\newpage
\subsubsection{Safe defaults}

The next example is from the domain of Qualitative Reasoning about physical systems. It arises from the goal of compositionally constructing symbolic models of complex, real-time dependent, computational electro-mechanical systems, for the purpose of simulation, control and diagnosis.

The task is to model a portion of the control system for the paper-path of a reprographics machine, such as a photo-copier. In general, the paper-path consists of a sequence of baffles, drives, rollers, gates, and electronic sensors. An electronic module takes input from the sensors and controls the flow of power to various motors. Rollers are driven (through gear-trains) by motors; in normal operation they acquire incoming sheets and move them down-stream. However, rollers may malfunction under a variety of conditions --- they may be worn and may slip, or the paper may be greasy and difficult to acquire. Therefore, sensors are installed at various locations to detect whether a sheet dallies unduly at that location. When a sensor signals a jam, the power module immediately cuts power supply to drives, thus halting the paper-path.

We are concerned with building libraries of component models that may be used to assemble a system model given knowledge of system components and structure. In particular, we focus on modeling rollers, sensors and (the control logic for) the power-supply. We would like to use these models to construct a model of a simple system consisting of a pair of rollers in series, with a sensor in the middle:
\begin{ccprogram}
\agent system(R0, S0, R1, M0, M1, M2)::
  \[roller(R0, l0, l1, M0), sensor(S0, l1, M1), roller(R1, l1, l2, M2), power\_module \]..
\end{ccprogram}
A typical call to {\tt system/5} would be: {\tt system(r35,s41,r36,ok,ok,ok)}. What should such component models look like?
The models for {\tt roller} and {\tt sensor} are straightforward (uniform extensions over time of point-wise, time-independent, monotone models):
\begin{ccprogram}
\agent roller(\_R, Before, After, ok)::
  always\ (power -> at(Before):paper -> next\ \{at(After):paper\})..
\agent roller(\_R, Before, \_After, slipping)::
  always\ (power -> at(Before):paper -> next\ \{at(Before):paper\})..
\agent sensor(\_S, Loc, ok)::
  always \ (power -> at(Loc):paper -> next\ (at(Loc):paper -> jam))..
\end{ccprogram}
The {\tt power\_module} model is, however, faced with the problem of lack of omniscience about its environment. A {\tt jam} may be signaled in any of various complicated ways, by any of a collection of subsystems whose identity is not known at model-construction time. The simplest way to model the subsystem, then, is as a mechanism that initiates and maintains the supply of power, subject to {\em interrupts} by its environment:
\begin{ccprogram}
\agent power\_module::
  watching(jam, always\ \{power\})..
\end{ccprogram}

The example illustrates the basic idea behind what may be termed {\em safe defaults}: through its very organization, the program guarantees that any conclusions that are contingent on a default inference cannot in themselves bring about (causally determine) a state of affairs that undermines the applicability of the inference rule. No global reasoning needs to be done, no ``default extensions'' need to be created. On detection of quiescence, all applicable default rules are fired immediately and irrevocably.

It should be clear, however, that the use of \tcc{} languages for system modeling, simulation and diagnosis is a topic in its own right. Of several remarks possible here, we have space for only three:
\begin{itemize}
\item The above model may be used not just for simulation but also for diagnosis. Here the problem is: we are given observations of the system (e.g.\ {\tt jam}) and have to determine the mode of operation of devices consistent with these observations. This is a natural motivation for examining the complexity of the {\em abduction} problem for \tcc{} programs.
\item The above model is stated in the fragment of \tcc{} that can be compiled into FSAs. This suggests that the compositional \tcc{} compilation algorithm can already be used to obtain an ``envisionment'' of the physical system (that is, a finite, succinct description of all its future behaviors). Standard techniques for model-checking finite state systems may then be used to analyze both component and system models constructed in this way.
\item It should be clear how some standard problems about reasoning with action and change, such as the Yale shooting problem \cite{yale-sp}, have simple solutions in \tcc. In essence, \tcc{} makes it possible to say that the effects of certain actions should persist indefinitely {\em unless} interrupted by the environment. By computing the least solution above the input supplied by the environment, \tcc{} ensures that there is no {\em deus ex machina} (no phantom actions such as mysterious ``unloadings'' of guns) --- any deviation from defaults arises solely because of input from the environment.
\end{itemize}
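As an added illustration (not code from the paper or its \tcc{} implementation), the Python program below simulates the three component models above under a simplified rendering of the \tcc{} timing discipline (one store per instant, a least fixpoint over the asks pending at that instant, {\tt watching} killing its body from the instant after {\tt jam} is entailed) and carries out the abductive diagnosis of the first remark by enumerating roller modes. Token names such as {\tt paper@l1}, the single-sheet input, and the restriction to the one {\tt ok} sensor mode given in the paper are assumptions of this example.

```python
from itertools import product

def roller(before, after, mode, store):
    """Next-instant obligations (guards, token) of one roller for this instant."""
    if "power" in store and f"paper@{before}" in store:
        target = after if mode == "ok" else before   # slipping: sheet stays put
        return [(frozenset(), f"paper@{target}")]
    return []

def sensor(loc, mode, store):
    """ok sensor: if the sheet is still at loc at the next instant, tell jam."""
    if mode == "ok" and "power" in store and f"paper@{loc}" in store:
        return [(frozenset({f"paper@{loc}"}), "jam")]
    return []

def run(modes, env, steps=5):
    """modes = (R0, S0, R1); env maps instant -> environment tokens; returns stores."""
    r0, s0, r1 = modes
    pending, power_alive, trace = [], True, []
    for t in range(steps):
        store = set(env.get(t, ()))
        if power_alive:              # power_module :: watching(jam, always {power})
            store.add("power")       # safe default: power unless interrupted
        changed = True               # least fixpoint over the asks pending now
        while changed:
            changed = False
            for guards, token in pending:
                if guards <= store and token not in store:
                    store.add(token)
                    changed = True
        trace.append(frozenset(store))
        if "jam" in store:           # watching: body killed from the next instant on
            power_alive = False
        pending = (roller("l0", "l1", r0, store) + sensor("l1", s0, store)
                   + roller("l1", "l2", r1, store))
    return trace

def diagnose(observed_jam, env, steps=5):
    """Abduction by enumeration: roller modes whose run agrees with the observation."""
    hyps = []
    for modes in product(["ok", "slipping"], ["ok"], ["ok", "slipping"]):
        jammed = any("jam" in s for s in run(modes, env, steps))
        if jammed == observed_jam:
            hyps.append(modes)
    return hyps

if __name__ == "__main__":
    env = {0: {"paper@l0"}}   # one sheet enters at l0 at instant 0 (constructed input)
    print([sorted(s) for s in run(("ok", "ok", "slipping"), env)])
    print(diagnose(True, env))  # only R1 slipping explains a jam at sensor l1
```

Note that a slipping {\tt R0} never moves the sheet to {\tt l1}, so the sensor at {\tt l1} cannot distinguish it from the all-{\tt ok} system: the enumeration reports it as consistent with the absence of a {\tt jam}.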