desired variable, leads to indirectly considering designs with feedback loops which are required for region transitions. Such an approach will work for designs having automatic transition and single feedback loop. But for designs which require more than one feedback loop to handle the different region transitions (e.g. upward motion to downward motion in a steam engine), IBIS does not provide any solution other than resorting to brute force search. CMD addresses the region transition behavior problem by determining how the constructed design fragments for each region differ in terms of the operating assumptions made and extends the design fragment with appropriate behaviors which when established achieve dynamic transformation of the design fragment consistent with region transition requirements. Thus CMD does focused search for augmentations to the designs for regions, in order to achieve region transition behavior.

2.1.2 Case-based Design

A number of design approaches have recently been advanced that make use of experiential knowledge [12, 19, 23, 31, 29, 18, 32]. These approaches solve design problems by retrieving and adapting the designs encountered in the past. As new designs are created, they are stored in memory for potential reuse.
The key problems are the organization of the case library for retrieval of a relevant case and the adaptation of the retrieved case to the design task at hand. These systems are intended to improve their robustness through acquisition of cases. Case-based design approaches are appropriate for domains for which a rich source of experiential knowledge exists. Like library-based approaches, the case-based approaches trade-off completeness at the cost of efficiency. Such approaches can be integrated with generative model-based approaches like CMD to exploit the efficiency of case-based design and the robustness of model-based design. The generative design approach can be used to build the experiential knowledge base.

In BOGART [29], the case library consists of design plans. Each design plan corresponds to the recorded steps taken to refine a functional specification of a design. Both design-plan storage (which plan to store) and selection are user guided. In a case retrieved by BOGART, some steps may apply to current problem while others may not. Replay of the design plan is used to determine which steps apply.

ARGO [19] uses analogical reasoning for solving design problems in the VLSI circuit domain. In ARGO, design problem-solving experience is represented by a rule-dependency graph which defines the design plan. ARGO generates abstractions of such graphs and stores them as rules ("macrorules"), which explicitly contain the precise conditions for reuse. Such conditions determine the applicability of the stored cases. ARGO uses a heuristic to restrict retrieval to maximally specific cases. Case reuse is based on matching the applicability conditions to the current design problem.

CADET [32] and KRITIK [18] are two case-based design systems for design of physical devices. CADET focuses on the case retrieval problem. Cases are provided
by the user and represented as influence graphs which are qualitative representations of device behaviors. In CADET, if no cases directly match the desired device behavior specification, behavior correctness preserving transformations are applied to the behavior specification until matching cases are found. It is to be noted that the transformation process may result in sub-specifications each of which corresponds to a different case. In such situations the cases have to be composed. CADET does not provide a solution to this problem.

KRITIK [18] explores the use of design-debugging in the context of experience-based design of physical devices. Initial designs are generated by retrieving cases from a case library and adapted to the current task. Adaptation is done based on mismatches between the desired function and the function provided by the retrieved design case. Design debugging involves the application of a set of heuristic design-modification plans.

As with the CMD method, both CADET and KRITIK reason about the causal mechanisms underlying device behavior and function at a qualitative level. The CADET approach of transforming a given behavior specification until a case can be retrieved has similarities to the bottom-up construction of partial design fragments. The transformation process based on hypothesizing influences and finding cases that match them is similar to the use of failure conditions that specify necessary influence constraints for quantity changes and the use of revision operators to satisfy such constraints using model fragments. CMD addresses the composition problem which is not dealt with by CADET. The transformations in CADET are based on a set of heuristic design rules, whereas the design fragment revisions in CMD are based on axioms of qualitative physics.
2.1.3 Library-based Design

Library-based design approaches [25, 26, 40, 28, 27, 47, 30, 50] use design knowledge organized as a set of schemas describing the structure of modules in terms of submodules and their connections. Designs are constructed by starting from an abstract function specification and performing a series of hierarchical refinements followed by constraint satisfaction. Each refinement step selects a schema implementing a module and instantiates its submodules and connections. This process is repeated until the refinement tree hierarchy has leaves which correspond to primitive elements in the domain.

Such approaches provide increased efficiency at the cost of flexibility. Since composite behavior is compiled into the schemas, the problem of correctness of designs is also simplified. The burden of ensuring correctness of designs rests on the user.

These approaches differ from CMD in the following ways. Library-based approaches are restricted in that the only ways of composing structures considered by the design approach are those explicitly defined by the modules. For a given set of primitive components, the solution space of candidate compositions is a priori biased by the modules defined in the library. Such a restriction provides efficiency at the cost of completeness. For routine design tasks such a strategy seems to work, since the solution space is defined. In conceptual design tasks, failure of the user to anticipate required behaviors may lead to missing schema and hence may cause the system to fail - the system lacks the capability to innovate. This problem does not arise in model-based design approaches like CMD which explore the space of compositions. For CMD, in reasonably well understood domains, specifying the complete set of basic model fragments is relatively easy and hence the completeness depends on the method used to construct the solution.
Finally the modules used in library-based design presume the purpose the physical structures are supposed to achieve. Thus even though a physical structure may produce multiple useful functions, it can only be used for those functions specified explicitly in the modules. This problem does not arise for CMD since it explores all such design choices arising from the consideration of multi-function use of physical structure.

Within the library-based paradigm, several important research contributions have been made towards extending their performance or robustness. REDESIGN [28] is an example of improving performance. Given a design specification and a completed design that an engineer decided is close to the specification, REDESIGN determines subportions of the design that can be reused and reconstructs new designs for those portions that cannot be reused. To the extent that the designer has selected a good match between the design specifications and the old design, performance of the design process can be substantially improved. New parts of the design, for which search is required, are hopefully quite small.

LEAP [27] is an example of extending the generality of the library-based approach by facilitating the acquisition of new schemas. Using LEAP, design involves hierarchical refinement, where each refinement uses a library design fragment proposed by the user. LEAP enters a new schema in the library by generalizing on the schema using a form of goal-directed generalization [11] in which LEAP preserves those constraints on the fragment that are relevant to achieving its stated purpose. The learning technique improves generality by extending the set of schemas in the library.
2.2 Related Work in Planning

A number of design approaches use a plan debugging [49, 42, 4] approach that originated from Sussman’s work on “problem solving as debugging almost right plans” and Stallman and Sussman’s work [43] on dependency-directed backtracking. The basic approach is to construct an initial solution, identify inconsistencies in the plan (bugs), pinpoint planning decisions that lead to these inconsistencies and modify the plan to remove the inconsistency.

The various debugging techniques differ in the way the initial plan/design gets generated, the way inconsistencies are detected and the revision operators used. The key problems are determining inconsistencies, their cause and operators for handling them. Inconsistency handling ranges from heuristic inconsistency detection and heuristic operator application to more formal approaches.

The systems in references [49, 38, 28, 18] take a heuristic approach to modify faulty designs. HACKER [49] takes a heuristic approach for reordering the steps in a plan. CIROP [38] uses heuristic debugging rules, during bipolar amplifier design, to change the selection of schemas instantiated. REDESIGN [28] uses heuristic debugging rules during digital design to correct signals mismatch. All of the above approaches rely on use of heuristic bug detection and heuristic plan/design modification operators. The use of heuristics results in efficiency, since inconsistency detection is hard, at the cost of completeness and correctness. Within this debugging paradigm there have been some more principled approaches [15, 4, 42, 5] that attempt to provide some foundational basis for the debugging approach and lay down the groundwork for formal evaluations of the technique. The approach to generative design developed in CMD falls in this category. Related work falls mostly in the context of planning.
TWEAK [4] constructs plans for conjunctive goals using a constraint posting approach which makes use of a set of plan modification operators that are derived from the principles for effects of actions to hold (called truth criteria) and persistence of effects. By basing the debugging approach on the truth criteria, TWEAK is able to provide guarantees on the correctness of plans constructed and the completeness of the search method.

GORDIUS [42] is another system that uses a set of general modification procedures as opposed to situation-specific rules on geological interpretation and planning problems. The procedures are based on a causal model of how the world works. The bugs are caused due to incorrect approximations made in the planning or interpretation generation stage.

Both TWEAK and GORDIUS share commonalities with our compositional model-based design approach. CMD pinpoints places in the design fragment where revisions are required and formulates revision choices based on failure-conditions derived from a set of general principles defining how devices work. CMD differs from GORDIUS in the way inconsistencies are detected. GORDIUS does plan simulation to determine inconsistencies. CMD identifies the basic types of simplifications that are made in generating approximate designs and makes them explicit in the design fragment representation, thereby facilitating reasoning about the assumptions and how they may be revised.

2.3 Modeling of Physical Systems

The reasoning in the CMD method is based on qualitative models of the design domain. It does active model construction as part of the design process. Considerable research has been done in the area of qualitative reasoning [17, 16, 20, 10, 13, 1, 52, 33, 8]. This section reviews related work in modeling of physical systems.
In compositional modeling (Falkenhainer and Forbus [13]), device models are constructed by composing a set of model fragments which are qualitative abstractions of primitive physical components and interactions between them. Each model fragment is conditioned on a set of assumptions which explicate the approximations, granularity and operating assumptions. A user query is used to focus the search for models. A model is defined to be adequate if it contains the terms mentioned in the query. A model is constructed using a variant of constraint satisfaction called dynamic constraint satisfaction and then validated using either qualitative or numerical solutions.

The CMD work builds on the model-fragment representation developed for compositional modeling [13]. Model construction in CMD takes place when designing for transitions. Given a set of design decisions and a query on establishment of an inequality condition, CMD first generates a partial model based on a set of assumptions that could bring about the inequality condition. This type of modeling task is quite different from the compositional modeling work which generates a model that fits all regions of the device - that is, the models are limited to devices having a uniform model across regions. Such modeling is possible when region transitions of a device are automatic.

Another closely related work in the area of qualitative modeling is that of Davis [8]. Davis gives an axiomatization of Qualitative Process theory [16] for a microworld. The microworld can be viewed as a design description plus a set of model fragments that model the components used in the design. The axiomatization shows that physical theories like those of QP theory can be expressed in simple physical axioms and that the predictions made using such a theory can be viewed as monotonic inferences.
He uses a set of basic axioms of real analysis, temporal reasoning, and a set of general axioms constraining the possible behavior of a physical parameter and relating it to the influences on it. The axioms defined in CMD for behavior correctness resemble Davis’s axioms.

The CMD approach differs from Davis’s approach in the use of such axioms. Davis uses them for behavior prediction whereas CMD uses them for design. In CMD, the design objects and the applicable model fragments are incompletely specified. The end result of CMD is a complete specification of such design objects and model fragments as obtained from a design fragment which establishes a desired behavior fragment. For Davis, this complete description of design, called the microworld, is the starting point. This distinction is important - since the nature of the task enforces certain constraints on how inferencing is performed for that task. In the case of prediction, since the microworld is static (i.e. no new objects or model fragments get added), Davis can generate the possible influence closures a priori (before beginning inferencing) from the input physical theory and then do monotonic inference using the augmented theory. This is similar in spirit to use of the closed-world inference in static databases [22]. In CMD, since the design is incomplete, the influence closure assumptions are defeasible inferences which undergo revisions as the design gets updated. This is similar in spirit to the approaches in non-monotonic reasoning [37, 41, 9], which treat non-monotonic inference as occurring in the midst of the deductive process or as part of the time-varying system. Other examples include the application of closed-world assumptions to dynamic databases [37], solutions to the frame problem where non-monotonic frame inferences are constructed for a particular scenario [41] and non-monotonic truth maintenance.
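The difference between closures fixed a priori and closures held as defeasible assumptions can be shown with a small sketch. This is an added example, not code from the thesis or from CMD: the class and function names, the sign encoding and the extra condensation outflow FRS_cond are assumptions made for illustration, while MS_d, PS_d, FRS_b_d and FRS_d_l stand for the boiler quantities the thesis uses in Chapter 3.

```python
from dataclasses import dataclass

INC, DEC, STD, AMBIGUOUS = "inc", "dec", "std", "ambiguous"


@dataclass(frozen=True)
class Influence:
    """Direct influence I+/I-[target, rate] contributed by an active process instance."""
    target: str   # influenced quantity, e.g. "MS_d" (steam mass in the drum)
    rate: str     # influencing quantity, e.g. "FRS_b_d" (steam flow, boiler to drum)
    sign: int     # +1 for I+, -1 for I-


@dataclass
class Conclusion:
    """A derived qualitative change plus the influence closure assumption it rests on."""
    quantity: str
    change: str
    closure: frozenset
    valid: bool = True


class DesignFragment:
    """Hypothetical, minimal stand-in for a design fragment's causal-relations network."""

    def __init__(self):
        self.influences = set()
        self.rate_sign = {}     # sign of each rate quantity: +1, 0 or -1
        self.cancels = set()    # cancellation assumptions, each a frozenset of two rates
        self.qprop = {}         # dependent quantity -> (source quantity, +1 or -1)
        self.conclusions = {}

    def _closure(self, quantity):
        """Closed-world set of influences currently known to bear on `quantity`."""
        if quantity in self.qprop:                  # Qprop: inherit the source's closure
            return self._closure(self.qprop[quantity][0])
        return frozenset(i for i in self.influences if i.target == quantity)

    def add_influence(self, infl, rate_sign):
        """Extend the design, then retract every conclusion whose closure is stale."""
        self.influences.add(infl)
        self.rate_sign[infl.rate] = rate_sign
        retracted = []
        for c in self.conclusions.values():
            if c.valid and self._closure(c.quantity) != c.closure:
                c.valid = False                     # defeasible inference withdrawn
                retracted.append(c.quantity)
        return sorted(retracted)

    def derive(self, quantity):
        """Compute the qualitative change under the current closure assumption."""
        closure = self._closure(quantity)
        if quantity in self.qprop:
            source, sign = self.qprop[quantity]
            change = self.derive(source).change
            if sign < 0:
                change = {INC: DEC, DEC: INC}.get(change, change)
        else:
            pos = {i.rate for i in closure if i.sign * self.rate_sign[i.rate] > 0}
            neg = {i.rate for i in closure if i.sign * self.rate_sign[i.rate] < 0}
            for pair in self.cancels:               # apply cancellation assumptions
                if len(pair & pos) == 1 and len(pair & neg) == 1:
                    pos -= pair
                    neg -= pair
            change = AMBIGUOUS if pos and neg else INC if pos else DEC if neg else STD
        self.conclusions[quantity] = Conclusion(quantity, change, closure)
        return self.conclusions[quantity]


def boiler_demo():
    df = DesignFragment()
    df.qprop["PS_d"] = ("MS_d", +1)                           # Qprop+(PS_d, MS_d)
    df.add_influence(Influence("MS_d", "FRS_b_d", +1), +1)    # inflow from the boiler
    df.add_influence(Influence("MS_d", "FRS_d_l", -1), +1)    # outflow to the load
    before = df.derive("PS_d").change                         # opposing influences
    df.cancels.add(frozenset({"FRS_b_d", "FRS_d_l"}))         # cancellation assumption
    steady = df.derive("PS_d")
    steady_valid = steady.valid
    # Design update: a constructed, hypothetical condensation outflow from the drum.
    retracted = df.add_influence(Influence("MS_d", "FRS_cond", -1), +1)
    after = df.derive("PS_d").change
    return before, steady.change, steady_valid, retracted, steady.valid, after


if __name__ == "__main__":
    print(boiler_demo())
```
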
Chapter 3

Representation

This chapter describes the representation of the domain models and the desired behavior input to the CMD method, the physical designs output by the CMD method and the intermediate design fragments constructed and manipulated by the method.

3.1 Domain Models

We adopt Forbus’s Qualitative Process (QP) theory [16] to represent domain models. QP theory is a modeling language for representing qualitative models of physical phenomena. In QP theory, a component or interaction is described by a model fragment which consists of:

1. Individuals: A set of participatory objects and their types.

2. IndivConditions: A set of static structural constraints among the individuals and a set of modeling assumptions on the individuals.

3. OperatingConditions: A set of dynamic conditions corresponding to the state of physical system (e.g. quantity inequality relations and the activity of constituent model fragments).

4. Relations: A set of qualitative causal relations between the quantities of the model fragment and its individuals.

Table 3.1: Definitions for model fragment existence, activity and effects.

    ∀ z, mf(z), exists-mf(z) ↔
        [∀ x ∈ Indivs(z), exists-mf(x)] ∧ [∀ y ∈ IndivConditions(z), holds-rel(y)]    [Mf-Existence]

    ∀ z, mf(z), active-mf(z) ↔
        exists-mf(z) ∧ ∀ x ∈ OperatingConditions(z), holds-qrel(x)                    [Mf-Activity]

    ∃ z, mf(z), active-mf(z) →
        ∀ x ∈ Relations(z), holds-rel(x)                                              [Mf-Effects]

An instance of a model fragment is postulated to exist when a set of objects matching the individuals of a model fragment is found to exist and satisfies the constraints and assumptions given by IndivConditions. An instance is active if the operating conditions of the model fragment hold. When an instance is active, all the relations imposed by the model fragment hold. In CMD, we express each of the
above types of model fragments as a set of logical implications as shown in Table 3.1.

QP theory defines two types of causal relations between quantities:

1. A direct influence between two quantities p and q, denoted as I±[q, p], describes how changes in q are monotonically dependent on the sign of p. For example, the velocity of an object is directly (positively) influenced by its acceleration: if its acceleration is positive, zero or negative, its velocity will be increasing, steady or decreasing, respectively. A direct influence relation between two quantities p and q is used to model the quantitative relation dq = f(..., p, ...) where f is a monotonic partial function.

2. A qualitative proportionality between p and q, denoted as Qprop±(q, p), describes how changes in q are monotonically dependent on changes in p. For example, the acceleration of an object is (positively) qualitatively proportional to the net force on the object: if the net force on the object is increasing, steady or decreasing, its acceleration will also be increasing, steady or decreasing, respectively. An indirect influence relation between p and q is used to model the quantitative relation dq = g(dp, ...), where g is a monotonic partial function.

    Defquantity: mass(?individual)
    Defquantity: pressure(?individual)
    Defquantity: level(?individual)
    Defquantity: valve-open-area(?individual)
    Defquantity: flowrate(?individual)

    Entity-MF:           Container(?can)
    Relations:           Physical-obj(?can)

    Entity-MF:           Valve(?v)
    Relations:           Physical-obj(?can)

    View-MF:             Contained-liquid(?sub, ?can)
    Individuals:         container(?can) & substance(?sub)
    IndivConditions:     working-fluid(?can, ?sub, liquid) & phase(?sub, liquid)
    QuantityConditions:  mass(liq-in(?can)) > 0
    Relations:           non-negative-quantity(level(liq-in(?can))) &
                         non-negative-quantity(pressure(liq-in(?can))) &
                         Qprop+(pressure(liq-in(?can)), level(liq-in(?can)))
                         Qprop+(level(liq-in(?can)), mass(liq-in(?can)))
                         corresponds(level(liq-in(?can))=0, mass(liq-in(?can))=0)

    View-MF:             Open-valve(?v)
    Individuals:         valve(?v) & path(?p)
    IndivConditions:     valve-in-path(?v, ?p)
    QuantityConditions:  open-area(?v) > 0
    Relations:           corresponds(open-area=min-o, resistance(p)=max)

    Process-MF:          Closing-valve(?v)
    Individuals:         valve(?v) & path(?p)
    IndivConditions:     valve-in-path(?v, ?p)
    QuantityConditions:  opening-rate(?v) < 0
    Relations:           I+(open-area(?v), opening-rate(?v))
                         Qprop-(resistance(?p), open-area(?v))

    Process-MF:          Liquid-flow(?src, ?dst, ?p)
    Individuals:         container(?src) & container(?dst) & path(?p)
                         port(?pr-src) & port(?pr-dst) & contained-liquid(?sub, ?src)
    IndivConditions:     connected(?src, ?dst, ?can) &
                         pressure-definer(?p, ?src, ?pr-src) &
                         pressure-definer(?p, ?dst, ?pr-dst)
    QuantityConditions:  pressure(?pr-src) > pressure(?pr-dst)
    Relations:           I+(mass(liq-in(?dst)), l-flowrate(?p))
                         I-(mass(liq-in(?src)), l-flowrate(?p))
                         Qprop+(l-flowrate(?p), pressure(?pr-src))
                         Qprop-(l-flowrate(?p), pressure(?pr-dst))
                         Qprop-(l-flowrate(?p), resistance(?p))

Figure 3.1: Representation of (a portion of) the domain model for the boiler control example.

Figure 3.1 shows a portion of the domain model for hydro-mechanical devices. The model fragment for contained-liquids states that, if there exists a container and a liquid substance that could be its working fluid, then an instance of the contained-liquid model fragment (with bindings to the matched container and substance) exists. The contained-liquid instance is active when the mass of the substance in the container is greater than zero.
When active, the contained-liquid’s level and pressure are qualitatively, positively proportional to its mass and level, respectively.

The model fragment for liquid-flow states that a liquid-flow instance exists if the containers of two contained-liquid instances are connected by a path that permits flow. The flow instance is active when the pressure of one contained-liquid instance (source) is greater than that of the other (destination). When active, the flow instance specifies that the masses of the liquid in the source and destination container are negatively and positively influenced, respectively, by a flow rate which is qualitatively proportional to the difference in the two pressures and inversely proportional to the path resistance.

QP theory distinguishes three types of model fragments based on their time dependent properties and the influence relations they impose.

1. Entity model fragment (Entity-MF). Entity model fragments, e.g. containers, impose static causal relations which do not change with change of time. Their existence is sufficient to warrant the inference of the relations defined by them. They have empty IndivConditions and empty OperatingConditions.

2. View model fragment (View-MF). View model fragments, e.g. contained-liquid, model the dynamic state of a component where the state of the component is dependent on some quantitative relation between parameters of the component. Thus the activity of view model fragments is time dependent. The fragments have both existence conditions and operating conditions. The operating conditions are states and determine the activity of the view instance. The relations of a view model fragment specify the causal relations and correspondences which specify the simultaneous reaching of landmark values for two given quantities related by an indirect influence relation.
An example of a view model fragment is the open-valve model fragment, that models the open state of the valve which is dependent on the condition that the parameter open-area(?valve) is greater than zero. View model fragments are also used to model an entity (e.g. liquid) in the structural context of another component (e.g. container) where the combined entity (e.g. contained liquid) is dependent on quantitative conditions.

3. Process model fragment (Process-MF). Process model fragments are similar to view model fragments, in that they also model interactions that are time dependent. The activity of processes is dependent on the holding of existence conditions and operating conditions. The operating conditions are states and determine the activity of the process instance. The relations of a process specify the effects it has on quantities in terms of causal influence relations.

The major difference between view and process model fragments is that the former (also entity model fragments) model local causal relations imposed by design elements that can be used to propagate influences and thereby provide access paths for a quantity change to influence another quantity. The process model fragments define the primary forces that bring about a change. This difference is captured in terms of the types of effects each has on quantities. A view model fragment specifies effects only in terms of indirect influence relations. A process has direct influences and possibly indirect influences. Processes are used to model physical processes in the domain.

3.2 Behavior

The desired device behavior is specified by a partial region diagram consisting of a set of non-overlapping regions and a set of transitions between the regions.
Each region in a region diagram is described by a set of inequalities between quantities and qualitative changes (inc, dec, std) to quantities.¹ Each transition from a region Ri to a region Rj is labelled by the condition (a quantity inequality relationship) under which the transition occurs.²

¹ Note that though a qualitative change may be specified in a region, it need not necessarily hold in all the states represented by the region. For example, in regulatory devices, the quantity to be regulated may be specified to be steady in a region. The intention is to design a device that will attempt to maintain it steady in the region by sensing and compensating for disturbances. Since there may be a delay, the quantity could be disturbed from its value temporarily.

² We do not consider compound transition conditions.

Figure 3.2: Region behavior specification for the boiler control example.

The region diagram for the boiler control example described in Chapter 1 is shown in Figure 3.2. In region R1, the steam-outflow rate from the drum to the load, FRSd,l, must be increasing to meet an increase in demand at the load. In addition, the steam pressure in the drum, PSd, the steam pressure in the boiler, PSb, and the water level in the drum, LWd, must be maintained steady. When the outflow rate of steam from the drum reaches the desired outflow rate, the device is required to transition to region R2, in which the four quantities are maintained steady.

3.3 Physical Designs

A physical design is represented by a structural description that specifies the individual components, their types, their connections, and their parametric constraints. An example of the last is the constraint that the height of the container c1 is the same as the height of container c2. For the boiler control problem, a part of a possible
design solution for maintaining the water-level in the drum constant in the presence of a water supply from the drum to the boiler, is given in Table 3.2. The solution specifies that containers c1 and drum are connected by a pipe link p1. The working fluid in c1 is water in gaseous state and the working fluids in drum are water in liquid and gaseous states. A float, f1, is connected to the liquid contained in the drum and is mechanically linked to the valve v1, where v1 is in the pipe path p1.

Table 3.2: A portion of the design solution for the boiler control problem specifying the components and connection links between them.

    container(drum)                       container(c1)
    pipe(p1)                              link(l1)
    float(f1)                             valve(v1)
    connection(c1, drum, p1)              valve-in-path(v1, p1)
    mechanical-link(f1, v1, l1)           working-fluid(drum, water, gas)
    working-fluid(drum, water, liquid)    working-fluid(c1, water, liquid)

3.4 Design Fragments

A design fragment (DF) describes how a partial design establishes a behavior fragment. It is a 4-tuple <B, D, CRN, A>, in which

• B is the behavior fragment established,

• D is the design that establishes the behavior fragment,

• CRN is the causal-relations network that describes how the design establishes the behavior fragment,

• A is a set of auxiliary assumptions under which the designed device works.

In more detail,

1. Behavior B(DF). Behavior fragments may be simple (e.g. a qualitative change to a quantity in a region) or complex (e.g. a collection of qualitative changes constituting a region, or a collection of regions and transitions between them). Apart from fragments of the input behavior, auxiliary behavior fragments deemed necessary by the design method may also be included. Figure 3.3 illustrates a design fragment generated during the design of the boiler control system.
The design fragment establishes a behavior fragment (maintaining the steam pressure in the drum steady) from region of Figure 3.2.

2. Design D(DF). The design is specified by a set of design components (e.g. container(d)) and structural relations describing how they are assembled (e.g. connects(s1, d, p1)). Figure 3.3 shows a portion of the design stating that the drum and boiler must be containers with working fluids water and steam, and p1 must be a path connecting the drum and the boiler.

    DF (PSd = std)
    B = [PSd = std]
    A = [A2: ic(MSd, [[- FRSd,l] [+ FRSb,d]])
         A3: cancels(FRSb,d, FRSd,l)
         A5: container(?sk-c1) = boiler(b)
         A7: PSdiff b,d > 0
         ...]
    D = [container(d), container(b), working-fluid(b, water, gas), path(p1), connects(b, d, p1), ...]
    CRN (PSd = std): [graph of the causal-relations network, with nodes including PSd = std, Qprop+(PSd, MSd), MSd = std, infl(FRSd,l, MSd, neg), infl(FRSb,d, MSd, pos), FRSd,l > 0, FRSb,d > 0, I-(MSd, FRSd,l), I+(MSd, FRSb,d), active(FSd,l), active(FSb,d), active(CG(water, d)), active(CG(water, b)), exists(FSb,d), exists(CG(water, b)), A9: MSb > 0, path(sk-p1), container(b), connects(sk-c1, d, sk-p1), working-fluid(b, water, gas), FRSd,l = inc]

Figure 3.3: A design fragment for establishing steady steam pressure in the drum for boiler control example.

3. Causal-relations network CRN(DF). The causal-relations network is a data dependency graph that defines the justification links from elements in B(DF) to D(DF) and A(DF). The nodes of the graph may be: a) qualitative changes, b) quantity inequalities, c) partial influences on a quantity, d) causal relations, e) activity status of model fragment instances, f) existence of model fragment instances, g) design components and structural relations, and h) assumptions.

The links of the graph are justifications supporting the nodes. In general, qualitative changes to a quantity are justified by a collection of partial influences on the quantity; partial influences are justified by causal relations (direct influences and qualitative proportionalities) and quantity inequalities or qualitative changes; causal relations (and some quantity inequalities) are supported by the activity of the model fragment instances to which they belong; activity of a model fragment instance is supported by the activity of its constituent model fragment instances and its operating conditions; and, finally, existence of a model fragment instance is supported by the existence of its constituent model fragments, design components and their structural relations. A causal explanation for a behavior fragment may be obtained by tracing the justification links starting from the node representing the behavior fragment.

Figure 3.3 describes the causal-relations network that maintains the steam pressure in the drum steady. In particular, the network shows that the steam pressure in the drum is steady because it is qualitatively proportional to the steam mass which is steady since the partial influences on it (based on direct influences from the outflow and inflow) cancel each other. The two direct influences on the steam mass in the drum are obtained from the two instances of steam flow (from the drum to the load and from the boiler to the drum), both of which are active.

4. Assumptions A(DF). There are four types of assumptions under which the design may establish a behavior fragment:

(a) Codesignation assumptions. In extending a partial design, additional objects may be required. Often, instead of considering new objects, some of the existing objects may fulfill the role (a form of function-sharing). Codesignation [4] explicitly considers the possibility that two objects may be identical.
For example, to maintain the steam pressure in the drum steady, the design method proposes an inflow of steam to compensate for the outflow. At this stage, however, the source of the inflow is not completely specified: it may be the boiler (an existing object) or a tank containing steam (a new object). The causal-relations network in Figure 3.3 is based on the assumption, A5, that the source codesignates with the boiler.

(b) Influence closure assumptions. To determine the qualitative change to a quantity, the partial influences on the quantity (from direct influences or qualitative proportionalities) must be combined to determine the net influence. The computed qualitative change is valid only under the closed-world assumption [17] that all the partial influences on the quantity are known. This assumption is explicitly represented by listing all the known partial influences on the quantity. For example, in the causal-relations network shown in Figure 3.3, assumption A1 is an influence closure assumption specifying that the only known partial influences on the steam mass in the drum are a positive one from the steam inflow (from the boiler) and a negative one from the steam outflow (to the load). Influence closure assumptions may be supported by codesignation assumptions (e.g. the influence closure assumption A2 is based upon the codesignation assumption A5). Different codesignation assumptions will lead to different influence closures (and, therefore, different qualitative changes).

(c) Influence dominance/cancellation assumptions. When there are opposing partial influences on a quantity, the qualitative change to it may be ambiguous.
Influence dominance/cancellation assumptions specify whether one set of partial influences dominates or cancels the other, thereby permitting unambiguous computation of qualitative changes.³ In Figure 3.3, the steam mass in the drum is steady based on an influence cancellation assumption A3 which states that the inflow rate of steam from the boiler equals the outflow rate of steam to the load.

(d) Quantity inequality assumptions. Quantity inequalities that are not justified by the model fragment instances must be assumed as initial conditions or region boundary conditions. For example, the inequality assumption A4 specifies an initial condition: the steam pressure difference between source, S1, and drum, d, must be greater than zero (to enable the steam inflow from the source).

³ This assumption may be refined to determine how the cancellation or dominance is achieved when the preliminary qualitative design is analyzed with quantitative information or exact equations.

A design fragment is locally correct if, based upon its design and auxiliary assumptions, its causal-relations network can be inferred from the domain model axioms and qualitative inference rules, and if its causal-relations network entails all the behavior fragments specified in its behavior.

3.5 Summary

This chapter specified the representation of the inputs and outputs to the CMD and described the representation of the design fragments which CMD constructs to search for design solutions. The important requirements of the different pieces of knowledge, and how their chosen representations meet those requirements, are:

• The domain model input specifies the model fragments that qualitatively model available types of components in the design domain and general interaction laws between individuals of those types (e.g. flows and heating).
In a model-based design approach like CMD, the domain model is used to compose design solutions (as opposed to hierarchical refinement) as well as to construct models of designs.

Composing design solutions requires a modular representation of types of design elements and of the types of interactions between them, and requires that the representation obey the no function in structure principle. The latter is important to allow flexible composition based on local interactions imposed by the model elements. The model fragment based domain model representation satisfies such a requirement.

Constructing models of designs is required in an approach like CMD, which constructs approximate design solutions for behavior fragments and then composes them. In order to find the ramifications of some existing physical design elements in the context of a constructed design, it is necessary to find/construct relevant models to determine what interactions they impose on each other. The model fragment representation facilitates such model construction by making explicit the structural and operating context in which the model fragment applies.

• The behavior of continuous physical devices can be defined by specifying all its states and state transitions. For specifying desired behaviors of devices, a representation that allows partial specification of device states and their transitions is required. A region diagram representation meets such a requirement. A device region can be partially specified by stating only the device behaviors that hold throughout the region. The transitions between regions then define device state transitions as opposed to transitions of individual state variables. Such a representation is required to specify behaviors of complex devices having multiple operating regions.

• The physical embodiment of a conceptual design is schematically specified.
The output representation in terms of component individuals, their types and structural constraints on them is adequate for such schematic specifications.

• Model-based generative design approaches must restrict and focus the search to cope with search complexity for design using complex domain models. Design based on the design fragment representation can: i) Focus the search by exploiting solution constraints. The representation, by making explicit the link between form (structure) and behavior, facilitates exploitation of the desired behavior to guide search in the domain model for appropriate design elements that establish the behavior. Moreover, since the design fragment can be viewed as a causal process description of the working of a design, we can specify the criteria for such a process to correctly establish desired behaviors. The criteria are a solution constraint that can then be used to focus the search for a correct design fragment. The next chapter provides such criteria and shows how they can be used to focus search for solutions. ii) Restrict search. The search space can be reduced by constructing approximate design solutions. The design fragment representation facilitates construction of approximate design solutions. The assumptions in the representation can be used to represent the approximation made in constructing a solution. Since approximations are potential sources of incorrectness, focused search for the sources of incorrectness and their revisions is facilitated by the explicit representation of the assumptions.

Chapter 4 Behavioral Axioms, Failure Conditions and Revision Operators

The conceptual designs generated by any method must be verified at a qualitative level for their correctness. There are several ways to verify a design, of which the two important ones are: i) Simulation.
The design is simulated to predict its behaviors, which are then checked for subsumption of the desired behavior, and ii) Inference. All the causal relations implied by the design are inferred, and then checked to see whether they imply the desired behavior. In both cases, the verification process makes use of some set of general criteria that specify the necessary and sufficient conditions for behavior fragments. In simulation, such criteria are interpreted as simulation rules and are used to simulate the design. In inference they are used to predict the behavior.

An alternative approach to verification, the one explored in CMD, is performing verification at design generation time. The objective is to focus the search for correct designs by making use of the verification criteria at design generation time. One approach to using the criteria to search for designs is by doing deduction. The criteria are used as a set of design inference rules, which are used to deduce the causal relations and design elements that entail a desired behavior. The deductions made define a proof structure which explains how the design achieves the behavior. An alternative approach to deduction, developed in CMD, is to define a design representation which captures the proof structure and use the criteria to search for such structures. The latter approach imposes the following two constraints on the specification of the criteria: i) The verification criteria must be stated in terms of the design representation used to search the space. Such criteria, being a specification of what must exist in the design representation for a behavior to be produced, can then be used constructively to post constraints on the design fragment and thus focus the search. ii) The verification criteria must be declaratively specified such that they can be incorporated into the generator.
The declarative specification can then be used to define a set of operators, which constitute the generator.

In CMD, the search space is based on the design fragment representation, which makes explicit the causal relations that are imposed by design objects and the effect of such relations on the behaviors. In qualitative physical domains, if the general laws for qualitative behavior are also specified in terms of influence relations, then they can be used directly to define the verification conditions for the design fragments. Such a formulation is useful, since the problem of correctness of the criteria gets automatically solved. In this chapter we give a formulation of the behavioral axioms that satisfies such a constraint and show how the basic operators can be defined based on them. The formulation of the axioms is based on previous research work in the field of qualitative reasoning which makes use of such laws procedurally in qualitative simulation engines [17, 16, 20, 10, 52].

The question then is how to exploit the criteria in CMD. One approach is to do complete verification analysis at each design choice point and search for design choices required to satisfy the verification criteria. As observed in the introduction chapter, exhaustive search for a completely verified design is very difficult because of individual model fragment complexity as well as alternative model fragment choices that can be composed for achieving a desired behavior fragment.

The approach taken in CMD to address such problems is based on the notion of incrementally constructing partial design fragments based on simplifications of the verification criteria. In such a less conservative approach, one runs the risk of generating design solutions that are potentially incorrect. To handle such incorrectness, CMD must have the capability of finding the sources of incorrectness and revising the design.
In addition, in order for the search complexity reduction obtained from such simplifications to be effective, (i) CMD must be able to pinpoint the source of incorrectness (the blame assignment problem), and (ii) CMD must be able to focus the search for revisions (the revision problem). CMD addresses such problems by using the verification criteria to define potential reasons for incorrectness, called failure conditions, and by performing verification analysis to derive such failure conditions, which are then used to focus the search for revisions.

This chapter first describes the behavioral axioms that define the verification criteria for obtaining qualitatively correct designs based on the design fragment representation. The problems of efficiently using such criteria for constructing design fragments are then characterized. The problems arise from trading off design correctness with search, based on using simplifications of the verification criteria in obtaining an approximate design fragment. We then describe how CMD addresses such problems systematically.

4.1 Behavioral Correctness Criteria for Design Fragments

Design fragments represent a specification of the designed device and how it qualitatively works to produce behavior fragments in a region. The representation of how a device works is based on causal relations between quantities and inequality relations between quantities. The behavior fragments established by a device are quantity change behavior fragments in a region and are conditional on the region the device is in. Given such a qualitative representation of the device, the criteria for a design to produce behavior fragments in a region must specify i) Criteria for behavior fragments. The constraints on causal relations and quantity inequalities for a behavior fragment to hold in a region, and ii) Criteria for inequalities.
Since behavior fragments are based on causal influence relations between quantities, which in turn are dependent on quantity inequalities, the criteria must specify the necessary conditions for those inequalities to hold in a region. We define these two criteria in the next two subsections based on qualitative abstractions of the general laws for a quantity change.

4.1.1 Axioms for Qualitative Quantity Change

To determine when a quantity change in a specific direction is established in a region, it is necessary to know the immediate causal influences on the quantity that push the quantity in the positive or negative direction and constraints on the magnitudes of those influences.

Table 4.1: Behavioral axioms for a qualitative change, q = inc.

Let

$\mathcal{P}^{+}$ be the set of positive influences on a quantity $q$ under a set of codesignation assumptions:
$$\mathcal{P}^{+} = [p_1, \ldots, p_n] \wedge [\forall p, q',\ \mathrm{infl}(p, q', pos, R) \wedge \mathrm{codesignates}(q', q) \Leftrightarrow p \in \mathcal{P}^{+}]$$

$\mathcal{P}^{-}$ be the set of negative influences on a quantity $q$ under a set of codesignation assumptions:
$$\mathcal{P}^{-} = [p_1, \ldots, p_n] \wedge [\forall p, q',\ \mathrm{infl}(p, q', neg, R) \wedge \mathrm{codesignates}(q', q) \Leftrightarrow p \in \mathcal{P}^{-}]$$

$$\mathrm{holds}(q = inc, R) \Leftrightarrow \exists p,\ \mathrm{infl}(p, q', pos, R) \wedge \mathrm{codesignates}(q', q) \quad [1.1]$$
$$\wedge\ [\,[\forall p,\ \mathrm{infl}(p, q', neg, R) \rightarrow \neg\,\mathrm{codesignates}(q', q)]\ \vee\ [\exists p,\ \mathrm{infl}(p, q', neg, R) \wedge \mathrm{codesignates}(q', q) \rightarrow \exists \mathcal{P}^{-}, \mathcal{P}^{+},\ p \in \mathcal{P}^{-} \wedge \mathrm{dominates}(\mathcal{P}^{+}, \mathcal{P}^{-}, q, pos)]\,] \quad [1.2]$$

$$\mathrm{infl}(p, q, pos, R) \Leftrightarrow [\mathrm{holds}(I_{+}(q, p), R) \wedge \mathrm{holds}(p > 0, R)]\ \vee\ [\mathrm{holds}(I_{-}(q, p), R) \wedge \mathrm{holds}(p < 0, R)]\ \vee\ [\mathrm{holds}(Qprop_{+}(q, p), R) \wedge \mathrm{holds}(p = inc, R)]\ \vee\ [\mathrm{holds}(Qprop_{-}(q, p), R) \wedge \mathrm{holds}(p = dec, R)] \quad [2]$$

$$\mathrm{holds}(I_{\pm}(q, p), R) \Leftrightarrow \exists M,\ \mathrm{mf}(M) \wedge \mathrm{active}(M, R) \wedge [\mathrm{active}(M, R) \rightarrow \mathrm{holds}(I_{\pm}(q, p), R)] \quad [3.1]$$

$$\mathrm{holds}(Qprop_{\pm}(q, p), R) \Leftrightarrow \exists M,\ \mathrm{mf}(M) \wedge \mathrm{active}(M, R) \wedge [\mathrm{active}(M, R) \rightarrow \mathrm{holds}(Qprop_{\pm}(q, p), R)] \quad [3.2]$$

We can state such criteria as a set of axioms. Table 4.1 shows the axioms for qualitative changes¹.
For simplicity, we show here only the axioms for the specific qualitative change of q = inc. Axiom 1.1 states that, in order for a quantity q to be increasing in a region R, it must necessarily be positively influenced by a quantity, p, in R. In addition, in R, either all quantities q' that are negatively influenced do not codesignate with q (Axiom 1.2) or, if some do, then the set of positive influences on q must dominate the set of negative influences (Axiom 1.2), resulting in a net positive influence on q (under an influence closure assumption, supported by a set of codesignation assumptions).

A quantity p partially influences a quantity q, positively (or negatively), in a region R, if and only if, in R, a) p is a direct positive influence on q and p is positive, or b) p is a direct negative influence on q and p is negative, or c) q is proportional to p and p is increasing, or d) q is inversely proportional to p and p is decreasing (Axiom 2). A causal relation between p and q (direct influence or qualitative proportionality) holds in a region R, if and only if a model fragment instance that imposes the causal relation is active in R (Axioms 3.1, 3.2). Axioms for the activity and existence of model fragment instances are obtained from their definitions in the domain model (for example, see Figure 3.1).

¹ The appendix gives a listing of all the axioms.

4.1.2 Axioms for Inequality Conditions

Behavior fragments are ultimately dependent on quantity inequalities that hold in a region. The persistence of a region of a device is therefore dependent on persistence of the quantity inequality conditions that define the region. Device region transitions are then dependent on the establishment of shifts of the qualitative regions of individual quantities holding in an adjacent region of the device. Such shifts of a region of a quantity result from its increase/decrease.
The conditions for establishment of shifts of quantity inequalities and conditions for persistence of such inequalities then define the necessary conditions for an inequality condition to hold in a region.

Table 4.2 declaratively specifies the necessary and sufficient conditions for inequality conditions to hold in a region². For simplicity we discuss here the axioms for the inequality conditions p > c and p = c. Axiom 1.1 states that, in order for the inequality p > c to hold in a region Rj, a) it must necessarily hold in the adjoining region Ri which meets Rj along q, or b) that p = c holds in the adjacent region and that p = inc in Ri. In addition, p > c must be maintained throughout Rj. From these conditions and the definition of meets (given by Axiom 4), if Rj is a point region then p > c must persist from the adjoining open region, since we are interested only in continuous devices and discrete changes are not allowed.

² All quantities are viewed as taking continuous values. We consider qualitative abstraction of quantity values defined in terms of open intervals which are adjoined by point intervals. The point intervals define landmark values of quantities or point regions. The open intervals define extended regions. Hence we view a quantity as being in a region. For example, the level of water, Lw, in a container can be in the region Lw < Ha or Lw = Ha, where Ha is some constant height.

Table 4.2: Axioms for inequality conditions p > c and p = c to hold in a region.
Let

holds(P, R) denote that literal P is true in the interval defined by region R
P+(q) denote the set of positive influences on a quantity q in some region Ri
P-(q) denote the set of negative influences on a quantity q in some region Ri
i_inf(p, q) denote that p is an indirect influence (Q+ or Q-) on q
d_inf(p, q) denote that p is a direct influence (I+ or I-) on q
a-co-occurs(rel1(p), rel2(q)) denote correspondence assumption of equality rel1(p) and the equality rel2(q)
correspondence(rel1(p), rel2(q)) denote co-occurrence of inequality rel1(p) and the inequality rel2(q) where a qualitative proportionality imposes a direct causal link between p and q

All unquantified variables are universally quantified.
All quantities are denoted by the symbol letters p, q, r, s.
All constants are positive and are denoted by the symbol letters c, c1, c2, c , c

$$\mathrm{holds}(p > c, R_j) \Leftrightarrow [\,[\exists R_i, c, \forall q,\ \mathrm{meets}(R_i, R_j, q) \wedge \mathrm{holds}(p > c, R_i)] \quad [1.1]$$
$$\vee\ [\exists q,\ \mathrm{meets}(R_i, R_j, q) \wedge \mathrm{holds}(p = c, R_i) \wedge \mathrm{holds}(p = inc, R_i)]\,] \quad [1.2]$$
$$\wedge\ \mathrm{maintained}(p > c, R_j) \quad [1.3]$$

$$\mathrm{holds}(p = c, R_j) \Leftrightarrow [\exists q,\ \mathrm{meets}(R_i, R_j, q) \wedge \mathrm{holds}(p = c, R_i)] \quad [2.1]$$
$$\vee\ [\exists R_i, c, c, \forall q,\ \mathrm{meets}(R_i, R_j, q) \wedge q = c \in R_j \wedge q < c \in R_i \wedge \mathrm{holds}(p > c, R_i) \rightarrow \mathrm{holds}(p = dec, R_i) \wedge \text{co-occurs}(p = c, q = c, R_i)] \quad [2.2]$$
$$\vee\ [\exists R_i, c, c, \forall q,\ \mathrm{meets}(R_i, R_j, q) \wedge q = c \in R_j \wedge q < c \in R_i \wedge \mathrm{holds}(p < c, R_i) \rightarrow \mathrm{holds}(p = inc, R_i) \wedge \text{co-occurs}(p = c, q = c, R_i)] \quad [2.3]$$

$$\mathrm{maintained}(q > c, R) \Leftrightarrow [\mathrm{holds}(q = std, R) \vee \mathrm{holds}(q = inc, R)] \quad [3]$$

$$\mathrm{meets}(R_i, R_j, q) \Leftrightarrow \exists c, c_1,\ c_1 < c,\ [\,c_1 < q < c \in R_i \wedge q = c \in R_j\,] \quad [4.1]$$
$$\vee\ [\,q = c_1 \in R_i \wedge c_1 < q < c \in R_j\,] \quad [4.2]$$

$$\text{co-occurs}(p = c, q = c, R) \Leftrightarrow [\,\mathrm{holds}(p > c, R) \wedge \mathrm{holds}(q < c, R) \rightarrow [\mathrm{holds}(p = dec, R) \wedge \mathrm{holds}(q = inc, R)]$$
$$\wedge\ [\,[P_{+}(p) = \{\} \wedge P_{-}(p) = \{q\} \wedge Q_{-}(p, q) \wedge \mathrm{correspondence}(p = c, q = c)] \quad [5.1]$$
$$\vee\ [P_{+}(p) = \{\} \wedge P_{-}(p) = \{q'\} \wedge Q_{-}(p, q') \wedge \mathrm{correspondence}(p = c, q' = c) \wedge \text{co-occurs}(q' = c, q = c)] \quad [5.2]$$
$$\vee\ [P_{-}(p) = \{q'\} \wedge P_{+}(p) = \{\} \wedge I_{-}(p, q) \wedge \text{a-co-occurs}([q = c_1, q = c], [p = c, q = c])]\,]\,] \quad [5.3]$$

The necessary and sufficient conditions for the equality p = c to hold in region Rj are: a) the equality, p = c, persists from the adjoining region Ri (Axiom 2.1), or b) if the quantity p is greater than c in the adjoining extended region Ri, where the border³ between Ri and Rj is defined by some quantity q, and q < c holds in Ri, then it must be the case that p = dec holds in Ri and that p reaching c co-occurs with q reaching c (Axiom 2.2), or c) if the quantity p is less than c in the adjoining extended region Ri, where the border between Ri and Rj is defined by q, and q < c holds in Ri, then it must be the case that p = inc holds in Ri and that p reaching c co-occurs with q reaching c (Axiom 2.3).

The criteria for a quantity inequality to hold in a region are dependent on the persistence of the inequality in the region. The persistence conditions for the inequality q > c are specified by Axiom 3. Axiom 3 states that q > c is maintained in a region R iff q is held steady in R or q = inc in R.

The definitions of the meets and co-occurs predicates are given by Axiom 3 and 4 respectively. The definition of meets is based on the model that two open regions are separated by a point region which defines the boundary between them. The definition specifies that region Ri meets Rj if and only if a) the open region, Ri = [c1 < q < c], defined by quantity q, is adjoining the point region Rj = [q = c] (Axiom 4.1), or b) the point region Ri = [q = c1] is adjoining the open region, Rj = [c1 < q < c] (Axiom 4.2).

The co-occurrence axiom specifies the conditions that hold in a region for synchronized occurrence of a specific value of one quantity at the region boundary specified relative to some reference quantity.
The synchronized occurrence is required if the region shifts of one or more quantities are to be coordinated with the region shifts dictated by changes in the reference quantity. A better understanding of this constraint can be obtained by considering the liquid-level control example (Figure 4.1(a)) where the liquid-inflow rate to a container c must be made zero when the level of the liquid in the container has reached the desired level, h. This constraint is expressed by stating that flowrate = 0 must co-occur with level = h in the region where level < h and flowrate > 0.

³ The border between two extended regions Ri and Rj is defined by a point region Rij.

Figure 4.1: An example of the co-occurrence constraint on liquid-inflow rate and liquid-level for region transition in the liquid-level control device.

To specify the conditions for co-occurrence, we consider the general case, elaborated in Axiom 5, for co-occurrence of p = c with q = c for the case where p > c, q < c, p = dec and q = inc holds in region R. The axiom states that for the above case, any of the following conditions must be met:

1. A qualitative proportionality relation Q-(p, q) holds between p and q and there is a correspondence of values c and c of quantities p and q respectively (Axiom 5.1),

2. A qualitative proportionality relation Q-(p, q) must hold between p and q and a correspondence relation must hold for values c and c of quantities p and q respectively and a co-occurs relation holds between values c and c of quantities q and q respectively.
The underlying basis for such an assumption is that, since the influencing quantity (q) shifts along with the influenced quantity (p), there exists some value of the influencing quantity which corresponds with the value of the influenced quantity and hence the co-occurs requirement on values of p and q can be established by establishing a co-occurs relation between q and q. Consider the co-occurrence requirement, in the liquid-level control example, of the liquid-inflow rate to a container to be zero when the level of the liquid attains h. If we consider the influence of the path-resistance changes on the inflow rate, the liquid-inflow rate is inversely proportional to the path-resistance, and there exists a corresponding value of path resistance (path-resistance = some maximum value, Rm), at which the liquid-inflow rate is zero. Hence the required co-occurrence requirement is met by satisfying the correspondence requirement and the derived co-occurrence requirement between the values of the path resistance, Rm, and the liquid-level, h.

3. A direct influence relation I-(p, q) holds between p and q, and a co-occurs assumption can be made which specifies that the simultaneous holding of values c1 and c for quantities q and q respectively implies the simultaneous holding of values c and c of quantities q and p respectively. To understand the underlying basis for such an assumption, consider the steam-engine example where there is upward and downward motion of the piston and the requirement is to have the piston velocity be zero when the piston is at the top of the cylinder. In this context, there is a direct influence of acceleration on the piston velocity. In such a context, there are no direct correspondence relations between the quantities velocity, acceleration and piston position.
That is, we cannot impose the requirement that velocity is zero when the acceleration is zero and the piston is at a certain position. The argument is that the changes in velocity of the piston are determined by the sign of the magnitude of the acceleration of the piston. The only constraint that can be enforced in such a context is on the initial value of the direct influence: enforcing the acceleration of the piston to be at a certain value at some prior position of the piston, such that the velocity reaches the required value at some later piston position (as specified by the co-occurrence requirement).

Each of the above cases ensures the existence of some feedback path of influences from quantity q to quantity p, such that as the quantity q gets shifted, the quantity p is also caused to shift by changes in q, thereby forcing the region crossing of p to be coordinated with the region crossing of q. The different cases correspond to the different types of influences that may constitute the first influence link to the quantity p in such a path. Returning to our level control example, to bring about the co-occurrence of flowrate = 0 when level = h, a causal influence path is established from the level of the liquid to the flowrate through floats, links, levers and path-resistance (Figure 4.1(b)).

4.2 The Qualification and Persistence Problem in Design

Given the above verification criteria and its use in design as discussed at the beginning of this chapter, the question then is how to exploit such criteria in CMD effectively. Answering this question requires understanding of (i) the dynamical aspects of a device relevant to desired behaviors, and (ii) the tradeoffs between correctness and search complexity in the process of design.

A device has quantity change behaviors which extend over intervals called regions. Regions are defined by quantity inequalities.
A design for a device establishes causal relations which have positive/negative influences on the quantity. The influences produce quantity changes which in turn change quantity inequalities. Such changes in quantity inequalities are called quantity shifts. Since regions are defined in terms of quantity inequalities, quantity shifts produce region transitions. The quantity changes and changes of quantity inequalities are the dynamical aspects of a device relevant to the desired behavior.

In designing devices that work to produce desired quantity change behaviors by means of causal influences on quantities, the design process uses model fragments from the domain model that support causal influence relations of the form, if influence p then change of quantity is in direction p. Generating completely verified design choices requires searching for all potential causal relations and changes that may affect the desired behavior. Because of individual model fragment complexity (more than one influence relation imposed by a model fragment) and alternative types of model fragment choices that can be composed to bring about a change, in reasonably complex domain models, generating such verified design choices becomes very complex. Knowledge of what other influences might affect the desired changes is dependent on future design decisions and hence is incomplete at any intermediate stage of the design. Determining those influences requires that all possible design topologies in the current design context be explored.
For example, if CMD wants to produce a correct design that maintains the pressure of steam in the drum steady in a region, CMD must verify that there is no steam outflow, steam inflow, condensation, water evaporation, etc., and make design choices that circumvent any interactions arising from causal relations imposed by such model fragments that are applicable in such a context.

⁴ The exact influence relation Q±(q, p) or I±(q, p) imposed by a model fragment can be viewed as a set of extensions of form: if p = dec/p = inc then q = inc/q = dec, or if p > 0/p < 0 then q = inc/q = dec.

The alternative is to be less conservative and base the design on partial influences that qualify a given quantity change behavior. This means that the partial designs worked with will be approximately correct and hence the design process must be prepared to recover from incorrect design approximations by revising the design. The above problem of trading off the correctness of the design with the amount of search characterizes the qualification problem [41, 37] as it arises in model-based design.

The qualification problem is not the only problem that CMD must confront in order to reduce search complexity. The other problem in design of devices with operating regions is establishing the regions over which a quantity change occurs. Regions are defined by inequality conditions which determine the activity of model fragments, and consequently the influences that produce quantity changes. Shifts of inequality conditions produce device region transitions. Since the holding of inequality conditions is dependent on quantity changes, the ramifications of quantity changes on the persistence of inequality conditions are critical to determining the operating regions of a device and preventing unwanted region transitions.
Hence for complete verification of the design for expected region behaviors and expected transitions, it is necessary to determine the persistence of all quantity inequality conditions that can potentially affect the operating regions of a device and transitions between those regions. This would require determining all possible effects of causal relations and chains of such relations on persistence of quantity inequalities and searching for correct design choices that prevent transitions or accomplish transitions. Since the global state of a device is defined by the inequality relations between all relevant quantities, to determine persistence of an inequality over an extended region it is necessary to obtain all possible global states of the device in the region and verify that the inequality holds.

For example, in region Ri of the boiler control system, for a given set of model fragment choices, there are different quantities and inequality relations based on them that may be potentially relevant for that region behavior. Given the drum specific quantities (such as steam-mass, steam-pressure, temperature, water-level, etc.) and their changes, and the boiler specific quantities and their changes, it is necessary to determine the ramifications of such changes on the inequality relations between such quantities and relations with respect to their landmark values (for example, water-level in the drum being greater than zero or equal to zero). The ramifications must then be analyzed to verify that the correct relations hold throughout the region or undergo timely shifts, and design actions taken if they do not. Such information on global states of the device is only partially specified at any design stage. In order to obtain more complete global state information, all future design choices and all global states resulting from such choices have to be enumerated,
which results in increased search complexity.

A less costly approach is making persistence assumptions of the relevant inequalities over extended regions and being able to revise the design when such assumptions fail. This problem of efficiently reasoning about effects of quantity change on inequality conditions characterizes the persistence problem [24] as it occurs in model-based design.

In summary, this chapter has highlighted the two major problems that arise from the conflict between the goals for efficiency and correctness in the context of the model-based design task: (i) the qualification problem and (ii) the persistence problem. We now give a systematic solution that uniformly addresses both problems. The key idea underlying the solution is incrementally generating design fragments that establish behavior fragments based on simplifications of the verification criteria (by making completeness assumptions on the qualifications for a change based on only the influence resulting from a design choice for a required behavior, and making persistence assumptions), and making use of the design fragment assumptions to explicitly represent those simplifications. Such simplifications in the initial generation process reduce search at the cost of generating potentially incorrect designs. For such efficiency gains to be effective, without compromising correctness, CMD must (i) be able to focus the search for the sources of incorrectness (the blame assignment problem), and (ii) be able to focus the search for the relevant revisions to design such that correctness is restored. In the following sections, we describe how CMD addresses these problems.

4.3 Failure Conditions and Revision Operators

CMD incrementally constructs partial design fragments and extends them based on failure information obtained from verification analysis.
In such a design process, incorrectness of a design fragment may occur in two ways: (i) Absence of necessary design fragment elements that establish a quantity change behavior or quantity inequality, and (ii) Incorrect assumptions. The latter arises from the simplifications that CMD makes as discussed in the previous section. Each of the above sources of incorrectness are handled uniformly in CMD by recognizing the reasons for incorrectness, called failure conditions, as part of verification analysis and applying revision operators that satisfy the failure conditions.

4.3.1 Establishment Failure Conditions

Establishment failure conditions are caused by incompleteness of the design fragment. Given that a design fragment establishes a quantity change or a quantity inequality, there are four types of necessary-establishment failure conditions: (i) Null-influence for steady quantity change behavior, (ii) Positive-influence for quantity increase, (iii) Negative-influence for quantity decrease, and (iv) Meeting-region for inequality condition. These failure conditions are obtained from simplifications of the criteria for quantity changes and inequalities.

For example, the positive-influence failure condition arises in the context of increase of a quantity when no influence relations exist in the design fragment to affect the quantity. The condition specifies that the reason for incorrectness of a design fragment to establish q = inc is that the design fragment does not establish a single positive influence on q, where the positive influence also completely specifies the influence closure assumption on q. This failure condition is a simplification of the verification criteria for q = inc given by Axiom 1 in Table 4.1, since the criteria specified by the other conjuncts are ignored.
This failure condition may be satisfied in the following ways (each resulting in a distinct revision operator):

1. Forcing a quantity q' which is positively influenced to codesignate with q.

2. Introducing a new positive influence on q based on choosing a new model fragment from the domain model that imposes the causal influence relation I+(q,p) and introducing the inequality requirement that p > 0.

3. Introducing a new positive influence on q based on choosing a new model fragment from the domain model that imposes the causal influence relation I-(q,p) and introducing the inequality requirement that p < 0.

4. Introducing a new positive influence on q based on choosing a new model fragment from the domain model that imposes the causal influence relation Q+(q,p) and introducing the quantity change requirement that q = inc.

5. Introducing a new positive influence on q based on choosing a new model fragment from the domain model that imposes the causal influence relation Q-(q,p) and introducing the quantity change behavior requirement that q = dec.

In each of the above cases, the complete influence closure assumption is made based on the single influence imposed by the model fragment choice. Note that the positive-influence failure condition for a given behavior is derived by testing the CRN for the existence of the influence relations and the closure assumptions.

The establishment failure condition for the inequality condition, p > c, to hold over an extended region, Rj, is based on simplification of the verification criteria specified by Axiom 1.1 in Table 4.2.

holds(p > c, Ri) ∧ maintained(p > c, Rj) → holds(p > c, Rj)

where p > c is considered maintained in Rj if there are no negative influences on p. Since CMD does incremental construction of design fragments, the maintained
constraint is verified with respect to the design decisions made so far and is assumed to hold for all future design choices. The establishment failure conditions for an inequality condition thus makes the assumption that the inequality is maintained throughout the region. Such a greedy decision may be incorrect in three ways: (i) design choices may lead to quantity changes and influence relations that are inconsistent with the assumptions made for a required behavior, or (ii) the region over which they are assumed to persist may undergo changes which conflict with the assumed region over which the persistence holds, or (iii) the region over which they are assumed to persist may overlap with other regions where the inequality p < c or p = c holds. Such inconsistencies are handled by the consistency failure conditions and revision operators.

4.3.2 Consistency Failure Conditions

Consistency failure conditions are caused by incorrectness of the simplification assumptions made in the design fragment construction process. In the boiler example, if the complete set of influence relations affecting the pressure of the steam in the drum is assumed to be empty in order to establish steady pressure in the drum, composing with a design fragment that establishes a steam-outflow from the drum leads to causal ramifications which impose a negative influence on the pressure of the steam in the drum. In such a design fragment context, the empty influence closure assumption that satisfied the simplified verification criteria is inconsistent and requires revision to restore consistency with respect to the new ramification update and make the fragment correct in the context of the update.
There are four types of consistency failure conditions: (i) Net-positive-influence, (ii) Net-negative-influence, (iii) Net-influence cancellation, (iv) Inequality-maintenance, and, (iv) Inequality-shift.

These failure conditions are obtained from the criteria for quantity changes and inequalities that are ignored by the establishment operators. Here we elaborate on the positive influence failure conditions, and inequality maintenance.

1. Net-positive-influence: This failure condition occurs in the context of establishing an increase in a quantity q when there are some existing influences on q. The condition specifies that the reason for incorrectness of a design fragment to establish q = inc in the context where the design fragment specifies a negative influence p on q, is that the influence closure and dominance constraints specified by the design fragment do not specify a set of positive influences and negative influences which includes p such that the positive influences on q dominate the set of negative influences on q (from Axiom 1.2). This failure may be revised in three ways (resulting in three distinct revision operators): a) preventing the negatively influenced quantities from codesignating with q, and, b) revising the influence closure and forcing the set of positive influences to dominate the set of negative influences⁵.

2. Inequality-Maintenance: There are different subtypes of this failure condition based on the inequality relations between two quantities p and q, where one of the quantities may be a constant: a) p > q, b) p < q, and c) p = q. We describe the failure condition and revision operator for maintenance of p > q where q is equal to some constant c. The failure condition for maintenance of inequality condition p > c in the context where there is a negative influence on p specifies that the reason for incorrectness is that p is not increasing or that p is not held steady.
This failure may be revised in two ways: i) Extending the B of the design fragment with the quantity change requirement, p = inc, or ii) Extending the B of the design fragment with requirement of p = std.

The following subsection describes how the revision operators for q = inc can be derived directly from the axioms. The derivation of other operators can be shown in a similar manner.

⁵ A third option is to remove the negative influence. Since, in a constructive approach, the negative influence can be the result of an earlier design choice, removing it would defeat the design choice. Since alternative choices, without the negative influence, would get considered and in essence subsume the effect of removing the negative influence, no additional operator is required.

4.3.3 Derivation of the Revision Operators for q = inc

The complete set of revision operators for q = inc can be derived by enumerating the conditions under which a design fragment can fail to establish q = inc. From Axiom 1 in Table 4.1, the conditions for failure to establish q = inc are given by (taking the contrapositive of Axiom 1)

¬[holds(q = inc, R)]
  → ¬[∃p, infl(p, q', pos, R) ∧ codesignates(q', q)]   [1]
  ∨ ¬[[∀p, infl(p, q'', neg, R) → ¬codesignates(q'', q)]
      ∨ [∃p, infl(p, q'', neg, R) ∧ codesignates(q'', q) → ∃P−, P+, p ∈ P− ∧ dominates(P+, P−, q, pos)]]   [2]

Considering each disjunct separately, we have the following cases:

Case 1: ¬[∃p, p ∈ P+, inf(p, q, pos)]

The failure to establish q = inc due to the condition specified by Case 1 can be handled by the following operator.

Establishment-Operator:
  Precond: ¬[∃p, p ∈ P+, inf(p, q, pos)]
  Action: Find p, such that inf(p, q, pos); establish inf(p, q, pos); make influence closure assumption on q based on influence p.
  Postcond: ∃p, p ∈ P+, inf(p, q, pos)

For the other disjunct specified by 2, we have:

Case 2:
¬[[∀p, infl(p, q'', neg, R) → ¬codesignates(q'', q)]
  ∨ [∃p, infl(p, q'', neg, R) ∧ codesignates(q'', q) → ∃P−, P+, p ∈ P− ∧ dominates(P+, P−, q, pos)]]   [2]
iff
  ¬[∀p, infl(p, q'', neg, R) → ¬codesignates(q'', q)]   [2.1]
  ∧ ¬[∃p, infl(p, q'', neg, R) ∧ codesignates(q'', q) → ∃P−, P+, p ∈ P− ∧ dominates(P+, P−, q, pos)]   [2.2]
iff
  [∀p, infl(p, q'', neg, R) ∧ codesignates(q'', q)]   [3.1]
  ∧ [∃p, infl(p, q'', neg, R) ∧ codesignates(q'', q) ∧ ¬[∃P−, P+, p ∈ P− ∧ dominates(P+, P−, q, pos)]]   [3.2]

The failure to establish q = inc can be removed by negating any of the conjuncts in 3.1 or 3.2. In the context of a constructive method, the negative influence in 3.1 or 3.2 may be a side-effect that cannot be removed since the model fragment imposing the side-effect may be used in the design fragment to establish another behavior. Hence the negative influence has to be prevented from influencing q or counteracted: the first is achieved by ensuring non-codesignation (operator-2) and the second is achieved by enforcing dominance of positive influence.

Consistency Operator-2:
  Precond: [q1 = q → inf(p, q1, neg)] ∧ P+ = {p}
  Action: Make not-codesig(q1, q)
  Postcond: P− = {} ∧ P+ = {p} ∧ not-codesig(q1, q)

Consistency Operator-3:
  Precond: inf(p1, q, neg) ∧ P+ = {p} ∧ P− = {}
  Action: Make dominates(p, p1) and make influence closure assumption on q based on positive influence p and negative influence p1.
  Postcond: P− = {p1} ∧ P+ = {p} ∧ dominates(p, p1)

4.4 Summary

This chapter described the role of verification criteria for design fragments in model-based design, defined the criteria, identified key problems in constructing verified design fragments based on such criteria, and developed solutions for those problems.
The criteria are based on the premise that the qualitative behavior and the qualitative working of a device can be represented in a qualitative representation, the design fragment, which is an abstraction of quantitative models. The basic intuition underlying the derivation of the criteria is the notion that the design implements a causal process which establishes its own quantity change behaviors. Based on such an intuition we characterized the properties, the verification criteria, that such a process would have to satisfy in order to correctly establish the given behaviors. The criteria are the general laws for qualitative quantity changes and quantity inequalities to hold in a region. The laws define the criteria for design fragments, because of the uniformity of the predicates used in the laws and the design fragment representation.

The verification criteria bears resemblance to the Truth Criteria used in non-linear planning [4]. The key difference is in the notion of region and the notion of shift of regions. Since device behavior extends over regions, where other simultaneous behaviors may be present, the criteria must consider such simultaneity. The temporal ordering of device behaviors is best described in terms of operating regions which are defined with respect to certain quantities.

We identified two problems in use of such criteria that arise from conflicts in trying to obtain correct solutions on one hand and reduce the search for conceptual design. Both problems were discussed previously in the context of planning and reasoning about change. In those areas, the problem is one of tradeoff between accuracy of prediction and risks on one hand and efficiency on the other hand. It is very difficult to formulate precise notions of accuracy of prediction and risks which can then be used to solve such problems.
In CMD, for conceptual design based on verification criteria, the problems do have solutions. The solution we provide is based on constructing approximately correct design fragments. The key property that such approximations must satisfy in order to be effective is that it should be possible to systematically identify failures when they arise from approximations and also be able to focus the search for revisions. We identified certain types of approximations in the verification criteria, that satisfy such a property. We showed how failure conditions and revision operators can be derived that can be used to revise incorrect design fragments.

The above solution also leads to formalizing the bidirectional nature of search that underlies the intuition of obtaining partially correct designs and revising them based on information obtained from verification failures. We identified the establishment failure conditions and revision operators that lead to generation of approximately correct design fragments. We identified the consistency failure conditions that can be derived from verification analysis and revision operators that are used for focused revisions. We now describe the operations that use such failure conditions and revision operators to construct design fragments for behaviors specified by region diagrams.

Chapter 5

Construction of Basic Design Fragments

The multi-operating region behavior of a device can be decomposed into region behaviors and region transition behavior. The region behavior can be further decomposed into individual qualitative changes, called basic behavior fragments, which conjunctively define the region behavior.
The CMD method follows the above decomposition and develops the basic operations on design fragments for 1) constructing design fragments for basic behavior fragments, 2) composing design fragments to establish composite behavior, and 3) extending design fragments to maintain region behavior and establish region transitions. This chapter describes the first operation. The compose and extend operations are discussed in Chapters 5 and 6, respectively.

5.1 Construct Operation Constraints

Individual qualitative changes to quantities are the basic behavior fragments. The construct operation searches for design fragments that establish these behavior fragments. Before we define the operation, we identify three important constraints on the operation and the design fragments it produces, that allow the operation to perform focused search.

1. Approximately correct design fragments. CMD is based on an incremental divide-and-conquer search strategy that constructs, composes and extends approximately correct¹ design fragments. The design fragments are approximate in that their correctness depends on approximation assumptions that result from simplifications in the verification criteria. In the previous chapter we described the rationale for such approximations in an incremental search strategy. The approximations focus the search to what is relevant for the establishment of the behavior fragment and ignores the other secondary but relevant details. Such approximations result from making assumptions on completeness of the influence relations relevant to a quantity change and assumptions on holding of inequality conditions in a region.

¹ We reserve the term partial design fragments for design fragments which are incomplete or are approximately correct.

2. Independence of design fragments.
This constraint allows the CMD to construct basic design fragments under independence assumptions. The independence assumption leads to searching for simplified design fragments which are constrained to satisfy only the necessary requirements for the local behavior to hold and ignores interactions arising from considering other required behaviors and their ramifications which are best handled by the composition operation. The objective here is to defer design decisions that are best handled at the later composition and extend stages of the design strategy when more information is available. The postponement also simplifies the search space of the construct operation and generates a compact and flexible representation of the design fragments that can be used to focus the search of later stages.

3. Least committed design fragments. This constraint is satisfied by constructing basic design fragments that are least committed with respect to specific design choices for the bindings of individuals that are needed for the existence and activity of model fragments used in the design fragments. The objective of such delayed binding is deferring design decisions until more information is available on them. Moreover such least committed design fragments lead to a compact representation of a base set of design fragments that can be flexibly composed and extended by later operations in a divide and conquer search strategy.

5.2 Steps of The Construct Operation

Table 5.1 shows the steps of the construct operation. The operation takes as input an individual quantity change behavior to be established (bd), a domain model (DM), and an initial set of design constraints (Di) and produces as output a set of design fragments that establish the desired behavior under a set of approximation assumptions. The initial set of design constraints specifies the set of objects and constraints on them in the structural context of the behavior being established. The algorithm constructs a design fragment, which as described in Chapter 3, consists of a 4-tuple: (B, D, CRN, A), where B is the desired behavior, D is the design solution, CRN is the causal relation network and A is the set of assumptions. Search of the design fragment space is carried out with a working set, DFbase, which is the set of partial design fragments currently being elaborated.

Table 5.1: Steps for DF construct operation.

DF-Operation: Construct-DF(bd, Di, DM, Timelimit)
• Given: A partial df specification in terms of Bd, Di. DM = Domain Model
• Output: A set of alternative design fragments which establish bd
• Steps:
  0. Initialize
     Let, Bd = {bd}
          Di = initial design constraints
          df0 = (Bd, Di, ∅, ∅)
          DFbase = {df0}
  Loop until Timelimit Exceeded or No-change in an iteration
  Begin
  1. Generate design fragment
     (1.1) Select df from DFbase
     (1.2) If exists Fc, establishment-failure-condition(df, Fc) Then do:
           (a) Let, Rops = Find all applicable establishment-revision-operators(df, Fc)
           (b) DFms = Result of applying each operator in Rops to df
           (c) Replace df with the set DFms in DFbase
  2. Verify and Revise
     (2.1) Select df from DFbase
     (2.2) Let, dfk = Update-necessary-mf-inf-ramification(df)
     (2.3) If exists Fc, consistency-failure-condition(dfk, Fc) Then do:
           (a) Let, Rops = Find all applicable consistency-revision-operators(Fc, dfk)
           (b) DFms = Result of applying each operator in Rops to dfk
           (c) Replace df with the set DFms in DFws
  End.

In the initialization step (Step 0 in Table 5.1), an initial df0 is created whose B is initialized to the behavior, b to be established, whose D is initialized to the initial design constraints, and whose CRN and A are empty². The working set, DFbase, is assigned the set consisting of the single element df0.
The body of the operation is an iterative loop consisting of two steps: (a) Generation. In this step, working backwards from the behavior fragments to be established, all the necessary elements of the causal-relations network down to the design components and their structural relations are generated based on assumptions that satisfy the correctness conditions. The generation is done by determining establishment failure conditions and applying revision operators to satisfy them. (b) Verification and revision. In this step, the necessary ramifications of design choices made in the generation step are derived through forward inference, the design fragment is updated with the ramifications, verification analysis is done to derive the consistency failure conditions and revision operators are applied to satisfy the failure conditions. The iteration stops when the maximum time limit is reached or when all the design fragments in the working set do not have any failure conditions associated with them that require revisions to the design fragment and hence changes in the working set.

Step 1 of the operation (Table 5.1) generates approximate design fragments for a quantity change. In step 1.1 a design fragment, df, is selected from the working set. The design fragment is then checked for existence of establishment failure condition (Fc) in step 1.2. There can be two types of establishment failure conditions: i) behavior establishment failure condition that correspond to establishment of quantity increase/decrease/steady behaviors, and, ii) inequality establishment failure condition that correspond to holding of inequality relations between two quantities. If there is such a failure condition, revision operators that are relevant to the establishment of the failure condition are retrieved (step 1.2(a)) and are applied to satisfy the failure condition (step 1.2(b)).
For operators that establish a quantity change behavior by introducing influence relation relevant to the quantity into the CRN of the design, there may be several ways of establishing the behavior based on a choice of different model fragments from the domain model. In the current implementation, each instantiation of the operator corresponding to each possible way of establishing the behavior, is used to create a new design fragment. For the introduced model fragments which require existence of certain types of individual physical components, typed skolemized constants are generated to stand for those individuals. The operator creates the justification structure for the quantity change behavior based on the model fragment choice made. The new design fragment choices are used to replace the selected design fragment.

² The convention followed in describing the operations in this chapter and the following is that sets are denoted by capitalized letters and variables and constants are denoted in small case letters.

For inequality establishment failure conditions, application of the relevant revision operator results in making the maintained assumptions on the inequality condition requirements that are imposed by the quantity conditions of process and view model fragments that are chosen to impose an influence on a quantity.

Step 2 of the construct operation does interleaved verification and revision of design fragments generated in step 1. It selects a design fragment from the working set and tests for consistency. The verification and revision process involves: (i) Ramification Update (substep 2.1). All necessary causal relations implied by an existing model fragment instance are introduced into the CRN of the design fragment, and (ii) Failure condition detection and revision (substep 2.2). The design fragment is checked for existence of any consistency failure condition.
The identified failure condition is then handled by executing applicable design fragment revision operators (substep 2.2.a and b). Such revisions may lead to producing new design fragments, DFms. The new design fragments are used to replace the chosen design fragment in the working set (substep 2.2.c).

Design fragment consistency checking involves verification analysis to derive consistency failure conditions for quantity changes and application of revision operators that ensure continued consistency of each design fragment in the working set. The three consistency failure conditions are: (i) Influence-Cancellation (ii) Net-positive influence existence (iii) Net-negative influence existence. Note that the consistency checking and revision for maintenance of inequality conditions is not done in this operation, but is handled by the operations discussed in Chapter 6.

To obtain an understanding of the failure condition derivation and subsequent consistency revision operator application, we go through an abstract example of the net-positive-influence failure condition. The left most CRN in Figure 5.1a shows the local CRN structure of a design fragment that establishes q = inc and satisfies the verification criteria, in that it satisfies the existence of one positive influence of p on q which also qualifies the complete set of influences on q, specified by the influence closure assumption, ic(q, [[+p]]). Now consider a ramification update, inf(p', q, neg), which specifies a negative influence on quantity q. The right-hand side of Figure 5.1a shows the immediate effect of the update on the design fragment. The ramification update results in adding an additional negative influence. The verification analysis part of the algorithm now examines the CRN of the design fragment, and determines that for the given design fragment behavior, q = inc, the influence closure and dominance assumptions are incorrect. More specifically it finds that in the context of negative influence p' on q, the influence closure assumption of a single positive influence, p, on quantity q and the dominance relation dominates(p, empty) are incorrect in that they conflict with the criteria that must be satisfied by a design fragment to establish q = inc in the context of a negative influence. A failure condition, in this case the net-positive-influence failure condition, shown in the right-hand side of Figure 5.1b is derived. The net-positive-influence failure condition is satisfied by the applicable revision operator, that can modify the design fragment to satisfy the criteria for q = inc. The revision operator shown in Figure 5.1c meets the criteria by modifying the influence closure assumption with the positive and negative influences on q and modifying the dominates assumption such that the influence p dominates the influence p'. The revised design fragment resulting from application of the operator on the design fragment is shown in the right-hand side of Figure 5.1c.

[Figure 5.1: Ramification update, failure condition derivation and revision operator choices for design fragment verification analysis and revision. Panels: (a) ramification update, (b) failure condition derivation, (c) revised design fragment.]

5.3 Design Fragment Construction: An Example
In order to illustrate the design fragment construction operation, we give a detailed example of the construct design fragment operation. The example is from the boiler controller design problem. The problem is to construct a design fragment that establishes a steady steam pressure in the drum in the presence of steam out flow from the drum to the load in region R1. For the purposes of clarity only a portion of the domain theory relevant to the design is shown in Figure 5.2 and the trace of the operation shown in the figure corresponds to only one set of choices made.

In the initialization step, a new design fragment is created with its behavior, B, initialized to the required behavior of steady pressure of steam in drum (Figure 5.2a). The design, D, of the fragment is initialized to the input design constraints that specify the existence of drum, load, connection between the drum and the load and the constraint that pressure of steam in the drum is greater than the pressure of steam in the load. In the generate step, shown in Figure 5.2a, the behavior, PSd = std, is established by identifying the null-influence establishment failure condition for PSd = std and applying the revision operator for this failure condition which results in updating the design fragment such that there are no influences on the steam pressure in the drum.

In the verification phase, shown in Figure 5.2b, necessary causal ramifications of the existence of the load and its connection to the drum in the design, D, of the fragment, are determined by forward inference from the design and assumptions A, of the fragment. This results in instantiation and activation of the model fragment for steam-flow from drum to load. The causal ramifications of the existence of flow from drum to load result in changes in the influences affecting the mass of steam in
the drum and have the effect of a decrease in the steam mass, which in turn affects the pressure of steam in the drum. The conflict is shown by the shaded portion of the CRN in Figure 5.2b. The verification analysis identifies the null-influence consistency failure condition for steam-pressure in the drum. There are two possible revisions: (i) introduce another positive influence on steam pressure (PSd), or (ii) introduce the behavior requirement of steady steam-mass in the drum (MSd = std). Figure 5.2c shows an example of the latter choice.

[Figure 5.2: An example of design fragment construction for the boiler control example.]

Continuing the verification and revision, since the required behavior of the mass of the steam in the drum is steady and the steam outflow from the drum to
the load exerts a negative influence on the steam-mass, the operation identifies the net-influence cancellation failure condition for MSd. In the current context of the existence of a negative influence, the revision operator that satisfies the cancellation failure condition involves introducing a new positive influence on the mass of steam flow rate that cancels the existing negative influence (Figure 5.2c). The operator searches the model fragments in the domain model for a suitable causal relation that may introduce the positive influence. In this case, it finds that the gas-flow model fragment has the relevant influence relation, I+(mass of steam, steam flow), that can be used to introduce a positive influence on the steam-mass. Accordingly, it creates modified design fragments where it instantiates and activates the flow and augments the D of the modified design fragment with the required design components and structural relations that are necessary for activating the flow. In this case, a steam-flow from container, b, having working fluid steam is instantiated. The individual, container, b, is represented as a typed skolemized constant. It also modifies the relevant influence closure and cancellation assumption. Any inequality conditions that may be required for activating the model fragment are handled recursively.

5.4 Summary

This chapter has described the construct operation on design fragments. The constructed design fragments establish a given quantity change behavior under a set of approximation assumptions. We identified three major constraints on the design fragments the operation produces that, when exploited, aid in focusing the search in the construct operation and also lead to generating a set of flexible design fragments that can be used to focus the search in the later stages.
The three constraints on the design fragments were: (i) approximately correct design fragments, (ii) design fragments based on independence assumptions, and (iii) least committed design fragments with respect to binding of components. Exploiting the first two constraints essentially leads to generating locally correct design fragments based on simplifications of the verification criteria. The simplifications lead to making assumptions on influences and assumptions on inequality conditions that are explicitly captured in the design fragment. The least commitment constraint on binding of individual objects is met by skolemizing the new individual components which get introduced into the design and hence the design fragment. The objective of all three constraints is postponing decisions on design choices to later stages, which consider the relevant context of those decisions and hence can do a more focused search for making those choices.

Chapter 6

Composition of Design Fragments

The construct operation produces partial design fragments, each of which establishes desired behaviors under a set of assumptions. Composition of design fragments is needed to:

1. Establish region behaviors. For conjunctive behaviors within a region, the independently constructed design fragments need to be composed such that the composite design fragment establishes the conjunctive behavior.

2. Extend design fragments to establish additional behavior. A partial design fragment which has an additional unestablished behavior must be composed with a design fragment that establishes the behavior. For example, a design fragment for constant steam outflow from a boiler may require the additional behavior that the mass of water in the boiler be increasing in order to sustain the flow throughout a region.
In such a case, a constructed design fragment that establishes the increase in the mass of the water in the drum must be composed with the design fragment for the steam outflow from the drum.

3. Use existing components for multiple functions. The existing components used in a design fragment may be used to support multiple functions. When a new component is introduced by CMD to support a specific function, the compose operation can be used to search for solutions that are based on multiple uses of an existing component, provided they can support the function provided by the new object. For example, in a steam engine design the bottom compartment of the cylinder with the piston may be used both as a source of steam pressure to cause upward motion of the piston and as a source of steam-flow into the upper compartment for downward motion of the piston.

4. Establish a causal link with an existing component. Though quantity changes of existing components may not be of interest, the desired region specification may be defined relative to some quantity of the component (for example, if the level of liquid in container x is less than the level of liquid in container y then increase the level of liquid in x). In such a situation, composition causally links the component to the existing design fragment through codesignation.

In all of the above cases, when trying to compose two independently constructed design fragments, the major problem is one of adverse interactions. Such interactions may be viewed to have a uniform basis in the codesignation of design objects across design fragments. Composition of design fragments thus requires determining ramifications of such codesignations on the combined design fragment and revising the fragment for consistency.

The following sections describe the steps of the compose operation and illustrate how the operation works using the boiler example.
6.1 Steps of the Compose Operation

Table 6.1 shows the steps of the compose operation. The operation takes as input two partial design fragments df_i and df_j to be composed, a domain model (DM) and a time limit on the operation. It searches a space of composite design fragments that establish composite behavior fragments or establish behavior fragments under codesignation of model fragment entities. The body of the operation consists of two steps. Step 1 generates alternative design fragments under specific codesignation constraints and their ramifications. Step 2 does verification analysis and revision of the generated fragments.

In the initialization step, the input design fragments, df_i and df_j, are combined (by taking the union of B, D and A of the two design fragments to be composed) to form the design fragment df_c. The working set, DFWS, is assigned the set consisting of the single element df_c. The union of the set of structural objects in D(df_i) and the set of structural objects in D(df_j) is assigned to IND.

Table 6.1: Steps for DF compose operation.

Operation: Compose-DF(df_i, df_j, DM, Timelimit)
• Given:
    df_i and df_j are partial design fragments with behavior fragments B_i and B_j
    DM = Domain Model
• Output: A set of design fragments, DFWS, each of which establish the conjunctive behavior B_i ∧ B_j
• Steps:
  0. Initialize:
       df_c = combine-df(df_i, df_j)
       Ind_i = Individual components in df_i
       Ind_j = Individual components in df_j
       IND = union(Ind_i, Ind_j)
       DFWS = {df_c}
  1. Generate
     Repeat until empty(IND)
     Begin
       (1.1) Select element c_i from IND do:
             For each element c_j ∈ IND do:
               For each df ∈ DFWS do
                 (1.1.1) If valid-codesignation(df, cd(c_i, c_j))
                         Then do: Update df with ramifications of codesignation, cd(c_i, c_j)
                           (a) df_k = result of Update of CRN(df) with model-fragment existence due to codesignation.
                           (b) Update CRN(df_k) with model-fragment activity due to codesignation.
                           (c) Update CRN(df_k) with necessary relevant influence relations imposed by any new mf-existence and mf-activity introduced in (a) and (b)
                           (d) Add df_k to DFWS
                 (1.1.2) If valid-non-codesignation(df, cd(c_i, c_j))
                         Then Update df under non-codesignation(c_i, c_j) and add to DFWS
       (1.2) Remove c_i from IND.
     End
  2. Verify df consistency
     Repeat until Time Exceeded or No-change in an iteration
       Forall df in DFWS, do
         (2.1) If consistency-failure-condition(df, fc) Then do:
                 (a) Find applicable-revision-operator(fc, df, Rops)
                 (b) df_ms = Apply-operators(Rops, fc, df)
                 (c) Replace df with the set df_ms in DFWS

Step 1 of the operation is an iterative loop which selects an individual c_i from the set IND and considers candidate codesignation and non-codesignation relations with the rest of the elements in IND. We use a very simple criterion for determining if an individual x can codesignate with an individual y. The criterion is derived from the constraint that individual component model fragments may be part of a process or view model fragment (e.g. a container model fragment is part of a liquid-flow model fragment). Since a process model fragment or view model fragment may impose certain structural constraints on the individual components, specified by the IndivConditions of a model fragment, for a component individual to codesignate with another individual such constraints must be satisfied. For example, if a liquid-flow in the design fragment requires a source container individual with water as working fluid, and a steam-flow in the fragment requires a source container individual with working fluid as steam, the same container can be used for the two flows provided the container has steam-pressure and liquid-pressure definer ports which are distinct.
Based on such a requirement, we specify two conditions for codesignation of elements x and y: (i) their types match, and (ii) all relevant IndivConditions that pertain to x in the design fragment are subsumed under unification with those pertaining to y in the design fragment.

Each valid codesignation is applied to all the elements in the working set of design fragments. Applying a codesignation constraint to a design fragment involves updating the design fragment with ramifications of the codesignation (steps 1.1.1(a), (b) and (c) in Table 6.1)¹. The application of a codesignation constraint to a design fragment results in making updates to the CRN.

¹ Finding ramifications essentially involves doing forward inference to determine the existence of model fragments, their activity and the influence relations imposed by them.

There are two primary types of updates that can result from a codesignation:

1. Update from differences in model fragments based on the same structure. The two design fragments being composed may make use of different model fragments but are based on the same individual entity type. In such a case, the ramifications of the codesignation constraint may result in a set of influence relations on a specific quantity of the entity which is the union of the relations that existed before the composition. For example, the two design fragments being composed may be based on liquid-inflow and liquid-outflow model fragments which make use of common container entities Sk1 and Sk2 and their contained-liquid model fragment. The codesignation of the containers, Sk1 and Sk2, across the two design fragments updates the influence relations on the mass of the liquid in the container to be a negative influence due to liquid-outflow and a positive influence due to liquid-inflow.

2. Update from introduction of new model fragments based on the same structure.
In this case, one of the design fragments being composed (say df_i) is based on an active model fragment, mf_i, whose existence is based on an individual entity x_i. The other design fragment (say df_j) being composed with df_i is based on some entity x_j and does not make use of any model fragment of type mf_i. If x_i and x_j can codesignate, then the ramifications of the codesignation result in introduction of new model fragments and corresponding new influence relations. For example, a design fragment may be based on a contained-liquid model fragment which uses a container c1. Composing the design fragment with another fragment which makes use of an empty container Sk1 with an out-port, where Sk1² and c1 can codesignate, results in introduction of a new liquid-outflow fragment and its causal relations which affect the mass and level of liquid in c1.

These two types of updates are performed in steps 1.1.1(a), (b) and (c). The design fragments resulting from the updates are used to replace the old design fragment in the working set.

Step 2 of the compose operation does verification analysis and revision of the design fragments generated in step 1 as a result of the application of the codesignation constraints. The step goes through an iterative loop, where in each iteration a design fragment from the working set is selected and then checked for consistency failure conditions. The existence of consistency failure conditions is handled by applicable revision operators. The revised set of design fragments is added to the working set. The verification process is terminated when there are no design fragments in the working set with a consistency failure condition or the time limit is exceeded.

² Sk1 is a skolemized typed constant.
[Figure 6.1: An abstract example of influence closure inconsistencies arising in composition of design fragments.]

There are two types of design fragment inconsistencies, and consequently consistency failure condition derivations, that can result in the verification analysis stage: (i) influence closure related, and (ii) inequality assumptions related. Failure conditions of the first type result when the addition of a new influence relation makes the influence closure of the quantity incorrect for that behavior. Figure 6.1 shows an example of such a failure condition. Figure 6.1(a) shows the two design fragments being composed with required behaviors Q = inc and Q2 = std. The design fragment for Q = inc (the leftmost design fragment in Figure 6.1(a)) establishes its required behavior using the influences imposed by the activity of model fragment MF1, whose existence is dependent on the entity c1. A side-effect of the model fragment, MF1, is that it imposes a positive influence on quantity Q1 of c1. The design fragment for Q2 = std establishes its required behavior by making the empty influence closure assumption. Ramifications of the applicable codesignation of c1 and c2 result in quantities Q1 and Q2 being codesignated and consequently introduce a positive influence on Q2. The result is shown in Figure 6.1(b). Such an update produces the influence cancellation consistency failure condition, which can be revised by introducing an additional positive influence on Q2, modifying the closure assumption and making the influence cancellation assumption (Figure 6.1(c)).
The other option is to consider non-codesignation of c1 and c2.

Design fragment incorrectness resulting from inequality assumption failures can arise in two ways:

(i) New behaviors affect the persistence of an inequality that was assumed maintained. For example, consider the use of the drum as a water supply for water-flow into the boiler. Prior to composition, the level of water in the drum was assumed to be maintained greater than zero. Composition results in a decrease in the mass of the water in the drum and consequently a decrease in the water-level in the drum. Such a decrease jeopardizes the assumption that the water-level in the drum remains greater than zero. Such failures are handled by operations discussed in the next chapter.

(ii) Inconsistent inequality conditions may result from codesignations. In this case, an inequality assumption made in the design fragment before composition conflicts with an inequality condition imposed in the updated design fragment as a result of codesignation. A simple example of the latter is establishing a liquid flow to a source container, s, from a destination container d, under the assumption that pressure(port_b(s)) > pressure(port_b(d)), where port_b is a function returning the bottom port of a container. The ramification of codesignating the source s with some other source s1 whose height is less than that of d is that pressure(port_b(s1)) < pressure(port_b(d)). Handling failures of this form requires establishing the required inequality condition by starting from a previous region where it does not hold. Such failures, which may require reasoning across regions, are handled by the design fragment extend operation described in the next chapter, which satisfies the constraints required for holding of inequality conditions in a region.
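The codesignation test and the influence-closure check of Section 6.1 can be traced in a few lines of Python. This is an added example, not code from the dissertation: the data layout, the function names, the rule that one side of a codesignation must be a skolem constant, and the constructed fragments (a water tank Sk1 feeding boiler b, a drum d with an empty closure on its water mass MW, flows written FL(source,destination)) are all assumptions made for illustration, and only the steady (std) behavior is verified.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Individual:
    name: str
    type: str
    skolem: bool = False      # a skolem constant may be bound to another individual

@dataclass
class DesignFragment:
    behavior: dict            # (quantity, individual) -> "std"; only steady is checked here
    indiv_conds: set          # (predicate, individual, *args)
    influences: dict          # (quantity, individual) -> {(sign, source)}
    closure: dict             # ic assumptions, same shape as influences
    cancels: set = field(default_factory=set)   # {frozenset({source_a, source_b})}

def combine(a, b):
    """Step 0 of Table 6.1: union of the parts of both fragments."""
    def merge(p, q):
        return {k: set(p.get(k, ())) | set(q.get(k, ())) for k in p.keys() | q.keys()}
    return DesignFragment({**a.behavior, **b.behavior}, a.indiv_conds | b.indiv_conds,
                          merge(a.influences, b.influences), merge(a.closure, b.closure),
                          a.cancels | b.cancels)

def valid_codesignation(df, x, y):
    """Types match, one side is a skolem constant, and IndivConditions do not clash."""
    if x.type != y.type or not (x.skolem or y.skolem):
        return False
    for pred, ind, *args in df.indiv_conds:
        if ind != x.name:
            continue
        on_y = [c[2:] for c in df.indiv_conds if c[0] == pred and c[1] == y.name]
        if on_y and tuple(args) not in on_y:
            return False
    return True

def codesignate(df, sk, target):
    """Step 1.1.1: bind skolem `sk` to `target`; influences on shared quantities merge."""
    def sub(text):
        return text.replace(sk.name, target.name)
    def remap(table):
        out = {}
        for (qty, ind), infl in table.items():
            out.setdefault((qty, sub(ind)), set()).update((sg, sub(s)) for sg, s in infl)
        return out
    return DesignFragment({(q, sub(i)): v for (q, i), v in df.behavior.items()},
                          {(c[0], sub(c[1]), *c[2:]) for c in df.indiv_conds},
                          remap(df.influences), remap(df.closure),
                          {frozenset(sub(s) for s in pair) for pair in df.cancels})

def verify(df):
    """Step 2: report each required-steady quantity whose influences break that behavior."""
    failures = []
    for q, required in df.behavior.items():
        actual = df.influences.get(q, set())
        closure_ok = actual == df.closure.get(q, set())
        cancelled = all(any(frozenset({s, t}) in df.cancels
                            for sg2, t in actual if sg2 != sg) for sg, s in actual)
        if required == "std" and not (closure_ok and cancelled):
            failures.append(("influence-cancellation", q))
    return failures

def revise_cancellation(df, q, new_source):
    """Revision: opposing influence from `new_source`, updated ic, new cancels assumption."""
    existing = df.influences[q]
    sign, src = next((sg, s) for sg, s in sorted(existing)
                     if not any(s in pair for pair in df.cancels))
    influences = {**df.influences, q: existing | {("+" if sign == "-" else "-", new_source)}}
    closure = {**df.closure, q: set(influences[q])}
    return DesignFragment(dict(df.behavior), set(df.indiv_conds), influences, closure,
                          df.cancels | {frozenset({src, new_source})})

SK1 = Individual("Sk1", "container", skolem=True)   # water tank introduced by df1
D = Individual("d", "container")                    # the drum

def boiler_fragments():
    """Constructed, simplified df1 (PSb = std) and df2 (Ld = std)."""
    df1 = DesignFragment({("PS", "b"): "std"},
                         {("working-fluid", "Sk1", "water", "liquid")},
                         {("MW", "Sk1"): {("-", "FL(Sk1,b)")}}, {("PS", "b"): set()})
    # Ld = std is modelled as MWd = std, which it reduces to through Q+(Ld, MWd).
    df2 = DesignFragment({("MW", "d"): "std"},
                         {("working-fluid", "d", "water", "liquid")},
                         {}, {("MW", "d"): set()})
    return df1, df2

def compose_boiler():
    """Return the failure lists before codesignation, after it, and after revision."""
    dfc = combine(*boiler_fragments())
    before = verify(dfc)
    shared = codesignate(dfc, SK1, D) if valid_codesignation(dfc, SK1, D) else dfc
    after = verify(shared)
    revised = revise_cancellation(shared, ("MW", "d"), "FL(Sk2,d)")
    return before, after, verify(revised), revised

if __name__ == "__main__":
    for label, value in zip(("before", "codesignated", "revised"), compose_boiler()):
        print(label, value)
```

The combined fragment verifies until Sk1 is bound to d; the merged negative influence then contradicts the empty closure on the drum's water mass, and the revision restores consistency by adding an opposing flow together with the matching closure and cancels assumptions.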
6.2 Design Fragment Composition: An Example

Figure 6.2 shows how the design fragments for two qualitative changes in region R1 of the boiler control system example are composed. The design fragments being composed, df1 and df2, establish constant pressure of steam in the boiler and constant water level in the drum respectively. The design fragment df1 makes use of water tank Sk1 for supply of water to meet the steam generation requirements. The design fragment df2 is based on the minimal closure assumption that there are no influences on the mass of water in the drum and hence remains steady.

Now consider the generate step (step 1) and the verify and revise step (step 2) based on a choice of a candidate codesignation between container(Sk1) and container(d). The codesignation is valid since Sk1 is a
skolem constant which can unify with d, both individuals are of type container, and the constraints on them required in the individual design fragments are consistent: the constraint of working-fluid(Sk1, water, liquid) required in df1 is consistent with the constraint of working-fluid(d, water, liquid) in df2.

[Figure 6.2: An example showing the composition of design-fragments establishing Ld = std and PSb = std for region R1 of the boiler control system.]

The generate step proceeds to update the combined design fragment with ramifications of such a codesignation. The result of the codesignation is that the water flow process now uses the functionality of the drum as its source. Updating the combined design fragment with ramifications of this sharing of containers leads to adding new influence relations that affect the mass of water, MWd, in the drum d and, under the influence closure assumption, causes the mass of water in the drum to decrease. The decrease of the mass of water in the drum and the indirect influence relation between the mass-of-water and the level of water (Ld) produces a positive influence on the level of water. This influence invalidates the empty influence closure assumption made in the design fragment df2 before composition and makes the composite design fragment incorrect with respect to establishing Ld = std.

In the verification analysis and revision step, the above incorrectness in the influence closure gets detected and the influence-cancellation failure condition for mass-of-water is subsequently derived. The revision operator for this failure condition introduces a new positive influence on the mass of water in the drum.
The operator searches the domain model and finds the liquid flow model fragment to have the required causal relation: a direct positive influence on the destination fluid mass by the flow rate. Accordingly, the operation attempts to recursively establish an active fluid flow instance (with steam as substance and the drum as the destination) whose flow rate is positive (Axioms 2, 3; Table 4.1). In this case, since the source and path are not specified, they may codesignate with existing objects or new objects may be introduced. The operator revises the influence closure to be consistent with the current set of influences and makes the influence cancellation assumption.

6.3 Summary

This chapter has described the operation for composition of two design fragments. We identified the main objectives of such an operation and defined a procedure for generating compositions of design fragments under all possible codesignations. Composition of design fragments introduces new influence relations on a quantity which were ignored when considering the behavior of the quantity in a design fragment context different from the context resulting from the composition. We identified the basis for such influence relations in terms of (i) use of different view model fragments having the same underlying physical basis and (ii) activation of new model fragments based on use of the codesignated object. Both cases result in a single physical object supporting multiple functions; here the multiple functions derive from use of different model fragments having a common physical basis. For example, the drum serves as the steam-source for the steam-outflow model fragment as well as the source of water-inflow to the boiler, b.

Revisions of design fragments for consistency failures may introduce more new objects which can be considered for codesignation.
Such newly introduced objects are considered by recursive calls to the compose operation with one of the input design fragments used to represent the new object and its context.

Chapter 7

Region Maintenance and Transition of Design Fragments

The construct and compose operations described in the previous two chapters produce design fragments for quantity change behaviors in a region. The generated design fragments make assumptions on persistence of quantity inequality conditions which define the regions.

For maintaining a region or for establishing region transitions, the quantity inequality conditions have to be maintained or have to be shifted, respectively. A quantity inequality has to be maintained since quantity changes may produce unwanted transitions of qualitative regions of quantities, which in turn may produce unwanted device region transitions. A quantity inequality has to be shifted to another inequality condition since different operating regions of a device may be based on different inequality conditions and, for transition to occur, each of those inequalities in the starting region must be shifted to the corresponding inequality in the final region.

This chapter first describes the extend operation for maintaining a region. We then describe the operation that further refines design fragments to meet the requirements for region transitions.

7.1 Maintaining a Region

The region of a design fragment constructed by the compose operation is based on persistence assumptions on quantity inequalities. That is, for a given region, the quantity inequalities required to sustain the desired quantity throughout the region are assumed to persist. Since quantity changes lead to changes in the inequalities, they may cause shifts in the inequalities and thereby produce unwanted region transitions. The problem of maintaining a region is to prevent an unwanted region transition when conditions other than the transition condition are reached.

Table 7.1: Steps of Extend operation for maintaining inequality conditions over a region.

Operation: Extend-DF(df, TimeLimit)
• Given:
    df = design fragment for a region
    Timelimit = bound on the time allowed for this operation
• Output: A set of design fragments, DFWS, which are extensions of design fragment df
• Steps:
  0. Initialize
       Let DFWS = {df}
  1. Repeat until Time Exceeded or No-change in an iteration
       For each df_x ∈ DFWS do
         If Exists ie_m such that inequality-maintenance-failure-condition(df_x, ie_m)
         Then do:
           (1.1) Find applicable-revision-operator(ie_m, Rops)
           (1.2) DF_ms = Apply-operators(Rops, ie_m, df_x)
           (1.3) Replace df_x with DF_ms in the working set DFWS

The extend operation for region maintenance takes a conservative approach to ensure persistence. It uses the criteria for persistence of inequalities to determine the failure conditions and extends the design fragment with behaviors that ensure that the regions over which those inequalities hold subsume the desired regions. For example, if the inequality p > c is assumed to persist in a design fragment and there exists a negative influence on p, then the inequality p > c may get shifted to p = c and subsequently to p < c. Such a shift may conflict with the desired region transition requirements and require extensions of design fragment behavior with quantity changes, here p = std, whose establishment prevents the shifts.
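The loop of Table 7.1 can be sketched in Python as follows. This is an added example, not code from the dissertation: the `Fragment` layout, the `establish` callback (a stand-in for establishing each added behavior through construct and compose), the `ESTABLISH` table and the boiler quantity labels (MSb and MWb for steam and water mass in the boiler, SIFd, SGRb and LFRb for steam outflow, steam generation and water inflow) are assumptions, and the only revision generated is the `= std` extension used in the p > c illustration above.

```python
import time
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Fragment:
    behavior: frozenset     # required quantity changes B: {(quantity, "std")}
    influences: frozenset   # {(quantity, sign, source)}
    persist: frozenset      # inequalities assumed to persist: {(quantity, op, bound)}

def maintenance_failures(df):
    """Persistent inequalities that an influence can shift and no required behavior protects."""
    protected = {q for q, _ in df.behavior}
    shifts = {">": "-", "<": "+"}      # q > c is threatened by a negative influence on q
    return sorted(ie for ie in df.persist
                  if ie[0] not in protected
                  and any(q == ie[0] and s == shifts[ie[1]] for q, s, _ in df.influences))

def revise(df, inequality):
    """Revision operator used here: extend B with `quantity = std`."""
    return replace(df, behavior=df.behavior | {(inequality[0], "std")})

def extend_df(df, establish, time_limit=1.0):
    """Table 7.1: revise the working set until nothing changes or time runs out."""
    deadline = time.monotonic() + time_limit
    working, changed = [df], True
    while changed and time.monotonic() < deadline:
        changed, nxt = False, []
        for dfx in working:
            failures = maintenance_failures(dfx)
            if failures:
                nxt.append(establish(revise(dfx, failures[0]), failures[0][0]))
                changed = True
            else:
                nxt.append(dfx)
        working = nxt
    return working

# Constructed stand-in for construct/compose: what establishing each steady
# behavior adds to the fragment (new influences, new persistence assumptions).
ESTABLISH = {
    "MSb": ({("MSb", "+", "SGRb"), ("MWb", "-", "SGRb")}, {("MWb", ">", 0)}),
    "MWb": ({("MWb", "+", "LFRb")}, set()),
}

def establish(df, quantity):
    infl, persist = ESTABLISH.get(quantity, (set(), set()))
    return replace(df, influences=df.influences | infl, persist=df.persist | persist)

def boiler_region():
    """Steam leaves the boiler (SIFd) while MSb > 0 is assumed to persist."""
    df = Fragment(frozenset({("PSd", "std")}),
                  frozenset({("MSb", "-", "SIFd")}),
                  frozenset({("MSb", ">", 0)}))
    return extend_df(df, establish)

if __name__ == "__main__":
    for fragment in boiler_region():
        print(sorted(fragment.behavior), sorted(fragment.persist))
```

Protecting MSb > 0 brings in steam generation, which in turn puts MWb > 0 at risk, so the loop runs a second revision before it reaches an iteration with no change.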
Table 7.1 gives a description of the steps for extending a design fragment such that the inequality conditions are maintained in a region. It takes as input the design fragment for a region. The operation manipulates a working set of design fragments, DFWS.

In the initialization step (step 0 in Table 7.1), the working set, DFWS, is set to the input design fragment. The body of the operation is an iterative loop in which a design fragment, df_x, is chosen from the working set and is checked for existence of inequality-maintenance failure conditions. The identification of such failure conditions is based on qualitatively projecting the effect of changes of quantities on inequality assumptions that are made by a design fragment to establish its required behaviors and determining whether such changes can shift the inequalities. An inequality, q < c/q > c, where c is a constant, is considered to be a candidate for a shift if q = inc/q = dec, respectively. A maintenance failure condition specifies the inequality condition that must be made to persist in the presence of such changes. Not all candidate inequality shifts qualify as a basis for a maintenance failure condition. The design fragment itself establishes certain quantity changes whose purpose is to produce a desired region transition. Inequality shifts resulting from such quantity changes do not conflict with the region persistence requirements and hence do not cause any incorrectness of the design fragment.

The body of the operation takes actions to satisfy the persistence requirements. The body of the loop has three steps. In step 1.1, applicable revision operators for the inequality failure condition are retrieved.
Depending on the nature of inequality that must be made to persist, the revision operators that augment the required behavior of the design fragment with additional behaviors are determined in step 1.2. For example, to satisfy the maintained(q > c) failure condition in a design fragment, df, the B(df) can be augmented with the behavior q = dec or q = std. The revision operators extend the B of the design fragment with such alternative required behaviors and create alternative design fragment extensions. In step 1.3 the modified fragments are used to update the working set of design fragments.

The following subsection illustrates the working of the extend operation. To show the net effect of such an operation on the design fragment we show the extensions and also their establishment, which requires using the construct and compose operations that were discussed in Chapters 5 and 6, respectively.

[Figure 7.1: An example showing region maintenance in the boiler control example.]

7.1.1 Example of Maintaining a Region

In the composite design fragment of Figure 7.1, if the source of the steam inflow to the drum codesignates with the boiler, then, since the steam mass in the boiler is decreasing due to the flow, it may eventually become zero.
In this case, the flow stops and the region makes an unwanted transition. Therefore, to maintain the flow, the steam mass in the boiler must be maintained greater than zero. This requires the behavior fragment of steady steam mass in the boiler (or increase in steam mass) which is added as a necessary auxiliary behavior to be established by the design fragment. Figure 7.1 shows how this behavior fragment may be established by generating steam in the boiler at a rate equal to the rate of steam outflow from the boiler. Such a choice of steam-generation in the boiler requires that the mass of the water in the boiler be greater than zero. Since steam-generation negatively influences the mass of water, the persistence of such an inequality condition is not warranted. The failure condition of maintenance of mass of water above zero is met by revising the design fragment behavior to include the auxiliary behavior of increasing the mass of water in the boiler. Figure 7.1 shows how this behavior fragment may be established by introducing a water flow into the boiler.

7.2 Design for Transition

The operations discussed so far are primarily region specific. They construct, compose and extend design fragments to satisfy region specific behavior and inequality constraints. The remaining operation involves reasoning with design fragments that pertain to different regions of the device behavior. Such an operation is necessary for design of multi-operating region devices. A design fragment constructed for a region using the construct, compose and extend operations makes assumptions on inequality conditions and ensures their continued persistence throughout the region. The design fragment constructed for a region may have persistences established (maintained) in the region that may conflict with the inequalities required to hold in the design fragment constructed for an adjacent region.
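
The extend operation of Section 7.1, run on the boiler case of Section 7.1.1, as an added Python example (not code from the dissertation or from the CMD implementation). The fragment representation, the quantity names and the ESTABLISHERS table, which stands in for the construct and compose operations, are assumptions; the sustaining behaviors for q > c follow the boiler example (steady or increasing), and the mirrored rule for q < c is assumed.

```python
from dataclasses import dataclass

# Change that can shift an inequality: q > c shifts if q = dec, q < c if q = inc.
SHIFTS = {(">", "dec"), ("<", "inc")}
# Behaviors that sustain an inequality. For q > c this follows the boiler example
# (steady or increasing steam mass); the mirrored rule for q < c is an assumption.
SUSTAIN = {">": ("std", "inc"), "<": ("std", "dec")}


@dataclass(frozen=True)
class DesignFragment:
    behaviors: tuple      # required behaviors B: ((quantity, change), ...)
    assumptions: tuple    # inequality assumptions: ((quantity, op, const), ...)
    changes: tuple        # projected quantity changes: ((quantity, change), ...)
    intended: frozenset = frozenset()  # quantities changed on purpose to leave the region


def failure_conditions(df):
    """Inequality assumptions that a projected change can shift and that must persist."""
    projected = dict(df.changes)
    return [(q, op, c) for (q, op, c) in df.assumptions
            if (op, projected.get(q)) in SHIFTS and q not in df.intended]


def revise(df, cond, establishers):
    """Steps 1.1-1.2: build one extension of df per behavior that sustains cond."""
    q, op, _ = cond
    extensions = []
    for change in SUSTAIN[op]:
        # Constructed stand-in for construct/compose: what establishing (q, change) adds.
        new_assumptions, side_effects = establishers.get((q, change), ((), ()))
        projected = dict(df.changes)
        projected.update(dict(side_effects))
        projected[q] = change          # the newly required behavior wins for q
        extensions.append(DesignFragment(
            behaviors=df.behaviors + ((q, change),),
            assumptions=df.assumptions + tuple(new_assumptions),
            changes=tuple(sorted(projected.items())),
            intended=df.intended))
    return extensions


def extend_df(df, establishers, max_iterations=100):
    """Iterate over the working set until no fragment has a maintenance failure."""
    working_set, extended = [df], []
    for _ in range(max_iterations):
        if not working_set:
            break
        dfx = working_set.pop()
        failures = failure_conditions(dfx)
        if failures:
            working_set.extend(revise(dfx, failures[0], establishers))  # step 1.3
        else:
            extended.append(dfx)
    return extended


# Constructed sample input for the boiler example (names are illustrative).
BOILER_DF = DesignFragment(
    behaviors=(("steam_pressure_drum", "std"),),
    assumptions=(("steam_inflow_drum", ">", 0), ("steam_mass_boiler", ">", 0)),
    changes=(("steam_mass_boiler", "dec"),))
# Steady steam mass is established by steam generation, which needs water in the
# boiler and consumes it (constructed stand-in for construct/compose results).
ESTABLISHERS = {
    ("steam_mass_boiler", "std"): ((("water_mass_boiler", ">", 0),),
                                   (("water_mass_boiler", "dec"),)),
}
# Constructed piston fragment: pos rises toward top on purpose to cause the region
# transition, so pos < top is not a maintenance failure.
PISTON_DF = DesignFragment(
    behaviors=(("pos", "inc"),),
    assumptions=(("pos", "<", "top"),),
    changes=(("pos", "inc"),),
    intended=frozenset({"pos"}))

if __name__ == "__main__":
    for fragment in extend_df(BOILER_DF, ESTABLISHERS):
        print(fragment.behaviors)
```

Each returned fragment is one alternative extension; the one that keeps steam mass steady also carries the water-mass behavior that the second failure condition in Section 7.1.1 calls for.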

The operation for transition design in effect revises design fragments such that the inequalities undergo shifts to be consistent with the criteria for holding of an inequality in the next region. To formulate such an operation we first look into an example of transition design and identify the basic problems that the operation must handle.

An example of a device with multiple operating regions is a steam engine [48] with two operating regions (Figure 7.2a). In region R1, piston p1 makes an upward stroke while p2 makes a downward stroke. In region R2, the behaviors of p1 and p2 are reversed. The engine is required to shift between these two regions of behavior when the pistons reach the top and bottom of their respective cylinders. Figure 7.2(e) shows a candidate design which works as follows:

    When piston p1 is at the bottom of cylinder c1 and piston p2 is at the top of cylinder c2, the piston strokes are triggered by the opening of valve v1 and the closing of v2. When valve v1 opens, steam flows from the boiler to the lower compartment of c1 causing the steam pressure to increase. The increasing upward force due to the build up of the steam pressure overcomes the atmospheric pressure and the gravitational force to produce an upward stroke of p1. At the same time, a flow of cold water into the condenser CD causes the steam in the lower compartment of c2 to condense. The residual gas pressure falls, and the atmospheric pressure and gravitational force push down the piston, resulting in the downward stroke of p2. When p1 reaches the top of c1 and p2 reaches the bottom of c2, valve v1 closes and v2 opens. The vacuum left by condensing steam in c2 causes the steam from c1 to flow into the lower part of c2. Thus, the force due to steam pressure causes p2 to move up. Decreasing steam pressure in c1 causes p1 to move down. The cycle repeats when p1 and p2 reach the bottom and top of their respective cylinders.

[Figure 7.2 diagrams not reproduced. Legend from panel (c): Fu = net upward force, Fd = net downward force, Fsi = force due to steam inflow, Fso = force due to steam outflow, Fg = force due to gravity, Fa = force due to atmospheric pressure, Fse = force due to steam expansion, Fsc = force due to steam compression; Fu = Fsi, Fd = Fg + Fa + Fse + Fso. Region assumptions: R1: Fu > Fd, R2: Fu < Fd.]

Figure 7.2: a) A region diagram for a steam engine. b) A schematic design of a double-acting compound steam-engine. c) A design which under different operating assumptions establishes the device behavior in each region, but does not automatically transition between regions. d) A revised design that includes mechanisms for explicitly effecting the transitions.

For simplicity, we focus only on the region transition for a single cylinder (c1) piston motion. Figure 7.2c shows a design which achieves each of the region behaviors independently, under different operating assumptions, for the piston motion in c1.
For example, if the force on the piston p1 due to the pressure of steam inflowing into cylinder c1 is greater than the forces due to the atmospheric pressure and gravity, and the steam outflow to the steam sink s is zero, then p1 is pushed upwards as required in region R1. The design fragment shown in Figure 7.2d achieves such upward motion of the piston.

If the steam inflow from the source, b, is assumed to be zero, and if the forces due to atmospheric pressure, gravity, and steam outflow are stronger than the steam pressure due to compression, then piston p1 is pushed down, as required in region R2. However, each behavior persists since the operating assumptions do not change; hence, the steam engine will not automatically transition between the two regions. Consequently, additional mechanisms such as valves and linkages must be incorporated into the design to accomplish the transition (Figure 7.2e).

In the following sections we describe the operation for extending design fragments with additional requirements which, when met, result in establishing the transition behavior of the device. The operation takes as input two partial design fragments that accomplish the behavior of each region and have a common design solution basis. The operation is based on the fundamental notion that all region transitions of a device involve shifts in inequality conditions plus additional constraints on the timing of those shifts, where a shift in a quantity inequality is a movement or transition of a quantity from one region to another. It divides the problem into three subproblems: 1) Which quantities must be changing to accomplish a shift of an inequality? 2) To which quantities must these quantities be causally linked, to make them change as required and in synchronization with other changes? 3) What mechanisms should be added to the design to produce the required causal links?
Briefly, the answers to these questions for the above example are: 1) the steam inflow and outflow rates must be changing to switch the operating assumption that the upward force, Fu, be greater than the downward force, Fd, in region R1, to the operating assumption that Fu be less than Fd in region R2, 2) the rates of the steam inflow and outflow must be causally linked to the piston's position to achieve the proper synchronization, and 3) the causal link between the inflow and outflow rates and the piston's position must be established through an appropriate configuration of valves, levers, and linkages.

7.3 Design Fragment Refinement

The problem of establishing inequality shifts for transition from a starting region design fragment, df_S, for region S, to a final region design fragment, df_F, for region F, is the problem of establishing the inequalities in df_F given the inequalities holding in df_S. Since the inequalities in df_S are assumed or maintained to persist over regions that subsume region S, the requirements for necessary shifts may be conflicted by such persistences. Establishing the shift then requires searching for refinements of df_S that establish quantity changes required for an inequality shift and are also consistent with the required behaviors that are established by the original design fragment df_S. The persistence conflicts are resolved in the refinements by constraining their persistences over subregions of S. Hence the search for refinements must be based on refinements of df_S at finer resolutions of the region S.

Table 7.2 gives the top-level description of the refine operation that is used to incrementally search for the above refinements. It takes as input the two design fragments, df_S and df_F, and the quantity inequality, qi_e, that must be established in df_F.
The body of the operation consists of a generate phase followed by verification analysis and revision based on failure information. These two steps follow the structure of the construct and compose operations described in the previous chapters. The steps of the operation result in generating least committed requirements of design fragments¹ for the preceding bordering region, which are then tested for consistency with df_S through verification analysis, with revisions made to satisfy the identified failure conditions. The operation outputs the immediate refinements of df_S that are consistent with the requirements for establishing the inequality.

Table 7.2: Steps for refine operation.

Operation: Refine-DF(qi_e, df_S, df_F)
• Given:
    df_S = starting region design fragment
    df_F = final region design fragment
    qi_e = a quantity inequality condition of design fragment df_F, to be established
• Output: A set of alternative elaborations of df_F
• Steps:
  0. Initialize. Let DFWS = {}
  1. Generate meeting design fragments.
     If Meeting-df-failure-cond(qi_e, df_S, fc)
     Then do: Let DFN = Construct-meeting-partial-dfs(fc)
     Else use df_S to establish ic_x, add-to-ws({df_S}). Go to Step 3.
  2. Verify and revise refinements. Forall df_i in DFN do:
     (a) If Contradiction-B-ramifications(df_i, df_S) Then mark-nogood(df_i)
     (b) If region-boundary-failure-condition(df_i, df_S) Then Order-region(df_i, df_S)
     (c) If Co-occurrence-Failure(df_i, fc) Then apply co-occurrence-fc-op(fc, df_i, df_S)
     (d) add-to-ws({df_S, df_i})
  3. Return DFWS.

7.3.1 Generating Candidate Refinements

Step 1 of the operation (shown in Table 7.2) first checks if df_S can establish the given inequality condition. The test for existence of meeting-df-failure-condition for the inequality does this checking.
The failure condition is identified for the inequality when df_S does not satisfy the region definition, inequality conditions and the behavior requirements of a meeting design fragment that can establish the inequality. If there is a meeting-df-failure condition then new alternative partial design fragments are constructed that satisfy the failure condition.

¹ The generated design fragments are least committed since the boundaries of the region for the fragments are minimally constrained. For example, if the region for F is specified by q = c, a least committed extended region which borders F is specified by ∃c_x, c_x < q < c.

[Figure 7.3 diagrams not reproduced. Panel (a), Generate: holds(Vp = 0, df_F) and Meeting-df-failure-cond(Vp = 0), with meeting fragments df_1 and df_2 over bot < p1 < pos < top. Panel (b), Verify-Revise: df_2 is NoGood by Contradiction-B-ramifications(df_2, df_S); Region-Boundary-Failure-Condition(df_1) is revised by boundary(df_S, df_1), giving df_S1: bot < pos <= p1.]

Figure 7.3: Generation of design fragment refinements and their revisions to establish the inequality Vp = 0 in the steam-engine example.

Figure 7.3a shows an example of the generated meeting design fragments to establish the velocity of piston, Vp = 0, in the design fragment df_F. The fragment df_F establishes steady behavior of the piston when it reaches the top of the cylinder. The starting design fragment df_S corresponds to the upward motion of the piston as discussed in the earlier sections. As shown in the figure, there are two alternative meeting design fragments that can establish the velocity of the piston to be zero when the position is at the top.
The design fragment df_1 is based on the condition that the net velocity of the piston is greater than zero in the bordering region, defined by p1 < pos(piston) < top, when the piston is below the top.² The design fragment df_2 is based on the condition that the net velocity of the piston is less than zero.³

² Note that the constant p1 is a skolemized variable that is constrained to be greater than bottom.
³ The velocity of the piston is less than zero based on viewing the velocity as a vector sum of the velocities in the upward and downward direction.

7.3.2 Verify and Revise Refinements

Step 2 of the operation (shown in Table 7.2) does verification analysis and revision of design fragments generated in Step 1 in the context of the design fragment, df_S, for the initial region S that precedes region F. The steps generate refinements based on satisfaction of other necessary constraints for inequality conditions and consistency requirements. This is done by analyzing for specific types of failure conditions and applying revision operators. Below we describe each case (handled by the substeps (a), (b), (c) of step 2) in further detail. Step 2(d) updates the design fragment working set with the modified design fragments resulting from the revisions.

• Inconsistent Behavior Ramifications. This inconsistency is handled by Step 2(a) of the operation shown in Table 7.2. A refinement of df_S must be consistent with the required behaviors of the original df_S. This substep performs a limited consistency check for such a requirement and prunes out inconsistent ones. The key understanding underlying such pruning is that all inequalities that are considered for establishment correspond to inequalities on rates which define direct influences on quantities. Hence we can determine the ramifications of an inequality in terms of the positive or negative influences imposed on quantities and predict the effects of such influences on desired quantity change behaviors. Hence testing for consistency with necessary behavior ramifications involves deriving the behaviors that would necessarily result from such influences and testing for conflicts with the desired behaviors established by B(df_S). Inconsistent ones are pruned. For example, in Figure 7.3, df_2 is inconsistent with the desired behavior of increase in the position of the piston when below top, as established by df_S. Hence df_2 is considered no-good.

• Region-boundary failure condition. This failure condition is handled by Step 2(b) of the operation shown in Table 7.2. This step handles failure conditions arising from inconsistent design fragment region boundaries. The meeting design fragments introduced in step 1 may conflict with the existing df_S. The conflicts arise from region overlaps of design fragments with conflicting behaviors of quantities whose individual regions are consistent across the two fragments. For example, in Figure 7.3, the meeting design fragment, df_1, establishes Vp = 0 required by df_F, by establishing a decrease in the velocity, Vp = dec, in the region, p1 < pos < top, where the piston is below the top and its velocity is greater than zero. Since the design fragment df_S establishes velocity increase, Vp = inc, in the overlapping region bot < pos < top, the two design fragments have a boundary inconsistency. Such inconsistencies give rise to region boundary failure conditions which are handled by modifying boundaries of the two design fragments such that the regions are non-overlapping. In the above example, df_S is constrained to hold over the region top < pos < p1, giving rise to the modified design fragment, df_S1.

• Co-occurrence failure condition.
This failure condition is handled by Step 2(c) of the operation shown in Table 7.2. The previous tests ensure that there exists a design fragment prior to the region where an inequality is required to hold, such that the design fragment does establish that inequality through establishment of appropriate quantity changes. The remaining problem is how to synchronize the behaviors that bring about shifts such that switching of regions of the quantities is timed with respect to the reference quantities, which are also undergoing region shifts in the process. Such synchronization failures, termed co-occurrence failures, occur when there is a shift from an interval region to a point region, i.e. an equality condition (p = c) at a point region (q = c1) is established by quantity changes of p in the previous region, q < c1, where p < c. Since movement through an interval takes time (rather than being instantaneous at a point), the timing of the quantity reaching the region boundary may not necessarily be consistent with the reference quantity reaching the boundary. The timing may have to be established via explicit design, i.e. ensuring the presence of causal influence relations between quantities that result in synchronized movement of two or more quantities. Such synchronized changes of two or more quantities are established by satisfying the co-occurrence constraint on the changing quantities. The co-occurrence failure condition is a specification of such a constraint which must be satisfied by a design fragment. The failure occurs when the design fragment does not specify such a constraint relation as part of its assumptions or does not explicitly establish it in its CRN.

Failure to meet co-occurrence requirements can occur in two contexts which are distinguished by the nature of the influences that are causing the quantity to change.
In a direct influence context, the quantity whose attaining a specific value is being synchronized with the value of a reference quantity is only directly influenced (e.g. the shift of the velocity of the piston (Vp) from Vp > 0 to Vp = 0 is achieved by having its direct influence, the acceleration, shift); the co-occurrence requirement is satisfied by introducing a co-occurrence assumption that specifies that a correspondence of a certain value of the direct influence (e.g. acceleration of the piston) with a value (say c) of the reference quantity (e.g. position of the piston) implies a correspondence of the value of the influenced quantity (e.g. velocity of the piston) and a value (say a, where c ≠ a) of the reference quantity. To understand the rationale for such an assumption, consider again the piston motion example. In such a context, there are no direct correspondence relations between the quantities velocity, acceleration and piston position. That is, we cannot impose the requirement that velocity is zero when the acceleration is zero and the piston is at a certain position. The argument is that the change in velocity of the piston is determined by the sign of the magnitude of the acceleration of the piston. The only constraint that can be enforced in such a context is on the initial value of the direct influence: enforcing the acceleration of the piston to be at a certain value at some prior position of the piston, such that the velocity reaches the required value at some later piston position (as specified by the co-occurrence requirement).

In an indirect influence context, where the quantity being synchronized is influenced by another quantity through a qualitative proportionality relation, the co-occurrence requirement can be satisfied by imposing correspondence constraints between the influencing quantity and the influenced quantity and
a co-occurrence requirement on values of the influencing quantity and the reference quantity. The underlying basis for such an assumption is that, since the influencing quantity shifts along with the influenced quantity, there exists some value of the influencing quantity which corresponds with the value of the influenced quantity. Consider the co-occurrence requirement, in a liquid-level control example, of the liquid-inflow rate to a container to be zero when the level of the liquid attains h. If we consider the influence of the path-resistance changes on the inflow rate, since the liquid-inflow rate is inversely proportional to the path-resistance, there exists a corresponding value of path resistance (path-resistance = some maximum value, Rm), at which the liquid-inflow rate is zero. Hence the required co-occurrence requirement is met by satisfying the correspondence requirement and the derived co-occurrence requirement between the values of the path resistance, Rm, and the liquid-level, h (as required by Axiom 4.1-4.4).

7.4 An Example of Inequality Shift

We illustrate in Figure 7.4 the refine operation that leads to establishing an inequality by going through repeated calls of the refine operation and showing the trace of the incremental development of a sequence of design fragments that are refinements of existing fragments. The quantity change behaviors in the introduced design fragments are established by calls to the construct operation. The example used is from the steam engine design problem as introduced in the earlier section in this chapter. For the purposes of clarity only a single sequence of the design fragments constructed is shown in Figure 7.4.
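
Steps 2(a), 2(b) and 2(d) of Refine-DF (Table 7.2), applied to the steam-engine fragments df_S, df_1 and df_2 of Section 7.3, as an added Python example (not code from the dissertation or from the CMD implementation). The fragment representation, the INFLUENCES table and the behavior Vp = inc given to df_2 are assumptions; the revised region bot < pos <= p1 follows the label in Figure 7.3(b), and the co-occurrence step 2(c) is not modelled.

```python
from dataclasses import dataclass, replace

ORDER = ["bot", "p1", "top"]   # ordering of piston-position landmarks (p1 is skolemized)
# Direct influences: rate -> (influenced quantity, polarity). Constructed from the
# piston example: velocity Vp drives position pos, acceleration Aup drives Vp.
INFLUENCES = {"Vp": ("pos", +1), "Aup": ("Vp", +1)}


@dataclass(frozen=True)
class Fragment:
    name: str
    low: str            # region is low < pos < high (or <= high if high_closed)
    high: str
    required: dict      # desired behaviors B: quantity -> "inc" / "dec" / "std"
    established: dict   # every quantity change the fragment establishes
    based_on: dict      # sign (+1 / -1) of each rate inequality the fragment relies on
    high_closed: bool = False


def ramifications(frag):
    """Behaviors that necessarily follow from the rate inequalities of frag."""
    derived = {}
    for rate, sign in frag.based_on.items():
        target, polarity = INFLUENCES[rate]
        derived[target] = "inc" if sign * polarity > 0 else "dec"
    return derived


def contradicts_required(cand, dfs):
    """Step 2(a): a ramification of cand conflicts with a behavior in B(dfs)."""
    return any(dfs.required.get(q, change) != change
               for q, change in ramifications(cand).items())


def overlaps(a, b):
    """True if the two position regions share an open interval."""
    lo = max(ORDER.index(a.low), ORDER.index(b.low))
    hi = min(ORDER.index(a.high), ORDER.index(b.high))
    return lo < hi


def boundary_failure(cand, dfs):
    """Step 2(b): overlapping regions in which the same quantity changes differently."""
    clash = any(dfs.established.get(q, change) != change
                for q, change in cand.established.items())
    return overlaps(cand, dfs) and clash


def verify_and_revise(dfs, candidates):
    """Steps 2(a), 2(b), 2(d); returns (working set of pairs, names marked no-good)."""
    working_set, nogood = [], []
    for cand in candidates:
        if contradicts_required(cand, dfs):
            nogood.append(cand.name)
            continue
        revised = dfs
        if boundary_failure(cand, dfs):
            # Order the regions: dfs now ends where the meeting fragment begins.
            revised = replace(dfs, name=dfs.name + "1", high=cand.low, high_closed=True)
        working_set.append((revised, cand))
    return working_set, nogood


# Constructed sample fragments for the steam-engine example.
DF_S = Fragment("df_S", "bot", "top", required={"pos": "inc"},
                established={"pos": "inc", "Vp": "inc"}, based_on={"Vp": +1, "Aup": +1})
DF_1 = Fragment("df_1", "p1", "top", required={"Vp": "dec"},
                established={"Vp": "dec"}, based_on={"Vp": +1})
DF_2 = Fragment("df_2", "p1", "top", required={"Vp": "inc"},   # assumed: Vp rises to 0
                established={"Vp": "inc"}, based_on={"Vp": -1})

if __name__ == "__main__":
    pairs, rejected = verify_and_revise(DF_S, [DF_1, DF_2])
    print([(s.name, s.low, s.high, c.name) for s, c in pairs], rejected)
```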

The figure shows the establishment of the required inequality condition of acceleration of the piston p, to be Aup < 0 when the piston is at its topmost position, and satisfying the co-occurrence constraints required for a shift. Given the df_S, as shown in Figure 7.4, which establishes the upward motion of the piston (by establishing Vp > 0, Vp = inc, Aup > 0, Aup = inc etc.), the design fragment sequence consisting of df_11, df_9, df_7, df_5, and df_3 is one possible sequence that brings about the establishment of the inequality shift of Aup. The intermediate revisions of df_S which correspond to changes in its boundary definition are also shown in the figure.

[Figure 7.4 diagrams not reproduced. The panels trace the starting region Rs: bot < pos < top and the final region RF: pos = top with Vp = 0 and Aup < 0, the successive revisions of the starting region (Rs1 to Rs4), and the meeting fragments for regions R3, R5, R7 and R9.]

Figure 7.4: An example showing the incremental refinement of design fragments for establishing velocity-of-piston = 0 at top of cylinder starting from an initial region with velocity > 0 when piston is below top and moving upward.

The first call to the operation for establishing Aup = 0 produces alternative choices for the meeting design fragment. The choice df_3 (Figure 7.4b) specifies that Aup = 0 and establishes Aup = dec. The construct-df operation establishes Vp1 = dec. One of the inequality assumptions made in df_1 is Aup < 0. This inequality is established by df_3 (Figure 7.4b). Subsequent calls to the elaborate operation produce the other design fragments. The modified df_S after each refinement reflects the effect of applying the boundary failure condition operator, which enforces ordering constraints on the boundary for consistency of behaviors required for shifting the inequality condition.

The effect of enforcing the co-occurrence failure condition of steam-inflow rate, Sif, equal to the steam-outflow rate, Sof, when the position of the piston is p2, is shown in Figure 7.4f. The figure shows the CRN generated to establish the required co-occurrence constraint, for one set of choices that defines an influence path from the position of the piston to the steam-inflow rate. Establishing the co-occurrence involves creating new indirect influence relation links or traversing existing links to define a path of influences from position of piston to the rate quantities, steam-inflow and steam-outflow to and from the bottom of the cylinder, and posting required correspondence or co-occurrence constraints.
For the given example, the co-occurrence is established by first decomposing the co-occurrence into two separate co-occurrences, each based on Sif and Sof. The two co-occurrences are then separately established. For example, the co-occurrence of Sif = s1 is elaborated in Figure 7.4e. Since Sif = dec in the region due to indirect negative influence of the path-resistance, the co-occurrence constraint between steam-inflow path-resistance and position of piston is derived. The derived co-occurrence constraints get recursively established until they terminate on the position of the piston.

7.5 Summary

In this chapter we described two operations on design fragments that reason about the inequality conditions that were assumed to hold by the construct and compose operations. We identified one major problem with the quantity inequality assumption. The problem arises from the requirements on their persistence. In order to reduce search, the construct and compose operations make persistence assumptions on the quantity inequalities that arise in the context of establishment of behaviors. Such persistence may get conflicted in two ways: (i) Quantity changes produce shifts of their regions. Such individual shifts may be premature and conflict with the required region shifts. (ii) In order to make a region transition, the persistences of individual quantities holding in a region may need to be changed such that the conditions required for the region to which a transition is to occur do hold. The requirements for establishing such changes in persistences, called quantity shifts, require appropriate quantity changes and synchronization with other previously established quantity shifts. The latter requirement enforces the individual shifts to be consistent with desired device region transitions.

The first problem is handled by the extend operation which takes a conservative
approach and ensures that potential shifts of inequalities are prevented. It does so by augmenting the design fragment behavior with behaviors that sustain the inequality. The second problem is handled by the refine operation. The operation searches for refinements of existing design fragments at finer resolutions of their regions in order to produce a sequence of design fragments that establish the shifts consistent with the continuous behavior requirement (no discontinuous quantity shifts and no discontinuous behavior) and the inequality establishment criteria.

Chapter 8

CMD Method

This chapter describes the overall compositional design method. We then illustrate how the method works by tracing the steps of the method using the boiler control example. We then describe some of the implementation details of CMD. Finally, we describe a set of other examples that CMD has been demonstrated on.

8.1 CMD Steps

Table 8.1 presents the algorithm for compositional model-based design. The algorithm accepts as input a behavioral specification in the form of a region diagram, a domain model, and initial partial design constraints and produces as output a set of designs that generate the specified behavior. The initial design solution is incomplete since it contains only the design objects whose changes are of interest and any initial additional constraints.

It uses a working set of design fragments and a set of design fragments for basic behavior fragments (qualitative changes to quantities). In step 0, the working set is initialized such that each design fragment in the set corresponds to a region from the region diagram.
The behavior, B, of the design fragment is initialized to the set of qualitative changes in the corresponding region; the causal-relations network, CRN, is empty; the design, D, is initialized to the objects mentioned in the qualitative changes and other input design constraints; and the assumptions are initialized to the quantity inequalities defining the boundary of the region. The algorithm cycles, establishing the behavior required of the design fragments in the working set and the basic set. The body of the cycle consists of steps 2 and 3.

Table 8.1: The CMD Method

Method: CMD(RD, Di, DM, Maxtime)
• Given:
    RD = region-diagram behavior specification consisting of a set of regions, R, where each R_i ∈ R consists of a set of qualitative changes QC_i and a set of quantity inequalities (defining the region boundary) QI_i
    DM = Domain Model
    Di = A set of initial structural physical constraints on design
    Maxtime = Maximum time allowed for the method to execute
• Output: A set of design solutions
    Let DF be a working set of design fragments
    DFbase be the set of design fragments that establish basic behavior fragments
• Steps:
  0. Initialize.
     DF ← {df | B(df) ← QC_i, CRN(df) ← [ ], D(df) ← Di, A(df) ← QI_i}
     DFbase ← {}
  1. If Exceeded(Maxtime) OR
     Forall df ∈ DF, Forall b ∈ B(df), established-in?(b, df) AND Forall da ∈ A(df), assumable-p?(da, df)
     Then Halt and if covers-behavior(DF, RD) output the design solution, the D(df), and the union of assumptions, the A(df)
  2. Repeat until no change
     2.1 Select earliest region df from DF such that ∃ b_k ¬ established-in?(b_k, df)
     2.2 If ∃ df_k ∈ DF, before(df_k, df) and established-df(df_k) Then set D(df) = D(df_k)
     2.3 Forall b ∈ B(df) and ¬ established-in?(b, df) do
         (a) If ¬ ∃ df_x ∈ DFbase, established-in?(b, df_x) Then Construct-DF(b, DM) and add the design fragments returned to DFbase
         (b) Select a design-fragment df_e such that df_e is behavior-establisher(b, DFbase)
         (c) Let DFC = Compose-DF(df, df_e)
         (d) Select df_c from DFC
         (e) Replace df with df_c
     2.4 Extend-DF(df, Maxtime)
     2.5 If No-change in step 2.4 Then Continue Else go to step 2.3
  3. Forall df ∈ DF do Forall qi_x ∈ df do
     If ¬ ∃ df_x ∈ DF and established-qi(qi_x, df_x) Then do:
         (a) Let df' = prev-region-df(df, DF)
         (b) DF' = Refine-DF(qi_x, df, df')
         (c) Select df from DF and replace df with df in DF.
  4. Go to step 1.

Step 2 constructs design fragments for each region. Since all operating regions of a device have a common physical design basis, the design decisions made in a prior region determine the design decisions for the next region. The CMD method takes advantage of such a constraint in searching for design fragments for each region. It uses the ordering of the regions in the region diagram to constrain the order in which design fragments get constructed. Step 2 consists of five substeps.

Substep 2.1 selects the earliest region design fragment, df, which has some unestablished behavior. Step 2.2 checks if there is some df_k in the working set DF, which is before df and all the desired behaviors of df_k are established. If there exists such a design fragment, step 2.2 sets the design, D, of the design fragment df to the contents of the design of df_k. Substep 2.3 is an iterative loop which establishes all the behaviors of the selected design fragment, df. Each behavior fragment b of the design fragment df is checked to see if it is established.
If not, then a basic design fragment df_e establishing the behavior fragment is retrieved from the set of basic design fragments, constructing new ones (and adding them to the set of basic design fragments) if none are present. The retrieved design fragment (df_e) is composed with the design fragment df so that df now establishes b in addition to behavior fragments processed before b.

Once every design fragment in the working set (corresponding to every region in the region diagram) has been established, step 2.4 extends each design fragment in the working set by posting auxiliary behavior to disable unwanted transitions. If changes made to design fragments in the working set result in extending their behaviors, then the new behavior fragments are established by cycling back through the algorithm from step 1. Step 2 will construct (or retrieve from the basic set, if one is available) a design fragment that establishes the newly added behavior and will compose it with the design fragment.

The method executes step 3 when all the design fragments in the working set have been checked to establish their respective behaviors without any unwarranted transitions. This step establishes the quantity inequality condition assumptions made in a design fragment, df, for a region. It either refines an existing design fragment in the working set or refines it into two or more design fragments such that the inequalities established are consistent with the region transition requirements and the required region behaviors.

The cycle continues until one of the end tests is met: either the user-set maximum time limit has been reached or all the behavior fragments and transitions in the region diagram have been established.
The design solution is the union of the designs of the design fragments in the working set, and the set of assumptions underlying the design solution is the union of the assumptions of the design fragments in the working set.

The application of the construction, composition, and extension operators, and the basic revision operators, may produce several alternative design fragments. For example, the composition operator formulates the codesignation assumptions across design fragments. Each consistent collection of assumptions will result in an alternative design fragment. The algorithm in Table 8.1 lays out the basic search space for the design. The implementation explores this space in a depth-first fashion with backtracking.

8.2 An Example Trace

We illustrate how the CMD method designs a portion of the boiler control system discussed in the introduction chapter. In the trace, we show only the design choices made by the method that will lead to the design shown in the introduction chapter; if it were to make alternative choices, it would lead to a different design.

Figure 8.1a shows the basic design fragments in DF_base that are constructed by the construct operation when invoked in step 2.3 (Table 8.1) establishing the basic behavior fragments of region R_1. The design fragment constructed for PS_d = std is based on the existence of just the drum without any ports. The fragment establishes PS_d = std by making the null influence closure assumption. The water level in the drum and the steam pressures in the boiler are similarly established to be steady by assuming they are uninfluenced. The outflow rate from the drum to the load is increased by decreasing the path resistance through a valve and lever mechanism attached to the governor sensing the steam demand changes at the load (not shown in the figure).
Figure 8.1b shows the effect of composition (step 2.3(c)) of the design fragments for increasing the outflow rate and maintaining the pressure at the load steady. The composition results in a violation of the latter behavior fragment since the outflow decreases the steam mass and pressure in the drum. To re-establish the steady pressure, an inflow of steam is introduced to cancel the outflow (Figure 8.1c).

Further composition of the design fragment for maintaining the steam pressure in the boiler steady with the composite design fragment obtained above, under the assumption that the source of the steam inflow to the drum codesignates with the boiler, results in the steam pressure in the boiler decreasing due to the flow. Hence, the behavior fragment—maintaining the steam pressure in the drum steady—is violated. To re-establish the steady pressure, a generation of steam is introduced to cancel the outflow (Figure 8.1d).

The composition of the design fragment for maintaining the water level in the drum steady to the composite design fragment obtained above does not violate any of the previously established behavioral fragments. Step 2.3 of the method now extends the composite design fragment to prevent unwanted transitions. Since the water in the boiler is decreasing due to steam generation, it will eventually become zero, leading to an unwanted transition from region R_1. To prevent that, an auxiliary behavior fragment specifying that the mass of water in the boiler must be steady is posted. In the next iteration of the method, a design fragment for maintaining it steady is constructed and composed with the above composite design fragment. The water level in the boiler is maintained steady by introducing an inflow of water into the boiler to cancel the loss due to steam generation (Figure 8.1e).
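The revision chain of this trace (outflow, steam inflow, steam generation, water inflow) can be replayed on a small qualitative model. The Python below is an added example, not CMDP's Common Lisp code; its process catalogue, signed influences, and fixed codesignation choices (X = b, Y = d) are constructed assumptions that follow Figure 8.1, and it takes the first applicable revision instead of backtracking.

```python
"""Toy replay of the compose / verify / revise / extend cycle of Section 8.2.

Added illustration, not CMDP code. The process catalogue, its signed
influences and the fixed codesignation choices (X = b, Y = d) are
constructed simplifications of the boiler trace in Figure 8.1.
"""
from collections import namedtuple

# A process (instantiated model fragment) with qualitative influences:
# `influences` maps a quantity name to +1 (raises it) or -1 (lowers it).
Process = namedtuple("Process", "name influences")


def signs_on(quantity, processes):
    """Set of influence signs acting on `quantity` in the current design."""
    return {p.influences[quantity] for p in processes if quantity in p.influences}


def verify(behaviors, processes):
    """Check every required behavior against the causal influences.

    Returns (failures, assumptions). A failure is (quantity, sign), where
    `sign` is the influence that must be introduced to re-establish it.
    """
    failures, assumptions = [], []
    for quantity, wanted in behaviors.items():
        signs = signs_on(quantity, processes)
        if wanted == "std":
            if len(signs) == 1:                  # unopposed change
                failures.append((quantity, -next(iter(signs))))
            elif len(signs) == 2:                # opposing influences
                assumptions.append("influences on %s cancel" % quantity)
            # no influence at all: null influence closure, nothing to add
        else:
            need = +1 if wanted == "inc" else -1
            if signs != {need}:
                failures.append((quantity, need))
    return failures, assumptions


def extend(behaviors, processes, must_persist):
    """Post auxiliary 'std' behaviors for draining quantities whose
    exhaustion would cause an unwanted region transition."""
    posted = [q for q in must_persist
              if q not in behaviors and signs_on(q, processes) == {-1}]
    for q in posted:
        behaviors[q] = "std"
    return posted


def design(behaviors, initial, catalogue, must_persist, max_steps=20):
    """Run the cycle; the first revision that supplies the needed sign wins."""
    behaviors, processes, log = dict(behaviors), list(initial), []
    for _ in range(max_steps):
        failures, assumptions = verify(behaviors, processes)
        if not failures:
            posted = extend(behaviors, processes, must_persist)
            if not posted:
                return processes, assumptions, log
            log.extend(("extend", q, "std") for q in posted)
            continue
        quantity, need = failures[0]
        fix = next((p for p in catalogue
                    if p.influences.get(quantity) == need and p not in processes),
                   None)
        if fix is None:
            raise ValueError("no revision re-establishes " + quantity)
        processes.append(fix)
        log.append(("revise", quantity, fix.name))
    raise RuntimeError("step limit reached")


# Constructed data for region R1 of the boiler example.
R1_BEHAVIORS = {"PSd": "std", "PSb": "std", "LWd": "std", "FRSd_l": "inc"}
OUTFLOW = Process("steam-outflow(d->load)", {"FRSd_l": +1, "PSd": -1})
CATALOGUE = [
    Process("steam-flow(b->d)", {"PSd": +1, "PSb": -1}),
    Process("steam-generation(b)", {"PSb": +1, "MWb": -1}),
    Process("water-flow(d->b)", {"MWb": +1, "LWd": -1}),
    Process("water-flow(tank->d)", {"LWd": +1}),   # tank: large-capacity source
]


def run_trace():
    """Replay region R1: returns (processes, assumptions, log)."""
    return design(R1_BEHAVIORS, [OUTFLOW], CATALOGUE, must_persist=["MWb"])


if __name__ == "__main__":
    final, assumed, steps = run_trace()
    for step in steps:
        print(step)
    print("design:", [p.name for p in final])
    print("assumptions:", assumed)
```

Each steady behavior that survives does so only under an influence-cancellation assumption, which is why the returned assumption list grows with every revision.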
If the source of the inflow codesignates with the drum, then a previously established behavior fragment, maintaining the water level in the drum steady, is violated. To re-establish the steady water level, an inflow of water into the drum from a tank is introduced to compensate for the loss due to the outflow of water (Figure 8.1f).

Figure 8.1: A trace of the CMD method for the design of a portion of the boiler control system.

8.3 Implementation

The CMD method is implemented as a program, CMDP, in Sun Common Lisp. It uses the ADB tool [17], which provides a focused forward chaining inference engine with assumption-based truth-maintenance capability. The focused triggering of rules in ADB allows the top-level CMD program to exercise goal-directed control on the triggering of rules. This is necessary in order to apply different types of operators at different stages of the method. The failure condition recognition operators and revision operators are represented as rules in ADB. A design fragment is represented as a dependency structure in ATMS.
We exploit the context and environments feature of ATMS to represent design fragments and model fragments. A design fragment is represented as a dependency structure in ATMS, having an environment defined by the conjunction of sub-environments defined by B, D, and A. Such a symbolic representation allows flexible composition of design fragments and revision based on modification of environments. The model-fragments in the domain model are compiled as dependency structures in the ATMS.

CMDP has been demonstrated on a number of examples taken from the hydro-mechanical devices domain, early steam engines and boiler control systems. The domain model used for these examples consists of about 50 different types of model-fragments including springs, valves, links, pumps, heat-exchangers, motion, force, boiling and condensing [6]. Below we give an overview of some of the design examples from the steam engine domain and the liquid-level control and why they were chosen to demonstrate CMD.

8.3.1 Steam Engine Design

The problem here is to use the domain model of the hydro-mechanical device domain to generate design solutions for single piston motion as given by the region diagram in Figure 8.2a and initial design constraints given in Figure 8.2b. Several factors contributed to the choice of this domain: (i) Use of basic components. All the early steam engines were based on basic physical principles in hydraulics and thermodynamics. (ii) Alternative innovative designs. The history of steam engines has a number of examples of steam engines which are based on alternative causal mechanisms and function sharing. Such examples are used to demonstrate the ability of CMD to explore alternative solutions. (iii) Multi-operating region behavior.
The steam engines have multiple operating regions (upward and downward motion) where the transition from one region to the other requires use of explicit mechanisms. (iv) Complexity. Engine design requires handling complexity of interactions arising from function sharing as well as complexity from persistence of regions and their shifts.

In the examples to follow we show some of the design alternatives explored by CMDP with the help of some manual guidance. The rationale for this is that the current implementation does not have a powerful inequality reasoner as well as heuristics to make choices at the various choice points in the top-level search algorithm. It is very time consuming to allow CMDP to explore all paths in a depth-first manner since some of them may cause the program to not terminate. Instead we intervened at those points where CMDP selects between alternate design-fragments to compose and extend, choosing paths that led to plausible designs. From the experiments it has become apparent that additional focusing techniques are required to improve the efficiency of generating alternatives.

Figure 8.2: Alternative steam engine design based on use of liquid pressure and steam pressure under choice of large capacity source and sink model fragments. Panel (b), existing design: container(c), piston(p), piston-in-cylinder(p,c).

Figure 8.2c is a simple design based on use of liquid-pressure. The design works as follows: In region R_1, the piston is below the top and the valve, v_1, is open and the valve, v_2, is closed. Liquid-flow from the tank, c_1, to the bottom compartment of the cylinder, c, causes the mass of liquid there to increase which in turn increases the pressure on the piston head and consequently the force on it.
The increasing force on the piston head comes to dominate the downward force due to atmospheric pressure and force due to gravity. As the piston moves upward, the valve is closed and the valve, v_2, is opened. At some position below the top, liquid outflow dominates the liquid inflow. This results in downward forces dominating the upward force which in turn causes the acceleration of the piston to become negative. The negative acceleration causes the upward velocity of the piston to reduce to zero at which point the piston is brought down by downward atmospheric pressure. CMDP arrives at this design by making choices on liquid-flow to produce pressure increase in the bottom of the container. An alternative to this choice is considering steam-flow, as shown in Figure 8.2d. In both cases, the model fragment choices made for the source of liquid-flow (c_1) and the sink of the flow (c_2) are based on idealizations of infinite source and infinite sink. The other alternatives correspond to choosing finite source and finite sink.

Figure 8.3a, b and c show variants of the design based on use of steam pressure. The design shown in Figure 8.3a is a simplified version of the Newcomen steam engine invented in the early eighteenth century. This is an interesting example which demonstrates how revising for certain failure conditions leads to a different design. Consider the previous example, where the choice is made for steam-inflow from a finite source. This choice results in a region maintenance failure - a possible unwanted transition of the engine before the piston reaches the top of the cylinder. Such a possible failure generates the necessary failure condition - that the steam-pressure in the source must be increasing. This is achieved by having explicit steam generation in the source.
The choice of alternative model fragments for reducing steam pressure at the bottom of the container in order to shift to the next region (velocity at top being steady), the finite steam sink (c_2), also leads to further revisions. Figure 8.3a shows the case for the choice of steam-cooling to reduce pressure. This requires cold water to be injected (water-flow model fragment use) into the bottom compartment.

The design shown in Figure 8.3b is a more interesting example demonstrating how function sharing devices can be generated by considering codesignation choices. In the earlier example, CMDP considered the choice where the source of steam generation is not codesignated with the bottom of the cylinder. Considering such a codesignation leads again to the problem of unwanted region transition from the possible region failure condition - mass of water not enough to support continuous steam generation and consequently upward piston motion. This requires water flow into the lower compartment. Now for the downward motion, the steam pressure reduction requires steam cooling. This is based on the same choice as made earlier, using cold water flow. Now there exists a possible codesignation between the sources and pipes required for the two water-inflows. The example in Figure 8.3b shows the case where the two are codesignated.

The design shown in Figure 8.3c considers the alternative where the source of the steam is not codesignated with the bottom of the cylinder. Moreover, the cooling of the steam also takes place external to the cylinder. This example also considers the case where the boiler water may not be sufficient to produce enough steam to drive the cylinder.

Figure 8.3: Alternative steam engine design based on use of liquid pressure and steam pressure using finite capacity source and sink model fragments.
This region maintenance failure produces a revision corresponding to introducing a water-flow into the boiler. The example shows the case where the source of that flow is codesignated with the container where steam cooling takes place. This leads to reuse of steam energy not used during the upward stroke.

The design shown in Figure 8.4a is an example showing a limitation of the CMD method. The reasoning done in CMD is based on only flow variables and ignores energy and power variables, and CMD also does not reason for satisfaction of global behavior constraints (for example, repeated cycles of the piston movement). The design shown in Figure 8.4a generated by CMD is consistent with the CMD logic but is incorrect. The design uses a compressed spring model-fragment. The restoring force in the spring is used to cause upward motion of the piston. The downward force due to atmospheric pressure and gravity will cause downward motion and consequent compression of the spring. Due to loss of energy from friction and other factors, the spring compression will not be the same amount as the starting point. Hence after repeated cycles there will not be any piston motion.

Figure 8.4: (a) An example of design that is consistent with CMD logic but will not work, (b) Examples of double acting steam engines generated when considering a closed cylinder.

The design alternatives considered so far are examples of single-acting engines. These engines deliver power only during the outward stroke of the piston. The engines shown in Figure 8.4b and c are examples of double acting engines - where power is delivered in both the inward and the upward stroke. The example in Figure 8.4b is a simplified form of the engine invented by James Watt in the middle of the eighteenth century [48, 7] and Figure 8.4c is a simplified version of the Stirling engine [7]. We consider here how the latter design alternative gets generated.
The previous designs result from considering the cylinder to be an open-container (i.e. using the open-container model fragment to model the cylinder c). The alternatives shown in Figure 8.4b and Figure 8.4c result from considering the closed-cylinder model-fragment to model the cylinder. These examples demonstrate how interesting designs may result from considering alternative models of an abstract idealized component like the container. Considering such a choice yields a design which is quite different from the examples considered so far. The model-fragment choices in the design fragment for producing the upward motion in region R_1 are the same as for the examples in Figure 8.3a — using steam inflow from a boiler to the bottom compartment of the cylinder. For the downward motion in the region R_3, the downward force must dominate the upward force due to steam in the bottom compartment of the cylinder, c. One choice for such a failure condition is to have an outflow of steam from the bottom compartment of c, and an inflow of steam in the upper compartment of c. Since the source of the inflow and the destination of the outflow can codesignate — we have two choices, one with the source and destination of the steam flows codesignating and the other non-codesignating. The codesignating choice gives rise to the example shown in Figure 8.4c.

8.3.2 Liquid-level Regulator Design

The problem in these examples is to use the domain model of the hydro-mechanical device domain to generate designs for water-level regulation. The region diagram in Figure 8.5a specifies that if the level of water in the container, s, is less than the level in the container, d — then the level of water in d must increase (region R_1). The water-level must become steady once the desired level is reached (region R_2).
To increase the water-level, some choices considered by CMDP are: (i) level increase by causing the mass of water to increase and subsequently the mass to increase by using liquid-flow. (ii) Using condensation and steam-inflow. The second choice leads to very costly search by CMD and poor solutions as well. The examples shown in the figures show the cases for considering the codesignation choice. Now the water-flow depends on the inequality condition that the pressure of water at the source (s) is greater than the pressure of water at the destination (d). Since the pressure at the bottom of the container also depends on the height of the container - there are different alternative possibilities based on considering different inequality assumptions between the heights of the two containers s and d. The design shown in Figure 8.5c is based on the assumption that the heights are the same. For such a choice - the transition is automatic and no specific mechanisms are required to stop the flow when the heights in the two containers are the same.

Figure 8.5: a) and b) Input region diagram and initial design constraints for liquid-level regulation in a container, c) and d) Design solutions for the required behavior. Panel (b), initial partial design: closed-container(d), closed-container(s), working-fluid(s,water,liquid).

The choice of the height of the container(d) less than the height of container(s) - gives rise to the requirement of explicitly bringing about the pressures to be the same when the heights are the same. This requirement is met by using the valve and float mechanism as shown in Figure 8.5d. The design works as follows - as the height of
level of water in container d increases, the float rises and correspondingly the valve closes to cause the flow to stop when the desired level is reached.

The choice of height of the container(d) greater than the height of the container(s) produces the solution shown in Figure 8.6. This solution is a simplified version of the device designed by Thomas Savery [48] in the late seventeenth century, for raising water from a well. CMD fails to generate this solution since it requires extending the input region diagram to establish an inequality in region R_1. Currently CMD does not try to establish any inequalities in the start region. If we extended CMD to consider ways of establishing inequality assumptions made in region R_1 then the above solution can be generated. This would require using the inequality establishment operators to post requirements on increases in pressure of water in the container, s. The pressure increase can be obtained either by decreasing the volume or increasing the mass of gas (steam) in the container. Following the latter choice - one option to increase the mass of steam is having steam inflow from another container b.

Figure 8.6: Liquid level regulator example when the height of the source of liquid-inflow to the destination container is less than the height of the destination container.

8.4 Summary

In this chapter we described the method for compositional model-based design. The procedure makes use of the construct, compose and extend operations defined in the previous chapters. A detailed trace of the method was given to describe how the method works. We described an implementation of CMD in a program called CMDP. Several examples from the domain of early steam-engines and liquid-level controller were chosen to demonstrate model-based generative design capability of CMD.
We described some of these examples in this chapter to demonstrate how the program handles these design problems.

Chapter 9

Discussion

This thesis has described a computational method, CMD, for model-based conceptual design of physical systems. The thesis has two main themes. First, to cope with the complexity of the search for correct designs with reasonably complex behavior, the design process is viewed as partial solution construction. This raises problems of incorrectness which are addressed by the second theme of using information obtained from verification analysis to extend and refine partial solutions. This chapter discusses the main points of this thesis, summarizes the main contributions, summarizes its main limitations, and suggests directions for future work.

9.1 Summary of CMD

CMD designs complex devices with continuous behavior by searching for design fragments which are representations of how the design works to establish its behaviors. Independent of the search strategy, any design fragment output by a search process must be verified for its correctness. Since a design fragment can be viewed as a causal process description of the working of a design, in order to verify its correctness we need to know (i) what are the basic behavior fragments the process establishes, (ii) what are the primitive representation elements of such a process description, and (iii) what does it mean for the process to correctly establish the behavior fragments¹. These questions were answered in the first half of Chapter 4.
¹ This is one of the general approaches to construct task specific reasoning systems: once the knowledge representation language is chosen, one provides a semantics for this language appropriate to the inferences one wants to make for the application in mind [21].

The key observations to be made from that chapter are that: (i) quantity changes and quantity inequalities are the main characteristics of continuous physical devices, (ii) since causal influence relations are the instruments of change that go into the process description, the correctness criteria must also be stated in those terms. In Chapter 4, we declaratively defined such criteria. The problem then was how to organize the search for such design fragments satisfying the criteria. The approach we pursued in CMD was a constructive approach, in which the object searched for (the correct design fragments) was constructed to meet desired requirements.

We identified two major problems in constructing such verified design fragments which stem from the (i) qualification problem, and (ii) persistence problem. These problems arise in the context of reasoning about change, where the goal for correctness conflicts with the goal for efficiency. The qualification problem arises from the individual model complexity and the combinations of influence relations that can simultaneously be present. In terms of search, this increases the branching factor at each design choice point. The persistence problem arises from the fact that quantities defining the inequality condition which form the basis of region behaviors are themselves subject to change. In terms of search, this requires determining that for all possible qualitative states in the region, the inequality persists.

We formulated an incremental and approximate reasoning method which uniformly addresses the above two problems without sacrificing the correctness goal.
There were three key elements in the solution: (i) Approximately correct design fragment construction: construct basic design fragments that are locally correct and satisfy the minimal necessary verification criteria, (ii) Failure conditions based revision: perform verification analysis to determine failure conditions and use such conditions to focus the revision of the design fragment, and (iii) Divide-and-conquer and incremental search strategy: compose and extend basic design fragments for conjunctive behavior and region transitions.

9.2 Contributions

The contributions of this thesis are:

• Design for conjunctive behaviors in a region. It presents an approach for solving the class of design problems that involve conjunctive behaviors in a region. This is a difficult problem due to side-effects and structure sharing. Previous approaches [54, 51] have been primarily restricted to single conjunct behavior, and can be extended to handle the multi-conjunct design problem only by performing brute force search.

• Design for region transitions. It presents an approach for solving design problems that involve multiple operating regions and transition between those regions. This is a difficult problem because the design fragment for a region has to be transformed to the fragment for the next region. Previous approaches [54] have considered design of simple devices which have automatic region transitions or whose transitions can be captured in a single equation.

• Design-fragment-based search space. Chapter 3 defined a design-fragment representation of a design object. The representation makes explicit four pieces of information that are relevant to focusing the search for conceptual design: (i) the behavior, (ii) the causal relation network, (iii) the design, and (iv) the assumptions.
The representation facilitates incremental search for approximately correct design fragments and their revisions for approximation failures. The representation allows the desired behavior to focus the search for initial designs. The causal relations and the assumptions are used for verification analysis and focus the search for determining the failure conditions and subsequently focus the revision. The representation also makes explicit the link between structure and behavior. This is necessary in order to search for function sharing devices which use the same structure for multiple functions.

• Design verification interleaved with design generation. The CMD approach addresses the problem of qualitatively verifying that a design obtained from a design fragment achieves its behavior at any stage of a design fragment construction process. To address such a problem, it formulates verification criteria for design fragments, a declarative specification of the criteria for evaluating the qualitative correctness of design fragments to satisfy desired behavior fragments. It uses such criteria constructively to incrementally generate design fragments and design solutions from those fragments.

• Approximately verified design fragments, failures and focused revision. In Chapter 4 we identified two problems that arise from the conflict between the goals for efficiency and correctness in the particular context of construction of design fragments for design, the qualification problem and the persistence problem. To address such problems we introduced the notion of incrementally constructing approximate design fragments, where the approximations result from making simplifying assumptions in the verification criteria.
In order to systematically handle incorrectness that results from the approximations, we defined design-fragment failure conditions and revision operators: we used the verification criteria to derive the set of design fragment failure conditions, which are specifications of necessary constraints on a design fragment to remain consistent, and a set of operators that satisfy such constraints. The failure conditions are important - they pinpoint the inconsistencies and provide constraints on the search for revisions that remove the inconsistencies.

• Compositional model-based design. We formulated an incremental and least-commitment design method for obtaining designs of continuous devices with multiple behaviors in a region and multi-operating regions. The method uses the design fragment representation, failure conditions and revision operators to restrict and focus the search for design solutions.

Chapters 5, 6 and 7 defined the basic operations that are required to define an incremental, divide and conquer search strategy. The three basic operations defined were (i) Construct design fragments, (ii) Compose design fragments, and (iii) Extend design fragments. The construct operation is used to construct design fragments that are based on simplified verification criteria. The constructed design fragments are also least committed in that components required to establish a causal relation alone are constrained to exist and the decision to use other existing components for the same relation is deferred. They are then composed by the compose operation and extended until the entire specified behavior is achieved. The individual operations of the method perform generation, propagation of necessary ramifications of other design fragment constraints, verification analysis, and derivation of failure conditions that lead to design fragment revisions.
; i • C M D p Program. We described a program th a t was im plem ented to demon- j strate th e working of the CMD m ethod and described several design exam ples th a t the program currently can handle. 1 9.3 Main Limitations of C M D I T he lim itations of CMD arise from lim itations in the input specification, th e design < fragm ent representation and the search strategy. The following subsections discuss! these lim itations. | i 9.3.1 C o n ju n ctiv e T ran sition s i The transition operation makes the assum ption th a t transition of operating regions j of devices is based on synchronizing the quantity inequality shifts w ith respect t o ! a single reference quantity. This lim its the types of devices th a t CMD can handle. T here are m ulti-operating region devices where region transitions m ust be synchro- : nized w ith respect to several quantities sim ultaneously reaching corresponding land- i m ark values. An exam ple of such devices are m ulti-cylinder engines in which the i piston m otions are co-ordinated. : 9 .3 .2 A g g re g a te B eh a v io r T he overall divide and conquer strategy used in th e CMD m ethod is based on the assum ption th a t th at the desired behavior of th e device can be decom posed into behavior fragm ents and design fragrhents constructed for each. This ignores devices 1 whose individual behaviors m ust also satisfy some global constraint. An exam ple of j a global constraint is th at th e piston deliver power over extended periods of tim e. Though th e behavior can be expressed in a region diagram , CMD will only ensure th a t individual region behaviors are m et and transitions do occur. Reasoning about such global constraints requires reasoning over iterative cycles of cyclic behavior of devices, which CMD cannot handle. I I 9 .3 .3 E x p ressiv e R e p r e se n ta tio n s j i In CMD, the region diagram is lim ited to expressing regions and behaviors in those i regions. 
A more expressive representation is required which allows one to express | causal relations between quantities. For example in designing a speedom eter, one j should be able be specify th a t the wheel rotation causes the pointer on a gauge to rotate. Also the design fragm ent representation is lim ited in certain ways. The j design fragm ent only represents the dynam ical aspects of causal relations between | two quantities. Such a representation is inadequate for m echanism design where th e : interactions between quantities resulting from paths of m otion (collisions) are im- [ p ortant in m aking design choices. Also the representation currently does not cleanly ! represent th e regions and relations between them . An interval-based representation developed for tem poral reasoning would be a m ore appropriate for reasoning about design fragm ents for regions and subregions and transitions between regions. [ 9.4 Future Work ! Two distinct areas of future work are in making CMD m ore efficient and in theoret- 1 ically and em pirically evaluating the scope of CMD. In the following subsection we{ discuss these directions for future work. ! 9.4.1 C on tro l H eu ristics for CMD C urrently CMD constructs basic design fragm ents for each new behavior and explores alternative compositions of th e new additional design fragm ent w ith the old design fragm ents. H euristic search control based on use of stored library of cases can be I used to focus the search for new modifications. A nother m eans of search control is explanation-based learning. Explanation- based learning can also be applied in learning search control operators th a t lead to 116 j early pruning of search paths in CMD. Such control knowledge can be obtained by j learning m ore problem specific knowledge th at specify m ore refined conditions for j revision operator applications. J ! 
9 .4 .2 D o m a in M o d el S im p lifica tio n s in C o n c e p tu a l D esig n ) j In our approach to generative model based design we identified a generic class of i simplifications which also happens to correspond to how hum ans would simplify j when doing conceptual design. H um an designers try to obtain design concepts based on w hat will get it working before looking into how it m ight fail. In such a design i process — there were two components: a) A backward com ponent where generation j takes place directed by the behavior requirem ents, and, b) A forward com ponent j which reasons from ram ifications of design decisions. i C ertain approxim ations in the verification criteria cleanly fit w ith th e search J in the backward search com ponent. The issue is w hat approxim ations would b e , appropriate in the forward com ponent of the CMD m ethod. This raises the ra m i-' fication problem - approxim ating ram ifications of chosen m odel fragm ents in o rd e r; to restrict the search and focus on only relevant ram ifications. We feel th a t dom ain j m odel approxim ations could play an im portant role here. A pproxim ations in the j dom ain m odel would ignore certain incorrectness th at can potentially result from j considering a detailed model. Such approxim ations would focus th e search for ob- j taining com plete design solutions th a t are correct with respect to a set of domain m odel approxim ations. j ! i 9.4.3 F orm al an d E m p irica l P r o p e r tie s o f C M D ! I In C hapter 2, we characterized the problems th a t arise from simplifications as the qualification problem and persistence problem. T he increm ental and approxim ate reasoning approach used to solve such problems can be viewed as a form of non m onotonic reasoning. 
T he key difference w ith other standard approaches is th a t we show th a t the revision problem can be solved in a controlled m anner for conceptual design tasks (based on use of the verification criteria th at guides the revision p ro cess).' This approach is in the line of research which treats non-m onotonic reasoning as defeasible inference. It would be interesting to determ ine if only valid designs can get generated by this m ethod. T he other property th a t needs extensive work is em pirically analyzing the the perform ance of CMD. For a class of design problem s, w hat im provem ents are o b -! tained in term s of perform ance when approxim ations are m ade in the verification j criteria as opposed to no approxim ations at all or w ith dom ain m odel approxim a-1 tions. s 9.5 Significance of this Thesis j : j This thesis represents significant progress relevant to th e areas of conceptual design,) form alization of reasoning in qualitative domains and task-specific approxim ate re a -! soning techniques, in that: i ( 1. A pproxim ate design solution construction and revision based on inform ation j gathered through verification analysis allows focused search for design solutions j in generative model-based design. J 2. The verification criteria provides a declarative specification of the criteria for i qualitatively verifying the behavioral correctness of m ulti-operating region de- j vice. Such a criteria defined over th e design fragm ent representation forms the basis for qualitative verification of devices at different levels of approxim a tion of the design fragm ent th a t represents the design for the device and its working. ! k I 3. T he qualification problem and persistence problem arise in the context o f; model-based design of tim e-varying devices in complex domains. Such prob lems do have a system atic solution in a CMD-like framework. 
The design fragments can be generated less conservatively based on simplifications of the criteria that lead to approximating the qualifications for a change and approximating requirements for persistence of quantity inequalities. The simplifications focus the search to only what is necessary to bring about a behavior. To provide systematic means of revision for the incorrectness that results from the approximation, the verification criteria can be exploited to focus search for revisions (the notion of failure conditions and revision operators).

The problem of conceptual design of multi-operating region devices is addressed by reasoning about quantity inequality shifts and their synchronization.

Appendix A

Behavioral Axioms

A.1 Qualitative change

• Axiom for quantity change, q = inc

Let,

$P_+$ be the set of positive influences on a quantity $q$ under a set of codesignation assumptions, $= [p_1, \ldots, p_n] \wedge [\forall p, q',\ \mathrm{infl}(p, q', pos, R) \wedge \mathrm{codesignates}(q', q) \leftrightarrow p \in P_+]$

$P_-$ be the set of negative influences on a quantity $q$ under a set of codesignation assumptions, $= [p_1, \ldots, p_n] \wedge [\forall p, q',\ \mathrm{infl}(p, q', neg, R) \wedge \mathrm{codesignates}(q', q) \leftrightarrow p \in P_-]$

• A.1.1 Axiom for q = inc

$$\mathrm{holds}(q = inc, R) \Leftrightarrow \exists p,\ \mathrm{infl}(p, q', pos, R) \wedge \mathrm{codesignates}(q', q) \wedge [\ [\forall p,\ \mathrm{infl}(p, q'', neg, R) \rightarrow \neg\,\mathrm{codesignates}(q'', q)] \vee [\exists p,\ \mathrm{infl}(p, q'', neg, R) \wedge \mathrm{codesignates}(q'', q) \rightarrow \exists P_-, P_+,\ p \in P_- \wedge \mathrm{dominates}(P_+, P_-, q, pos)]\ ]$$

• A.1.2 Axiom for q = dec

$$\mathrm{holds}(q = dec, R) \Leftrightarrow \exists p,\ \mathrm{infl}(p, q', neg, R) \wedge \mathrm{codesignates}(q', q) \wedge [\ [\forall p,\ \mathrm{infl}(p, q'', pos, R) \rightarrow \neg\,\mathrm{codesignates}(q'', q)] \vee [\exists p,\ \mathrm{infl}(p, q'', pos, R) \wedge \mathrm{codesignates}(q'', q) \rightarrow \exists P_-, P_+,\ p \in P_+ \wedge \mathrm{dominates}(P_-, P_+, q, neg)]\ ]$$

• A.1.3 Axiom for q = std

h o l d s ( g = std, R) j [ [ 3 ?
- , n , p - = { } A n = { } V [ i n f l ( p , q d i r , R) A - < c o d e s i g n a t e s ( g / , g ) V [ i n f l ( p , g * , dir, R) A A c o d e s i g n a t e s ( g / , g ) — ► dir= s t d V [ 3 p , i n f l ( p , g ” , p o s , J ? ) A c o d e s i g n a t e s ( g / / , g ) — ► 3 V —,V+, p G P + A c a n c e l s ( ' P — ,V + , q,std ) ] j V [ 3 p , i n f l ( p , q", neg, R) A c o d e s i g n a t e s ( g “ , g ) — ► j 3 V —,V + ,p G T 5 — A c a n c e l s ( 7 3 + , ' P — , g , . s t d ) ] ; I t i • A . 1.4 A x i o m s f o r p o s i t i v e i n f u e n c e o n a q u a n t i t y g j i n f l ( p , q,pos, R) - « • I [ h o l d s ( I + ( g , p ) , R) A h o l d s ( p > 0 , i 2 ) ] V [ h o l d s ( I - ( g , p ) , R) A h o l d s ( p < 0 , i 2 ) ] V [ h o l d s ( Q p r o p + ( g , p ) , R) A h o l d s ( p = inc,R)\ j V [ h o l d s ( Q p r o p - ( g , p ) , R) A h o l d s ( p = d e c , i 2 ) ] ; h o l d s ( I ± ( g , p ) , R) j 3 M , r n f ( M ) A a c t i v e ( M , J ? ) A [ a c t i v e ( M , R) — ► h o l d s ( I ± ( g , p ) , R)] j h o l d s ( Q p r o p ± ( g , p ) , R) j 3 M , m f (M ) A a c t i ve(M ,R) A [ a c t i v e ( M , R) — ► h o l d s ( Q p r o p ± ( g , p ) , R)] | j A.2 Inequality conditions [ L e t , i h o l d s ( P , R) d e n o t e s t h a t l i t e r a l P i s t r u e i n t h e i n t e r v a l d e f i n e d b y r e g i o n R ' P+(q) d e n o t e s s e t o f p o s i t i v e i n f l u e n c e s o n a q u a n t i t y q i n s o m e r e g i o n R{, j P-{q) d e n o t e s t h e s e t o f n e g a t i v e i n f l u e n c e s o n a q u a n t i t y q i n s o m e r e g i o n i ? . 
, i J n f ( p , g ) d e n o t e s p i s a n i n d i r e c t i n f l u e n c e ( Q + o r Q - ) o n q d J n f ( p , g ) d e n o t e s p i s a d i r e c t i n f l u e n c e ( 1 + o r I - ) o n q i a - c o - o c c u r s ( r e l i ( p ) , rel2{q)) d e n o t e s c o r r e s p o n d e n c e a s s u m p t i o n o f j e q u a l i t y rel\{p ) a n d t h e e q u a l i t y rel2(q ) c o r r e s p o n d e n c e ( r e / 1 ( p ) , rel2(q ) ) d e n o t e s co-occurrence of inequality reli(p) and the inequality rel2(q) where a qualitative proportionality imposes a direct causal link between p and q All unquantified variables are universally quantified All quantities are denoted by the symbol letters p, q, r, s All constants are positive and are denoted by the symbol letters c, ci, c2, c , c • A.2.1 Axioms for p > c to hold in a region. h o l d s ( p > c , Rj) - £ > • [ [3 Ri,c ,V q, meets(Ri,Rj,q) A holds(p > c ,Ri)] V [ 3 q, m e e t s (Ri,Rj,q) A h o l d s ( p = c ,Ri) A h o l d s ( p = inc,Ri)\ ] A m a i n t a i n e d ( p > c,Rj) • A.2.2 Axioms for p < c to hold in a region. h o l d s ( p < c ,Rj) < & ■ [ [ 3 R i,c,V q, m e e t s ( J 2 , , Rj, q) A h o l d s ( p < c ,Ri)] V [ 3 i ? i , V q, m e e t s ( i 2 j , Rj,q) A h o l d s ( p = c ,Ri) A h o l d s ( p = dec,Ri)] ] A m a i n t a i n e d ( p < c ,Rj) • A.2.3 Axioms for p = c h o l d s ( p — c ,Rj) O [ 3 Ri, m e e t s ( i ? , , Rj) A h o l d s ( p = c ^ i Z , - ) ] V [ 3 R{, c ,c 'y q, m e e t s (Ri, Rj,q ) Aq = c E R j A q < c £ R i A h o l d s ( p > c ,Ri) — * ■ h o l d s ( p = dec, Ri) A c o - o c c u r s ( p = c ,q — c, Ri) ] V [ 3 R i,c ,c 'y q, m e e t s (Ri,Rj,q) Aq = c & R j A q < c £ R i A h o l d s ( p < c ,Ri) — * h o l d s ( p = inc, Ri) A c o - o c c u r s ( p = c ,q = c, Ri) ] • A.2.4 Axioms for maintained m a i n t a i n e d ( g > c,R) & [ h o l d s ( g = std, R) V h o l d s ( g = inc, J ? 
) ] m a i n t a i n e d ^ < c,R) [ h o l d s ( g = std, R) V h o l d s ( g = dec, 1 2 ) ] m a i n t a i n e d ( # = c,R) h o l d s ( g = std, R) m a i n t a i n e d ( p > q,R) [ h o l d s ( p = std, R) A h o l d s ( < / = std, 1 2 ) ] V [ h o l d s ( p = std, R) A h o l d s (< 7 = dec, 1 2 ) ] V [ h o l d s ( p = inc, R) A h o l d s ( g = std, 1 2 ) ] V [ h o l d s ( p = inc, R) A h o l d s ( g = dec, R)} 122 • A.2.5 Axioms for adjoining regions. m eets(P,-,Pj,g) 3c,ci,ci < c, | [ c i < q < c £ R i A q = c£ Rj] V [q = Ci G Ri A c i < q < c £ R f\ • A.2.6 Axioms for Co-occurence ( co-occurs(p = c ,q = c ,P ) O j [ [ holds(p > c ,R ) A holds(g < c, R) — > j [ holds(g = inc, P ) A holds(p = dec, P)] A ! [ [P+ (p) = {} A P -(p) = {g} A Q-(p, g) A correspondence^ = c ,g = c)] J v [P+(P) = { } A P_(p) = { q } A Q-(p, q ) \ A correspondence^ = c',q = c")A co-occurs(g// = c',q = c)] j V [P-(p) = {?'} A P+(p) = {} A I-(p,q) A a-co-occurs(p = c',g = c,q - c")] ]] ; [ [ holds(p < c ',P ) A holds(g < c, R) — > [ holds(g = me, P ) A holds(p = inc, P)] A [ [Pf(p) = {g} A P -(p) = {} A Q+(p, g) A correspondence^ = c’,g = c)] j V [f+ (p ) = { ? } A P-(j>) = { } A Q + (p ,? ') ! 
A co r resp o n d e n c e^ = c,q' = c” )A co-occurs(g» = c ,q = c)] j I V [P+(p) = {q} A P -(p) = {} A I+(p, g‘) A a-co-occurs(p = c , g = c,q = c")] ]] [ [ holds(p > c , P ) A holds(g > c ,P ) — * [ holds(g = dec, P ) A holds(p = dec, P)] A [ [P+(p) = {} A P -(p) = {g} A Q+(p, g) A correspondence^ = c ,q = c)] V [P+{P) = {} A P_(p) = {q } A Q+(p, q ) A correspondence^ = c ,q — c")A co-occurs(g» = c ,q = c)] ; V [P-(p) = {?'} A P+(p) = {} A l-(p,q) A a-co-occurs(p = c',g = c,q = c")] ]] [ [ holds(p < c ,P ) A holds(g > c, P) — ► [ holds(g = dec, P ) A holds(p = inc, P)] A [ [P+(p) = {g} A P-(p) = {} A Q-(p,g) A correspondence^ = c',g = c)] ^ [P+(P) = {?'} A P-{p) = {} A Q +(p,g') A correspondence^ = c , g = c )A co-occurs(g» = c , g = c)] V [P+(p) = {g'} A P_(p) = {} A I+(p, q ) A a-co-occurs(p = c', g = c, q = c")] ]]

Appendix B

Trace of CMD Program

B.1 Introduction

Section 8.2 illustrated how the CMD program designs a portion of the boiler control system. This appendix presents an annotated trace of CMD behavior for portions of this design example.

B.2 The Domain Model

The initial domain model given to CMD consists of: i) process model fragments: liquid-inflow, liquid-outflow, evaporation, condensation, steam-generation, heat-flow and gas-flow, ii) view model fragments: contained-liquid, contained-gas, contained-gas-and-liquid, liquid-path, open-valve, and closed-valve. Some of these model fragments have been described in Chapter 3 (Figure 3.1).
B.3 The Desired Behavior Input

The desired behavior of the boiler control system in region R1 is specified by the following assertions (expressed in ADB [17]):

(assertq (holds (ds (mass (steam-in load-cont)) 1) R1))
(assertq (holds (ds (level (water-in drum)) 0) R1))
(assertq (holds (ds (pressure (steam-in drum)) 0) R1))
(assertq (holds (ds (pressure (steam-in boiler)) 0) R1))
(assertq (holds (greater-than (rate (steam-inflow load-cont SFi)) ((CONST fr)) R1))

B.4 The Initial Design Constraints

The initial design constraints for the boiler control system specify the existence of the drum, boiler and load containers, the existence of the connection between the drum and the load, the steam pressure in the drum is greater than the steam pressure in the load, and that the mass of water in the drum is greater than zero. The constraints also specify the working fluids in each of the containers.

(assertq (container drum))
(assertq (container boiler))
(assertq (container load-cont))
(assertq (working-fluid (drum water gas)))
(assertq (working-fluid (drum water liquid)))
(assertq (working-fluid (load water gas)))
(assertq (working-fluid (boiler water gas)))
(assertq (holds (greater-than (mass (liq-in drum)) 0)
(assertq (holds (greater-than (pressure (steam-in drum)) (pressure (steam-in load)))))

B.5 CMD Program Behavior

CMD is executed by calling the top-level lisp function (start-CMD). The files defining the input behavior and the initial design constraints are evaluated before calling this function. In the following, portions of the trace of the program are given.
> (start-CMD)
Initializing design fragment DF-1 for region R-1 with required behavior and design constraints ...
Working set of region design fragments = (DF-1)
Select region design fragment from working set: (DF-1)
>> Selected design fragment to work on? DF-1
Existence of behavior establishment failure conditions identified for required behavior of DF-1:
1. B-1 = (holds (ds(mass(steam-in load-cont)) 1)))
2. B-2 = (holds (ds(level(water-in drum))) 0)))
3. B-3 = (holds (ds(pressure(steam-in drum))) 0)))
4. B-4 = (holds (ds(pressure(steam-in boiler))) 0)))
>> Select the basic behavior to establish from above choices, using Construct-DF operation? B-1

The program calls the Construct-DF function to construct basic design fragments for the chosen behavior B1. The operation adds the constructed design fragments to the working set of basic design fragments. If there is more than one basic design fragment, then the program asks for user guidance on the choice of the design fragment for the behavior. The chosen design fragment is then composed with the region design fragment (DF1) currently being worked on.

Constructing design fragments for B-1.
Constructed basic design fragment DFB-11 based on steam-flow for B-1.
Working set of basic design fragments = (DFB-11)
Selected design fragment for B-1: DFB-11
Composing DFB-11 with DF-1 ...
Possible codesignation choices:
1. Cd1 = (codes(steam-src-container ?C1)(container drum))
2. Cd2 = (noncodes(steam-src-container ?C1)(container drum))
Inconsistency identified in DF-2 for (ds(pressure(steam-in drum)))=0
Failure condition: (holds(ds(mass (steam-in drum)) 0))
Augmenting required behavior of DF-2 with (ds(mass(steam-in drum)))=0
Revising CWAs
Inconsistency identified for (ds(mass(steam-in drum)))=0
Failure condition: negative influence cancellation
Justification: Exists negative influence due to (inf(rate(steam-outflow drum load SF3))(mass(steam-in drum))neg)
Forming DF-2 under application of Cd1
Posting ramifications under Cd1 ... updating CWAs
Verifying for consistency failure under Cd1 ...
Applying revision operator INTRODUCE-POS-INF ...
Creating DF-3 based on steam-generation model fragment instance.
Creating DF-4 based on steam-inflow model fragment
Forming DF-5 under application of Cd2
Posting ramifications under Cd2.
Verifying for consistency failure under Cd2 ...
Current region design fragment working set: (DF-1 DF-3 DF-4 DF-5)
>> Do you want a summarized description of the design fragments in working set? yes
DF-1: has establishment failure conditions for all behaviors in B(DF-1)
DF-3: establishes behavior (holds(ds(mass (steam-in load-cont)) 1)))
establishes behavior (holds(ds(pressure (steam-in drum)) 0)))
establishes behavior (holds(ds(mass (steam-in drum)) 0)))
Exists behavior establishment failures
Based on codesignation assumption Cd1 = (codes(steam-src-container ?C1)(container drum))
DF-5: establishes behavior (holds(ds(mass (steam-in load-cont)) 1)))
Exists behavior establishment failures
Based on codesignation assumption Cd2 = (noncodes(steam-src-container ?C1)(container drum))
>> Continue? Yes
Select region design fragment from working set: (DF-1 DF-2 DF-3)
>> Selected design fragment to work on? DF-3
Existence of behavior establishment failure conditions identified for behaviors:
1. B-2 = (holds(ds(level(water-in drum))) 0)))
2. B-4 = (holds (ds(pressure(steam-in boiler))) 0)))
>> Select the basic behavior to establish from above choices, using Construct-DF operation? B-3
Constructing design fragments for B-3
Constructed basic design fragment DFB-31 based on null influence on (pressure (steam-in boiler))
Working set of basic design fragments = (DFB-11 DFB-21 DFB-31)
Selected design fragment for B-3: DFB-31
Composing DFB-31 with DF-3 ...
Possible codesignation choices:
1. Cd3 = (codes(steam-src-container ?C2)(container boiler))
2. Cd4 = (noncodes(steam-src-container ?C2)(container boiler))
Continue? No
nil
> (pp-CMD-design-solns)
The designs constructed so far:
Design-1: ( (container drum) (container boiler) (container load-cont) (pipe p1) (pipe p2) (connected drum load-cont p1) (connected drum load-cont p2) (working-fluid (drum water gas))) (working-fluid (drum water liquid))) (working-fluid (load-cont water gas))) (working-fluid (boiler water gas))) )
Design-2:

The program was stopped in the above trace.
The partial design solutions constructed so far are printed by calling the function pp-CMD-design-solns. The design shown above corresponds to the example given in Figure 1.1.

Reference List

[1] S. Addanki, R. Cremonini, and J. S. Penberthy. Graphs of models. Artificial Intelligence, 1991.
[2] Babcock and Wilcox. Steam/Its Generation and Use. Babcock and Wilcox Company, 1975.
[3] D. Barstow. Automatic Construction of Algorithms and Data Structures. PhD thesis, Stanford University, 1977.
[4] D. Chapman. Planning for conjunctive goals. Artificial Intelligence, 1988.
[5] S. Chien. An Explanation-Based Learning Approach to Incremental Planning. PhD thesis, Department of Computer Science, University of Illinois at Urbana-Champaign, 1991.
[6] J. Collins and K. Forbus. Building qualitative models of thermodynamic processes. In Technical Report, 1991.
[7] C. L. Cummins. Internal Fire. The Society of Automotive Engineers, 1989.
[8] E. Davis. Axiomatizing Qualitative Process Theory. Technical Report 590, Department of Computer Science, Courant Institute of Mathematical Sciences, November 1991.
[9] J. de Kleer. An assumption-based truth maintenance system. Artificial Intelligence, 1986.
[10] J. de Kleer and J. S. Brown. A qualitative physics based on confluences. Artificial Intelligence, 1984.
[11] G. F. DeJong and R. J. Mooney. Explanation-based learning: An alternative view. Machine Learning, 1986.
[12] M. Dyer, M. Flowers, and J. Hodges. Edison: An engineering design system operating naively. In Proceedings of the First International Conference on AI Applications in Engineering, 1986.
[13] B. Falkenhainer and K. Forbus. Compositional modelling: Finding the right model for the job. Artificial Intelligence, 1991.
[14] E. S. Ferguson. Engineering and the Mind's Eye. MIT Press, 1992.
[15] J. J. Finger. Exploiting Constraints in Design Synthesis. PhD thesis, Department of Computer Science, Stanford University, 1987.
[16] K. Forbus. Qualitative process theory. Artificial Intelligence, 1984.
[17] K. Forbus. The qualitative process engine. In Readings in Qualitative Reasoning about Physical Systems. Morgan Kaufmann Publishers, 1990.
[18] A. Goel and B. Chandrasekaran. Use of device models in adaptation of design cases. In Proceedings of the Second DARPA Workshop on Case-Based Reasoning, 1989.
[19] M. Huhns and E. Acosta. A system for design by analogy. IEEE Expert, 1988.
[20] B. Kuipers. Qualitative simulation. Artificial Intelligence, 1986.
[21] H. Levesque. Knowledge representation and reasoning. In Annual Review of Computer Science 1:255-87. 1986.
[22] V. Lifschitz. Closed-world databases and circumscription. Artificial Intelligence, 1985.
[23] M. L. Maher. Engineering design synthesis: A domain independent approach. Artificial Intelligence in Engineering, Manufacturing and Design, 1988.
[24] J. McCarthy. Epistemological problems of artificial intelligence. In Proceedings of the Fifth International Joint Conference on Artificial Intelligence, 1977.
[25] D. McDermott. Flexibility and Efficiency in a Computer Program for Designing Circuits. MIT AITR-402, 1977.
[26] J. McDermott. R1: A rules-based configurer of computer systems. Artificial Intelligence, 1982.
[27] T. M. Mitchell, S. Mahadevan, and L. I. Steinberg. Leap: A learning apprentice for vlsi design. In Proceedings of the Tenth International Joint Conference on Artificial Intelligence, 1985.
[28] T. M. Mitchell, L. I. Steinberg, S. Kedar-Cabelli, V. E. Kelly, J. Shulman, and T. Weinrich. An intelligent aid for circuit redesign. In Proceedings of AAAI-83, 1983.
[29] J. Mostow. Design by derivational analogy: Issues in the automated replay of design plans. Artificial Intelligence, 1989.
[30] S. S. Murthy and S. Addanki. Prompt: An innovative design tool. In Proceedings of AAAI-87, 1987.
[31] D. Navinchandra. Exploration and Innovation in Design. New York: Springer Verlag, 1991.
[32] D. Navinchandra, K. P. Sycara, and S. Narasimhan. Behavioral synthesis in cadet: A case-based design tool. In Artificial Intelligence Approaches To Engineering Design, 1993.
[33] P. P. Nayak, L. Joskowicz, and S. Addanki. Automated model selection using context dependent behaviors. In Proceedings of the 5th International Workshop on Qualitative Reasoning, 1991.
[34] D. Neville and D. S. Weld. Innovative design as systematic search. In Proceedings of the AAAI Fall Symposium on Design from Physical Principles, 1992.
[35] S. L. Newsome and W. R. Spillers. Tools for expert designers: Supporting conceptual design. In Proceedings of the 1988 NSF Grantee Workshop on Design Theory and Methodology, 1989.
[36] H. Petroski. Failure as a unifying theme in design. Design Studies, 1989.
[37] R. Reiter. A logic for default reasoning. Artificial Intelligence, 1980.
[38] A. Ressler. A Circuit Grammar for Operational Amplifier Design. TR-807, MIT AI Lab, Cambridge, MA, 1984.
[39] R. C. Rosenberg and D. C. Karnopp. Introduction to Physical System Dynamics. McGraw-Hill Book Co., New York, 1983.
[40] G. Roylance. A Simple Model of Circuit Design. MIT AI Lab TR-703, 1980.
[41] Y. Shoham. Time and Causation from the Standpoint of Artificial Intelligence. MIT Press, 1988.
[42] R. Simmons. Representing and Reasoning about Change in Geologic Interpretation. TR-749, MIT AI Lab, Cambridge, MA, 1988.
[43] R. M. Stallman and G. J. Sussmann. Forward reasoning and dependency-directed backtracking. Artificial Intelligence, 1977.
[44] L. A. Stauffer. An Empirical Study on the Process of Mechanical Design. PhD thesis, Oregon State University, 1987.
[45] L. A. Stauffer, D. G. Ullman, and T. G. Dietterich. Protocol analysis of mechanical engineering design. In Proceedings of the International Conference on Engineering Design, 1987.
[46] M. Stefik. Planning with constraints (molgen: Part 1). Artificial Intelligence, 1981.
[47] L. I. Steinberg. Design as refinement plus constraint propagation: The vexed experience. In Proceedings of the 6th National Conference on Artificial Intelligence, 1987.
[48] J. D. Storer. A Simple History of the Steam Engine. John Baker Publisher, London, 1969.
[49] G. Sussmann. A Computer Model of Skill Acquisition. Elsevier Inc., New York, 1975.
[50] C. Tong and D. Sriram. Artificial Intelligence Approaches To Engineering Design. Addison-Wesley, Reading, MA, 1993.
[51] K. T. Ulrich. Computation and Pre-Parametric Design. AI-TR-1043, MIT AI Lab, Cambridge, MA, 1988.
[52] D. S. Weld and J. de Kleer. Readings in Qualitative Reasoning about Physical Systems. Morgan Kaufmann Publishers, 1990.
[53] D. E. Wilkins. Practical Planning: Extending the Classical Artificial Intelligence Planning Paradigm. Morgan Kaufmann, San Mateo, CA, 1988.
[54] B. C. Williams. Invention from First Principles via Topologies of Interaction. PhD thesis, MIT AI Lab, Cambridge, MA, 1989.
Asset Metadata
Core Title
00001.tif
Tag
OAI-PMH Harvest
Permanent Link (DOI)
https://doi.org/10.25549/usctheses-oUC11255748
Unique identifier
UC11255748
Legacy Identifier
DP22859