Wednesday, 11 December 2019


Causality is a difficult concept. For a lawyer[1]: did the accused cause the death of the deceased? For a health scientist[2]: does eating red meat cause cancer? For a philosopher[3]: can we reason reliably about necessary and sufficient causes? And for a physicist[4]: was Newton's concept of force a euphemism for the concept of cause that he rejected?

These are difficulties of defining causality and providing a consistent theory and a logic. Software engineers commonly use causal links in models. A state transition from Si to Sj labelled "e1/a3" means that in state Si the event e1 causes both the action a3 and the transition to state Sj: the causal link is implicit in the state-machine formalism. A recent paper [5] reviews some explicit treatments of causality in cyber-physical systems.

For us, the axiomatic model of a triplet's governed world is composed of causal links. Just as a computer's physical semantics define its behaviour in program execution, so the axiomatic model defines the governed world's behaviour in interaction with its triplet's machine. Cause-effect transmission in these axiomatic links is what allows machine behaviour at the sensors and actuators to govern behaviour in the real world.

The basic elements of a causal link are a cause phenomenon, an effect phenomenon, and a physical domain which effectuates the link—that is, the domain ensures that when the cause occurs the effect follows. For example, the domain may be an electric motor, the cause an event applyPower, and the effect motorRotating. The cause and effect phenomena are both phenomena in which the effectuating domain participates, and may independently be internal or external phenomena of the domain.

Causality is an informal abstraction. We do not attempt to build a formal logic for it, because its elements do not have the required characteristics: nothing is atomic; no property is mathematically certain; all definitions stumble on hard cases and counterexamples. Nonetheless, in developing and understanding system behaviour, the informal concept provides an essential tool. A causal link poses a bounded question: will this link be effectuated?

The effectuation of a causal link is always contingent. At a finer granularity, the structure of the domain can be seen, and the link itself appears as a chain of sublinks, each contingent on the state of its effectuating subdomain. If the power supply is overloaded, or the winding of the electric motor is burnt out, or the shaft bearing is distorted, the motor will not rotate. These disabling states can be brought about by previously effectuated links, reflecting the rich connectivity of the physical world. The concurrency introduced when behaviours are combined to give the whole system behaviour is another potential source of disabling conditions.

If causal links are so contingent, and so problematical, and so vulnerable, why are we relying on them? We rely on them because they form the axioms—the governed world properties—on which the triplet behaviour design will rely unconditionally. The causal link abstraction bounds the checking of these axioms: each link is the smallest element of system behaviour, in one constituent behaviour. If the system fails, the failure can be initially located at a causal link that should have been—or should not have been—effectuated, and pursued from there along the structures of causal chains that implement the system's operational principle.
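The motor example, as an added sketch that is not part of the original post: the applyPower/motorRotating link is expanded into a chain of sublinks, each contingent on the state of its effectuating subdomain, and a failure is located at the first sublink that was not effectuated. The intermediate phenomena (currentInWinding, torqueOnShaft) and the earlier link (runStalled, windingOverheated) are assumed names chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class CausalLink:
    cause: str                            # cause phenomenon
    effect: str                           # effect phenomenon
    domain: str                           # physical domain that effectuates the link
    disabled_by: frozenset = frozenset()  # domain states in which the effect does not follow
    induces: tuple = ()                   # (domain, state) pairs left behind once effectuated

# Constructed chain: applyPower -> motorRotating seen at a finer granularity.
MOTOR_CHAIN = [
    CausalLink("applyPower", "currentInWinding", "power supply", frozenset({"overloaded"})),
    CausalLink("currentInWinding", "torqueOnShaft", "winding", frozenset({"burnt out"})),
    CausalLink("torqueOnShaft", "motorRotating", "shaft bearing", frozenset({"distorted"})),
]
# Constructed link from another behaviour; effectuating it disables a motor sublink.
OVERHEAT = CausalLink("runStalled", "windingOverheated", "winding",
                      induces=(("winding", "burnt out"),))

def effectuate(chain, cause, states):
    """Propagate `cause` along `chain`, updating `states` (domain -> set of states).

    Returns (phenomena that occurred, first link not effectuated or None,
    the disabling states that blocked it).
    """
    occurred = [cause]
    for link in chain:
        if link.cause != occurred[-1]:
            raise ValueError(f"chain broken: {link.cause!r} does not follow {occurred[-1]!r}")
        blocking = link.disabled_by & states.get(link.domain, set())
        if blocking:
            return occurred, link, blocking
        occurred.append(link.effect)
        for domain, state in link.induces:
            states.setdefault(domain, set()).add(state)
    return occurred, None, frozenset()

def demo():
    states = {}
    healthy = effectuate(MOTOR_CHAIN, "applyPower", states)
    effectuate([OVERHEAT], "runStalled", states)  # earlier link leaves the winding burnt out
    failed = effectuate(MOTOR_CHAIN, "applyPower", states)
    return healthy, failed

if __name__ == "__main__":
    for occurred, link, blocking in demo():
        print(" -> ".join(occurred), "| failed at:", link and link.domain, sorted(blocking))
```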

[1] Joseph Y Halpern; Actual Causality; MIT Press, 2016.
[2] J L Mackie; The Cement of the Universe: A Study of Causation; Oxford University Press, 1974.
[3] Judea Pearl and Dana Mackenzie; The Book of Why: The New Science of Cause and Effect; Penguin, 2018.
[4] David Bohm; Causality and Chance in Modern Physics; Taylor and Francis, 2005.
[5] Ibrahim et al; Practical Causal Models for Cyber-Physical Systems; in Proc NASA Formal Methods Symposium, 2019.

Links to other posts:
 ← Triplets: Triplets (Machine+World=Behaviour) are system behaviour elements
 → Axiomatic Models:  Capturing basic assumptions for a behaviour
