typed timed input/output automata in real-time, cybernetic explanation

This article was downloaded by: [York University Libraries]
On: 10 November 2014, At: 16:48
Publisher: Taylor & Francis
Informa Ltd Registered in England and Wales Registered Number: 1072954 Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

Cybernetics and Systems: An International Journal
Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/ucbs20

TYPED TIMED INPUT/OUTPUT AUTOMATA IN REAL-TIME, CYBERNETIC EXPLANATION
J. F. PETERS III, Department of Computer Science, University of Arkansas, SCEN 232, Fayetteville, Arkansas, 72701, USA
Published online: 21 May 2007.

To cite this article: J. F. PETERS III (1993) TYPED TIMED INPUT/OUTPUT AUTOMATA IN REAL-TIME, CYBERNETIC EXPLANATION, Cybernetics and Systems: An International Journal, 24:2, 115-137, DOI: 10.1080/01969729308961703

To link to this article: http://dx.doi.org/10.1080/01969729308961703




Cybernetics and Systems: An International Journal, 24: 115-137, 1993

TYPED TIMED INPUT/OUTPUT AUTOMATA IN REAL-TIME, CYBERNETIC EXPLANATION

J. F. PETERS, III

Department of Computer Science, University of Arkansas, SCEN 232, Fayetteville, Arkansas 72701, USA

This paper presents a basis for real-time, cybernetic explanation in terms of typed timed input/output automata (tTAi/os). These are a form of Muller automata with typed states, input, and output. The typing of a tTAi/o is carried out intuitionistically in the tradition begun by Martin-Löf. The explanation of choice in the behavior specified by a tTAi/o is given in terms of the choice operators from Girard's linear logic. The meaning of a timed behavior specified by a tTAi/o is explained with real-time temporal logic. As a result of this approach to cybernetic explanation, a framework for reasoning about time for a specified behavior is given.

INTRODUCTION

The notion of cybernetic explanation has been investigated by Bateson (1972, 1979), Turner (1971) and Winburn (1991). By cybernetic explanation is meant an accounting of observables in terms of underlying structure. Winburn (1991) suggests that automata can be used to explain the behavior of diverse phenomena and the value of logical typing in future cybernetic modeling. In this paper, we suggest how typed timed input/output automata (tTAi/os) can be used to specify the behavior of communicating real-time systems. These automata are represented by finite, directed, labeled graphs like the one shown later in Fig. 2. A tTAi/o is the typed, timed extension of a predicate input/output automaton introduced in Peters (1991). It is the typing of the states, input and output of these automata that provides a basis for real-time, cybernetic explanation (RTCE). By RTCE is meant an accounting of observed behavior of communicating processes in the context of real-world clocks as in Peters (1991a) and

Copyright © 1993 Taylor & Francis 0196-9722/93 $10.00 + .00


Peters and Starling (1992). As part of a reliable computational approach to RTCE, we are interested in typing automata in the intuitionistic tradition begun by Martin-Löf (1971, 1975, 1984), implemented as a programming language by Nordström (1990), and providing the basis for the constructive type theory used by the Nuprl Proof Assistant (Constable, 1986). The expression of choice in the behavior specified by a typed automaton is captured with the choice operators from linear logic (Girard, 1987). The meaning of a specification provided by a typed automaton is enunciated with real-time temporal logic (Henzinger, 1991). The contribution made in this paper is the formulation of real-time, cybernetic explanation in the context of constructive type theory and real-time temporal logic.

In this paper, a typing discipline for timed automata in the tradition of Martin-Löf's type theory (Martin-Löf, 1971, 1975, 1984) is presented. A typed timed input/output automaton (tTAi/o) is a predicate automaton used to specify the behavior of real-time systems. There is a correspondence between types as sets and propositions. A type A is a proposition, which is defined when a prescription for constructing a proof of A is given. This idea provides the basis for typing timed automata. Typed automata provide many important advantages. First, they are communicating automata, so we can model communication between processes in a real-time system (Peters, 1992). Second, the predicates used to label the nodes and arcs of these automata make it possible to construct reliable controller software from proofs of the specifications embodied in these automata (Peters, 1991a, 1991b). Third, these automata provide a basis for a visual programming environment for real-time systems (Peters, 1991c). Fourth, the typing system we introduce is an application of constructive type theory (Murthy, 1990), which allows us to use a proof assistant such as Nuprl (Constable et al., 1986) to partially automate correctness proofs of specifications embodied in tTAi/os. This typing system is constructive, since computational content can be extracted during a proof of a specification. Finally, these automata are defined in terms of a set of clocks, which make it possible to write hard, real-time constraints which specify that actions by a system must be performed within a fixed number of time units.

EXAMPLE OF A TYPED TIMED AUTOMATON

Timed Muller automata have been shown to be suitable for modeling real-time systems (Alur and Dill, 1990; Peters, 1991a) and have been extended by de Jong (1991) to model temporal logic formulas. The automata introduced by de Jong belong to the class of predicate automata, which have been


used to specify and verify concurrent programs (Alpern, 1986; Murthy, 1990; Peters and Ramanna, 1991a) and to model the behavior of real-time systems (Alur and Dill, 1990; Henzinger, 1990, 1991; Peters, 1990, 1991a, b, c, 1992). In this paper, we illustrate the use of typed timed automata in real-time cybernetic explanation in terms of air-traffic landing strip controllers, which are communication and control systems at an airport having landing strips used by multiple incoming and outgoing aircraft.

Aircraft Landing Strip Controllers

The specification of an aircraft landing strip controller (ALSC) with a typed automaton is inspired by the PSF (process specification formalism) specification of an ALSC in Mauw and Veltink (1990). A sketch of a system of ALSCs is shown in Fig. 1.

Ordinary-Language Description of Landing Strip Controller Behavior

It is assumed that the ALSC in Fig. 1 operates in parallel with a distribution controller (indicated by Dir in Fig. 1), which forwards requests from incoming and outgoing aircraft to an appropriate ALSC. We also assume that each ALSC is connected to the distribution controller by an input/output channel. The notation output!(req = "land", id = A) in Fig. 1 indicates a message sent by ALSC1 to the distribution controller. This serves as a precondition for the read_io(req, s, id) operation by the ALSC (the io subscript on read_io indicates that read_io(req, s, id) is an input/output channel operation). The notation "input?(req, s, id)" specifies a discrete event containing a request req, landing strip s, and aircraft id that are received by the ALSC. We further assume that a request is either "land" (aircraft wishes to land) or "fly" (aircraft wishes to take off). In simplest terms, after preparing a landing strip for usage by aircraft, the ALSC performs two sequences of actions infinitely often: read followed by either a timed land_io<25 or timed disembark_io<200 instruction communicated to an aircraft.

FIGURE 1. System of aircraft landing strip controllers.

Visualization of ALSC Behavior with a Typed Timed Automaton

The behavior of an ALSC shown in Fig. 1 is specified with a typed timed automaton in Fig. 2. State q1 in Fig. 2 is a choice state that is recurrent and is a visualization of a recurrent behavior (one that is repeated infinitely often).

Notation: The automaton in Fig. 2 utilizes the following notation:

• q0 = 0th (start) state of behavior.
• State q0 is part of a sequence of states (q0, q1), so q0 is of type seq. The specified activity of an ALSC in its initial state is "prepare(s)," i.e., prepare landing strip s for use by aircraft. This information is summarized with the notation q_seq : prepare(s).
• State q1 is a recurrent state (indicated by the superscript ∞), since it is revisited infinitely often in the behavior of an ALSC. State q1 is also a choice state (indicated by the subscript ⊕) in q^∞_⊕ : read_io(req, s, id).
• read_io(req, s, id) = specified activity in state q1 ("reading input from director of all airport traffic"). The io subscript indicates that "read" is an activity that depends on the use of an input/output channel connected to the Dir (in Fig. 1) for the information it receives.


FIGURE 2. Aircraft landing strip controller automaton. (Node labels: q_seq : prepare(s); q^∞_⊕ : read_io(req, s, id); q_seq : land_io<25(s, id); q_seq : disembark_io<200(s, id). Arc labels: input?(req, s, id); req = "land" ∧ IsClear(s); req = "fly" ∧ IsClear(s).)

• State q2 is a sequence state responsible for communicating landing instructions to an incoming aircraft; this is denoted by q_seq : land_io<25(s, id).
• land_io<25(s, id) indicates that the specified activity ("landing") occurs before 25 time units have elapsed after the clock starts ticking in state q2 (this is an example of an upper bound on the duration of a state activity).
• State q3 is a sequence state responsible for communicating disembarking instructions to an outgoing aircraft; this is denoted by q_seq : disembark_io<200(s, id), which has a deadline of 200 ticks of an external clock.
• input?(req, s, id) = input from the environment to the automaton. In this case, the ALSC receives a message from a hidden airport director, which has sent the ALSC a request (req) from an aircraft (identified by id) to use landing strip s.
• req = "land" ∧ IsClear(s) = arc label indicating an enabling condition that must be satisfied before a transition from state q1 to q2 can be made. That is, a transition from state q1 to q2 by an ALSC can be made if a "land" request has been received from the airport director and its landing strip s is clear.


The predicates on the nodes and arcs of the automaton in Fig. 2 provide a specification of sequences of actions that are temporally ordered in real time. To see this, let the notation seq(a, b) indicate that predicate a evaluates to true before predicate b evaluates to true. Then we can extract the following timed sequences from the behavior specified in Fig. 2: seq(prepare(s), read_io(req, s, id) ∧ req = "land" ∧ IsClear(s), land_io<25(s, id), ...), seq(prepare(s), read_io(req, s, id) ∧ req = "fly" ∧ IsClear(s), disembark_io<200(s, id), ...).

In the first sequence, for example, we have the following temporal ordering: "preparing" occurs before "reading," which occurs before changing to the "landing" state. The action of landing has a hard timing constraint ("landing" must be completed before 25 clock ticks have elapsed). Later, we show how this idea can be expressed more formally with real-time temporal logic. It is obvious that many other behaviors (and corrections) can be added to the automaton in Fig. 2 to provide an explanation of the observed behavior. A feature of such automata, which we explore in a formal way in the succeeding sections, is the correctness of the specification provided by a typed automaton.

TIMED MULLER AUTOMATA

To model the timed behavior of communicating processes in real-time systems, we introduce a predicate automaton called a typed timed I/O automaton (tTAi/o), which is an extension of a timed Muller automaton (TMA). A Muller automaton (MA) was first introduced in Muller (1963) and was further investigated in Alur and Dill (1990), de Jong (1991), and Guessarian (1988). An MA is a 5-tuple (Σ, Q, Q0, δ, A) with an input alphabet Σ, finite set of states Q, start states Q0 ⊆ Q, accepting states A ⊆ 2^Q, and finite set of state transitions given by δ : Q × Σ → 2^Q. Let inf(w) be the set of states of an MA which are visited infinitely many times during a run over an infinite word w. A word w is accepted by an MA if inf(w) ∈ A. In other words, an infinite computation is accepted by a Muller automaton if the computation eventually cycles through a set of infinitely recurring states. A TMA is a 6-tuple (Σ, Q, Q0, Clocks, δ, A) with Σ, Q, Q0, and A as in an MA and with a finite set Clocks of real-valued clocks, a finite set of timing constraints Φ(Clocks), and a finite set of state transitions given by δ : Q × Σ × 2^Clocks × Φ(Clocks) → 2^Q. In a TMA, arcs are inscribed with predicates (with timing constraints on the parts of the words that are accepted). A TMA is deterministic (a dTMA) if Card(Q0) = 1 and the enabling conditions of the dTMA


are mutually exclusive. In the case where there is only one run over any timed trace in a dTMA, the class of timed languages accepted by deterministic TMAs is closed under union, intersection, and complementation (Alur, 1990; Peters, 1991b). As a result, it is now possible to decide whether an implementation satisfies its specification. It is an extension of the predicate form of Muller automaton found in de Jong (1991) that we utilize in this paper; it is the richness of predicate automata in defining transition conditions that we wish to exploit. In addition, as suggested in Courcoubetis et al. (1991), labeling of automata with predicates offers the possibility of descriptions of communicating processes with fewer states and encodings in the labels that facilitate correctness proofs. Finally, as a means of extracting the underlying meaning (computational content) from the proof of the specification provided by the predicate form of Muller automata, we introduce typed timed automata in the next section.
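The ALSC automaton of Fig. 2 run as a deterministic timed Muller automaton, as an added Python example that is not code from the paper: it encodes the node and arc labels given above, checks that the enabling conditions leaving the choice state q1 are mutually exclusive (the dTMA requirement), enforces the land_io<25 and disembark_io<200 deadlines over a constructed timed trace, and decides acceptance inf(w) ∈ A by reading a finite trace as a lasso (an assumption of this example, since the paper's acceptance is over infinite words). The finite event domain and the two traces are constructed for the example.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Event:
    """Constructed input event read in a state: the request and IsClear(s)."""
    req: str = ""        # "land", "fly" or "" (nothing received)
    clear: bool = True   # value of IsClear(s) when the event is read


# Encoding of Fig. 2 (constructed for this example).
# Node label: (state type, activity, deadline in ticks or None).
NODES = {
    "q0": ("seq", "prepare(s)", None),
    "q1": ("choice", "read_io(req, s, id)", None),   # recurrent choice state
    "q2": ("seq", "land_io<25(s, id)", 25),
    "q3": ("seq", "disembark_io<200(s, id)", 200),
}
# Arc label te(q, q'): enabling condition evaluated on the event observed in q.
ARCS = {
    ("q0", "q1"): lambda e: True,
    ("q1", "q2"): lambda e: e.req == "land" and e.clear,
    ("q1", "q3"): lambda e: e.req == "fly" and e.clear,
    ("q2", "q1"): lambda e: True,
    ("q3", "q1"): lambda e: True,
}
START = "q0"
# Muller acceptance family A, a subset of 2^Q: every accepted computation recurs through q1.
ACCEPT = [frozenset(s) for s in ({"q1"}, {"q1", "q2"}, {"q1", "q3"}, {"q1", "q2", "q3"})]
# Finite event domain for the static determinism check (assumption of the example).
EVENT_DOMAIN = [Event(r, c) for r, c in product(("land", "fly", ""), (True, False))]


def enabled_arcs(q, event):
    """Target states of all arcs leaving q whose enabling condition holds for event."""
    return [dst for (src, dst), te in ARCS.items() if src == q and te(event)]


def nondeterministic_states():
    """States whose outgoing enabling conditions are not mutually exclusive."""
    bad = set()
    for q in NODES:
        for e in EVENT_DOMAIN:
            if len(enabled_arcs(q, e)) > 1:
                bad.add(q)
    return sorted(bad)


def run(trace):
    """Run a timed trace [(ticks spent in the current state, event), ...] from q0.
    Returns (states visited, violations). A deadline is violated when the state's
    activity has not finished before the deadline elapses; a step with zero or more
    than one enabled arc stops the run."""
    q, states, violations = START, [START], []
    for i, (ticks, event) in enumerate(trace):
        deadline = NODES[q][2]
        if deadline is not None and ticks >= deadline:
            violations.append(f"step {i}: {NODES[q][1]} took {ticks} ticks in {q}")
        nxt = enabled_arcs(q, event)
        if len(nxt) != 1:
            violations.append(f"step {i}: {len(nxt)} arcs enabled in {q} for {event}")
            break
        q = nxt[0]
        states.append(q)
    return states, violations


def inf_states(states):
    """inf(w) for a finite trace read as a lasso: the states on the final cycle,
    or None when the trace does not end in a state visited earlier."""
    last = states[-1]
    first = states.index(last)
    if first == len(states) - 1:
        return None
    return frozenset(states[first:])


def accepted(trace):
    """Muller acceptance with timing: no violation and inf(w) is one of the sets in A."""
    states, violations = run(trace)
    if violations:
        return False
    inf = inf_states(states)
    return inf is not None and inf in ACCEPT


# Constructed traces: a well-timed landing followed by a take-off, and a late landing.
GOOD_TRACE = [(3, Event()), (1, Event("land", True)), (20, Event()),
              (2, Event("fly", True)), (150, Event())]
LATE_TRACE = [(3, Event()), (1, Event("land", True)), (30, Event())]

if __name__ == "__main__":
    print("nondeterministic states:", nondeterministic_states())
    print("good trace accepted:", accepted(GOOD_TRACE))
    print("late trace violations:", run(LATE_TRACE)[1])
```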

TYPED TIMED AUTOMATA

A tTAi/o enforces a constructive typing discipline. The timed actions associated with a state of a tTAi/o are specified with typed state predicates; arcs of tTAi/os are inscribed with enabling conditions for transitions. The typing discipline enforced by a tTAi/o adheres to the type theory of Martin-Löf (1971, 1984). The constructive interpretation of any predicate P is that P is provable. The notation p : P denotes that p is of type P. In an attempt to classify the rich set of node structures in a typed timed automaton, the nodes of a tTAi/o are typed. A node q has state type Q, where Q is the type of its proof.

Typed TAi/os are communicating automata. When tTAi/os are composed, message passing between the automata is made possible by the presence of hidden input/output channels. As in Bestavros (1991), communication between tTAi/os is asynchronous and nonblocking. The language accepted by a tTAi/o is the set of the timed behaviors of an agent. Acceptance of the behaviors of an agent by a typed TAi/o ensures that each sequence of events in an agent behavior satisfies a property specified by the automaton. A typed TAi/o is a 6-tuple (P, Q, Q0, Clocks, δ, A) with

• P ∈ {propositions}
• typed states Q
• start states Q0 ⊆ Q
• Clocks = finite set of real-valued clocks


• δ : Q × P × P × Φ(Clocks) → 2^Q (state transition)
• accepting states A ⊆ 2^Q
• inf(w) ∈ A
• node labels p ∈ Q × P × Φ(Clocks)
• arc labels te ∈ Q × Q × P
• Φ(Clocks) = set of timing constraints
• {hidden input/output channels addressable by p ∈ P}


The sets Clocks, A, and Q0 of a tTAi/o are as in a TMA. A node label of a tTAi/o is a state predicate p ∈ Q × P × Φ(Clocks), which specifies a timed activity that leads to a discrete event. A tTAi/o arc label te ∈ Q × Q × P represents an enabling condition, which is denoted by te(q, q') (or simply te, when it is clear from the context which arc is labeled by te). A te specifies a Boolean condition that must be satisfied before a transition can occur. Let φ be a tTAi/o property that a specified behavior must satisfy. In a manner quite similar to that in Manna and Pnueli (1989), a transition condition is given by p ∧ te ∧ φ. A tTAi/o is complete if δ is defined for all tuples (q, p, te, Φ(clock)) with state predicate p, enabling condition te, and timing constraint Φ(clock) on state q. In the next section, the classification of state types in terms of state and arc predicates and automaton property is given.

CURRY-HOWARD ISOMORPHISM AND MARTIN-LÖF'S TYPE THEORY

The remarkable relationship between sets and propositions recognized by Curry and Feys (1958) and Howard (1980) provides a means of constructing provably correct specifications of behaviors and the basis for the type theory of Martin-Löf (1971, 1984). In Martin-Löf's type theory, the Curry-Howard isomorphism between types and propositions is interpreted to mean propositions as sets, where the element of a set represents the proof of a proposition.

Forms of Judgment about Membership in Sets

The judgment "a is of type A" (written a ∈ A) can be interpreted in a variety of ways as suggested by Martin-Löf (1984). Table 1 summarizes the interpretations of a judgment about membership of an element in a set of type A. Interpretation 3 in Table 1 is due to Heyting (1931); interpretation 4 is due to Kolmogorov (1932). In the context of computer science, Kolmogorov's interpretation of a ∈ A has interest, since the pair (a, A) is identified with the pair (program, specification). It is the analogy between interpretations 1 and 2 of Table 1 that provides the basis for the Curry-Howard isomorphism and the typing of states and i/o data of timed automata. First we explain how to type automaton states.

TABLE 1. Interpretations of the Judgment "a ∈ A"

A is a            a ∈ A                              Evaluation of A
1. Set            a is a member of set A             A ≠ { }
2. Proposition    a proves (constructs) A            A is true
3. Intention      a is an algorithm to obtain A      A obtainable from a
4. Problem        a solves problem A                 A solvable

Typing Automaton States

The interpretation of membership of a state in a set of states is defined in terms of a proposition (type) about state predicates, enabling conditions, and automaton property of a tTAi/o. Let q : Q assert that state q is of type Q, p the state predicate labeling q, te the enabling condition labeling arc (q, q'), and φ a property to be satisfied by an automaton tTAi/o. Let sat(q, p ∧ te ∧ φ) assert that the conjunction p ∧ te ∧ φ is satisfied in state q. Then the judgment "state q ∈ Q" is equivalent to the proposition sat(q, p ∧ te ∧ φ). In the case of the specified behavior in Fig. 2, a desirable automaton property φ is that the behavior always guarantees that access to a landing strip is mutually exclusive. Given the scenario in Fig. 1, a collision is possible (the landing strips shown intersect). This suggests the need to modify the design in Fig. 2 to guarantee mutual exclusion. This can be accomplished by requiring input (from the Dir) to the "prepare" state about landing strip usage. We show the refined ALSC design later (see Fig. 4).

The set of typed automaton states Q of a tTAi/o can be viewed as a union of sets of typed states, i.e., Q = Q1 ∪ ... ∪ Qi ∪ ... ∪ Qn. The set Qi is interpreted constructively as a type. Then it is necessary to prescribe formation rules for type Qi, so that it can be determined when an automaton state q is a member (read "proof object") of Qi. The membership rule for state types of a predicate automaton is defined in terms of a function with fixed points. The fixed point of a function f : X → X is an object x in the domain of f such that

f(x) = x, where x is a fixed point of f for x ∈ X


Let q be a state of a tTAi/o M. Let p be a state predicate labeling q, enabling condition te inscribed on an arc (q, q'), and property φ, respectively, for automaton M. Let sat(q, p ∧ te ∧ φ) assert that the conjunction p ∧ te ∧ φ is satisfied in state q, which has a single outgoing arc inscribed with te. Then function μ_seq is defined as follows:

μ_seq(q) = q ∈ Q_seq, if sat(q, p ∧ te ∧ φ)
         = q ∈ Q', Q' ∩ Q_seq = { }, otherwise

That is, state q is a fixed point of function μ_seq if the conjunction p ∧ te ∧ φ is satisfied in state q; otherwise, q belongs to some other state type Q', where Q' and Q_seq are disjoint. Functions of the form μ_seq are useful in formulating membership rules for state types.

The key to distinguishing one state type from another is identifying the kinds of transitions that are possible from a given state. For example, we can collect together all those states having a single choice of a transition (with outgoing arc labeled te). Let all states with a single outgoing arc be of type Q_seq (i.e., as part of a sequence of states beginning with state q). Let (q, q'')_o denote that (q, q'') is the only outgoing arc from state q; similarly, (q', q'')_o is the only outgoing arc from state q'. Then the membership rules for type Q_seq are given by

membership:

    q ∈ Q_seq        (p' labels q', φ : P, te' inscribes (q', q'')_o) ⊢ μ_seq(q') ∈ Q_seq
    ---------------------------------------------------------------------------------
                                        q' ∈ Q_seq

Notation: The membership rule for states of type Q_seq has a hypothetical judgment in its right-hand premise. That is, p' labels q', φ : P, te' inscribes (q', q'')_o is needed to deduce the fact that μ_seq(q') ∈ Q_seq. The left-hand premise of the Q_seq membership rule says that the set Q_seq is inhabited; that is, we know beforehand that there is at least one proof of type Q_seq. In fact, among intuitionists, truth is inhabitation (Mendler, 1987).

Identifying Choice States with Linear Logic

A typed timed input/output automaton has a rich variety of state types. Linear logic is used in typed automata theory to classify state types representing choice. That is, we utilize the disjoint sum ⊕ and constructive or (written par) operators from linear logic (Girard, 1987) given in Table 2. In Table 2, the notation op. a.b is the prefix form of a op b. In classifying state types, we identify various choices of transitions that are possible from a given state. These choices of transitions from a state q are based on the evaluation of the state predicate p on q, enabling condition(s) (one or more arc inscriptions symbolized by te, te', te'', ...) on arc(s) leaving q, and an automaton property φ (it must be satisfied in every state of the automaton!). The identification of states that belong to a state type is carried out in terms of the fixed points of a μ_α : Q → Q function named in terms of some selection condition α. We give a selection of state types in Table 3.

Cataloguing State Types

Using various functions with fixed points, a catalogue of state types is given in Table 3. The notation sat(q | (q'), ...) used in Table 3 to define timeout states refers to a sequence of states (q, q') with q at its head and (q') occupying its tail. In other words, a timeout state is explained in terms of what happened in a previous state. Recurrent states are of particular interest, since we invariably need to model behaviors that repeat themselves infinitely often.

The list of state types in Table 3 can be much longer, for example, if we include states that involve choice and are recurrent. Figure 1 gives an illustration of this (state q0 is a ⊕ state that is recurrent). Finally, notice that an

TABLE 2. Linear Logic Operators

Operator    Interpretation
⊕. a.b      Disjoint sum (additive disjunction), where ⊕. a.b reads "choice of a single alternative, independent of other choices."
par. a.b    Constructive "or" (dual of ⊕), where par. a.b expresses dependence between two types of actions (negation of a implies b or negation of b implies a).


TABLE 3. Catalogue of State Types

State type   Fixed point function                                      Explanation
Q_seq        μ_seq(q) = q, if sat(q, p ∧ te ∧ φ)                       q has a single outgoing arc and q
             else q ∈ Q', Q' ∩ Q_seq = { } fi                          satisfies p ∧ te ∧ φ.
Q_⊕          μ_⊕(q) = q, if sat(q, p ∧ ⊕. te, te' ∧ φ)                 q has arcs (q, q'), (q, q'') labeled te, te',
             else q ∈ Q', Q' ∩ Q_⊕ = { } fi                            respectively, and q satisfies
                                                                       p ∧ ⊕. te, te' ∧ φ.
Q_par        μ_par(q) = q, if sat(q, p ∧ par. te, te' ∧ φ)             q has arcs (q, q'), (q, q'') labeled te, te',
             else q ∈ Q', Q' ∩ Q_par = { } fi                          respectively, and q satisfies
                                                                       p ∧ par. te, te' ∧ φ.
Q_abort      μ_abort(q) = q, if sat(q, ¬p)                             q fails to satisfy its state predicate.
             else q ∈ Q', Q' ∩ Q_abort = { } fi
Q_timeout    μ_timeout(q') = q', if sat(q | (q'),                      q fails to satisfy its state predicate
             seq(p_<k(q) ∧ t_timeout(q, q'), q'))                      within k ticks, and a transition is
             else q ∈ Q', Q' ∩ Q_timeout = { } fi                      made to q' (timeout state).
Q^∞          μ^∞(x, q, seq) = seq(q, μ^∞(succ(x), q', seq)),           Recurrent state.
             if q = q' in te(q, q') else seq(q, μ^∞(x, q', seq)),
             x ∈ Nats

automaton with choice states of type ⊕ or par is presumed to be deterministic. This means that great care is needed in identifying the enabling conditions labeling the arcs of a tTAi/o. That is, the enabling conditions labeling the arcs leaving a choice state must be mutually exclusive. For example, the inscriptions req = "land" on arc (q1, q2) and req = "fly" on arc (q1, q3) in Fig. 2 are mutually exclusive enabling conditions. Finally, notice that a state q is a recurrent state type provided that the counter x in μ^∞(x, q', seq) approaches infinity over time. This idea is reflected in the following membership rule, which tells how to construct a set of recurrent states:

membership:

    q ∈ Q^∞        (p' labels q', te' inscribes (q', q'')_o, φ : P) ⊢ sat(q', p' ∧ te' ∧ φ) ∀ x ∈ Nats as x → ∞ in μ^∞(x, q', seq)


Typed Input and Output


The main idea in typing input or output to a typed automaton is to establish membership rules for incoming and outgoing data. For example, we might want to model the controller for a spacecraft with typed commands received from a space command center. In that case, each incoming command would be typed so that the acceptance of a command is contingent upon a received command satisfying all appropriate spacecraft constraints (expressed in a membership rule for constraints of a given type). The typing of the input and output of a typed automaton in terms of membership rules is described in Peters and Starling (1992).

REAL-TIME TEMPORAL LOGIC

RTTL (Henzinger, 1991; Ostroff, 1987; Peters and Ramanna, 1991a; Ramanna and Peters, 1991) provides a concise means of formulating hard, real-time constraints as well as prescribing the timed behavior of a real-time system. In this section, we briefly introduce a linear sequent form of RTTL called RTTL_seq. We limit the presentation of RTTL_seq to a discussion of U (until) and temporal operators derived from U: ◇^ω (infinitely often) and, especially, hard timing constraints and seq(p_1, p_2, ..., p_n) (a temporally quantified sequence of state predicates where p_1 holds before p_2, and so on), which has been discussed informally in earlier sections of this paper.

Syntax

For the subset of RTTL_seq we have chosen, the syntax is defined in terms of a denumerable set of variables: x, y, ..., a denumerable set of n-ary functions: f, g, ..., a denumerable set of n-ary predicate symbols: p, q, ..., and the symbols ¬, ⊢, ..., ⊕, par, ∀, (, ), U. Well-formed formulas of RTTL_seq are atomic formulas, or, in the case where we have formulas A, B, a sequence of formulas Γ, and a variable x, then Γ, A ⊢ C, ⊢ C, ∀x. A, ¬A, (A ⊕ B), (A par B), (A U B) are well formed. The formulas Γ, A ⊢ C and ⊢ C are called sequents. In a sequent Γ, A ⊢ C, the formulas A, B are called hypotheses and C is called a conclusion.


Semantics of Temporal Operators

The ¬ (not) and ∀ (all) symbols have the usual semantics. In defining the semantics of the temporal operators for RTTL_seq, the notation (q_0, ..., q_x) ⊨ p for x ≥ 0 asserts that each of the states in the sequence (q_0, ..., q_x) satisfies predicate p. In what follows, let q_0 represent the current state in a behavior. Let p, p', p_1, p_2, ..., p_n be predicates. The semantics of U as well as the operators derived from U are as follows:

$$p\ \mathcal{U}\ p' \equiv \exists k, x : 0 \le x \le k : (q_0, \ldots, q_x) \models p \text{ and } q_k \models p'$$

$$p \text{ before } p' \equiv \exists k : 1 \le k : q_0 \models p \text{ and } (q_1, \ldots, q_k) \models p\ \mathcal{U}\ p'$$

$$\Diamond p \equiv \mathit{true}\ \mathcal{U}\ p$$

$$q_k \models \mathit{seq}(p) \equiv q_k \models p$$

$$\mathit{seq}(p_1, p_2, \ldots, p_n) \equiv p_1 \text{ before } \mathit{seq}(p_2, p_3, \ldots, p_n)$$

$$\Diamond^{\omega} p \equiv \mathit{seq}(p, \Diamond^{\omega} p)$$

Specification of Real-Time Timing Constraints

Let p be a state predicate, t : Real a rigid variable that records the time at a p-state, and k the number of ticks of an external clock. p_{<k} is a hard timing constraint with respect to a state predicate p with an upper time bound k : Nats, beginning state time t : R (reals), and later time t + k : R such that

$$p_{<k}(t) \equiv (\exists t' \in [t, t + k[\ .\ p(t'))$$

This timing constraint imposes a time limit of k ticks of an external clock for the successful evaluation of p. The predicate

$$p_{>k}(t) \equiv (\exists t' \ge t + k\ .\ p(t'))$$

expresses a lower bound on how long before an attempt to evaluate p can begin.
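As an added illustration (not from the paper), the following Python evaluator implements the U, before, ◇, seq, p_{<k} and p_{>k} definitions above over a finite timed behaviour and checks the landing branch of the Fig. 3 specification against two constructed behaviours. The state encoding, the proposition names, and the reading of p U p' as "p holds at every state before the one satisfying p'" are assumptions made here.

```python
from typing import Callable, FrozenSet, Sequence, Tuple

# A timed behaviour is a finite state sequence (q_0, ..., q_n); each state records the external
# clock reading and the propositions true in it (constructed encoding, not the paper's notation).
State = Tuple[int, FrozenSet[str]]
Behaviour = Sequence[State]
Formula = Callable[[Behaviour], bool]   # evaluated with beh[0] as the current state q_0


def atom(name: str) -> Formula:
    """State predicate p: proposition `name` holds in the current state q_0."""
    return lambda beh: bool(beh) and name in beh[0][1]

def conj(*fs: Formula) -> Formula:
    """p_1 /\\ ... /\\ p_n."""
    return lambda beh: all(f(beh) for f in fs)

def until(p: Formula, p2: Formula) -> Formula:
    """p U p': some q_k satisfies p' and every earlier state q_x (0 <= x < k) satisfies p
    (assumed reading of the paper's definition)."""
    def f(beh: Behaviour) -> bool:
        for k in range(len(beh)):
            if p2(beh[k:]):
                return True
            if not p(beh[k:]):
                return False
        return False
    return f

def eventually(p: Formula) -> Formula:
    """<>p == true U p."""
    return until(lambda beh: True, p)

def before(p: Formula, p2: Formula) -> Formula:
    """p before p': q_0 |= p and (q_1, ..., q_k) |= p U p' for some k >= 1, so the state
    satisfying p may persist over several clock ticks before p' is reached."""
    return lambda beh: len(beh) > 1 and p(beh) and until(p, p2)(beh[1:])

def seq(*ps: Formula) -> Formula:
    """seq(p_1, ..., p_n) == p_1 before seq(p_2, ..., p_n), and seq(p) == p."""
    return ps[0] if len(ps) == 1 else before(ps[0], seq(*ps[1:]))

def within(p: Formula, k: int) -> Formula:
    """Hard upper bound p_{<k}: p holds at a state whose clock time t' lies in [t, t+k[,
    t being the clock reading of the current state."""
    def f(beh: Behaviour) -> bool:
        t = beh[0][0] if beh else 0
        return any(p(beh[i:]) for i in range(len(beh)) if t <= beh[i][0] < t + k)
    return f

def not_before(p: Formula, k: int) -> Formula:
    """Lower bound p_{>k}: p holds at a state whose clock time t' is at least t + k."""
    def f(beh: Behaviour) -> bool:
        t = beh[0][0] if beh else 0
        return any(p(beh[i:]) for i in range(len(beh)) if beh[i][0] >= t + k)
    return f


# Landing branch of the Fig. 3 specification: seq(prepare(s), read /\ req = "land" /\ IsClear(s),
# land_{io<25}(s, id)); "landed" stands for the controller observing that the aircraft is down.
LANDING_SPEC = seq(atom("prepare"),
                   conj(atom("read"), atom("req_land"), atom("clear")),
                   within(atom("landed"), 25))

# Constructed behaviours: (clock tick, propositions true in that state).
ON_TIME = [(0, frozenset({"prepare"})), (3, frozenset({"read", "req_land", "clear"})),
           (4, frozenset({"landing"})), (20, frozenset({"landed"})),    # down 16 ticks later
           (21, frozenset({"prepare"}))]
TOO_LATE = [(0, frozenset({"prepare"})), (3, frozenset({"read", "req_land", "clear"})),
            (4, frozenset({"landing"})), (40, frozenset({"landed"})),   # 36 ticks: deadline missed
            (41, frozenset({"prepare"}))]

if __name__ == "__main__":
    print(LANDING_SPEC(ON_TIME), LANDING_SPEC(TOO_LATE))   # True False
```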

EXAMPLE: REAL-TIME SPECIFICATION OF A CONTROLLER

In this section, we give an RTTL specification (see Fig. 3) of the aircraft landing strip controller (ALSC) visualized in Figs. 1 and 2.

Notation: In Fig. 3, land_io<25(s, id) specifies that a plane must land within 25 ticks of the clock and disembark_io<200(s, id) specifies that a plane must take off within 200 ticks of the clock (for simplicity, we have suppressed the mechanics of these instructions, which would require some form of acknowledgment of successful landing or successful takeoff by an aircraft before the deadline). The notation ◇^ω⊕ indicates that infinitely often there is a choice of sequences of actions, depending on the request received by the ALSC. Notice also that the RTTL ◇^ω⊕ seq(...), seq(...) specification in Fig. 3 is a precise prescription for state q1 (a recurrent choice state) in Fig. 2.

CORRECTNESS OF DESIGN

In Fig. 2, the property we wish to prove is that the ALSC controller guarantees safe operation of its aircraft landing strip. In the context of time-critical processes in a busy airport, this means that each ALSC must guarantee mutually exclusive access to its landing strip. In the illustration in Fig. 1, the possibility that aircraft A will cross the landing strip being used for disembarking by aircraft B must be avoided. The mutual exclusion property of an ALSC can be expressed formally as follows: let strip = {aircraft using strip s to land or to take off}. Mutual exclusion holds in the ALSC automaton if Card(strip) ≤ 1 in every state of the automaton.

Mutual Exclusion Property

In its current form, the prescribed behavior given by the automaton in Fig. 2 and the temporal specification in Fig. 3 appears to satisfy the mutual exclusion property. This is so because a transition from state q1 ("reading request") either to state q2 ("landing") or to state q3 ("disembarking") is made only if the enabling condition IsClear(s) holds. That is, landing strip s is verified to be clear by the ALSC before it is used. However, notice that in the preliminary design of the communicating controllers in Figs. 1 and 2 there is no requirement that the Director inform a strip controller that its strip is being pre-empted for use by another strip controller in the case where two strips intersect each other (as they do in Fig. 1!). A collision between aircraft is possible. The appropriate state to handle this preemption action by the Director, before it communicates a request for strip usage, is the "prepare" state of an ALSC. A refined typed automaton that guarantees the mutual exclusion property is given in Fig. 4.

--Aircraft Landing Strip Controller:
seq(prepare(s),                                                    --prepare landing strip for usage
    ◇^ω ⊕ seq(read_io(req, s, id) ∧ req = "land" ∧ IsClear(s),     --input ? (req, s, id) --read req to land aircraft --strip s is clear for landing
              land_io<25(s, id)),                                  --timed landing instruction, or
          seq(read_io(req, s, id) ∧ req = "fly" ∧ IsClear(s),      --input ? (req, s, id) --read req to fly aircraft --strip s is clear for take-off
              disembark_io<200(s, id)))                            --timed take-off instruction

FIGURE 3. Explicit clock specification for an ALSC.

Notation: In Fig. 4, the start state is a recurrent choice state (this is its type). This is indicated by

q0^∞ : prepare_io(s, StatusOf(s))

The input ? (s, StatusOf(s)) label on the channel (dashed) arrow on state q0 indicates that the ALSC receives messages about the status of its landing strip s via an i/o channel connected to the Director. The ALSC returns to its "prepare" state (i.e., q0) if StatusOf(s) = "busy." Otherwise, if StatusOf(s) = "clear," the ALSC can proceed to state q1, where it awaits a strip-usage request.

FIGURE 4. Revised typed timed automaton for an ALSC. (Graph not reproduced; the recoverable labels are: q0^∞ : prepare_io(s, StatusOf(s)) with channel input ? (s, StatusOf(s)) and a return arc labeled StatusOf(s) = "busy"; q1 with input ? (req, s, id); q_seq : land_io<25(s, id); q_seq : disembark_io<200(s, id).)

--Revised Specification for an Aircraft Landing Strip Controller:
◇^ω ⊕ (seq(prepare_io(s, StatusOf(s)) ∧ StatusOf(s) = "clear",     --input ? (s, StatusOf(s)) --landing strip s is clear
           ⊕ seq(read_io(req, s, id) ∧ req = "land",                 --input ? (req, s, id) --aircraft wishes to land
                 land_io<25(s, id)),                                 --timed landing instruction, or
             seq(read_io(req, s, id) ∧ req = "fly",                  --input ? (req, s, id) --read req to fly aircraft --aircraft wishes to take off
                 disembark_io<200(s, id))),                          --timed take-off instruction
       prepare_io(s, StatusOf(s)) ∧ StatusOf(s) = "busy")            --or input ? (s, StatusOf(s)) --landing strip s is busy

FIGURE 5. Real-time temporal logic specification for an ALSC.

Revised Real-Time Temporal Logic Specification of Controller

The revised RTTL specification of the ALSC visualized in Fig. 4 is given in textual form in Fig. 5.

Informal Proof of Mutual Exclusion

Based on the specification for the behavior of an ALSC in Figs. 4 and 5, we can now prove the correctness of the design. We do this informally, first. Mutually exclusive use of a landing strip s holds if 0 ≤ Card(s) ≤ 1. In the new design of an ALSC (see Fig. 4), we know that Card(s) = 0 whenever a transition is made from q0 to q1 ("reading" a strip usage request). That is, StatusOf(s) = "clear" must be received from the Director before an ALSC makes a transition to state q1. In state q1, an ALSC processes a strip-usage request by proceeding to state q2 or q3. In that case, Card(s) = 1. Notice that after an ALSC processes a strip-usage request, it returns to state q0 (its "prepare" state), not to its "reading" state (q1) as in Fig. 2. Hence, it is always the case that 0 ≤ Card(s) ≤ 1, which proves that the ALSC in Fig. 4 satisfies the mutual exclusion property.


Formal Proof of Mutual Exclusion


The formal proof of the mutual exclusion property for the ALSC in Figs. 4 and 5 (we refer only to Fig. 4 in the proof in Fig. 6) relies on the connection between what are known as transductions and transduction rules, introduced in Peters and Ramanna (1991a) and explored further in Peters and Ramanna (1991b, 1992). A transduction Td_{q,q'} = seq(q, q') specifies that the activity in state q occurs before the activity in state q' and that state q' eventually occurs once we are in state q. Let p, te, and φ represent a state predicate, an enabling condition relative to seq(q, q'), and an automaton property, respectively. A transduction rule Tr_{q,q'} = sat(q | (q'), p ∧ te ∧ φ) says that for a sequence of states seq(q, q'), it is asserted that p ∧ te ∧ φ is satisfied in state q. The relationship between transductions and transduction rules for a deterministic, complete, typed timed automaton is enunciated by Proposition 1.

Proposition 1 (Peters, 1992): In a deterministic, complete typed timed automaton, Td_{q,q'} and sat(q, φ) ⇔ Tr_{q,q'}.

In the proof in Fig. 6, completes(a) means "action a completes within the prescribed time" and mutex(seq) means "mutual exclusion holds in the sequence of states seq." For example, completes(land_io<25(s, id)) asserts that an aircraft "lands" within 25 ticks of the clock and clears the landing strip. A controller verifies that each of its activities satisfies one or more properties by validating each of its transductions before each change of state. For simplicity, we prove that the mutual exclusion property holds for the ALSC in Fig. 4 for the following case:

seq(q0 : prepare_io(s) ∧ StatusOf(s) = "clear",
    q1 : read_io(req, s, id) ∧ req = "land",
    q2 : land_io<25(s, id),
    q0 : prepare_io(s) ∧ StatusOf(s) = ?)

The proof of the mutual exclusion property now follows the scenario for this particular case. The proof of mutual exclusion for the remaining cases is symmetrical with the proof given in Fig. 6.


0     q0 ⊨ prepare_io(s) ∧ StatusOf(s) = "clear"                                   assump.
1.1   q1 ⊨ read_io(req, s, id)                                                     assump.
1.2   req = "land"                                                                 assump.
1.3   land_io<25(s, id) ∧ t_o < 25                                                 assump.
2     q1 ∈ Q_⊕                                                                     fr graph in Fig. 4
3     π_⊕(q1)                                                                      fr 1
4     sat(q1, read_io(req, s, id) ∧ (req = "land" ⊕ req = "fly") ∧ Card(s) = 0)   fr 3, 2; fr 1, 2 (choice); fr 0
5     read_io(req, s, id) ∧ req = "land"                                           fr 1.1, 1.2
6     Tr_{q1,q2}                                                                   fr 3, 4, 5, def. of Tr
6.1   mutex(q0, q1)                                                                fr 0, 4
7     Td_{q1,q2}                                                                   fr 6, 6.1, Proposition 1
8     q2 : land_io<25(s, id) ∈ Q_seq                                               fr graph in Fig. 4
9     Card(s) = 1                                                                  fr 8
10    t_o < 25                                                                     fr 1.3
11    Tr_{q2,q0}                                                                   fr 8, 9, 10, def. of Tr
11.1  mutex(q0, q1, q2)                                                            fr 9, 6.1
12    Td_{q2,q0}                                                                   fr 11, 11.1, Proposition 1
13    completes(land_io<25(s, id))                                                 fr 10, assumed WLOG
14    Card(s) = 0                                                                  fr 13
15    q0 : prepare_io(s)                                                           fr 12
16    Card(s) = 0                                                                  fr 13, 14
16.1  mutex(q0)                                                                    fr 15, 16
17    mutex(seq(q0, q1, q2, q0))                                                   fr 0, 6.1, 11.1, 14, 16.1

FIGURE 6. Proof of mutual exclusion for controller behavior in time.

REASONING IN TIME

MacLeod has observed that imposing deadlines on controller actions adds valuable information to the control system, information that is useful for designers interested in measuring controller performance and in tuning the system (MacLeod and Lun, 1991). The imposition of timing constraints on control system behavior is somewhat controversial, because there is some doubt about our ability to formulate reasonable timing constraints on controller activities in the context of an unpredictable environment. An eloquent discussion of this issue by Kopetz and Turski is given in Kopetz (1989). The persuasive counterargument is that by imposing timing constraints on controller behavior, we can develop a profile of controller performance and adaptiveness in a changing environment.


The specification of ALSC behavior in graphical form in Fig. 4 guarantees absence of livelock (one plane not waiting indefinitely long for access to a landing strip) and illustrates how a controller "reasons" in time. In other words, the controller behavior should guarantee that there is a time limit on how long an aircraft may use a landing strip (to avoid livelock). The absence of livelock is guaranteed by imposing deadlines on landing strip usage. This is expressed temporally by the assertions

$$(\mathit{disembark}_{io<200}(s, id))(t) \equiv_{def} \exists t' \in [t, t + 200[\ .\ \mathit{disembark}(t')$$

$$(\mathit{land}_{io<25}(s, id))(t) \equiv_{def} \exists t' \in [t, t + 25[\ .\ \mathit{land}(t')$$

In other words, "disembarking" of an aircraft must occur within 200 ticks of the controller clock. The controller must detect that an aircraft has disembarked (in effect, Card(s) = 0) before the deadline, or carry out a recovery procedure in the event of a timeout (not shown in Fig. 4). Similarly, "landing" of an aircraft must occur within 25 ticks of the controller clock. In that case, the controller must detect that an aircraft has landed (in effect, Card(s) = 1) before the deadline, or carry out a recovery procedure in the event of a timeout (also not shown in Fig. 4). For simplicity, we omitted the recovery states of an ALSC in the event of a timeout. The main point to notice in considering deadlines imposed on a controller design is that indefinite waiting for a resource is avoided.
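As an added example (not part of the paper), the following Python simulation drives the revised ALSC of Fig. 4 through the Director's StatusOf(s) messages, the land_io<25 and disembark_io<200 deadlines discussed here, and a timeout state standing in for the recovery procedure the paper omits; it records Card(s) at every tick so that the 0 ≤ Card(s) ≤ 1 invariant of the mutual exclusion proof can be checked over a run. The message encoding, the tick scheduling, and the two scenarios are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Messages on the ALSC's i/o channels (constructed encoding, not the paper's notation):
#   ("status", s, "clear" | "busy")  from the Director, read in q0 (prepare)
#   ("req", req, s, id)              strip-usage request, read in q1 (read)
#   ("done", id)                     the aircraft reports that the timed action completed
Msg = Optional[Tuple]
DEADLINE = {"land": 25, "fly": 200}   # ticks allowed by land_io<25 and disembark_io<200


@dataclass
class ALSC:
    strip: str
    state: str = "q0"   # q0 prepare, q1 read, q2 land, q3 disembark, q_timeout (recovery; not in Fig. 4)
    card: int = 0       # Card(s): aircraft currently using strip s to land or take off
    clock: int = 0      # external clock
    started: int = 0    # tick at which the current timed instruction was issued
    pending: str = ""   # id of the aircraft executing that instruction
    trace: List[Tuple[int, str, int]] = field(default_factory=list)

    def step(self, msg: Msg = None) -> str:
        """Advance the clock one tick, consuming at most one message; returns the new state."""
        self.clock += 1
        if self.state == "q0" and msg and msg[0] == "status" and msg[1] == self.strip:
            if msg[2] == "clear":          # StatusOf(s) = "clear": a request may now be read
                assert self.card == 0
                self.state = "q1"
            # StatusOf(s) = "busy": the Director has pre-empted s; stay in q0
        elif self.state == "q1" and msg and msg[0] == "req" and msg[2] == self.strip:
            if msg[1] in DEADLINE:          # req = "land" and req = "fly" are mutually exclusive
                self.state = "q2" if msg[1] == "land" else "q3"
                self.card, self.started, self.pending = 1, self.clock, msg[3]
        elif self.state in ("q2", "q3"):
            limit = DEADLINE["land" if self.state == "q2" else "fly"]
            if self.clock - self.started >= limit:
                self.state = "q_timeout"    # no t' < t + k observed: recovery, outside the paper's model
            elif msg and msg[0] == "done" and msg[1] == self.pending:
                self.card, self.state = 0, "q0"   # strip cleared; return to prepare, not to q1
        self.trace.append((self.clock, self.state, self.card))
        return self.state


def mutex_holds(trace: List[Tuple[int, str, int]]) -> bool:
    """Mutual exclusion: 0 <= Card(s) <= 1 in every recorded state."""
    return all(0 <= card <= 1 for _, _, card in trace)


def run(ctrl: ALSC, script: Dict[int, Tuple]) -> List[str]:
    """Drive the controller one tick at a time; script maps a tick to the message arriving then."""
    return [ctrl.step(script.get(tick)) for tick in range(1, max(script) + 2)]


# Constructed scenario: the Director holds s1 busy for two ticks (another controller's aircraft is
# crossing), clears it, A lands 12 ticks after the instruction, then B takes off within 80 ticks.
SCENARIO_OK = {1: ("status", "s1", "busy"), 2: ("status", "s1", "busy"),
               3: ("status", "s1", "clear"), 4: ("req", "land", "s1", "A"), 16: ("done", "A"),
               18: ("status", "s1", "clear"), 19: ("req", "fly", "s1", "B"), 99: ("done", "B")}
# Aircraft C reports touch-down only at tick 40: the 25-tick landing deadline has expired by then.
SCENARIO_LATE = {1: ("status", "s1", "clear"), 2: ("req", "land", "s1", "C"), 40: ("done", "C")}

if __name__ == "__main__":
    ok, late = ALSC("s1"), ALSC("s1")
    print(run(ok, SCENARIO_OK)[-1], mutex_holds(ok.trace))        # q0 True
    print(run(late, SCENARIO_LATE)[-1], mutex_holds(late.trace))  # q_timeout True
```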

CONCLUSION

Modeling the timed behavior of a real-time system as typed timed input/output automata has several design advantages for a cyberneticist: (1) it is possible to visualize alternative paths (sequences of states) in a behavior over time, which makes it easier to pinpoint the need for timed actions and constraints as well as the requirements for synchronization between communicating machines; (2) a designer can use the graphical representation of a behavior to formulate transduction rules, which provide a rationale for transformations of states into new states; (3) estimating the desired responsiveness of the system to the environment is made easier because a designer can more easily estimate the maximum number of ticks after a point of observation (at the instant an external clock starts ticking in a given state) before the observation becomes obsolescent. Real-time temporal logic is a necessary counterpart in this modeling process, since it provides a designer with the essential tools needed to write assertions about timed behaviors and to prove the correctness of system specifications.

REFERENCES

Alpern, B. L. 1986. Proving Temporal Properties of Concurrent Programs: A Non-Temporal Approach. Ph.D. dissertation, Cornell University, TR-86-732.

Alur, R., and D. Dill. 1990. Automata for Modeling Real-Time Systems. In Automata, Languages and Programming (Lecture Notes in Computer Science, Vol. 443), pp. 322-335. New York: Springer-Verlag.

Bateson, G. 1972. Cybernetic Explanation. In Steps to an Ecology of Mind. New York: Ballantine.

Bateson, G. 1979. Mind and Nature: A Necessary Unity. New York: Bantam.

Bestavros, A. 1991. Specification and Verification of Real-Time Embedded Systems Using Time-Constrained Reactive Automata. Proc. 12th IEEE Real-Time Systems Symposium, San Antonio, TX, December.

Constable, R. L., et al. 1986. Implementing Mathematics with the Nuprl Proof Development System. Englewood Cliffs, NJ: Prentice-Hall.

Courcoubetis, C., S. Graf, and J. Sifakis. 1991. An Algebra of Boolean Processes. Proc. Third Workshop on Computer Aided Verification, Vol. II, pp. 557-565.

Curry, H. B., and R. Feys. 1958. Combinatory Logic, Vol. I, pp. 312-315. Amsterdam: North-Holland.

De Jong, G. G. 1991. An Automata Theoretic Approach to Temporal Logic. Proc. Third Workshop on Computer Aided Verification, Vol. II, pp. 557-565.

Girard, J.-Y. 1987. Linear Logic. Theor. Comput. Sci. 50:1-102.

Guessarian, I. 1988. A Characterization of Fair Computations of Finite State SCCS Processes (Lecture Notes in Computer Science, Vol. 386), pp. 234-248. New York: Springer-Verlag.

Henzinger, T. A., Z. Manna, and A. Pnueli. 1990. Temporal Methodologies for Real-Time Systems. Proc. 18th Annual ACM Symposium on Principles of Programming Languages, pp. 353-366.

Henzinger, T. A. 1991. The Temporal Specification and Verification of Real-Time Systems. Ph.D. dissertation, Department of Computer Science, Stanford University.

Heyting, A. 1931. Die intuitionistische Grundlagen der Mathematik. Erkenntnis 2:106-115.

Howard, W. A. 1980. The Formulae-as-Types Notion of Construction. In To H. B. Curry: Essays on Combinatory Logic, Lambda Calculus and Formalism. London: Academic Press.

Kolmogorov, A. N. 1932. Zur Deutung der intuitionistischen Logik. Mathematische Z. 35:58-65.

Kopetz, H. 1989. Design of a Real-Time Computing System. Proc. Joint Univ. of Newcastle Upon Tyne/Int. Computers Ltd Seminar, pp. IV.25-IV.58.

MacLeod, I. M., and V. Lun. 1991. Towards Distributed Real-Time Intelligence. Preprints, 3rd IFAC International Workshop on Artificial Intelligence in Real-Time Control.

Manna, Z., and A. Pnueli. 1989. Specification and Verification of Concurrent Programs by ∀-Automata (Lecture Notes in Computer Science, Vol. 398), pp. 125-164. New York: Springer-Verlag.

Martin-Löf, P. 1971. A Theory of Types. Research Report, Department of Mathematics, University of Stockholm.

Martin-Löf, P. 1975. An Intuitionistic Theory of Types: Predicative Part. Proceedings of Logic Colloquium '73, pp. 73-118. Amsterdam: North-Holland.

Martin-Löf, P. 1984. Intuitionistic Type Theory. Napoli, Italy: Bibliopolis.

Mauw, S., and G. J. Veltink. 1990. A Process Specification Formalism. Fundamenta Informaticae XIII:85-139.

Mendler, P. F. 1987. Inductive Definition in Type Theory. Ph.D. dissertation, Department of Computer Science, Cornell University, Ithaca, NY.

Muller, D. E. 1963. Infinite Sequences and Finite Machines. Proc. 4th IEEE Symp. on Switching Circuit Theory and Logical Design, New York, pp. 3-16.

Murthy, C. 1990. Extracting Constructive Content from Classical Proofs. Ph.D. dissertation, Report 90-115, Cornell University.

Nordström, B., K. Petersson, and J. M. Smith. 1990. Programming in Martin-Löf's Type Theory: An Introduction. Oxford, UK: Oxford University Press.

Ostroff, J. S. 1987. Temporal Logic of Real-Time Systems. Ph.D. dissertation, University of Toronto.

Peters, J. F. 1991. Constructive Specification of Communicating Processes Using Temporal Logic. Ph.D. dissertation, Computing & Information Sciences, Kansas State University.

Peters, J. F. 1991a. Constructively Typed Time Automata. Report No. SU-CIS-91-23, School of Computer & Information Science, Syracuse University.

Peters, J. F. 1991b. Martin-Löf's Theory of Types in Typing Timed Automata. Report No. CSCI-TR-91-03, Department of Computer Science, University of Arkansas, Fayetteville.

Peters, J. F. 1991c. Visualizing Real-Time Systems with Typed Timed Automata. Technical Report CSCI-TR-91-04, Computer Science Department, University of Arkansas, Fayetteville.

Peters, J. F. 1992. Typed Timed Automata in Specifying Provably-Correct Real-Time Systems. CSCI-TR-92-01, Department of Computer Science, University of Arkansas, Fayetteville.

Peters, J. F., and S. Ramanna. 1991a. Modelling Timed Behavior of Real-Time Systems with Temporal Logic. Cybernet. Syst. Int. J. 22:585-610.

Peters, J. F., and S. Ramanna. 1991b. Constructing Real-Time Systems from Temporal I/O Automata. Report No. SU-CIS-91-22, School of Computer & Information Science, Syracuse University.

Peters, J. F., and S. Ramanna. 1992. Adaptive Controllers as Typed Timed Input/Output Automata. Proc. 1992 IFAC/IFIP/IMACS Int. Symp. on Artificial Intelligence in Real-Time Control, Special Session on Aspects of Temporal Reasoning, pp. 145-162, Delft, The Netherlands. In press.

Peters, J. F., and G. Starling. 1992. A Category of Transition Diagrams over Time for Concurrent Typed Automata. Proc. 23rd Int. Conf. on Combinatorics, Graph Theory, and Computing, Boca Raton, FL.

Ramanna, S., and J. F. Peters. 1991. Explicit Clock Logic in Constraints Checking in Real-Time Systems. Preprints, IFAC Workshop on Artificial Intelligence in Real-Time Control (AIRTC91), Sonoma, CA.

Turner, M. B. 1971. Realism and the Explanation of Behavior. New York: Meredith.

Winburn, W. R. 1991. Cybernetics, Teleology, and Science. Cybernet. Syst. Int. J. 22:553-582.

Requests for reprints should be sent to J. F. Peters, III.
