The governed world of a cyber-physical system is populated by many things, drawn from the limitless variety of the physical world. It may include: mechatronic things—an airplane, an industrial press, a tower crane, or a vending machine; the local natural environment—a body of water, or a part of the moon’s surface or of the earth's atmosphere; the built and engineered environment—a canal or road, a house, a bridge, or a segment of railway track; people and other living creatures, participating in the system behaviour in various roles. These things and their relationships are the infrastructure of the governed world, supporting the behaviour playing out over time in occurrences of events and state changes; we call these things domains.
A domain carries physical states and participates in physical events. States and events may be shared with other domains: this sharing is the medium in which domains interact to form the governed world's behaviour. A domain exhibits characteristic local properties, relating its state and event phenomena. An electromagnetic switching relay, for example, may be identified as a domain in the governed world. It has the property that when power is applied to its coil circuit the relay contacts close and the switched circuit is completed to power a motor. We may think of this relationship as a causal link imputed to the domain: "powering the coil causes completion of the switched circuit". These links, and the sharing of state and event phenomena among domains, enable the machine—through its behaviour at the machine-world interface of sensors and actuators—to govern behaviour in the governed world.
At the scales relevant to cyber-physical systems, effectuation of a causal link is never perfectly reliable, but always contingent. For example, a causal link may fail: the switched circuit to power a motor has been completed, but the motor shaft does not turn. Perhaps the shaft is jammed in its bearings; or the imposed load is too great; or the motor windings are burnt out; or the power relay or the power supply has failed; or another device is using too much current. The set of possible explanations is not clearly bounded. The whole-and-part structure of many domains increases vulnerability in more than one way. Each part—that is, each subdomain—not only contributes its own budget of specific potential failures: it also offers additional interfaces at which other domains can contribute to failure.
Of course, all this is just a rewording of what we all know from our everyday experience and from our interactions with the systems we encounter. But governing behaviour in the physical world is the core purpose of software engineering for cyber-physical systems, and some of its challenges are often neglected—mistakenly relegated to a lesser importance than the formal and mathematical aspects of the work. This blog's purpose is to identify and think seriously about these challenges, and to offer some ways of addressing them. It's important, because neglecting them can play a large part in potentially catastrophic system failures.
Links to other posts:
↑ Physical Bipartite System: The nature of a bipartite system
↓ Axiomatic Models: Capturing basic assumptions for a behaviour
→ Causality: Causality provides the explanation of how a system works
→ Reliable Models: Reliability in a world of unreliable physical domains
← The Right-Hand Side: Why the model-reality relationship is problematic
← Not Just Physics: Software Engineering's unique view of the physical world