References

(2015). Monitoring and measuring hybrid behaviors.
Stefan Jakšić, E. Bartocci, R. Grosu, R. Kloibhofer, Thang Nguyen, D. Ničković (2015). From signal temporal logic to FPGA monitors. 2015 ACM/IEEE International Conference on Formal Methods and Models for Codesign (MEMOCODE).
E. Bartocci, R. Grosu, A. Karmarkar, S. Smolka, S. Stoller, E. Zadok, Justin Seyster (2012). Adaptive Runtime Verification.
Alexandre Donzé, E. Fanchon, Lucie Gattepaille, O. Maler, P. Tracqui (2011). Robustness Analysis and Behavior Discrimination in Enzymatic Reaction Networks. PLoS ONE, 6.
D. Bianculli, C. Ghezzi, P. Pietro (2012). The Tale of SOLOIST: A Specification Language for Service Compositions Interactions.
O. Maler, D. Ničković (2012). Monitoring properties of analog and mixed-signal circuits. International Journal on Software Tools for Technology Transfer, 15.
E. Asarin, P. Caspi, O. Maler (2002). Timed regular expressions. J. ACM, 49.
J. Kapinski, Jyotirmoy Deshmukh, Xiaoqing Jin, Hisahiro Ito, K. Butts (2016). Simulation-Based Approaches for Verification of Embedded Control Systems: An Overview of Traditional and Advanced Modeling, Testing, and Verification Techniques. IEEE Control Systems, 36.
T. Dreossi, T. Dang, Alexandre Donzé, J. Kapinski, Xiaoqing Jin, Jyotirmoy Deshmukh (2015). Efficient Guiding Strategies for Testing of Temporal Properties of Hybrid Systems.
Alexandre Donzé, O. Maler, E. Bartocci, D. Ničković, R. Grosu, S. Smolka (2012). On Temporal Logic and Signal Processing.
Dejan Nickovic (2008). Checking Timed and Hybrid Properties: Theory and Applications (Vérification de propriétés temporisées et hybrides: théorie et applications).
Alexey Bakhirkin, Nicolas Basset (2019). Specification and Efficient Monitoring Beyond STL.
Thang Nguyen, D. Ničković (2014). Assertion-based monitoring in practice - Checking correctness of an automotive sensor interface.
Georgios Fainekos, George Pappas (2006). Robustness of Temporal Logic Specifications.
D. Ničković, Olivier Lebeltel, O. Maler, Thomas Ferrère, Dogan Ulus (2018). AMT 2.0: qualitative and quantitative trace analysis with extended signal temporal logic. International Journal on Software Tools for Technology Transfer, 22.
K. Selyunin, Stefan Jakšić, Thang Nguyen, C. Reidl, Udo Hafner, E. Bartocci, D. Ničković, R. Grosu (2017). Runtime Monitoring with Recovery of the SENT Communication Protocol.
D. Bianculli, C. Ghezzi, C. Pautasso, Patrick Senti (2012). Specification patterns from research to industry: A case study in service-based applications. 2012 34th International Conference on Software Engineering (ICSE).
Hesheng Liu, T. Zhang, Fusheng Yang (2002). A multistage, multimethod approach for automatic detection and classification of epileptiform EEG. IEEE Transactions on Biomedical Engineering, 49.
B. Kanso, Safouan Taha (2012). Temporal Constraint Support for OCL.
Alexey Bakhirkin, Thomas Ferrère, T. Henzinger, D. Ničković (2018). The first-order logic of signals: keynote.
E. Bartocci, Jyotirmoy Deshmukh, Alexandre Donzé, Georgios Fainekos, O. Maler, D. Ničković, S. Sankaranarayanan (2018). Specification-Based Monitoring of Cyber-Physical Systems: A Survey on Theory, Tools and Applications.
Bardh Hoxha, Adel Dokhanchi, Georgios Fainekos (2015). Mining parametric temporal logic properties in model-based design for cyber-physical systems. International Journal on Software Tools for Technology Transfer, 20.
Jyotirmoy Deshmukh, Alexandre Donzé, Shromona Ghosh, Xiaoqing Jin, Garvit Juniwal, S. Seshia (2015). Robust online monitoring of signal temporal logic. Formal Methods in System Design, 51.
L. Nguyen, J. Kapinski, Xiaoqing Jin, Jyotirmoy Deshmukh, K. Butts, Taylor Johnson (2017). Abnormal Data Classification Using Time-Frequency Temporal Logic. Proceedings of the 20th International Conference on Hybrid Systems: Computation and Control.
L. Bortolussi, D. Milios, G. Sanguinetti (2015). U-Check: Model Checking and Parameter Synthesis Under Uncertainty.
Chaima Boufaied, C. Menghi, D. Bianculli, Yago Parache (2020). Trace-Checking Signal-based Temporal Properties: A Model-Driven Approach. 2020 35th IEEE/ACM International Conference on Automated Software Engineering (ASE).
E. Bartocci, F. Corradini, E. Merelli, L. Tesei (2009). Model Checking Biological Oscillators.
D. Giannakopoulou, T. Pressburger, Anastasia Mavridou, J. Schumann (2020). Generation of Formal Requirements from Structured Natural Language.
A. Dingle, Richard Jones, Grant, Carroll, Richard Fright (1993). A multistage system to detect epileptiform activity in the EEG. IEEE Transactions on Biomedical Engineering, 40.
E. Bartocci, L. Bortolussi, L. Nenzi (2013). A Temporal Logic Approach to Modular Design of Synthetic Biological Circuits.
Reza Matinnejad, S. Nejati, L. Briand, T. Bruckmann (2019). Test Generation and Test Prioritization for Simulink Models with Dynamic Behavior. IEEE Transactions on Software Engineering, 45.
Szymon Stoma, Alexandre Donzé, F. Bertaux, O. Maler, Grégory Batt (2013). STL-based Analysis of TRAIL-induced Apoptosis Challenges the Notion of Type I/Type II Cell Line Classification. PLoS Computational Biology, 9.
Chaima Boufaied, D. Bianculli, L. Briand (2019). A Model-driven Approach to Trace Checking of Temporal Properties with Aggregations. J. Object Technol., 18.
Takumi Akazaki, I. Hasuo (2015). Time Robustness in MTL and Expressivity in Hybrid System Falsification.
O. Maler, D. Ničković, A. Pnueli (2008). Checking Temporal Properties of Discrete, Timed and Continuous Behaviors.
L. Brim, Tomás Vejpustek, David Šafránek, J. Fabriková (2013). Robustness Analysis for Value-Freezing Signal Temporal Logic.
D. Bianculli, C. Ghezzi, S. Krstic (2014). Trace Checking of Metric Temporal Logic with Aggregating Modalities Using MapReduce. ArXiv, abs/1406.3661.
S. Dumpala, S. Reddy, S. Sarna (1982). An algorithm for the detection of peaks in biological signals. Computer Programs in Biomedicine, 14(3).
Dogan Ulus, Thomas Ferrère, E. Asarin, O. Maler (2014). Timed Pattern Matching.
Nurettin Acır, I. Öztura, M. Kuntalp, B. Baklan, C. Güzelı̇ş (2005). Automatic detection of epileptiform events in EEG by a three-stage procedure based on artificial neural networks. IEEE Transactions on Biomedical Engineering, 52.
D. Ničković, Xin Qin, Thomas Ferrère, Cristinel Mateis, Jyotirmoy Deshmukh (2019). Shape Expressions for Specifying and Extracting Signal Features.
D. Ničković, O. Maler (2007). AMT: A Property-Based Monitoring Tool for Analog Systems.
Thomas Ferrère, O. Maler, D. Ničković, Dogan Ulus (2015). Measuring with Timed Patterns.
B. Meyers, H. Vangheluwe, J. Denil, Rick Salay (2020). A Framework for Temporal Verification Support in Domain-Specific Modelling. IEEE Transactions on Software Engineering, 46.
Nurettin Acır, C. Güzelı̇ş (2004). Automatic spike detection in EEG by a two-stage procedure based on support vector machines. Computers in Biology and Medicine, 34(7).
Simone Silvetti, L. Nenzi, E. Bartocci, L. Bortolussi (2018). Signal Convolution Logic.
M. Chechik, Dimitrie Paun (1999). Events in Property Patterns.
T. Hägglund (1995). A Control-Loop Performance Monitor. Control Engineering Practice, 3.
Houssam Abbas, Alena Rodionova, E. Bartocci, S. Smolka, R. Grosu (2016). Quantitative Regular Expressions for Arrhythmia Detection Algorithms.
Adel Dokhanchi, Bardh Hoxha, Georgios Fainekos (2014). On-Line Monitoring for Temporal Logic Robustness.
M. Pajic, Rahul Mangharam, O. Sokolsky, D. Arney, Julian Goldman, Insup Lee (2014). Model-Driven Safety Analysis of Closed-Loop Medical Systems. IEEE Transactions on Industrial Informatics, 10.
Wei Dou, D. Bianculli, L. Briand (2014). OCLR: A More Expressive, Pattern-Based Temporal Extension of OCL.
Aaron Kane (2015). Runtime Monitoring for Safety-Critical Embedded Systems.
Georgios Fainekos, S. Sankaranarayanan, Koichi Ueda, H. Yazarel (2012). Verification of automotive control applications using S-TaLiRo. 2012 American Control Conference (ACC).
F. Cameron, Georgios Fainekos, D. Maahs, S. Sankaranarayanan (2015). Towards a Verified Artificial Pancreas: Challenges and Solutions for Runtime Verification.
Thomas Ferrère (2016). Assertions and measurements for mixed-signal simulation.
S. Sankaranarayanan, Georgios Fainekos (2012). Falsification of temporal properties of hybrid systems using the cross-entropy method.
Adel Dokhanchi, Bardh Hoxha, Georgios Fainekos (2015). Metric interval temporal logic specification elicitation and debugging. 2015 ACM/IEEE International Conference on Formal Methods and Models for Codesign (MEMOCODE).
L. Brim, Petr Dluhos, David Šafránek, Tomás Vejpustek (2014). STL*: Extending signal temporal logic with signal-value freezing operator. Inf. Comput., 236.
O. Maler, D. Ničković (2004). Monitoring Temporal Properties of Continuous Signals.
Stefan Jakšić, E. Bartocci, R. Grosu, D. Ničković (2018). Quantitative monitoring of STL with edit distance. Formal Methods in System Design, 53.
Truong Nghiem, S. Sankaranarayanan, Georgios Fainekos, Franjo Ivancic, Aarti Gupta, George Pappas (2010). Monte-carlo techniques for falsification of temporal properties of non-linear hybrid systems.
Aurélien Rizk, Grégory Batt, F. Fages, S. Soliman (2008). On a Continuous Degree of Satisfaction of Temporal Logic Formulae with Applications to Systems Biology.
Alexandre Donzé (2010). Breach, A Toolbox for Verification and Parameter Synthesis of Hybrid Systems.
Houssam Abbas, Georgios Fainekos, S. Sankaranarayanan, Franjo Ivancic, Aarti Gupta (2013). Probabilistic Temporal Logic Falsification of Cyber-Physical Systems. ACM Trans. Embed. Comput. Syst., 12.
Nurettin Acır (2005). Automated system for detection of epileptiform patterns in EEG by using a modified RBFN classifier. Expert Syst. Appl., 29.
Matthew Dwyer, G. Avrunin, J. Corbett (1999). Patterns in property specifications for finite-state verification. Proceedings of the 1999 International Conference on Software Engineering.
Hengyi Yang, Bardh Hoxha, Georgios Fainekos (2012). Querying Parametric Temporal Logic Properties on Embedded Systems.
E. Bartocci, L. Bortolussi, L. Nenzi, G. Sanguinetti (2015). System design of stochastic models using robustness of temporal properties. Theor. Comput. Sci., 587.
Wei Dou, D. Bianculli, L. Briand (2017). A Model-Driven Approach to Trace Checking of Pattern-Based Temporal Properties. 2017 ACM/IEEE 20th International Conference on Model Driven Engineering Languages and Systems (MODELS).
S. Bufo, E. Bartocci, G. Sanguinetti, M. Borelli, U. Lucangelo, L. Bortolussi (2014). Temporal Logic Based Monitoring of Assisted Ventilation in Intensive Care Patients.
D. Bianculli, C. Ghezzi, S. Krstic, P. Pietro (2014). Offline Trace Checking of Quantitative Properties of Service-Based Applications. 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications.
S. Konrad, B. Cheng (2005). Real-time specification patterns. Proceedings of the 27th International Conference on Software Engineering (ICSE 2005).
M. Bersani, D. Bianculli, C. Ghezzi, S. Krstic, P. Pietro (2014). SMT-Based Checking of SOLOIST over Sparse Traces.
Xiaoqing Jin, Alexandre Donzé, Jyotirmoy Deshmukh, S. Seshia (2013). Mining Requirements From Closed-Loop Control Models. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems, 34.
Alexandre Donzé, O. Maler (2010). Robust Satisfaction of Temporal Logic over Real-Valued Signals.
D. Ničković, Tomoya Yamaguchi (2020). RTAMT: Online Robustness Monitors from STL.
Edward Lee, S. Seshia (2013). Introduction to Embedded Systems - A Cyber-Physical Systems Approach.
The behavior of a cyber-physical system (CPS) is usually defined in terms of the input and output signals processed by sensors and actuators. Requirements specifications of CPSs are typically expressed using signal-based temporal properties. Expressing such requirements is challenging because of (1) the many features that can be used to characterize a signal behavior and (2) the broad variation in expressiveness of the specification languages (i.e., temporal logics) used for defining signal-based temporal properties. Thus, system and software engineers need effective guidance on selecting appropriate signal behavior types and an adequate specification language, based on the type of requirements they have to define. In this paper, we present a taxonomy of the various types of signal-based properties and provide, for each type, a comprehensive and detailed description as well as a formalization in a temporal logic. Furthermore, we review the expressiveness of state-of-the-art signal-based temporal logics in terms of the property types identified in the taxonomy. Moreover, we report on the application of our taxonomy to classify the requirements specifications of an industrial case study in the aerospace domain, in order to assess the feasibility of using the property types included in our taxonomy and the completeness of the latter.

Keywords: signals, signal-based properties, temporal logic, taxonomy

Corresponding author. Email addresses: chaima.boufaied@uni.lu (Chaima Boufaied), maris.jukss@gmail.com (Maris Jukss), domenico.bianculli@uni.lu (Domenico Bianculli), lionel.briand@uni.lu (Lionel Claude Briand), Isasi@luxspace.lu (Yago Isasi Parache). This work was done while the author was affiliated with the Interdisciplinary Centre for Security, Reliability and Trust (SnT), University of Luxembourg, Luxembourg. Preprint submitted to Elsevier, December 29, 2020. arXiv:1910.08330v3 [eess.SP], 28 Dec 2020.

1. Introduction

Cyber-physical systems (CPSs) are systems characterized by a complex interweaving of hardware and software [1]. They are widely used in many safety-critical domains (e.g., aerospace, automotive, medical) where validation and verification (V&V) activities [2] of the system's intended functionality play a crucial role in guaranteeing the reliability and safety of the system. A typical CPS consists of a mix of analog and digital components, such as sensors, actuators, and control units, which process input and output signals. System engineers specify the desired system behavior by defining requirements in terms of the signals obtained from these components. Such requirements can be specified using signal-based temporal properties, which characterize the expected behavior of signals. For example, a property may require that a signal must not exhibit an abrupt increase of amplitude (i.e., a spike or bump) within a certain time interval, or that the signal shall manifest an oscillatory behavior with a particular period.

Expressing requirements in terms of signal-based temporal properties poses a number of challenges for system and software engineers. First, a signal behavior (e.g., a spike) can be characterized using a number of features (e.g., amplitude, slope, width); for example, a total of 16 different features (and eight parameters) have been identified in the literature [3] to detect (and thus characterize) a spike in a signal. Engineers may decide to choose various subsets of features; without proper guidelines for selecting the features most appropriate in a certain context and without their precise characterization, the resulting specification of a signal behavior may become ambiguous or inconsistent. The second challenge is related to the expressiveness of the specification languages used for defining signal-based temporal properties.
Starting from the seminal work on STL [4] (Signal Temporal Logic), there have been several proposals of languages that extend more traditional temporal logics like LTL (Linear Temporal Logic) to support the specification of signal-based behaviors. Such languages have different levels of expressiveness when it comes to describing certain signal behaviors. For example, STL cannot be used to express properties (like those related to oscillatory behaviors) that require referencing the concrete value of a signal at an instant in which a certain property was satisfied [5]. This means that engineers need guidance to carefully select the language to use for defining signal-based properties, based on the type of requirements they are going to define, the expressiveness of the candidate specification languages, and the availability of suitable tools (e.g., a trace checker) for each language.

We remark that these challenges for the specification of signal-based temporal properties also have implications in terms of V&V. The lack of precise descriptions of signal behaviors (and their features) and the use of specification languages with limited expressiveness may lead engineers to resort to manual checking (e.g., visual inspection of signal waveforms) of properties on signals. Although an anomalous spike in amplitude can be easily spotted by visual inspection of the waveform of a signal that is mostly stable, manually detecting complex signal behaviors on waveforms with intricate shapes is a cumbersome and error-prone process.

In this paper, we tackle these two challenges by proposing a taxonomy of the most common types of signal-based temporal properties and a logic-based characterization of such properties. Based on industrial experience and a thorough review of the literature, our goal is to provide system and software engineers, as well as researchers working on CPSs, with a reference guide to systematically identify and characterize signal behaviors, to support both requirements specification and V&V activities. More specifically, we address the first challenge by providing, through the taxonomy, a comprehensive and detailed description of the different types of signal-based behaviors, with each property type precisely characterized in terms of a temporal logic. As a result, an engineer can be guided by the precise characterization of the property types included in our taxonomy to derive, from an informal requirements specification, a formal specification of a property, which can then be used in the context of V&V activities (e.g., as a test oracle). We take on the second challenge by reviewing the expressiveness of the main temporal logics that have been proposed in the literature for specifying signal-based temporal properties (i.e., STL, STL* [5], and SFO [6], Signal First-Order Logic) in terms of the property types identified in the taxonomy. In this way, we can guide engineers to choose a specification formalism based on their needs in terms of the property types to express.

We developed our taxonomy of signal-based properties based on practical experience in analyzing temporal requirements in CPS domains like the aerospace industry, and by reviewing the literature in the area of verification of cyber-physical systems, starting from the recent survey of specification formalisms in reference [2]. We identified and included in our taxonomy the following property types:

• Data assertion, which specifies constraints on the signal value;
• Signal behavior, representing a signal behavior in terms of a particular waveform, such as spikes and oscillations;
• Relationship between signals, a type that includes functional relationship properties, based on the application of a transformation (e.g., differentiation) on signals, and order relationship properties, stating constraints on the order of events/states related to signal behaviors. The order relationship type also includes properties describing the transient behavior of a signal when changing from the current value to a new target value (i.e., rising/falling, overshooting/undershooting behaviors).

For each of these types, we provide a logic-based characterization using SFO and also discuss alternative formalizations, when applicable, using STL and STL*. In this way, we are able to report on the expressiveness of state-of-the-art temporal logics with respect to the property types included in our taxonomy: SFO is the only language among the three we considered in which we can express all the property types of our taxonomy.

We also report on the application of our taxonomy to classify the requirements specifications of an industrial case study in the aerospace domain. Through this case study we show:

• The feasibility of expressing requirements specifications of a real-world CPS using the property types included in our taxonomy. Indeed, in the vast majority of the cases, the mapping from a specification written in English to its corresponding property type defined in the taxonomy was straightforward.
• The completeness of our taxonomy: all requirements specifications of the case study could be defined using the property types included in our taxonomy.
To summarize, the main contributions of this paper are:

• a taxonomy of signal-based properties;
• a logic-based characterization of the various property types included in the taxonomy;
• a discussion on the expressiveness of state-of-the-art temporal logics with respect to the property types included in our taxonomy;
• the application of our taxonomy to classify the requirements specifications of an industrial case study in the aerospace domain.

The rest of the paper is structured as follows. Section 2 provides background concepts on signals and temporal logics for signal-based properties. Section 3 illustrates our taxonomy of signal-based properties and provides a logic-based characterization of each property type. In section 4 we discuss the expressiveness of state-of-the-art temporal logics with respect to the property types included in our taxonomy. Section 5 presents the application of our taxonomy to an industrial case study. Section 6 discusses how the paper contributions can support the research community and practitioners. Section 7 discusses related work. Section 8 concludes the paper, providing directions for future work.

2. Background

2.1. Signals

A finite-length signal $s$ over a domain $D$ is a function $s : T \to D$, where $T$ is the time domain and $D$ is an application-dependent value domain. In the context of CPSs, we need to differentiate between analog, discrete, and digital signals [7].

An analog signal is a signal that is continuous both in the time and in the value domains. The time domain $T$ of an analog signal is thus the set of non-negative real numbers $\mathbb{R}_{\ge 0}$ and the value domain $D$ is the set of real numbers $\mathbb{R}$. More formally, we define an analog signal $s_a$ as $s_a : T \to \mathbb{R}$. The domain of definition of $s_a$ is the interval $I_s = [0, r)$, with $r \in \mathbb{Q}_{\ge 0}$; the length of $s_a$ is defined as $|s_a| = r$; undefined signal values are denoted by $s_a(t) = \bot$ for all $t \ge |s_a|$.

In a discrete signal, the value domain is continuous whereas the time domain is the set of natural numbers $\mathbb{N}$. More specifically, a discrete signal can be obtained from an analog signal through sampling, which is the process of converting the continuous-time domain of a signal to a discrete-time domain. Throughout this process, the analog signal is read at a regular time interval $\Delta$ called the sampling interval. The resulting discretized signal $s_{dsc}$ can be represented by the values of the analog signal $s_a$ read at the time points $0, \Delta, 2\Delta, \ldots, k\Delta$, i.e., $s_{dsc}(k) = s_a(k\Delta)$.

A digital signal has the set of natural numbers $\mathbb{N}$ as time domain and a finite discrete set as value domain. Such a signal can be obtained from a discrete signal by quantization, which is the process of transforming continuous values into their finite discrete approximations.

In the rest of the paper we will consider analog signals, simply denoted by $s$, unless a specific signal type is explicitly mentioned. This choice is motivated by the context in which this work has been developed, which is the domain of CPS [8]. In such a domain, model-driven engineering is used throughout the development process and simulation is used for design-time testing of system models; simulation models (e.g., those defined in Simulink) capture both continuous and discrete system behaviors and, when executed, produce traces containing analog signals [9].

2.2. Temporal Logics for Signal-based Properties

In this section, we provide a brief introduction to the main temporal logics that have been proposed in the literature for specifying signal-based temporal properties. They will be used in the next section to present the formalization of signal-based properties.

2.2.1. Signal Temporal Logic (STL)

STL [4] has been one of the first proposals of a temporal logic for the specification of temporal properties over dense-time (i.e., $T = \mathbb{R}_{\ge 0}$), real-valued signals.
Let $\Pi$ be a finite set of atomic propositions, $X$ be a finite set of real variables, and $I$ be an interval $[a, b]$ over $\mathbb{R}_{\ge 0}$ with $a, b \in \mathbb{Q}$ such that $0 \le a < b$ (the restriction to non-punctual intervals $I$ for STL has been lifted in reference [10]). The syntax of STL with both future and past operators [10] is defined by the following grammar:

$$\varphi ::= p \mid x \sim c \mid \neg\varphi \mid \varphi_1 \lor \varphi_2 \mid \varphi_1\, \mathcal{U}_I\, \varphi_2 \mid \varphi_1\, \mathcal{S}_I\, \varphi_2$$

where $p \in \Pi$, $x \in X$, $\sim \in \{<, \le, =, \ge, >\}$, $c \in \mathbb{R}$, $\mathcal{U}_I$ is the metric "Until" operator, and $\mathcal{S}_I$ is the metric "Since" operator. Additional temporal operators can be derived using the usual conventions; for example, "Eventually" $F_I\,\varphi \equiv \top\, \mathcal{U}_I\, \varphi$; "Globally" $G_I\,\varphi \equiv \neg F_I\, \neg\varphi$; "Once (Eventually in the Past)" $P_I\,\varphi \equiv \top\, \mathcal{S}_I\, \varphi$; "Historically" $H_I\,\varphi \equiv \neg P_I\, \neg\varphi$.

The semantics of STL is defined through a satisfaction relation $(s, t) \models_{STL} \varphi$, which indicates that signal $s$ satisfies formula $\varphi$ starting from position $t$ in the signal. The satisfaction relation is defined inductively as follows:

$$\begin{array}{lcl}
(s,t) \models_{STL} p & \text{iff} & p \text{ holds on } s \text{ at } t, \text{ for } p \in \Pi \\
(s,t) \models_{STL} x \sim c & \text{iff} & x \sim c \text{ holds on } s \text{ at } t, \text{ for } x \in X \text{ and } c \in \mathbb{R} \\
(s,t) \models_{STL} \neg\varphi & \text{iff} & (s,t) \not\models_{STL} \varphi \\
(s,t) \models_{STL} \varphi_1 \lor \varphi_2 & \text{iff} & (s,t) \models_{STL} \varphi_1 \text{ or } (s,t) \models_{STL} \varphi_2 \\
(s,t) \models_{STL} \varphi_1\, \mathcal{U}_{[a,b]}\, \varphi_2 & \text{iff} & \exists t' \in [t+a,\, t+b] \text{ such that } (s,t') \models_{STL} \varphi_2 \text{ and } \forall t'' \in [t,\, t'],\ (s,t'') \models_{STL} \varphi_1 \\
(s,t) \models_{STL} \varphi_1\, \mathcal{S}_{[a,b]}\, \varphi_2 & \text{iff} & \exists t' \in [t-b,\, t-a] \text{ such that } (s,t') \models_{STL} \varphi_2 \text{ and } \forall t'' \in [t',\, t],\ (s,t'') \models_{STL} \varphi_1
\end{array}$$

We say that a signal $s$ satisfies an STL formula $\varphi$ iff $(s, 0) \models_{STL} \varphi$.

Several extensions of STL have been proposed in the literature. For example, STL/PSL [11] adds an analog layer to STL that enables the application of (low-level) signal operations; xSTL [12] adds support for Timed Regular Expressions [13]. The STL expressions that we will present in the rest of the paper can be written in the same form also in STL/PSL or xSTL since they only rely on the core operators of STL.

2.2.2. STL*

STL* [5] is an extension of STL that adds a signal-value freezing operator that binds the value of a signal to a precise instant of time. Let $J$ be a finite index set (e.g., the set $\{1, \ldots, n\}$, $n \in \mathbb{N}$) and let the function $t^* : J \to [0, |s|]$ be the frozen time vector; the $i$-th frozen time can then be referred to with $t^*_i = t^*(i)$. As in the case of STL, let $\Pi$ be a finite set of atomic propositions, $X$ be a finite set of real variables, and $I$ be an interval $[a, b]$ over $\mathbb{R}_{\ge 0}$ with $a, b \in \mathbb{Q}$ such that $0 \le a < b$. The syntax of STL* is defined by the following grammar:

$$\varphi ::= p \mid x \sim c \mid \neg\varphi \mid \varphi_1 \lor \varphi_2 \mid \varphi_1\, \mathcal{U}_I\, \varphi_2 \mid *_i[\varphi]$$

where $p \in \Pi$, $x \in X$, $\sim \in \{<, \le, =, \ge, >\}$, $c \in \mathbb{R}$, $\mathcal{U}_I$ is the metric "Until" operator, and $*_i$ is the unary signal-value freezing operator for all $i \in J$. Additional operators like Eventually and Globally can be defined as done above for STL.

The semantics of STL* is defined through a satisfaction relation $(s, t, t^*) \models_{STL^*} \varphi$, which indicates that signal $s$ satisfies formula $\varphi$ starting from position $t$ in the signal, taking into account the frozen time vector $t^* \in [0, |s|]^J$. The satisfaction relation is defined inductively as follows:

$$\begin{array}{lcl}
(s,t,t^*) \models_{STL^*} p & \text{iff} & p \text{ holds on } s \text{ at } t, \text{ for } p \in \Pi, \text{ with the frozen time vector } t^* \\
(s,t,t^*) \models_{STL^*} x \sim c & \text{iff} & x \sim c \text{ holds on } s \text{ at } t, \text{ for } x \in X \text{ and } c \in \mathbb{R}, \text{ with the frozen time vector } t^* \\
(s,t,t^*) \models_{STL^*} \neg\varphi & \text{iff} & (s,t,t^*) \not\models_{STL^*} \varphi \\
(s,t,t^*) \models_{STL^*} \varphi_1 \lor \varphi_2 & \text{iff} & (s,t,t^*) \models_{STL^*} \varphi_1 \text{ or } (s,t,t^*) \models_{STL^*} \varphi_2 \\
(s,t,t^*) \models_{STL^*} \varphi_1\, \mathcal{U}_{[a,b]}\, \varphi_2 & \text{iff} & \exists t' \in [t+a,\, t+b] \text{ such that } (s,t',t^*) \models_{STL^*} \varphi_2 \text{ and } \forall t'' \in [t,\, t'],\ (s,t'',t^*) \models_{STL^*} \varphi_1 \\
(s,t,t^*) \models_{STL^*} *_i[\varphi] & \text{iff} & (s,t,t^*[i \leftarrow t]) \models_{STL^*} \varphi
\end{array}$$

where $[i \leftarrow t]$ is the operator substituting $t$ at the $i$-th position in the frozen time vector, defined as

$$t^*[i \leftarrow t](j) = \begin{cases} t & \text{if } i = j \\ t^*(j) & \text{if } i \ne j \end{cases}$$

We say that a signal $s$ satisfies the STL* formula $\varphi$ iff $(s, 0, \mathbf{0}) \models_{STL^*} \varphi$, where $\mathbf{0}$ is the frozen time vector with all entries equal to 0.

2.2.3. Signal First-Order Logic (SFO)

SFO [6] is a formalism that combines first-order logic with linear real arithmetic and uninterpreted unary function symbols; the latter represent real-valued signals evolving over time. Let $F$ be a set of function symbols and let $X = T \cup R$ be a set of variables, where $T$ is the set of time variables and $R$ is the set of value variables. Let $\Sigma = \langle f_1, f_2, \ldots, \mathbb{Z}, -, +, < \rangle$ be a (first-order) signature where $f_1, f_2, \ldots \in F$ are uninterpreted unary function symbols, $\mathbb{Z}$ are integer constants, and $-$, $+$, $<$ are the standard arithmetic functions and order relation. The syntax of SFO over $\Sigma$ is defined by the following grammar:

$$\begin{array}{lcl}
\varphi & ::= & \theta_1 < \theta_2 \mid \neg\varphi \mid \varphi_1 \lor \varphi_2 \mid \exists r : \varphi \mid \exists t \in I : \varphi \\
\theta & ::= & \tau \mid \rho \\
\tau & ::= & t \mid n \mid \tau_1 - \tau_2 \mid \tau_1 + \tau_2 \\
\rho & ::= & r \mid f(\tau) \mid n \mid \rho_1 - \rho_2 \mid \rho_1 + \rho_2
\end{array}$$

where $r \in R$, $t \in T$, $n \in \mathbb{Z}$, $f \in F$, and $I$ is a time interval with bounds in $\mathbb{Z} \cup \{\pm\infty\}$. Notice that a term $\theta$ can be either a time term $\tau$ or a value term $\rho$. Additional logical connectives can be derived using the usual conventions; for example, $\forall r : \varphi \equiv \neg\exists r : \neg\varphi$.

Let a trace $\omega$ be an interpretation of a function symbol $f \in F$ as a signal, denoted by $[\![ f ]\!]_\omega$; let a valuation $v$ be an interpretation of a variable $x \in X$ as a real number, denoted by $[\![ x ]\!]_v$. The valuation function for a term $\theta$ over the trace $\omega$ and the valuation $v$, denoted as $[\![ \theta ]\!]_{\omega,v}$, is defined inductively as follows: $[\![ x ]\!]_{\omega,v} = [\![ x ]\!]_v$; $[\![ n ]\!]_{\omega,v} = n$ for all $n \in \mathbb{Z}$; $[\![ f(\tau) ]\!]_{\omega,v} = [\![ f ]\!]_\omega\big([\![ \tau ]\!]_{\omega,v}\big)$; $[\![ \theta_1 - \theta_2 ]\!]_{\omega,v} = [\![ \theta_1 ]\!]_{\omega,v} - [\![ \theta_2 ]\!]_{\omega,v}$; $[\![ \theta_1 + \theta_2 ]\!]_{\omega,v} = [\![ \theta_1 ]\!]_{\omega,v} + [\![ \theta_2 ]\!]_{\omega,v}$. The semantics of SFO is defined through a satisfaction relation $(\omega, v) \models_{SFO} \varphi$, which indicates the satisfaction of formula $\varphi$ over the trace $\omega$ and the valuation $v$.
The satisfaction relation is defined inductively as follows:

$$\begin{array}{lcl}
(\omega, v) \models_{SFO} \theta_1 < \theta_2 & \text{iff} & [\![ \theta_1 ]\!]_{\omega,v} < [\![ \theta_2 ]\!]_{\omega,v} \\
(\omega, v) \models_{SFO} \neg\varphi & \text{iff} & (\omega, v) \not\models_{SFO} \varphi \\
(\omega, v) \models_{SFO} \varphi_1 \lor \varphi_2 & \text{iff} & (\omega, v) \models_{SFO} \varphi_1 \text{ or } (\omega, v) \models_{SFO} \varphi_2 \\
(\omega, v) \models_{SFO} \exists r : \varphi & \text{iff} & (\omega, v[r \leftarrow a]) \models_{SFO} \varphi \text{ for some } a \in \mathbb{R} \\
(\omega, v) \models_{SFO} \exists t \in I : \varphi & \text{iff} & (\omega, v[t \leftarrow a]) \models_{SFO} \varphi \text{ for some } a \in I
\end{array}$$

Variants of SFO can be defined by suitably changing the underlying signature $\Sigma$.

3. Taxonomy of signal-based properties

One of the main challenges in using signal-based temporal properties for expressing requirements of CPSs is the lack of precise descriptions of signal behaviors. First, a signal behavior (e.g., a spike or an oscillation) can be "described" in different ways, i.e., it can be characterized using various features; for example, a total of 16 different features (and eight parameters) have been identified in the literature [3] to detect a spike in a signal. Given the large variety of options, (software and system) engineers may choose various subsets of features for characterizing the same type of signal behavior, leading to ambiguity and inconsistency in the specifications. In addition, slightly different features may have similar names (e.g., "peak amplitude" and "peak-to-peak amplitude"), potentially leading to mistakes when writing specifications. It is then important to define proper guidelines for selecting the features most appropriate in a certain context, and to provide engineers with a precise characterization of such features.

In this section, we tackle this challenge by proposing a taxonomy of the most common types of signal-based temporal properties and a logic-based characterization of such properties.
Our goal is to provide system and software engineers, as well as researchers working on CPSs, with a reference guide to systematically identify and characterize signal behaviors, so that they can be defined precisely and used correctly during the development process of CPSs, in particular during the activities related to requirements specification and V&V. Our taxonomy provides a comprehensive and detailed description of the different types of signal-based behaviors, with each property type precisely characterized in terms of a temporal logic. As a result, an engineer can be guided by the precise characterization of the property types included in our taxonomy, to derive—from an informal requirements specification—a formal specification of a property, which can be used in other development activities (e.g., V&V). We developed this taxonomy based on our general understanding of temporal requirements in CPS domains like the aerospace industry, and by reviewing the literature in the area of verification of cyber- physical systems, starting from the recent survey in reference [2]. The taxonomy focuses on properties specified in the time domain; we purportedly leave out properties specified in the frequency domain [14, 15] because in our context (V&V of CPS) the properties of interest are mainly specified in the time domain. The taxonomy (with the acronyms) of signal-based property types is shown in figure 1. At the top level, it includes three main signal-based property types: Data assertion (DA): properties expressing constraints on the value of a signal. Signal behavior (SB): properties on the behavior represented by a signal shape. We further distinguish among two property subtypes: • properties on signals exhibiting spikes (SPK); • properties on signals manifesting oscillatory behaviors (OSC). Relationship between signals (RSH): properties characterizing relationships between signals. 
This type includes two further property subtypes:
• functional, based on the application of a signal transforming function (RSH-F);
• order, describing sequences of events/states related to signal behaviors (RSH-O).

In this category we also include properties of the transient behavior of a signal when it changes from its current value to a new target value, such as:
– properties on signals exhibiting a rising (Rise Time - RT) or a falling (Fall Time - FT) behavior;
– properties on signals exhibiting an overshoot (OSH) or an undershoot (USH) behavior.

In the following subsections we provide a detailed description of each property type, including a mathematical formalization and examples. We use (a variant of) SFO to formalize the various property types; anticipating the results of section 4, the reason for adopting SFO is its expressiveness, which allows us to express all the property types considered in this paper. We also provide examples of properties in STL and STL* (when applicable).

[Figure 1: Taxonomy of signal-based properties. Top level: Data Assertion (DA), Signal Behavior (SB), Relationship between signals (RSH). SB splits into Spike (SPK) and Oscillatory behavior (OSC); RSH splits into Order (RSH-O) and Functional (RSH-F); the Transient behavior group (Rise time (RT), Fall time (FT), Overshoot (OSH), Undershoot (USH)) is listed within the RSH category.]

The variant of SFO we use for the formalization has the following signature $\Sigma = \langle F, A, Rel, \mathbb{Z}, \mathbb{R}\rangle$, where:
• $F = Sig \cup Aux$ is the set of function symbols, composed of the signal functions $Sig = \{s, s_1, s_2, s_{tr}\}$ and the auxiliary functions and predicates $Aux = \{\sigma^{Be}_{s,P}, \sigma^{Bs}_{s,P}, \xi, checkOsc, local\_min, local\_max\}$;
• $A = \{+, -, \times, \div, abs\}$ is the set of (non-linear) arithmetic functions, where $abs$ denotes the absolute value operator;
• $Rel = \{<, >, \geq, \leq, =, \neq\}$ is the set of relational operators;
• $\mathbb{Z}$ and $\mathbb{R}$ are the integer and real constants, respectively.

3.1. Data assertion

A data assertion specifies a constraint on the value of a signal.
This constraint is expressed through a signal predicate of the form $s \bowtie expr$, where $expr$ is an SFO value term defined over the value domain of the signal $s$ and $\bowtie \in Rel$. A data assertion property holds on the signal if the assertion predicate evaluates to true. Data assertions can be combined into more complex expressions through the standard logical connectives.

We distinguish between untimed data assertions, which are evaluated over the entire domain of definition $I_s$ of a signal $s$, and time-constrained data assertions, which are evaluated over one or more distinct sub-intervals of the signal's domain of definition. More formally, let $H = \{I_1, \ldots, I_K\}$ be a set of time intervals such that $I_k \subseteq I_s$ for $1 \leq k \leq K$, and for all $i, j \in \{1, \ldots, K\}$, $i \neq j$ implies $I_i \cap I_j = \emptyset$. A data assertion defined over the time intervals in $H$ holds on a signal $s$ if and only if (iff) the SFO formula $\bigwedge_{h \in H} \forall i \in h\colon s(i) \bowtie expr$ evaluates to true. Notice that an untimed data assertion over a signal $s$ is obtained by taking $H = \{I_s\}$.

For example, consider the property pDA: "The signal value shall be less than 3 between 2 tu and 6 tu and between 10 tu and 15 tu", where "tu" is a generic time unit (to be set according to the application domain, e.g., seconds). This property is a time-constrained data assertion over the two intervals $[2, 6]$ and $[10, 15]$; it can be expressed in SFO as:

pDA $\equiv \forall t \in [2, 6]\colon s(t) < 3 \wedge \forall t \in [10, 15]\colon s(t) < 3$

Figure 2 shows two signals, $s_1$ plotted with a thick line and $s_2$ plotted with a thin line; the threshold on the signal value specified by the property is drawn as a dashed horizontal line. Property pDA does not hold for $s_2$, whose value exceeds the threshold of 3 in the intervals $[2, 6]$ and $[10, 15]$; it holds for $s_1$, whose value stays below the threshold in both intervals.
[Figure 2: Two signals used to evaluate property pDA, plotted over time (tu) from 0 to 25: signal $s_1$ satisfies the property whereas signal $s_2$ violates it.]

3.1.1. Alternative formalizations

Data assertion properties like pDA can also be expressed in STL and STL*:

pDA $\equiv G_{[2,6]}(s < 3) \wedge G_{[10,15]}(s < 3)$

3.2. Spike

A spike can be informally defined as a short-lived, (relatively) large increase or decrease of the value of a signal (a spike is also called bump, peak, or pulse in the literature). Such a signal behavior is typically undesirable [2]. However, there are situations in which a spike characterized by a set of specific features is desirable, as is the case for the discovery pulse [16] in the discovery mode of the DSI3 protocol [17].

Inspired by the definitions in the bio-medical domain [18], we consider four main features to characterize a spike, based on three extrema of the function corresponding to the signal shape, which are local extrema with respect to an observation interval $[f, g] \subset I_s$. These three points (with their respective coordinates) are: the peak point $(PP, s(PP))$, representing the local maximum of the signal and characterizing the actual spike, and the two surrounding valley points $(VP_1, s(VP_1))$ and $(VP_2, s(VP_2))$, representing the local minima (closest to the peak point) of the first and second half of the spike, respectively. In the following we only characterize and formalize spikes corresponding to an increase of the signal value; the case of a decrease of the signal value is the dual. These three local extrema are shown in figure 3a; we refer the reader to reference [18] for a detailed description of how to detect these points. The four features (also shown in figure 3a) characterizing a spike are listed below.

[Figure 3 (a): Main features used to define a spike based on [18]: the peak point $PP$ and the valley points $VP_1$, $VP_2$ on the time axis, the values $s(VP_1)$, $s(PP)$, $s(VP_2)$, the slopes $sp_1$, $sp_2$ and the width $w$.]
[Figure 3 (b): Two signals used to evaluate property pSPK1, plotted over time (tu) from 0 to 50: signal $s_1$ satisfies the property, whereas $s_2$ violates it.]

• Amplitude $a$ of the spike, defined as $a = \psi(a_1, a_2)$, where $a_1 = abs(s(PP) - s(VP_1))$ is the amplitude of the first half of the spike shape, $a_2 = abs(s(PP) - s(VP_2))$ is the amplitude of the second half of the spike shape, and $\psi$ is a generic amplitude function (see the footnote below);
• slope $sp_1$ between the peak point and the valley point of the first half of the spike shape, $sp_1 = abs\left(\frac{s(PP) - s(VP_1)}{PP - VP_1}\right)$;
• slope $sp_2$ between the peak point and the valley point of the second half of the spike shape, $sp_2 = abs\left(\frac{s(PP) - s(VP_2)}{PP - VP_2}\right)$;
• spike width $w$ between the two consecutive valley points, $w = VP_2 - VP_1$. Note that the width can also be written as $w = w_1 + w_2$, where $w_1 = PP - VP_1$ and $w_2 = VP_2 - PP$.

The four features $a$, $sp_1$, $sp_2$, and $w$ can be suitably combined to define a spike of a particular shape (see the footnote below on other spike features). A spike property specifies a constraint on the existence of a spike with certain features; it evaluates to true when the signal exhibits a spike whose features satisfy certain criteria. More specifically, when defining a spike property, an engineer has to specify, for each feature, a predicate with a threshold criterion whose value depends on the application context. The signal predicates of the individual features are then logically conjoined to characterize the spike.

Formally, given the threshold criteria for the four features $\Gamma_a$, $\Gamma_{sp_1}$, $\Gamma_{sp_2}$, $\Gamma_w$ (specified as SFO terms over the value domain of signal $s$), a spike property holds on a signal $s$ iff the following SFO formula evaluates to true:

$\exists VP_1, PP, VP_2 \in [f, g]\colon local\_min(VP_1, f, PP) \wedge local\_max(PP, VP_1, g) \wedge local\_min(VP_2, PP, g) \wedge a \bowtie \Gamma_a \wedge sp_1 \bowtie \Gamma_{sp_1} \wedge sp_2 \bowtie \Gamma_{sp_2} \wedge w \bowtie \Gamma_w$   (1)

where $\bowtie \in Rel$, $local\_min$ and $local\_max \in Aux$ are predicates identifying local extrema, and $a$, $sp_1$, $sp_2$, $w$ are SFO terms defined as shown above using the three variables $VP_1$, $VP_2$, and $PP$.
Footnote: the amplitude function $\psi$ depends on the application domain; for example, in the context of bio-medical systems [18], $\psi$ is the minimum function.
Footnote: although other spike features have been proposed in the spike detection literature, such as different types of width, amplitude, and slope [19, 20, 21, 22, 23], as well as the area under the curve [24], we decided not to adopt them since the features we selected are sufficient to describe (and specify) the spike behaviors considered in this paper.

In essence, formula (1) requires a) the existence of the three local extrema in the proper order characterizing the spike shape (i.e., a local minimum followed by a local maximum, followed by another local minimum), and b) the satisfaction of the constraints on all the features. More relaxed formulations can be obtained by omitting some of the spike features from the above definition.

The predicate $local\_min(x, y, z)$ (respectively, $local\_max(x, y, z)$) returns true if the time point $x$ is a local minimum (respectively, local maximum) with respect to the interval $[y, z]$. These predicates can be defined in several ways; below we provide three possible definitions.

Definition 1 (local extrema through punctual derivatives). Some specification languages allow for defining expressions corresponding to punctual derivatives. For example, in SFO the punctual derivatives can be defined as language terms as follows:

$s'_p(t) \equiv \frac{s(t + \epsilon) - s(t)}{\epsilon}$ and $s''_p(t) \equiv s'_p(s'_p(t))$

with $\epsilon$ being an arbitrary, small constant. The local extrema predicates can then be defined in SFO as follows:

$local\_min(x, y, z) \equiv \exists x \in [y, z]\colon s'_p(x) = 0 \wedge s''_p(x) > 0$
$local\_max(x, y, z) \equiv \exists x \in [y, z]\colon s'_p(x) = 0 \wedge s''_p(x) < 0$

Definition 2 (local extrema - analytical formulation).
Another way to characterize local extrema is to write a logical expression corresponding to their analytical definition; in SFO we have

$local\_min(x, y, z) \equiv \exists x \in [y, z]\colon \forall t \in [y, z], x \neq t\colon s(x) \leq s(t)$
$local\_max(x, y, z) \equiv \exists x \in [y, z]\colon \forall t \in [y, z], x \neq t\colon s(x) \geq s(t)$

Definition 3 (local extrema through pre-computed derivatives). When the first and second order derivatives of a signal are available as separate, pre-computed signals, the local extrema can be characterized using such signals. Let $s'_c$ and $s''_c$ be the first and second order derivatives of signal $s$; the local extrema predicates can be defined in SFO as follows:

$local\_min(x, y, z) \equiv \exists x \in [y, z]\colon s'_c(x) = 0 \wedge s''_c(x) > 0$
$local\_max(x, y, z) \equiv \exists x \in [y, z]\colon s'_c(x) = 0 \wedge s''_c(x) < 0$

Footnote (to definition 1): in the context of a discrete signal, the $\epsilon$ constant can be replaced with the sampling interval $\Delta$.

The choice of which definition to use for the local extrema predicates depends on the specification language and the application context; as shown above, all three definitions can be used with SFO.

For example, let us characterize spikes through the features width $w$ and amplitude $a$, with the latter defined by using the maximum function as the amplitude function $\psi$; let us consider the evaluation of property pSPK1: "In a signal, there is a spike with a maximum width of 20 tu and a maximum amplitude of 1". For this property, the parameters of an instance of specification (1) are $\Gamma_a = 1$ and $\Gamma_w = 20$; the resulting SFO formula is:

pSPK1 $\equiv \exists t, t', t'' \in [f, g]\colon local\_min(t, f, t') \wedge local\_max(t', t, g) \wedge local\_min(t'', t', g) \wedge \max(abs(s(t') - s(t)), abs(s(t') - s(t''))) \leq 1 \wedge abs(t'' - t) \leq 20$

In figure 3b, we show two signals, $s_1$ plotted with a thick line and $s_2$ plotted with a thin line. To evaluate property pSPK1 on these signals, we first need to evaluate the local extrema predicates in specification (1) (according to one of the three definitions above): signal $s_1$ exhibits a spike where $VP_1 = 10$,
$PP = 20$, and $VP_2 = 30$, while $s_2$ exhibits a spike where $VP_1 = 10$, $PP = 25$, and $VP_2 = 35$. In both cases, the three points satisfy the local extrema predicates. The second step is to evaluate the threshold criteria of the spike features. We calculate the amplitude $a_{s_1}$ and the width $w_{s_1}$ of the spike in $s_1$ as: $a_{s_1} = \max(abs(s_1(PP) - s_1(VP_1)), abs(s_1(PP) - s_1(VP_2))) = \max(abs(s_1(20) - s_1(10)), abs(s_1(20) - s_1(30))) = \max(abs(2 - 1), abs(2 - 1)) = 1$ and $w_{s_1} = VP_2 - VP_1 = 30 - 10 = 20$. Signal $s_1$ satisfies property pSPK1 because the expression $a_{s_1} \leq 1 \wedge w_{s_1} \leq 20 \equiv 1 \leq 1 \wedge 20 \leq 20$ evaluates to true. Following a similar computation, the amplitude $a_{s_2}$ and the width $w_{s_2}$ of the spike in $s_2$ are $a_{s_2} = \max(1.5, 1) = 1.5$ and $w_{s_2} = 25$; signal $s_2$ violates property pSPK1 because the expression $a_{s_2} \leq 1 \wedge w_{s_2} \leq 20 \equiv 1.5 \leq 1 \wedge 25 \leq 20$ evaluates to false.

Another definition, proposed in the context of automotive control applications [25], characterizes a spike using two parameters, $w$ and $m = \frac{a}{w}$, where $w$ is the spike width and $a$ the spike amplitude. Formally, a signal $s$ exhibits a spike with parameters $m$ and $w$ (defined as numerical constants) iff the following SFO formula evaluates to true:

$\exists t \in I_s\colon s'(t) > m \wedge \exists t' \in [t, t + w]\colon s'(t') < -m$   (2)

where $s'$, denoting the first order derivative of $s$, can be either a pre-computed, separate signal $s'_c$ or the punctual derivative $s'_p$ introduced above. This characterization identifies two time instants: the first, in which the signal derivative is greater than parameter $m$, and another one, in which the signal derivative is less than $-m$; the distance between these two points is at most the spike width $w$.

[Figure 4: Characterization of the spike in two signals $s_1$ and $s_2$ based on the definition in [25], with parameters $m = 0.1$, $w = 20$; time (tu) from 0 to 60.]
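The following is an added worked example, not code from the paper: it evaluates the two spike specifications above on sampled signals. Specification (1) is implemented with the discrete form of definition 2 (a strict local maximum as peak, and the minima of each half that are closest to the peak as valley points), and specification (2) with the punctual derivative of definition 1 using the sampling step as $\epsilon$. The piecewise-linear signals are constructed stand-ins for those in figures 3b and 4 (same extrema and feature values, not the paper's data), and the function names (`spike_features`, `holds_spec1`, `holds_spec2`) are ours.

```python
"""Added example (not from the paper): evaluating spike specifications (1) and (2)
on sampled signals. The signals are constructed stand-ins for figures 3b and 4;
the function names are our own."""


def piecewise_linear(knots, t):
    """Sample a piecewise-linear signal through (time, value) knots; flat outside them."""
    vals = []
    for ti in t:
        for (t0, v0), (t1, v1) in zip(knots, knots[1:]):
            if t0 <= ti <= t1:
                vals.append(v0 + (v1 - v0) * (ti - t0) / (t1 - t0))
                break
        else:
            vals.append(knots[0][1] if ti < knots[0][0] else knots[-1][1])
    return vals


def spike_features(t, s, f, g, amp=max):
    """Candidate (VP1, PP, VP2) triples in the observation window [f, g] with their features.

    PP is a strict local maximum (a flat top is allowed to its right); VP1 / VP2 are the
    minima of the left / right half that lie closest to PP (discrete form of definition 2).
    `amp` is the amplitude function psi; pSPK1 uses max."""
    idx = [i for i, ti in enumerate(t) if f <= ti <= g]
    found = []
    for p in idx[1:-1]:
        if not (s[p - 1] < s[p] >= s[p + 1]):
            continue
        left, right = range(idx[0], p), range(p + 1, idx[-1] + 1)
        m1, m2 = min(s[i] for i in left), min(s[i] for i in right)
        vp1 = max(i for i in left if s[i] == m1)    # closest minimum before the peak
        vp2 = min(i for i in right if s[i] == m2)   # closest minimum after the peak
        a1, a2 = abs(s[p] - s[vp1]), abs(s[p] - s[vp2])
        found.append({
            "vp1": t[vp1], "pp": t[p], "vp2": t[vp2],
            "a": amp(a1, a2),
            "sp1": abs(a1 / (t[p] - t[vp1])),
            "sp2": abs(a2 / (t[vp2] - t[p])),
            "w": t[vp2] - t[vp1],
        })
    return found


def holds_spec1(t, s, f, g, criteria, amp=max):
    """Specification (1): some spike in [f, g] satisfies every feature predicate in
    `criteria` (feature name -> predicate). Leaving a feature out relaxes the spike."""
    return any(all(pred(sp[k]) for k, pred in criteria.items())
               for sp in spike_features(t, s, f, g, amp))


def holds_spec2(t, s, m, w):
    """Specification (2): exists t with s'(t) > m and t' in [t, t+w] with s'(t') < -m,
    where s' is the punctual derivative of definition 1 with epsilon = sampling step."""
    d = [(s[i + 1] - s[i]) / (t[i + 1] - t[i]) for i in range(len(s) - 1)]
    return any(di > m and any(dj < -m for j, dj in enumerate(d[i:], i) if t[j] <= t[i] + w)
               for i, di in enumerate(d))


# Constructed signals sampled every 1 tu. Figure 3b stand-ins: one spike each.
T3 = list(range(0, 51))
FIG3B_S1 = piecewise_linear([(0, 1), (10, 1), (20, 2), (30, 1), (50, 1)], T3)        # a=1,   w=20
FIG3B_S2 = piecewise_linear([(0, 0.5), (10, 0.5), (25, 2), (35, 1), (50, 1)], T3)   # a=1.5, w=25
# Figure 4 stand-ins: both have rise/fall slopes beyond +-0.1 within 20 tu, amplitudes 1 and 3.
T4 = list(range(0, 61))
FIG4_S1 = piecewise_linear([(0, 0), (10, 0), (15, 1), (25, 1), (30, 0), (60, 0)], T4)  # flat top
FIG4_S2 = piecewise_linear([(0, 0), (10, 0), (20, 3), (30, 0), (60, 0)], T4)

PSPK1 = {"a": lambda a: a <= 1, "w": lambda w: w <= 20}   # max width 20 tu, max amplitude 1
PSPK2 = {"a": lambda a: a > 2, "w": lambda w: w <= 20}    # max width 20 tu, amplitude > 2

if __name__ == "__main__":
    for name, s in (("s1", FIG3B_S1), ("s2", FIG3B_S2)):
        print(name, spike_features(T3, s, 0, 50), "pSPK1:", holds_spec1(T3, s, 0, 50, PSPK1))
    for name, s in (("s1", FIG4_S1), ("s2", FIG4_S2)):
        print(name, "pSPK3 via (2):", holds_spec2(T4, s, 0.1, 20),
              "pSPK2 via (1):", holds_spec1(T4, s, 0, 60, PSPK2))
```

On the figure-4 stand-ins, `holds_spec2` with $m = 0.1$, $w = 20$ accepts both signals (their derivatives cross $+m$ and $-m$ within 20 tu), while `holds_spec1` with the amplitude predicate $a > 2$ accepts only the signal whose peak actually reaches 3; this is the difference in precision between the two specifications made concrete.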
The main limitation of this formulation is that it does not allow one to express precise constraints on the absolute value of the amplitude of a spike; instead, it uses the parameter $m$, which is the quotient between amplitude and width. We illustrate this with the example in figure 4, where signal $s_1$ is plotted with a thick line and $s_2$ with a thin line. Let us consider the evaluation of property pSPK2: "In a signal, there exists a spike with a maximum width of 20 tu and an amplitude greater than 2". This property cannot be captured by an instance of specification (2), since the latter does not take into account the concept of amplitude; the property needs to be adapted. Based on the desired values of width and amplitude in property pSPK2, the parameters of an instance of specification (2) would be $m = 2/20 = 0.1$, $w = 20$. Therefore, instead of property pSPK2, one can consider the following alternative pSPK3: "In a signal, there exists a spike with a maximum width of 20 tu and parameter $m$ equal to 0.1", which can be captured by an instance of specification (2); the corresponding SFO formula is:

pSPK3 $\equiv \exists t \in I_s\colon s'(t) > 0.1 \wedge \exists t' \in [t, t + 20]\colon s'(t') < -0.1$

This formula evaluates to true for both $s_1$ and $s_2$. However, signal $s_1$ should not satisfy the property, since its peak point does not reach a magnitude (amplitude) of 2, as required by the original formulation of the property (pSPK2). This spurious spike characterization happens with specification (2) because signal $s_1$ follows the same shape as signal $s_2$ at the points in which the signal derivative $s'$ is compared with $m$. We remark that applying specification (1) to the evaluation of property pSPK2 would correctly characterize the spike only in signal $s_2$. Given this lack of precision in specification (2), in the following we consider spikes defined according to specification (1).

3.2.1. Alternative formalizations

STL.
Our characterization of a spike through the SFO formulation (1) relies on the existence of three extrema in the function corresponding to the signal shape. In STL, the existence of these extrema could be formalized through proper nesting of the "eventually" and "once" operators, in conjunction with a constraint on the width of the spike. However, it would not be possible to include in such a formulation a constraint on the amplitude or on the slope, since in STL one cannot refer to the value of the signal at an arbitrary time point. For these reasons, we cannot express a property like pSPK1 in STL. On the other hand, spike properties characterized through the SFO formulation (2) can be expressed in STL when the pre-computed signal derivatives are available. For example, property pSPK3 can be expressed as

pSPK3 $\equiv F_{[0,|s|)}\big(s' > 0.1 \wedge F_{[0,20]}\, s' < -0.1\big)$

STL*. Differently from STL, STL* can refer to the value of the signal at the time point in which a local formula holds, thanks to the freeze operator; below we discuss how it can be used to express properties pSPK1 and pSPK3.

(Using local extrema expressed through punctual derivatives) Definition 1 for local extrema uses the values of the signal at two consecutive time points, within a small distance $\epsilon$. However, in STL* it is not possible to explicitly reference the signal value at time points that are not associated with the evaluation of a local (sub-)formula; hence, properties defined using punctual derivatives cannot be specified using STL* (see the footnote below on discrete signals).

(Using local extrema expressed through the analytical formulation) We can characterize local extrema using the analytical formulation (definition 2) by assuming a variant of STL* with past operators and using a 3D frozen time vector.
pSPK1 $\equiv F^{*1}_{[f,g]}\big(G_{[0,w_1]}(s > s^{*1})$
$\qquad \wedge F^{*2}_{[0,w_1]}\big(H_{[0,w_1]}(s < s^{*2})$
$\qquad\qquad \wedge F^{*3}_{[0,w_2]}\big(H_{[0,w_2]}(s > s^{*3})$
$\qquad\qquad\qquad \wedge \max(abs(s^{*1} - s^{*2}), abs(s^{*2} - s^{*3})) \leq 1 \wedge w_1 + w_2 \leq 20\big)\big)\big)$

In the formula above, the expression in the first row states the existence of the first local minimum by checking for the existence, within the observation interval $[f, g]$, of a point (whose time instant is frozen in the first component of the frozen time vector) for which the corresponding signal value is smaller than all other signal values in the interval $[0, w_1]$; this condition is captured by the sub-formula with the "globally" operator. The expression on the second row, nesting the "historically" operator within the "eventually", states the existence of the local maximum (whose time instant is frozen in the second component of the frozen time vector), such that all the signal values between the first local minimum and such a point are indeed smaller than the local maximum. Notice that the distance between the first local minimum and the local maximum is equal to $w_1$. The expression on the third row checks in a similar way for the existence of the second local minimum within an interval $[0, w_2]$ from the local maximum. The expression on the fourth row checks the constraints on the spike amplitude and on the spike width.

Footnote: the restriction on punctual derivatives in STL* could be lifted when using discrete signals, since the distance between two consecutive time points is known and is equal to the sampling interval $\Delta$.
Footnote: although the version of STL* presented in [5] does not use past operators, the addition of such operators would be done along the lines of the definition of STL with past operators in [10].
Footnote: if the spike shape is symmetrical, the distance between all local extrema is equal to $w/2$.

[Figure 5: A signal exhibiting an oscillatory behavior, with extrema $p_1, \ldots, p_5$, the period $oscP$, the amplitude $oscA$, and the reference value $ref$ shown in red.]
For the former, it uses the values of the signal at the first local minimum ($s^{*1}$), at the local maximum ($s^{*2}$), and at the second local minimum ($s^{*3}$). Note that this property relies on a particular sequence of local extrema (i.e., valley-peak-valley); other variants of this property can be specified by changing the order of the sub-formulae stating the existence of a certain extremum. Furthermore, we remark that the specification of this property assumes knowledge of the signal shape, since it uses the two components $w_1$ and $w_2$ of the width $w$ as defined in section 3.2. However, making such an assumption in practice is not reasonable because typically the shape of a spike is unknown.

(Using local extrema defined through pre-computed derivatives) Property pSPK1 can be expressed using definition 3 for local extrema, assuming the existence of the signals $s'_c$ and $s''_c$ and a 3D frozen time vector.

pSPK1 $\equiv F^{*1}_{[f,g]}\big(s'_c = 0 \wedge s''_c > 0 \wedge F^{*2}_{[0,w_1]}\big(s'_c = 0 \wedge s''_c < 0 \wedge F^{*3}_{[0,w_2]}\big(s'_c = 0 \wedge s''_c > 0$
$\qquad \wedge \max(abs(s^{*1} - s^{*2}), abs(s^{*2} - s^{*3})) \leq 1 \wedge w_1 + w_2 \leq 20\big)\big)\big)$

The structure of the formula above is similar to the one for the case of definition 2, except for the direct use of the first and second order derivatives, available as pre-computed signals. The same remarks made above about assuming knowledge of the signal shape also apply in this case. Furthermore, pre-computed derivative signals can be used to specify property pSPK3 in STL* in the same way as was done above using STL.

3.3. Oscillation

An oscillation can be informally described as a repeated variation over time of the value of a signal, possibly with respect to a reference value; in the context of CPS, oscillations often represent an undesirable signal behavior. Figure 5 depicts an analog signal $s$ exhibiting an oscillatory behavior with respect to a reference value $ref$, within an observation interval $oscI = [a, b] \subset I_s$.
Such a behavior is characterized by the existence, within the observation interval, of $M$ extrema of the function corresponding to the signal shape; these points are marked with blue squares in the figure. A cycle (i.e., a complete oscillation) occurs when the signal value swings from one extremum to the adjacent extremum of the same type, by traversing an extremum of the other type; for example, in the figure there is one complete oscillation when the signal goes from $p_3$ to $p_5$ (two peak points) through $p_4$ (a valley point). The figure also shows two additional features typically used to characterize oscillations:
• the (peak) amplitude, denoted by $oscA$, is the distance between the maximum magnitude of the signal and its reference value;
• the period, denoted by $oscP$, is the time required to complete one cycle. Its reciprocal, called frequency, is the number of complete oscillations occurring in a unit of time.

An oscillation property specifies a constraint on the existence, in a signal, of an oscillatory behavior with certain features; it evaluates to true when the signal exhibits an oscillatory behavior whose features satisfy certain criteria. More specifically, these criteria are expressed as relational expressions on the oscillation amplitude and/or period, with an application-specific threshold.
More formally, given the SFO terms representing the threshold criteria $\Gamma_{oscP}$ (for the period) and $\Gamma_{oscA}$ (for the amplitude), an oscillation property holds on a signal $s$ in the observation interval $[a, b]$ iff the following SFO formula evaluates to true:

$\forall t \in [a, b]\colon \big(\exists t', t'' \in [t, b]\colon$
$\qquad local\_min(t, a, t') \rightarrow (local\_max(t', t, b) \wedge local\_min(t'', t', b) \wedge checkOsc(t, t', t'', \bowtie_P, \Gamma_{oscP}, \bowtie_A, \Gamma_{oscA}))$
$\qquad \wedge\ local\_max(t, a, t') \rightarrow (local\_min(t', t, b) \wedge local\_max(t'', t', b) \wedge checkOsc(t, t', t'', \bowtie_P, \Gamma_{oscP}, \bowtie_A, \Gamma_{oscA}))\big)$   (3)

where $local\_min(x, y, z)$ (respectively, $local\_max(x, y, z)$) is a predicate that returns true if the time point $x$ is a local minimum (respectively, local maximum) with respect to the interval $[y, z]$ (see section 3.2); $checkOsc(t, t', t'', \bowtie_P, \Gamma_{oscP}, \bowtie_A, \Gamma_{oscA})$ is a predicate that returns whether the expression $oscA \bowtie_A \Gamma_{oscA} \wedge oscP \bowtie_P \Gamma_{oscP}$ evaluates to true for the oscillation (with amplitude $oscA$ and period $oscP$) determined by its first three arguments $t, t', t''$; $\bowtie_P$ and $\bowtie_A$ are relational operators in $Rel$ of $\Sigma$.

In essence, formula (3) requires a) the existence of the three local extrema in the proper order characterizing the complete oscillation (i.e., either a local minimum followed by a local maximum followed by another local minimum, or a local maximum followed by a local minimum followed by another local maximum), and b) the satisfaction of the constraints on the oscillation features evaluated in the $checkOsc$ predicate.

As an example, let us consider property pOSC: "Within an observation interval of 60 time units (starting from the beginning of the signal), in the signal there exist oscillations with a period less than 20 and an amplitude less than 3". For this property the parameters of an instance of specification (3) are $a = 0$, $b = 60$, $\Gamma_{oscP} = 20$, $\Gamma_{oscA} = 3$, $\bowtie_A = \bowtie_P = <$.
To evaluate the property, we show two signals in figure 6: $s_1$ (drawn with a thick line) corresponds to a sine wave defined as $y = \sin(t/2) + 1$; $s_2$ (drawn with a thin line) is defined by $y = \sin(t/6) + 1$. In both signals, the oscillations have a peak amplitude equal to 1, which satisfies the constraint on the amplitude. The period of signal $s_1$, calculated from its sine definition, is equal to $4\pi$; similarly, the period of $s_2$ is equal to $12\pi$ (see figure 6). Signal $s_1$ satisfies property pOSC because it oscillates by exhibiting alternating local minima and maxima, with a period and an amplitude satisfying the thresholds ($4\pi < \Gamma_{oscP}$ and $1 < \Gamma_{oscA}$). However, signal $s_2$ violates the property because its period is greater than the threshold value of 20 ($12\pi > \Gamma_{oscP}$).

[Figure 6: Two signals used to evaluate property pOSC, plotted over time (tu) from 0 to 60 with the periods $4\pi$ and $12\pi$ marked: signal $s_1$ satisfies the property, whereas $s_2$ violates it.]

The pure sine wave shown in figure 5 has a constant period and a constant amplitude. However, in the context of CPSs, signals may be noisy; this means that the amplitude and the period of their oscillatory behaviors may vary over time. Furthermore, a reference value may be unknown, making the computation of the oscillation amplitude challenging. In such cases one may use an aggregation function (e.g., average, maximum, minimum) over different amplitude values (e.g., peak-to-peak). In the following, we introduce the concepts of average amplitude and average period; these definitions can easily be adapted to take into account other aggregation functions.

To deal with situations in which the reference value is not known, we consider the peak-to-peak amplitude, i.e., the difference between two adjacent extrema, denoted by $oscA_{PP}$. The average peak-to-peak amplitude $\overline{oscA_{PP}}$ can then be computed as the arithmetic mean of the peak-to-peak amplitude between adjacent extrema.
More formally, given the sequence $p_1, \ldots, p_{M-1}, p_M$ of local extrema,

$\overline{oscA_{PP}} = \frac{\sum_{i=1}^{M-1} abs(s(p_i) - s(p_{i+1}))}{M - 1}$.

Other definitions of amplitude (such as the root mean square) can be used too, depending on the application domain.

The average period can be defined as the arithmetic mean of the period of each complete oscillation of the signal, computed over pairs of extrema of the same type. More formally, given the sequence $p_1, \ldots, p_{M-1}, p_M$ of local extrema, we define the number $oscN$ of complete oscillations within the observation interval of the signal as $oscN = \left\lfloor \frac{M - 1}{2} \right\rfloor$; the average period $\overline{oscP}$ is then defined as

$\overline{oscP} = \frac{\sum_{i=1}^{oscN} abs(p_{2i-1} - p_{2i+1})}{oscN}$.

When the concepts of average amplitude and average period are used to characterize an oscillatory behavior, specification (3) has to be adapted accordingly; more precisely, the predicate $checkOsc$ has to be redefined to consider the average amplitude $\overline{oscA_{PP}}$ and the average period $\overline{oscP}$.

Damped/Driven oscillations. In the real world, oscillatory behaviors may be subject to various forces that reduce or increase their amplitude. More precisely, we distinguish between damped and driven oscillations: for the former the amplitude decays monotonically, whereas for the latter the amplitude increases monotonically. These specific behaviors can be characterized by constraining the change of the amplitude of the oscillatory signal. For example, given the sequence $p_1, \ldots, p_{M-1}, p_M$ of local extrema, we say that an oscillatory signal $s$ (formalized according to specification (3)) exhibits damped oscillations iff the following SFO formula evaluates to true:

$\forall j \in [1, M - 2]\colon abs(s(p_j) - s(p_{j+1})) \geq abs(s(p_{j+1}) - s(p_{j+2}))$   (4)

The case for driven oscillations is similar and can be obtained from the expression above by replacing the relational operator with its dual.
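The following is an added worked example, not code from the paper: it implements the extrema-based oscillation features of this subsection on sampled signals (the local-extrema sequence $p_1, \ldots, p_M$, the average peak-to-peak amplitude, $oscN$ and the average period), a pOSC-style check built on them, and the damped/driven test of formula (4) and its dual. The signals are constructed (the two sine waves of figure 6 plus a damped and a driven variant); the sampling step, the 3-sample window used for local extrema, and the function names (`oscillation_features`, `holds_posc`, `damped`, `driven`) are our own choices.

```python
"""Added example (not from the paper): oscillation features on sampled signals,
a pOSC-style check and the damped/driven test of formula (4). Signals are constructed;
function names are our own."""
import math


def sample(fn, a, b, step):
    """Sample fn on [a, b] at the given step; returns (times, values)."""
    n = int(round((b - a) / step))
    t = [a + i * step for i in range(n + 1)]
    return t, [fn(x) for x in t]


def extrema(s, lo, hi):
    """Strict interior local minima/maxima of s with index in [lo, hi], in time order,
    tagged 'min' or 'max' (definition 2 applied to a 3-sample window)."""
    out = []
    for i in range(max(lo, 1), min(hi, len(s) - 2) + 1):
        if s[i - 1] > s[i] < s[i + 1]:
            out.append((i, "min"))
        elif s[i - 1] < s[i] > s[i + 1]:
            out.append((i, "max"))
    return out


def oscillation_features(t, s, a, b):
    """Extrema sequence p_1..p_M of s in [a, b] and the features built on it:
    average peak-to-peak amplitude, number of complete oscillations oscN, average period."""
    lo = next(i for i, x in enumerate(t) if x >= a)
    hi = max(i for i, x in enumerate(t) if x <= b)
    ext = extrema(s, lo, hi)
    p, kinds = [i for i, _ in ext], [k for _, k in ext]
    m = len(p)
    feats = {"p": p, "M": m,
             "alternating": all(k1 != k2 for k1, k2 in zip(kinds, kinds[1:])),
             "oscA_pp": None, "oscN": 0, "oscP": None}
    if m >= 2:  # mean of |s(p_i) - s(p_{i+1})| over adjacent extrema
        feats["oscA_pp"] = sum(abs(s[p[i]] - s[p[i + 1]]) for i in range(m - 1)) / (m - 1)
    osc_n = (m - 1) // 2  # complete oscillations: same-type pairs (p_{2i-1}, p_{2i+1})
    if osc_n >= 1:        # 0-based indices: p[2i-2] and p[2i]
        feats["oscN"] = osc_n
        feats["oscP"] = sum(abs(t[p[2 * i]] - t[p[2 * i - 2]]) for i in range(1, osc_n + 1)) / osc_n
    return feats


def holds_posc(t, s, a, b, gamma_p, gamma_a, ref=None):
    """pOSC-style check: alternating extrema in [a, b], average period < gamma_p and
    amplitude < gamma_a. With a reference value the peak amplitude max|s(p) - ref| is used;
    without one, the average peak-to-peak amplitude stands in for it."""
    f = oscillation_features(t, s, a, b)
    if f["oscN"] < 1 or not f["alternating"]:
        return False
    amp = max(abs(s[i] - ref) for i in f["p"]) if ref is not None else f["oscA_pp"]
    return f["oscP"] < gamma_p and amp < gamma_a


def swings(t, s, a, b):
    """|s(p_j) - s(p_{j+1})| for consecutive extrema: the quantity compared in formula (4)."""
    p = oscillation_features(t, s, a, b)["p"]
    return [abs(s[p[j]] - s[p[j + 1]]) for j in range(len(p) - 1)]


def damped(t, s, a, b):
    """Formula (4): swing amplitudes never increase along the extrema sequence."""
    w = swings(t, s, a, b)
    return len(w) >= 2 and all(x >= y for x, y in zip(w, w[1:]))


def driven(t, s, a, b):
    """Dual of formula (4): swing amplitudes never decrease."""
    w = swings(t, s, a, b)
    return len(w) >= 2 and all(x <= y for x, y in zip(w, w[1:]))


# Constructed signals on [0, 60] tu, sampled every 0.5 tu (figure 6 stand-ins plus two more).
STEP = 0.5
T, S1 = sample(lambda x: math.sin(x / 2) + 1, 0, 60, STEP)                      # period 4*pi
_, S2 = sample(lambda x: math.sin(x / 6) + 1, 0, 60, STEP)                      # period 12*pi
_, S3 = sample(lambda x: math.exp(-x / 30) * math.sin(x / 2) + 1, 0, 60, STEP)  # damped
_, S4 = sample(lambda x: math.exp(x / 60) * math.sin(x / 2) + 1, 0, 60, STEP)   # driven

if __name__ == "__main__":
    for name, s in (("s1", S1), ("s2", S2)):
        f = oscillation_features(T, s, 0, 60)
        print(name, "M=%d oscN=%d oscP=%s oscA_pp=%.3f" % (f["M"], f["oscN"], f["oscP"], f["oscA_pp"]),
              "pOSC:", holds_posc(T, s, 0, 60, 20, 3, ref=1))
    print("s3 damped:", damped(T, S3, 0, 60), " s4 driven:", driven(T, S4, 0, 60))
```

Because the extrema are taken from samples, the measured period of the $4\pi$ sine is about 12.6 rather than exact, and the peak-to-peak amplitude is slightly below 2; thresholds in a real monitor should leave room for this sampling error, and the damped/driven tests only behave as formula (4) intends when the amplitude change per cycle exceeds it.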
The amplitude of signals may not change monotonically; in such cases, statistical trends (e.g., a linear trend) in amplitude changes may be observed. We could account for statistical trends by specifying that, on average, the difference in amplitude tends to decrease/increase; such a constraint would then be included in the formula above.

3.3.1. Alternative formalizations

STL. Similar to the case of spike properties (see section 3.2), our formalization in SFO of oscillation properties relies on the existence of local extrema in the signal. Converting such a formalization to STL would rely on the use of properly nested "eventually" and "once" operators, in conjunction with a constraint on the oscillation period. However, a constraint on the amplitude could not be expressed because in STL one cannot refer to the value of the signal at an arbitrary time point.

STL*. The specification of oscillatory behaviors is one of the main motivations behind the definition of STL*. Below, we discuss how to specify property pOSC in STL* using the three local extrema characterization approaches introduced in section 3.2.

(Using local extrema expressed through punctual derivatives) As discussed for the case of spike properties (see section 3.2.1), properties referring to local extrema expressed according to definition 1 cannot be specified using STL* because they would require explicitly referencing the signal value at time points that are not associated with the evaluation of a local (sub-)formula.

(Using local extrema expressed through the analytical formulation) We can express local extrema using their analytical formulation (definition 2) by assuming a variant of STL* with past operators.
Property pOSC can be specified in the following way using a 3D frozen time vector:

pOSC $\equiv G_{[a,b]}\Big(F^{*1}_{[0,b]}\big(G_{[0,\Gamma_{oscP}/2]}(s > s^{*1}) \rightarrow$
$\qquad F^{*2}_{[0,\Gamma_{oscP}/2]}\big(H_{[0,\Gamma_{oscP}/2]}(s < s^{*2})$
$\qquad\qquad \wedge F^{*3}_{[0,\Gamma_{oscP}/2]}\big(H_{[0,\Gamma_{oscP}/2]}(s > s^{*3})$
$\qquad\qquad\qquad \wedge abs(s^{*1} - s^{*2}) < 3\big)\big)\big)$
$\qquad \wedge F^{*1}_{[0,b]}\big(G_{[0,\Gamma_{oscP}/2]}(s < s^{*1}) \rightarrow$
$\qquad\qquad F^{*2}_{[0,\Gamma_{oscP}/2]}\big(H_{[0,\Gamma_{oscP}/2]}(s > s^{*2})$
$\qquad\qquad\qquad \wedge F^{*3}_{[0,\Gamma_{oscP}/2]}\big(H_{[0,\Gamma_{oscP}/2]}(s < s^{*3})$
$\qquad\qquad\qquad\qquad \wedge abs(s^{*1} - s^{*2}) < 3\big)\big)\big)\Big)$

In the formula above, the expression on the first row prescribes the existence of the first local minimum, by checking all points within the observation interval $[a, b]$ for the existence of a point (whose time instant is frozen in the first component of the frozen time vector) for which the corresponding signal value is smaller than all other signal values in the interval $[0, \Gamma_{oscP}/2]$; this condition is captured by the sub-formula with the second "globally" operator. The expression on the second row, nesting the "historically" operator within the "eventually", states the presence of a local maximum (whose time instant is frozen in the second component of the frozen time vector), such that all the signal values between the first local minimum and such a point are indeed smaller than the local maximum. Notice that the distance between two neighboring extrema for an oscillation with period $\Gamma_{oscP}$ is equal to $\Gamma_{oscP}/2$. The expression on the third row checks for the existence of the second local minimum in a similar way; the expression on the fourth row checks the constraint on the peak-to-peak amplitude using the values of the signal at the first local minimum and at the local maximum. The remaining part of the formula has the same structure and considers the dual case, in which the first extremum in the oscillatory behavior is a local maximum. We remark that this specification assumes that the oscillation is regular, i.e., its period is constant and the constraint on the period is specified as $oscP = \Gamma_{oscP}$.
However, making such an assumption in practice is not reasonable because typically the shape of oscillations is unknown.

(Using local extrema defined through pre-computed derivatives) Property pOSC can be expressed using definition 3 for local extrema, assuming the existence of pre-computed derivatives as separate signals $s'_c$ and $s''_c$ and a 3D frozen time vector.

pOSC $\equiv G_{[a,b]}\Big(F^{*1}_{[0,b]}\big((s'_c = 0 \wedge s''_c > 0) \rightarrow$
$\qquad F^{*2}_{[0,\Gamma_{oscP}/2]}\big((s'_c = 0 \wedge s''_c < 0)$
$\qquad\qquad \wedge F^{*3}_{[0,\Gamma_{oscP}/2]}\big((s'_c = 0 \wedge s''_c > 0)$
$\qquad\qquad\qquad \wedge abs(s^{*1} - s^{*2}) < 3\big)\big)\big)$
$\qquad \wedge F^{*1}_{[0,b]}\big((s'_c = 0 \wedge s''_c < 0) \rightarrow$
$\qquad\qquad F^{*2}_{[0,\Gamma_{oscP}/2]}\big((s'_c = 0 \wedge s''_c > 0)$
$\qquad\qquad\qquad \wedge F^{*3}_{[0,\Gamma_{oscP}/2]}\big((s'_c = 0 \wedge s''_c < 0)$
$\qquad\qquad\qquad\qquad \wedge abs(s^{*1} - s^{*2}) < 3\big)\big)\big)\Big)$

The structure of the formula above is similar to the one for the case of definition 2, except for the direct use of the first and second order derivatives, available as pre-computed signals. The signal values frozen at the local extrema are used to compute the peak-to-peak amplitude of the oscillations. The same remarks made above about assuming knowledge of the signal shape also apply in this case.

3.4. Relationship between signals

The property types illustrated in the previous sections deal with only one signal; in this section we present property types characterizing relationships between two (or more) signals. We consider two types of signal relationships:
• functional, based on the application of a signal transforming function;
• order, describing sequences of events/states related to signal behaviors.

3.4.1. Functional Relationship

The concept of a functional relationship between two (or more) signals is captured by the application of a signal transforming function to the signals, which yields a new signal based on the semantics of the function.
Formally, let ξ : D_1 × D_2 → D_3 (with ξ ∈ Aux) be an application-dependent signal transforming function and let s_1 and s_2 be two signals (called source signals), with value domains D_1 and D_2 respectively, and domains of definition I_{s_1} = I_{s_2} = I_s; the application of ξ to s_1 and s_2 yields a target signal s_T over the value domain D_3 defined as s_T(t) = ξ(s_1(t), s_2(t)), ∀t ∈ I_s. The target signal can then be referred to in the specification of other properties. More precisely, let P be an instance of one of the property types seen in the previous subsections (e.g., a data assertion), with ξ the signal transforming function defined above for the source signals s_1 and s_2. We say that property P holds on the signal representing the functional relationship between s_1 and s_2 captured by ξ iff P holds on the target signal s_T returned by the application of ξ. For example, let us consider property pRSH-F: “The difference between the values of signal s_1 and signal s_2 shall be equal to 1”, which contains two parts: a functional relationship part “The difference between the values of signal s_1 and signal s_2 . . . ” and a data assertion part “The [difference . . . ] shall be equal to 1”. This property is expressed in SFO as follows:

$$\mathrm{pRSH\text{-}F} \equiv \forall t \in [0,|s|) : \mathrm{abs}(s_1(t) - s_2(t)) = 1 \qquad (5)$$

To keep the notation light and without loss of generality, we only consider a signal transforming function with arity 2.

[Figure 7: Signals used to evaluate property pRSH-F: the source signals are s_1 and s_2, the target signal is s_T; signal s_T satisfies the property.]

[Figure 8: (a) A signal being in the state characterized by property pDAs in the interval [b, c]. (b) A signal changing its value to 2 at time instant c, satisfying property pDAe.]
Figure 7 shows the two source signals, s_1 plotted with a continuous line and s_2 plotted with a dash-dotted line, as well as the target signal s_T, plotted with a thick line. Signal s_T is obtained by the application of the signal transforming function ξ defined as ξ(s_1(t), s_2(t)) ≡ abs(s_1(t) − s_2(t)), ∀t ∈ I_s. This signal is then used for the actual evaluation of the data assertion contained in property pRSH-F, as if the latter was rewritten as “The value of signal s_T shall be equal to 1”; since signal s_T is equal to 1 across its domain of definition, property pRSH-F evaluates to true.

3.4.2. Order Relationship

This type of signal relationship prescribes a sequence of events/states corresponding to signal behaviors; in practice, it captures the precedence and response temporal specification patterns proposed in the literature [26], including their real-time extension [27]. More specifically, a precedence property specifies that an event/state (cause) precedes another event/state (effect); dually, a response property requires that an event/state (effect) responds to the occurrence of another event/state (cause). Notice that a response property allows effects to occur without causes, whereas a precedence property allows causes to occur without subsequent effects. Furthermore, in the context of real-time systems, both a precedence and a response property can include an additional constraint on the temporal distance between a cause and an effect. When dealing with signals, the events/states used to express order relationships correspond to specific signal behaviors, which can be further expressed (and identified) using one of the property types seen above. More specifically, we define a signal event as a change in the signal value [28] occurring at a specific time instant, whereas a signal state is a signal behavior that holds over an interval delimited by two time boundaries or by the occurrence of two events.
In the following, we discuss the concepts of signal events/states in the context of the property types described in the previous sections.

Data assertions. The typical use of data assertions is to represent signal states, as in property pDAs: “The signal value shall be greater than or equal to 2”. For example, figure 8a shows a signal that satisfies this property in the interval [b, c]. Another formulation of this type of properties corresponds to signal events. As an example, let us consider property pDAe: “The signal value shall become equal to 2”. Informally, this property corresponds to a predicate that captures the event of the signal becoming equal to 2, i.e., changing from a value different from 2 to the actual value of 2. This behavior can be seen in the signal plotted in figure 8b: property pDAe holds at time instant c. Notice that signal events can be used to characterize the boundaries of a signal state: for example, the time instants delimiting the interval in which the state represented by property pDAs holds correspond to the time instants in which the event represented by property pDAe and by its negation (i.e., “signal s becoming different from 2”) occur.

Spike. When a signal satisfies a spike property following the specification template (1) on page 9, the spike behavior of the signal can be associated with three different events, corresponding to the time instants in which the peak point and the two valley points of the spike shape (see section 3.2) occur. The actual choice of the most relevant event among these three is application-specific. Furthermore, the state induced by such a property type is defined over the interval [VP_1, VP_2]; such a state lasts for a duration corresponding to the spike width w.

Oscillation.
When a signal satisfies an oscillation property following the specification template (3) in section 3.3, the oscillatory behavior of the signal can be associated with distinct events, corresponding to the time instants in which the extrema points of the oscillations occur. The choice among these events is application-specific. Moreover, the state induced by such a property type is defined over the interval bounded by the first and last observed extrema of the oscillation.

Functional relationship between signals. Similar to data assertions, a functional relationship between signals can represent either signal events (captured by a predicate “becomes”) or signal states.

Formalization. After defining the concepts of events and states associated with signal property types, we are now ready to formalize the concept of order relationship between signal behaviors. Given a signal s and an instance P of one of the signal property types described above, we define the signal event boolean projection of P on s as the predicate σ^{Be}_{s,P}(t), which evaluates to true iff the event associated with the signal behavior specified in P occurs in signal s at time instant t; similarly, we define the signal state boolean projection of P on s as the predicate σ^{Bs}_{s,P}(t), which evaluates to true iff the state associated with the signal behavior specified in P holds on signal s at time instant t. Given two signals s_1 and s_2 with domains of definition I_{s_1} = I_{s_2} = [0, r) and lengths |s_1| = |s_2| denoted with |s|, and two signal-based properties P_1 and P_2, we say that the event captured by P_2 in s_2 responds to (following the “response” pattern in [26]) the event captured by P_1 in s_1 iff the following SFO formula evaluates to true:

$$\forall t \in [0,|s|) : {\uparrow}\sigma^{Be}_{s_1,P_1}(t) \rightarrow \exists k \in (t,|s|) : {\uparrow}\sigma^{Be}_{s_2,P_2}(k) \qquad (6)$$

where ↑ denotes the rising edge operator, defined as ↑s(t) ≡ s(t) = 1 ∧ ∃c ∈ (0, t) : ∀c' ∈ (0, c) : s(t − c') = 0.
If the relevant behavior captured by a property results in a state instead of an event, the formula above becomes:

$$\forall t \in [0,|s|) : \sigma^{Bs}_{s_1,P_1}(t) \rightarrow \exists k \in (t,|s|) : \sigma^{Bs}_{s_2,P_2}(k) \qquad (7)$$

Similarly, we say that the event captured by P_1 in s_1 precedes (following the “precedence” pattern in [26]) the event captured by P_2 in s_2 iff the following formula evaluates to true:

$$\forall t \in [0,|s|) : {\uparrow}\sigma^{Be}_{s_2,P_2}(t) \rightarrow \exists k \in [0, t) : {\uparrow}\sigma^{Be}_{s_1,P_1}(k) \qquad (8)$$

For simplicity, in the following we consider data assertion properties defined on one time interval.

[Figure 9: Signals s_1 and s_2 used to evaluate property pRSH-O; the property holds.]

When the relevant behavior captured by a property results in a state instead of an event, the formula above becomes:

$$\forall t \in [0,|s|) : \sigma^{Bs}_{s_2,P_2}(t) \rightarrow \exists k \in [0, t) : \sigma^{Bs}_{s_1,P_1}(k) \qquad (9)$$

In some cases, an order relationship may prescribe a temporal distance between the cause and the effect. We assume this distance to be specified as a bound of the form ⊲⊳ n, where ⊲⊳ ∈ Rel and n ∈ R. In this case the formulae above have to be extended to take the distance into account, by conjoining the clause abs(k − t) ⊲⊳ n to the consequent. For example, formula (6) will become:

$$\forall t \in [0,|s|) : {\uparrow}\sigma^{Be}_{s_1,P_1}(t) \rightarrow \exists k \in (t,|s|) : {\uparrow}\sigma^{Be}_{s_2,P_2}(k) \wedge \mathrm{abs}(k - t) \bowtie n \qquad (10)$$

Notice that when one property induces a state and the other induces an event, the resulting formula for the corresponding order relationship is obtained by suitably combining the occurrences of the signal boolean projection functions for states and events, following one of the above templates. Order relationship properties can be defined recursively, i.e., when the cause and/or effect sub-property is also an order relationship. In these cases, we consider an event-based interpretation of the cause/effect sub-property.
As an example of order relationship property, let us consider the following response property pRSH-O: “If in signal s_1 there is a spike with a maximum width of 30 tu and a maximum amplitude of 1, then—within 10 tu—the value of signal s_2 shall become less than 0.5”. Assuming we use an event-based interpretation of both cause and effect sub-properties, we can rewrite the property as pRSH-O: “If there is an event corresponding to [signal s_1 having a spike with a maximum width of 30 tu and a maximum amplitude of 1] then—within 10 tu—there shall be an event corresponding to [signal s_2 becoming less than 0.5]”. In this instance of the response pattern, the cause is represented by the spike property “In signal s_1 there is a spike with a maximum width of 30 tu and a maximum amplitude of 1”, whereas the effect is represented by the data assertion property “Signal s_2 shall become less than 0.5”; furthermore, the temporal distance between the cause and the effect can be at most 10 tu. We refer to the cause and effect sub-properties as P_1 and P_2, respectively. The specification of property pRSH-O in SFO is the following:

$$\mathrm{pRSH\text{-}O} \equiv \forall t \in [0,|s_1|) : {\uparrow}\sigma^{Be}_{s_1,P_1}(t) \rightarrow \exists k \in (t,|s_2|) : {\uparrow}\sigma^{Be}_{s_2,P_2}(k) \wedge \mathrm{abs}(k - t) \le 10 \qquad (11)$$

where σ^{Be}_{s_1,P_1} and σ^{Be}_{s_2,P_2} are the signal event boolean projection predicates. We evaluate the property with respect to the two signals shown in figure 9, s_1 plotted with a continuous line and s_2 plotted with a dash-dotted line. In this example, we assume that the signal boolean projection predicate for spike properties (used for the evaluation of the cause sub-property) is defined such that it is true at the actual time instant at which the spike peak point occurs (i.e., 20 tu).
By looking at figure 9, we see that property pRSH-O holds on s_1 and s_2 because the event captured by the effect sub-property (the change of value of s_2 happening at time instant 27 tu) responds to the occurrence of the event associated with the cause sub-property within the prescribed time bound (since abs(27 tu − 20 tu) = 7 tu < 10 tu).

3.4.3. Transient Behaviors

We consider transient signal behaviors (i.e., behaviors of a signal when changing from the current value to its target value) as a special case of order relationship. This category includes rise time (and fall time) and overshoot (and undershoot) properties.

Rise time (Fall time). We say that a signal exhibits a rising (dually, falling) behavior when its value increases (decreases) towards a target value. Informally speaking, a property on the rise (fall) time defines a constraint on the time by which the signal reaches the target value. More specifically, it defines a constraint on the temporal distance between two events: 1) a (generic) cause event, also called trigger event, that coincides with the signal starting to manifest a transient behavior; 2) an effect event that represents the signal reaching the target value. Figure 10a depicts a signal exhibiting a rising behavior starting from time instant st. The signal rises monotonically from the value s(st) and reaches the target value s_target at time instant c; the time interval [st, c] is called rise interval. The left bound of the rise interval, also called trigger time, corresponds to the time instant at which the trigger event occurs. The right bound of the rise interval corresponds to the occurrence of the effect event, in which signal s reaches the target value. The trigger time can also be expressed in terms of an absolute time reference value; in such a case, the trigger event is the event in which a special clock signal reaches a certain value. A rise time property defines a constraint on the right bound of the rise interval.
More formally, given two signals s_tr and s with domains of definition I_{s_tr} = I_s = [0, r), let P_tr and P be two signal-based properties. Property P_tr captures the trigger event defined in terms of the behavior of s_tr; property P captures the event of s reaching the target value. A rise time property bounds the rise time of s by a threshold RT ∈ N (indicated by the end-user); such a property holds iff the following SFO formula evaluates to true:

$$\forall st \in [0,|s_{tr}|) : {\uparrow}\sigma^{Be}_{s_{tr},P_{tr}}(st) \rightarrow \exists k \in [st, st + RT] : {\uparrow}\sigma^{Be}_{s,P}(k) \qquad (12)$$

A stricter definition requiring signal s to rise (strictly) monotonically can be expressed by adding the conjunct ∀j ∈ [st, st + k) : ∀j' ∈ (j, st + k] : s(j) < s(j') to the consequent in the formula above. A fall time constraint can be expressed in a similar way, replacing the relational operators with their duals. As an example, let us consider the rise time property pRT: “If signal s_tr becomes greater than 1, then signal s shall reach the target value of 2 within at most 8 tu”. The trigger event in this property is represented by the data assertion property P_tr: “The value of signal s_tr becomes greater than 1”. The effect sub-property of this order relationship property can be specified with the data assertion property P: “The value of signal s shall become greater than 2”. The constraint on the rise time is 8 tu. Property pRT can be expressed in SFO as:

$$\mathrm{pRT} \equiv \forall st \in [0,|s_{tr}|) : {\uparrow}\sigma^{Be}_{s_{tr},P_{tr}}(st) \rightarrow \exists k \in [st, st + 8] : {\uparrow}\sigma^{Be}_{s,P}(k) \qquad (13)$$

We evaluate property pRT with respect to signal s on the two signals shown in Figure 10b: s_1 plotted with a thick line and s_2 plotted with a thin line. In the figure, an arrow at timestamp 4 tu denotes the trigger time st corresponding to the trigger event captured by property P_tr for signal s_tr, drawn with a dash-dotted line. The maximum allowed value for the right bound of the rise interval (st + RT = 4 + 8 = 12 tu) is indicated with a red, vertical dashed line.
Signal s_1 satisfies the property because it reaches the target value (2) at time instant 9 tu < st + RT. Signal s_2 violates the property because it does not reach the target value by time instant st + RT = 12 tu. The variant pRT-monot of property pRT with a monotonicity constraint can be expressed in SFO as:

$$
\begin{aligned}
\mathrm{pRT\text{-}monot} \equiv\ & \forall st \in [0,|s_{tr}|) : {\uparrow}\sigma^{Be}_{s_{tr},P_{tr}}(st) \rightarrow \\
& \exists k \in [st, st + 8] : {\uparrow}\sigma^{Be}_{s,P}(k) \wedge \forall j \in [st, st + k) : \forall j' \in (j, st + k] : s(j) < s(j')
\end{aligned}
\qquad (14)
$$

[Figure 10: (a) Main concepts related to the specification of rise time. (b) Two signals used to evaluate property pRT: signal s_1 satisfies the property, whereas s_2 violates it.]

[Figure 11: (a) Main concepts related to the specification of overshoot. (b) Two signals used to evaluate property pOSH: signal s_1 satisfies the property, whereas s_2 violates it.]

Overshoot (Undershoot). We say that a signal exhibits an overshoot (dually, undershoot) behavior when it exceeds (goes below) its target value. Informally speaking, an overshoot property specifies the maximum signal value, above the target value, that a signal can reach when overshooting within a certain time interval; an undershoot property is defined dually. Figure 11a depicts a signal exhibiting an overshoot behavior starting from time instant st. This time instant is the trigger time and can be specified in different ways, as discussed above in the context of rise time properties. The signal rises from the value s(st) and overshoots the target value s_target after time instant c, reaching the maximum magnitude s_max at time instant b. The time interval [c, c + OI] is called overshoot interval; its width OI is specified by the end-user. This signal overshoots the target value s_target by an overshoot value O = s_max − s_target.
An overshoot property defines a boundary on the overshoot value within the overshoot interval; such a boundary is expressed either with an absolute value or with a relative value with respect to the target value. Similarly to the case of rise time specification, given two signals s_tr and s, let P_tr and P be two signal-based properties. Property P_tr captures the trigger event defined in terms of the behavior of s_tr; property P captures the event of signal s reaching the target value. An overshoot property bounds the overshoot of s by a threshold OI ∈ N; such a property holds iff the following SFO formula evaluates to true:

$$
\begin{aligned}
& \forall st \in [0,|s_{tr}|) : {\uparrow}\sigma^{Be}_{s_{tr},P_{tr}}(st) \rightarrow \big(\exists k \in [st,|s|) : {\uparrow}\sigma^{Be}_{s,P}(k) \\
& \qquad \wedge\, \forall i \in [k, k + OI] : s(i) \le s_{max}\big)
\end{aligned}
\qquad (15)
$$

A monotonicity constraint can be added to the formula above in the same way as done for the case of rise time properties. An undershoot constraint can be expressed in a similar way, replacing the relational operators with their duals. As an example, let us consider property pOSH: “If signal s_tr becomes greater than 1, then signal s may overshoot the target value of 1 by at most 2 within an overshoot interval of at most 6 tu”. As we did above for the pRT property, the trigger event in pOSH is represented by the data assertion property P_tr. The remaining part of the property represents the effect sub-property.

Other definitions of overshoot also constrain the behavior of the signal after it exceeds (goes below) the target value, e.g., by requiring it to converge back to the target value.
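As an added example (not the paper's or any tool's code), the following Python checks the SFO order-relationship templates (6), (8), (10), (12) and (15) on sampled traces by implementing the rising-edge operator and the boolean projections as plain functions, and evaluates the pRSH-O, pRT and pOSH examples of sections 3.4.2 and 3.4.3. It assumes one sample per tu (so time instants are list indices), a discrete reading of ↑, and constructed traces that mimic figures 9, 10b and 11b; all signal values and function names are assumptions.

```python
"""SFO order-relationship templates (6), (8), (10), (12) and (15) on sampled signals.

Assumptions (example code, not the paper's): one sample per tu, so time
instants are list indices; a boolean projection is a function
(signal, t) -> bool; all traces below are constructed, not measured data.
"""
from typing import Callable, Optional, Sequence

Signal = Sequence[float]
Projection = Callable[[Signal, int], bool]


def rising_edge(sigma: Projection, s: Signal, t: int) -> bool:
    """Discrete rising-edge operator: sigma holds at t but not just before
    (at t = 0 there is no earlier instant, so no edge can occur)."""
    return t > 0 and sigma(s, t) and not sigma(s, t - 1)


def greater_than(threshold: float) -> Projection:
    """State projection of the data assertion 'value > threshold'."""
    return lambda s, t: s[t] > threshold


def less_than(threshold: float) -> Projection:
    """State projection of the data assertion 'value < threshold'."""
    return lambda s, t: s[t] < threshold


def reaches(target: float) -> Projection:
    """'Signal reaches the target value', read here as value >= target."""
    return lambda s, t: s[t] >= target


def spike_peak(s: Signal, t: int) -> bool:
    """Event projection of a spike property that is true only at the peak
    (the convention assumed for pRSH-O): a strict local maximum."""
    return 0 < t < len(s) - 1 and s[t - 1] < s[t] > s[t + 1]


def response_holds(s1, p1, s2, p2, distance: Optional[Callable[[int], bool]] = None) -> bool:
    """Templates (6)/(10): each rising edge of the cause at t is followed by
    a rising edge of the effect at some k in (t, |s|); when `distance` is
    given it must accept abs(k - t), i.e. the distance clause of (10)."""
    n = min(len(s1), len(s2))
    for t in range(n):
        if rising_edge(p1, s1, t) and not any(
            rising_edge(p2, s2, k) and (distance is None or distance(abs(k - t)))
            for k in range(t + 1, n)
        ):
            return False
    return True


def precedence_holds(s1, p1, s2, p2) -> bool:
    """Template (8): each rising edge of the effect (on s2) at t is preceded
    by a rising edge of the cause (on s1) at some k in [0, t)."""
    n = min(len(s1), len(s2))
    return all(any(rising_edge(p1, s1, k) for k in range(t))
               for t in range(n) if rising_edge(p2, s2, t))


def rise_time_holds(s_tr, p_tr, s, p, rt: int) -> bool:
    """Template (12): after each trigger edge at st, s reaches the target
    (rising edge of p) at some k in [st, st + RT], clipped to the trace."""
    n = min(len(s_tr), len(s))
    return all(any(rising_edge(p, s, k) for k in range(st, min(st + rt, n - 1) + 1))
               for st in range(n) if rising_edge(p_tr, s_tr, st))


def overshoot_holds(s_tr, p_tr, s, p, oi: int, s_max: float) -> bool:
    """Template (15): after each trigger edge at st, s reaches the target at
    some k >= st and stays <= s_max over the overshoot interval [k, k + OI]."""
    n = min(len(s_tr), len(s))
    return all(any(rising_edge(p, s, k)
                   and all(s[i] <= s_max for i in range(k, min(k + oi, n - 1) + 1))
                   for k in range(st, n))
               for st in range(n) if rising_edge(p_tr, s_tr, st))


# Constructed traces (1 sample per tu) mimicking figures 9, 10b and 11b.
# pRSH-O: s1 spikes with its peak at 20 tu, s2 drops below 0.5 at 27 tu.
S1_SPIKE = [1.0] * 15 + [1.2, 1.4, 1.6, 1.8, 1.9, 2.0, 1.9, 1.8, 1.6, 1.4, 1.2] + [1.0] * 15
S2_DROP = [1.0] * 27 + [0.3] * 14
# pRT: trigger 'becomes > 1' at 4 tu, target 2, RT = 8 tu (deadline 12 tu).
S_TRIGGER_4 = [0.0] * 4 + [1.5] * 11
S_RISE_OK = [0.0] * 5 + [0.5, 1.0, 1.5, 1.8, 2.1] + [2.1] * 5     # reaches 2 at 9 tu
S_RISE_SLOW = [0.0] * 5 + [0.2 * i for i in range(1, 11)]          # reaches 2 at 14 tu
# pOSH: trigger at 2 tu, target 1, OI = 6 tu, s_max = 1 + 2 = 3.
S_TRIGGER_2 = [0.0] * 2 + [1.5] * 13
S_OVER_OK = [0.0, 0.0, 0.0, 0.2, 0.4, 0.6, 0.8, 1.0, 1.5, 2.0, 2.5, 2.8, 2.5, 2.0, 1.5]
S_OVER_BAD = [0.0, 0.0, 0.0, 0.3, 0.7, 1.0, 1.8, 2.6, 3.4, 3.0, 2.4, 1.8, 1.4, 1.2, 1.0]


def evaluate_examples() -> dict:
    """Verdicts for pRSH-O, pRT and pOSH on the constructed traces."""
    trig = greater_than(1)
    return {
        "pRSH-O": response_holds(S1_SPIKE, spike_peak, S2_DROP, less_than(0.5),
                                 distance=lambda d: d <= 10),
        "pRT s1": rise_time_holds(S_TRIGGER_4, trig, S_RISE_OK, reaches(2), 8),
        "pRT s2": rise_time_holds(S_TRIGGER_4, trig, S_RISE_SLOW, reaches(2), 8),
        "pOSH s1": overshoot_holds(S_TRIGGER_2, trig, S_OVER_OK, reaches(1), 6, 3.0),
        "pOSH s2": overshoot_holds(S_TRIGGER_2, trig, S_OVER_BAD, reaches(1), 6, 3.0),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_examples().items():
        print(f"{name}: {'holds' if verdict else 'violated'}")
```

Because the projections are plain functions, the same checkers accept any cause/effect pair (state projections included, by dropping the ↑ wrapper) without changing the templates themselves.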
The corresponding SFO formula is the following:

$$
\begin{aligned}
\mathrm{pOSH} \equiv\ & \forall st \in [0,|s_{tr}|) : {\uparrow}\sigma^{Be}_{s_{tr},P_{tr}}(st) \rightarrow \big(\exists k \in [st, st + |s|) : {\uparrow}\sigma^{Be}_{s,P}(k) \\
& \qquad \wedge\, \forall i \in [k, k + 6] : s(i) \le 3\big)
\end{aligned}
\qquad (16)
$$

The variant pOSH-monot of property pOSH with a monotonicity constraint can be expressed in SFO as:

$$
\begin{aligned}
\mathrm{pOSH\text{-}monot} \equiv\ & \forall st \in [0,|s_{tr}|) : {\uparrow}\sigma^{Be}_{s_{tr},P_{tr}}(st) \rightarrow \big(\exists k \in [st, st + |s|) : {\uparrow}\sigma^{Be}_{s,P}(k) \\
& \qquad \wedge\, \forall i \in [k, k + 6] : s(i) \le 3 \wedge \forall j \in [st, st + k) : \forall j' \in (j, st + k] : s(j) < s(j')\big)
\end{aligned}
\qquad (17)
$$

We evaluate property pOSH with respect to signal s on the two signals shown in figure 11b: s_1 plotted with a thick line and s_2 plotted with a thin line. In the figure, an arrow at timestamp 2 tu denotes the trigger time st corresponding to the trigger event captured by property P_tr for signal s_tr, drawn with a dash-dotted line. After this time instant, both s_1 and s_2 rise, reaching the target value of 1 at time instants 7 tu and 5 tu, respectively. We consider a threshold expressed as a relative value with respect to the target value; i.e., s_max = s_target + 2 = 1 + 2 = 3. The maximum allowed value for the right bound of the overshoot interval for s_1 (7 tu + OI = 7 tu + 6 tu = 13 tu) is indicated with a red, vertical dashed line. Similarly, in the case of s_2, the right bound for the overshoot interval (5 tu + OI = 5 tu + 6 tu = 11 tu) is drawn with a blue, dotted vertical line. Signal s_1 satisfies the property because its overshoot value is below the threshold within the overshoot interval [7 tu, 13 tu]; signal s_2 violates the property as its overshoot value exceeds the threshold within the overshoot interval [5 tu, 11 tu].

3.4.4. Alternative formalizations

The capability of expressing functional relationship properties in STL and STL* depends on the possibility, in the chosen language, of expressing a certain property type on the target signal resulting from the transforming function.
Similarly, expressing order relationship properties in STL and STL* requires that the cause and effect sub-properties can be expressed in the chosen formalism. For example, the cause sub-property of property pRSH-O cannot be expressed in STL; however, it can be expressed in STL* as explained in section 3.2 (page 12). The same remarks made above for the general case of order relationships apply also to the case of rise time and overshoot properties. In addition, we remark that the specification of such properties containing a monotonicity constraint requires keeping track of the signal values seen throughout the rise/overshoot interval; this is not supported in STL but can be expressed in STL* using the freeze operator.

4. Expressiveness

Another challenge in using signal-based temporal properties for expressing requirements of CPSs is the expressiveness of the specification languages used for defining such properties. Starting from the seminal work on STL, there have been several proposals of languages that extend more traditional temporal logics like LTL to support the specification of signal-based behaviors. For example, in the previous section, we formally specified all property types included in our taxonomy using SFO and, when applicable, also using STL and STL*. All these languages have different levels of expressiveness when it comes to describing certain signal behaviors. In this section, we summarize and discuss the expressiveness of these state-of-the-art temporal logics with respect to the property types included in our taxonomy. We remark that we do not aim to provide a complete and formal treatment of the expressiveness of these temporal logics; our main goal is to guide engineers to choose a specification formalism based on their needs in terms of the property types to express. Table 1 provides an overview of the expressiveness of STL, STL*, and SFO with respect to the property types included in the taxonomy.
The “+” and “−” symbols denote, respectively, support (or lack of support) for a certain property type; the “±” symbol indicates that the property type can be expressed under certain assumptions. Note that in the table, we also list property subtypes based on a particular feature. For example, “SPK with amplitude” indicates a spike property type (see figure 1 for the acronyms) with a constraint on the amplitude. In addition, we list as property subtypes (e.g., “SPK pre-computed derivatives”) the three definitions to express the predicates for local extrema for spikes and oscillations (introduced in section 3.2, page 10). In the second column, we provide examples of properties corresponding to the property (sub)type indicated in the first column. At a glance, the table shows that SFO can be used to express all the property types considered in this paper. STL* can be used to express most of the property types included in our taxonomy, provided that some assumptions are made (see below). STL cannot be used to express all the property types; this is due to the lack of support for referring to signal values at an instant in which a certain property was satisfied. This limitation impacts the specification of properties that constrain signal values at different time instants, such as spike and oscillation properties. In the following, we discuss the expressiveness for the various property types in detail, mainly focusing on STL and STL*.

Data assertion. All three formalisms can express data assertion properties. This is expected since the three logics we have considered were proposed with the goal of expressing predicates on a signal value.

Spike. A formalism supports our definition of spike properties if it allows for the definition of 1) two predicates for detecting local extrema, and 2) constraints on features of the signal shape (e.g., amplitude).
STL can be used to define the predicates for detecting local extrema only through definition 3 (as indicated with the “+” mark in the table), which assumes the availability of the first and second order derivatives of a signal. Furthermore, it cannot be used to express spike properties that constrain the spike amplitude or slope, since they refer to signal values at different points in the signal timeline. For example, the only spike property among those presented in the previous section that can be expressed in STL is pSPK3, because it uses pre-computed derivative signals and does not constrain the spike amplitude. STL* can be used to define the predicates for detecting local extrema using two of the definitions we propose (definition 2 - analytical formulation, and definition 3 - pre-computed derivatives). Furthermore, it can be used to express constraints on the different features of the signal shape. However, to do so, one has to assume the knowledge of the signal shape, since it uses the two components of the width w_1 and w_2 as defined on page 9. However, making such an assumption in practice is not reasonable because typically the shape of a spike is unknown. Finally, since STL* (and STL) cannot refer to the value of the signal at arbitrary time points, properties defined using local extrema expressed according to definition 1 (punctual derivatives) cannot be specified.

Oscillation. The expressiveness results in terms of oscillation properties mirror those for spike properties, since the former property type can be seen as an extension of the latter. STL can be used to express oscillation properties when the oscillatory behavior is defined through the sequence of alternating local extrema, in which the latter are expressed using definition 3. However, as in the case of spike properties, STL cannot be used to express constraints on the oscillation amplitude.
Again, similarly to the case of spike properties, STL* supports definition 2 and definition 3 for defining local extrema and can be used to express constraints on the different features of an oscillatory behavior.

Table 1: Expressiveness of STL, STL*, and SFO with respect to the property types included in the taxonomy in Fig. 1

Property Type | Example | STL | STL* | SFO
Data assertions (DA) | pDA | + | + | +
Spikes: | | | |
SPK with amplitude | pSPK1 | − | + | +
SPK with slope | n/a | − | + | +
SPK with width | pSPK1 | − | ± | +
SPK punctual derivatives | | − | − | +
SPK analytical formulation | | − | + | +
SPK pre-computed derivatives | pSPK3 | + | + | +
Oscillations: | | | |
OSC with amplitude | pOSC | − | ± | +
OSC with period | pOSC | ± | ± | +
OSC punctual derivatives | | − | − | +
OSC analytical formulation | | − | + | +
OSC pre-computed derivatives | | + | + | +
Relationship between signals: | | | |
RSH-F | pRSH-F | ± | ± | +
RSH-O | pRSH-O | ± | ± | +
Transient Behaviors: | | | |
RT (FT) with monotonicity | pRT-monot | − | + | +
RT (FT) | pRT | + | + | +
OSH (USH) with monotonicity | pOSH-monot | − | + | +
OSH (USH) | pOSH | + | + | +

However, such formulations (including the one based on definition 3 for STL) require one to assume that 1) the oscillation is regular; 2) its period is known a priori. These assumptions are required to express distance constraints between local extrema. Once again, in practice these assumptions are not realistic because typically the shape of an oscillatory behavior is unknown.

Relationship between signals. Expressing functional relationship properties boils down to expressing a certain property type on the target signal resulting from the transforming function. The type of the property in which the target signal is used ultimately affects (e.g., in case of a spike property) the expressiveness for this type of properties. Furthermore, one has to consider whether the transformed (target) signal is available as a pre-computed signal or as a function of other signals; in the latter case, only SFO supports function symbols.
A necessary requirement to express order relationship properties is the support for temporal operators that can capture the precedence and response temporal specification patterns [26]. This is possible in STL and STL* through the “Until” operator and in SFO by means of explicit quantification on the time variable. Another requirement is that the properties corresponding to the “cause” and “effect” of an order relationship can be expressed in the chosen formalism; as shown in Table 1, only SFO fulfills such a requirement.

Transient behaviors. Transient behavior properties without monotonicity constraints can be expressed with all three formalisms, assuming the trigger property can be expressed in the chosen formalism. When a monotonicity constraint is used (as is the case in properties pRT-monot and pOSH-monot), properties cannot be expressed in STL because one cannot compare the value of the signals at two different time instants.

Monitoring algorithms and tools. When discussing the expressiveness of specification languages, it is also important to review the complexity of the corresponding verification algorithms and the availability of tools implementing them. Below we discuss the computational complexity of tools for (offline) monitoring of STL, STL*, and SFO properties; we focus on monitoring because it is one of the most used V&V techniques for CPSs [2]. The complexity of monitoring STL is O(k·n) where k is the number of sub-formulae and n is the number of intervals on which the signal is defined [4]. For STL*, the monitoring complexity is (similarly to STL) polynomial in the number of intervals on which the signal is defined and the size of the syntactic parse tree of the formula; however, it is exponential in the number of nested freeze operators in the formula [5].
The monitoring complexity of SFO is $2^{(m+n)^{O(k+l)}}$, where n is the length of the trace, m is the length of the formula, k is the number of quantifiers in the formula, and l is the number of occurrences of function symbols in the formula; for a fragment of SFO in which intervals have bounded duration, the complexity is $n \cdot 2^{(m+j)^{O(k+l)}}$, where n, m, k, l are defined as above, and j is the maximum number of linear segments in the trace during any time period as long as the sum of the absolute values of all time constants in the formula [6]. In general, one can see that the complexity of the monitoring problem becomes harder for more expressive languages like STL* and SFO. In terms of monitoring tools, STL is supported both by offline tools—such as AMT [12, 11] (a stand-alone GUI tool with qualitative semantics), Breach [29] and S-Taliro [30] (two Matlab plugins with quantitative semantics)—and by online tools, such as the rtamt library [31], which automatically generates online monitors with robustness semantics from STL specifications. For STL*, a prototype implementation in Matlab is mentioned in the original paper [5] but it has not been made available; furthermore, robustness analysis is supported by an extension of the Parasim tool [32]. No tool implementation is available for SFO at the time of writing this paper. Recently, some of the authors have developed SB-TemPsy [33], a model-driven trace checking approach for the property types included in the taxonomy proposed in this paper. SB-TemPsy includes SB-TemPsy-DSL, a domain-specific specification language for signal-based properties, as well as the corresponding monitoring algorithm and tool, called SBTemPsy-Check. The complexity of the pattern-specific trace checking algorithm implemented in SBTemPsy-Check is polynomial in the size of the trace for all property types included in this taxonomy except for data assertions, for which the complexity is linear (in the size of the trace).
In conclusion, with respect to the property types identified in our taxonomy, STL has limited expressiveness, restricting its application in practice to simple property types (e.g., data assertion); nevertheless, it has good support from a number of tools. STL* is more expressive than STL provided that some assumptions (e.g., on the signal shape) are made; however, such assumptions are impractical. In addition, STL* suffers from limited tool support. SFO is the most expressive language for the property types defined in our taxonomy; however, its application in V&V activities is still challenging given the computational complexity of the associated monitoring algorithms and the lack of tools.

5. Application to an Industrial Case Study

We applied our taxonomy of signal-based properties to classify the requirements specifications of a case study provided by our industrial partner LuxSpace Sàrl (https://luxspace.lu/), a system integrator of micro-satellites. Our goal is to show (1) the feasibility of expressing requirements specifications of a real-world CPS using the property types included in our taxonomy; (2) the completeness of our taxonomy, so that all requirements specifications of the case study can be defined using the property types included in our taxonomy. The case study deals with a satellite sub-system called Attitude Determination and Control System (ADCS), which is responsible for autonomously controlling the attitude of the satellite, i.e., its orientation with respect to some reference point. The ADCS is mainly composed of sensors (e.g., gyroscope, sun sensors), actuators (e.g., reaction wheels, magnetic torquer), and on-board software (e.g., control algorithms).
During flight, the ADCS can be in four different modes (represented with an enumeration as integer values), which https://luxspace.lu/ 26 Table 2: Distribution of property types in the case study Property Type Total (Main) Total (Sub) Data assertion 7 49 Spike 1 1 Oscillation 1 0 Functional relationship 17 0 Order relationship 15 0 ⊲ Fall Time 0 1 Table 3: Data assertion properties in the case study ID Property Untimed Data Assertions The value of signal currentADCSMode shall be equal to NMC, NMF or SM P1 The value of signal pointing error above 20 shall be equal to 0 or 1 P2 The value of signal pointing error under 15 shall be equal to 0 or 1 P3 The value of signal RWs angular velocity shall be equal to 816.814rad/s P4 Time-Constrained Data Assertions Starting from 2000 s, the value of signal pointing error shall be less than 2° P5 Between 1500 s and 2000 s, the value of signal RWs angular momentum shall be less than 0.35 N· m· s P6 At 2000s the value of signal pointing error shall be between 0° and δ° P7 determine the capabilities of the satellite: idle (IDLE), Safe Mode (SM), Normal Mode Coarse (NMC), and Normal Mode Fine (NMF); the logic controlling the switch among modes is encoded in a state machine. Overall, this sub-system has the typical characteristics of a CPS, with a deep intertwining of hardware and software. The documentation of the ADCS includes 41 specifications written in English. Two of the authors carefully analyzed these specifications, discussed and (in some cases) refined them with a domain expert, and finally classified them using one of the property types in our taxonomy; the resulting classification was then validated by the domain expert. 
Table 2 shows the number of specifications classified for each property type (column “Total (Main)”); since properties of type functional and order relationship include additional properties as sub-properties (e.g., the type of the “cause” or “effect” sub-property in an order relationship), we indicate their number separately under column “Total (Sub)”. From the table we can conclude that all requirements specifications of the case study could be classified using the property types included in our taxonomy; this is an indication of the completeness of our taxonomy. In the following we provide some insights for each property type, derived from our classification exercise. We remark that the signal names used in the specifications correspond to the signals of a FES (Functional Engineering Simulator) in Matlab; when possible, we preserved the original signal name.

Table 4: Spike and oscillation properties in the case study

ID | Property
Spike
P8 | Between 2000 s and 7400 s, in signal pointing error there shall exist a spike with a maximum width of 20 s
Oscillation
P9 | Between 2000 s and 7400 s, signal pointing error shall exhibit oscillations with a period greater than or equal to 0.01 s

Table 5: Properties of type “functional relationship” in the case study

ID | Property | Subtype
P10 | The modulus of signal sat init angular velocity degree shall be less than or equal to 3 °/s | DA
P11 | After 2000 s, the modulus of signal sat real angular velocity shall be less than or equal to 1.5 °/s | DA
P12 | The modulus of signal sat target attitude shall be equal to 1 | DA
P13 | After 2000 s, the modulus of signal sat target angular velocity shall be less than or equal to 1.5 °/s | DA
P14 | The modulus of signal sat estimated attitude shall be equal to 1 | DA
P15 | After 2000 s, the modulus of signal sat estimated angular velocity shall be less than or equal to 1.5 °/s | DA
P16 | The modulus of signal sat angular velocity measured shall be less than or equal to 1.5 °/s | DA
P17 | The modulus of signal earth mag field in body measured shall be less than or equal to 60 000 nT | DA
P18 | The modulus of signal sun direction ECI shall be equal to 1 | DA
P19 | After 2000 s, the modulus of signal sat target angular velocity safe spin mode shall be less than or equal to 1.5 °/s | DA
P20 | The modulus of signal RWs torque shall be less than or equal to 0.015 N·m | DA
P21 | The elements sum of vector sun sensor availability shall be at most 3 | DA
P22 | At 2000 s, the angular difference between signals q real and q estimate attitude shall be between 0° and δ° | DA
P23 | At 2000 s, the angular difference between signals q target attitude and q estimate shall be between 0° and δ° | DA
P24 | The difference between signal sat estimated angular velocity and signal sat real angular velocity shall be between 0 °/s and δ °/s | DA
P25 | The difference between signal sat angular velocity measured and signal sat real angular velocity shall be between 0 °/s and δ °/s | DA
P26 | The difference between signal RWs torque and the derivative of signal RWs angular momentum shall be equal to 0 N·m | DA

Table 6: Properties of type “order relationship” in the case study

ID | Property | Subtype
P27 | If the value of signal not Eclipse is equal to 0, then the value of signal sun currents shall be equal to 0 | DA-DA
P28 | If the value of signal pointing error under 15 is equal to 1, then the value of signal pointing error above 20 shall be different from 1 | DA-DA
P29 | If the value of signal pointing error above 20 is equal to 1, then the value of signal pointing error under 15 shall be different from 1 | DA-DA
P30 | If the value of signal RWs command is equal to 0, then the value of signal RWs angular velocity shall monotonically decrease to 0 rad/s within 60 s | DA-FT
P31 | If the value of signal RWs angular momentum is greater than 0.35 N·m·s, then the value of signal RWs torque shall be equal to 0 N·m | DA-DA
P32 | If the value of signal currentADCSMode is equal to NMC, then the value of signal control error shall be greater than or equal to 10° | DA-DA
P33 | If the value of signal control error is less than 10°, then the value of signal currentADCSMode shall be equal to NMF | DA-DA
P34 | If the value of signal currentADCSMode is equal to NMF, then the value of signal control error shall be less than or equal to 15° | DA-DA
P35 | If the value of signal currentADCSMode is equal to NMF, then if the value of signal RWs command becomes greater than 0, then the value of signal pointing error shall be less than 2° within 180 s | DA-DA-DA
P36 | If the value of signal currentADCSMode is equal to NMF, then if the value of signal RWs command becomes greater than 0, then the value of signal control error shall be less than 0.5° within 180 s | DA-DA-DA
P37 | If the value of signal currentADCSMode is equal to NMF, then if the value of signal Not eclipse becomes 1, then the value of signal knowledge error shall be less than 1 within at most 900 s | DA-DA-DA
P38 | If the value of signal currentADCSMode is equal to SM, then if the value of signal RWs command becomes greater than 0, then the value of signal RWs angular momentum shall be less than 0.25 N·m·s within at most 900 s | DA-DA-DA
P39 | If the value of signal currentADCSMode is equal to SM, then the difference between signal real Omega and signal target Omega shall be equal to 0 within at most 10 799 s | DA-DA
P40 | If the value of signal not Eclipse is equal to 1, then the value of signal sun angle shall be less than 45° | DA-DA
P41 | If, starting from 16 200 s, the value of signal pointing error goes below the pointing accuracy threshold of 2°, then in signal pointing error there shall exist a spike with a maximum width of 600 s in an interval of 5400 s | DA-SPK

Data assertion properties (Table 3). This is the most represented category, if one considers the sub-properties included in the properties of type functional and order relationship. The three time-constrained data assertions show different interval types used in such properties.
For example, in property P6 both boundaries of the interval are explicitly mentioned. In property P5, only the left boundary is explicitly indicated (with the expression “Starting from 2000 s”), whereas the right boundary is implicit and is assumed to be the end of the (finite) signal. Finally, in property P7 the interval is singular (i.e., the two boundaries coincide) and corresponds to a single time point (as in the expression “At 2000 s”). To express the latter using one of the logic-based formalizations illustrated above that does not allow singular intervals (e.g., STL), one has to rewrite a singular interval [a, a] as [a − ε, a + ε], for a small ε > 0. We remark that time-constrained data assertions can be used to specify system-level properties such as system stabilization. For example, property P5 was originally expressed as “The stabilization time of signal pointing error, when stabilizing below 2 degrees, shall be under 2000 s”; through the interaction with the domain expert, we further refined it into the version shown in Table 3. The refinement step was straightforward and consisted of rewriting the system-level property (i.e., stabilization) into a low-level one (of type “data assertion”) by expanding the definitions of domain concepts.

Spike and oscillation properties (Table 4). We identified one spike property (P8); furthermore, an additional spike property is included in an order relationship property (P41). Both spike properties refer to one feature (“width”). We also identified one oscillation property (P9), which refers to the “period” feature. Initially, the property was defined in the frequency domain (which we did not discuss in this paper). After discussing it with the domain expert, we converted it into a property defined in the time domain by changing the corresponding constraint.
This type of transformation is straightforward, as it only requires converting the units in the property (e.g., a 100 Hz frequency is converted into a 0.01 s period). All three properties include an observation interval. In properties P8 and P9, it is defined explicitly using absolute time boundaries (with the expression “between 2000 s and 7400 s”). In property P41, the observation interval is defined through the event representing the left boundary (denoted with “the value of signal pointing error after 16 200 s goes below the pointing accuracy threshold of 2°”) and the duration (5400 s) representing the right boundary.

Functional relationship properties (Table 5). These properties were expressed using several signal transforming functions, such as modulus (P10–P20), vector elements sum (P21), angular difference (P22–P23), scalar difference (P24–P26), and differentiation (P26). Notice that property P26 contains nested applications of signal transforming functions (i.e., the second operand of the scalar difference is the result of the application of the derivative). In all properties, the signal resulting from the application of the transforming function is used in a data assertion property (see column “Subtype” in Table 5).

Order relationship properties (Table 6). All the order relationship properties we classified were instances of the “response” pattern (see section 3.4.2); we did not encounter any instance of the “precedence” pattern. Some properties (P35–P38) contain nested properties of type “order relationship”, meaning that the effect of the response pattern is represented by another property of type “order relationship”. For example, in property P36, the top-level response property has “the value of signal currentADCSMode is equal to NMF” as cause and “if the value of signal RWs command becomes greater than 0, then the value of signal pointing error shall be less than 2°” as effect.
The latter is another response property that can be further decomposed into the cause “the value of signal RWs command becomes greater than 0” and the effect “the value of signal pointing error shall be less than 2°”. The same group of properties also includes a temporal distance constraint (expressed with “within”) as part of the nested response property. As shown in column “Subtype” of Table 6 (see Figure 1 for the acronyms used in column “Subtype” of Tables 5 and 6), all the sub-properties used as “cause” and the vast majority of the sub-properties used as “effect” were data assertions. For example, in property P27 both the cause “the value of signal not Eclipse is equal to 0” and the effect “the value of signal sun currents shall be equal to 0” are data assertions. This is reflected in the third column of Table 6, with the notation “DA-DA”. Regarding transient behaviors, we only encountered one property of type “fall time”, used as effect of the response property P30. Other types of properties (e.g., rise time, overshoot) were not present in this case study.

Summing up, through this case study we have shown the feasibility of expressing requirements specifications of a real-world CPS using the property types included in our taxonomy. In the vast majority of the cases, the mapping from a specification written in English to its corresponding property type defined in the taxonomy was straightforward. In two cases, the specifications had to be refined, either by expressing a system-level property as a low-level one (e.g., stabilization being expressed as a (time-constrained) data assertion) or by converting a property defined in the frequency domain into the corresponding one defined in the time domain (e.g., in the case of an oscillation property); both types of refinement were simple and intuitive (with the help of a domain expert).
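The time-constrained data assertions (P5–P7) and the nested response property with a “within” bound (P35) discussed above, as an added trace-checking example in Python that is not code from the paper or from SB-TemPsy: it evaluates a constructed, piecewise-constant sampled trace against those property types, treating a singular interval as the widened [a − ε, a + ε], and returns the time of the first violation. The signal names, the mode enumeration values and the trace itself are assumptions made for the example.

```python
"""Added example (not code from the paper or from SB-TemPsy): trace-checking
oracles for time-constrained data assertions (P5, P6, P7) and for nested
response properties with a "within" bound (P35). The trace is constructed."""
from typing import Callable, Optional

# A trace is a list of samples; each sample maps "t" (seconds, increasing)
# and each signal name to a value. Signals are assumed piecewise constant
# between samples. The ADCS mode enumeration values are constructed.
NMC, NMF = 2, 3
Pred = Callable[[dict], bool]


def data_assertion(trace, pred: Pred, lo=None, hi=None, eps=0.0) -> Optional[float]:
    """Time-constrained data assertion: pred must hold at every sample whose
    time lies in [lo, hi]. lo=None is the start of the trace; hi=None is the
    implicit end of the finite trace ("Starting from 2000 s", P5). A singular
    interval (lo == hi, "At 2000 s", P7) is widened to [lo-eps, hi+eps], the
    rewriting needed for logics without singular intervals. Returns the time
    of the first violating sample, or None if the assertion holds.
    Caveat: if no sample falls in the interval the assertion holds vacuously,
    so pass eps > 0 whenever the time point may lie between two samples."""
    if lo is not None and hi is not None and lo == hi:
        lo, hi = lo - eps, hi + eps
    for s in trace:
        if lo is not None and s["t"] < lo:
            continue
        if hi is not None and s["t"] > hi:
            break
        if not pred(s):
            return s["t"]
    return None


# Index-based conditions (trace, i) -> bool, so that response properties nest.
def state(pred: Pred):
    """Lift a sample predicate to an index-based condition."""
    return lambda trace, i: pred(trace[i])


def becomes(pred: Pred):
    """Event 'pred becomes true' at index i (false at i-1, true at i).
    Assumption: no event is reported at the very first sample."""
    return lambda trace, i: i > 0 and pred(trace[i]) and not pred(trace[i - 1])


def within(pred: Pred, bound: float):
    """Effect with a temporal distance constraint: some sample with time in
    [t_i, t_i + bound] satisfies pred."""
    def cond(trace, i):
        t0 = trace[i]["t"]
        return any(pred(s) for s in trace[i:] if s["t"] <= t0 + bound)
    return cond


def response(cause, effect):
    """Response pattern: wherever cause holds, effect must hold. The result is
    itself a condition, so responses can be nested as in P35-P38."""
    return lambda trace, i: (not cause(trace, i)) or effect(trace, i)


def check(trace, cond) -> Optional[float]:
    """Evaluate cond at every sample; return the time of the first violation."""
    for i in range(len(trace)):
        if not cond(trace, i):
            return trace[i]["t"]
    return None


# P35: if currentADCSMode == NMF, then if RWs command becomes > 0, then
# pointing error shall be less than 2 degrees within 180 s.
P35 = response(state(lambda s: s["currentADCSMode"] == NMF),
               response(becomes(lambda s: s["RWs_command"] > 0),
                        within(lambda s: s["pointing_error"] < 2.0, 180)))


def make_trace(settle_rate: float = 6.0):
    """Constructed ADCS-like trace sampled every 60 s (not flight data): NMC
    until 1200 s, then NMF; wheels commanded at 1500 s, after which the
    pointing error falls from 25 degrees by 1 degree every settle_rate seconds
    and settles at 0.5 degrees; wheel momentum ramps up to 0.30 N m s."""
    rows = []
    for t in range(0, 2460, 60):
        err = 25.0 if t < 1500 else max(0.5, 25.0 - (t - 1500) / settle_rate)
        mom = 0.0 if t < 1500 else min(0.30, 0.05 * (t - 1500) / 60)
        rows.append({"t": t,
                     "currentADCSMode": NMF if t >= 1200 else NMC,
                     "RWs_command": 1 if t >= 1500 else 0,
                     "pointing_error": err,
                     "RWs_angular_momentum": mom})
    return rows


if __name__ == "__main__":
    tr = make_trace()
    err_lt_2 = lambda s: s["pointing_error"] < 2.0
    print("P5 :", data_assertion(tr, err_lt_2, lo=2000))                    # None
    print("P6 :", data_assertion(tr, lambda s: s["RWs_angular_momentum"] < 0.35,
                                 lo=1500, hi=2000))                        # None
    # P7 with delta = 0.4 deg: no sample at exactly 2000 s, so the singular
    # interval passes vacuously unless it is widened (eps=30 reaches 1980 s).
    p7 = lambda s: 0.0 <= s["pointing_error"] <= 0.4
    print("P7 :", data_assertion(tr, p7, 2000, 2000),
          data_assertion(tr, p7, 2000, 2000, eps=30))                      # None 1980
    print("P35:", check(tr, P35), check(make_trace(settle_rate=12.0), P35))  # None 1500
```

The vacuous pass of P7 with eps=0 is the practical reason the singular-interval rewriting matters for sampled traces: a check that never visits a sample inside the interval reports no violation.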
Furthermore, the case study has shown the completeness of our taxonomy, since all requirements specifications of the case study could be classified using the property types included in our taxonomy. Guided by the mapping to one of the property types included in our taxonomy, and by means of the formalization presented in section 3, an engineer can obtain a formal specification of a property (e.g., in SFO), which can then be used in the context of V&V activities (e.g., as a test oracle).

Threats to validity. The results regarding the feasibility of expressing requirements specifications of a real-world CPS and the completeness of our taxonomy have been obtained through one large industrial case study, involving a domain expert; this is a threat to the generalization of the results. We tried to mitigate this threat by selecting a case study with a rich set of requirements extracted from the documentation of a complex, production-grade system. Such requirements are representative, in many ways, of those defined in the satellite and other cyber-physical domains. Nevertheless, some CPS domains (e.g., healthcare) may have specific types of requirements (e.g., supporting the frequency domain in the temporal specifications), which could lead to different results.

6. Applications

In this section, we discuss how the main contributions of the paper can support the research community and practitioners working in the CPS domain.

Application of the taxonomy. The taxonomy of signal-based temporal properties can be used by researchers to design new specification languages, whose constructs can be directly mapped to the main property types identified in the taxonomy. This type of impact has already been observed for similar contributions in the literature, such as the seminal work of Dwyer et al. [26] on temporal specification patterns, which has influenced the design of many domain-specific languages for temporal specifications (e.g., Temporal OCL [34], OCLR [35], VISPEC - graphical formalism [36], TemPsy [37], ProMoboBox - property language [38], FRETISH [39]), and the work on service provisioning patterns [40], which has led to the design of new specification languages and tools [41, 42, 43, 44, 45]. For instance, as mentioned in section 4, some of the authors have already developed SB-TemPsy-DSL [33], a domain-specific specification language for signal-based properties based on the taxonomy proposed in this paper. The property types included in our taxonomy can also be used to assess the expressiveness of existing languages, in a way similar to what we have done in section 4. By doing so, researchers can identify expressiveness gaps in existing languages, which could then be extended to support specific constructs. For instance, the motivating example for the development of STL* [5] was the impossibility of expressing oscillatory behaviors in STL. Furthermore, practitioners can use the taxonomy as a reference guide to systematically identify and characterize signal behaviors, so that the latter can be defined precisely and used correctly during the development process of CPSs (e.g., when defining system requirements or test oracles).

Application of the logic-based characterization. Researchers can leverage the logic-based characterization of the property types included in our taxonomy to define the formal semantics of the constructs of a new language inspired by the taxonomy itself. In this sense, the logic-based characterization can guide the implementation of the core, pattern-specific algorithms of a verification tool, which can be used for checking properties expressed in a language containing constructs derived from the property types included in our taxonomy.
For instance, the formal semantics of the aforementioned SB-TemPsy-DSL language and the corresponding trace checking algorithm implemented in SBTemPsy-Check [33] have been developed based on the logic-based characterization introduced in this paper.

Expressiveness results. The expressiveness results of state-of-the-art temporal logics with respect to the property types included in our taxonomy, presented in section 4, can be used by practitioners to carefully select the language to use for defining signal-based properties, based on the type of requirements they are going to define, the expressiveness of the candidate specification language(s), and the availability of suitable tools.

7. Related Work

To the best of our knowledge, this is the first paper that presents a comprehensive taxonomy of signal-based temporal properties describing signal behaviors in the CPS domain. The closest work is the taxonomy of automotive controller behaviors presented in [46], in which behaviors are captured in ST-Lib, a catalogue of formal requirements written in STL. Although the ST-Lib catalogue contains several types of signal-based temporal properties (e.g., spike, overshoot, rise time), the treatment of some property types is limited (e.g., oscillatory behaviors are only discussed for the case of short-period behaviors, i.e., ringing). Furthermore, as we have shown in section 3.2, the formalization of spike properties proposed in [46] has some limitations. A specific type of signal-based temporal property (i.e., oscillations) is discussed in [5] and used as a motivation for introducing STL*. Similarly to what we did in section 3, most of the papers dealing with the specification or verification of signal-based temporal properties also include examples of such properties written using a specific temporal logic.
We systematically reviewed the example properties used throughout all the papers dealing with specification, verification, and monitoring of CPS cited in a recent survey on these topics [2]; we excluded papers using spatio-temporal and frequency-domain properties since they are out of the scope of this work. Table 7 shows, for each of the reviewed papers, the property types (from our taxonomy) to which the examples included in the paper correspond, as well as the temporal logic used for their specification; treatment or lack thereof of a property type is denoted by a “+” or “-” symbol, respectively. One can see that data assertion and relationship between signals are the most common property types covered in the literature, whereas transient behavior properties (e.g., rise time, overshoot) are the least common; spike and oscillation properties have a similar coverage. To summarize, we propose in this paper the first comprehensive taxonomy of signal-based properties, formalized in a consistent and precise manner, which accounts for all property types reported in the literature.

8. Conclusion and Future Work

Requirements of cyber-physical systems are usually expressed using signal-based temporal properties, which characterize the expected behaviors of input and output signals processed by sensors and actuators. Expressing such requirements is challenging because of the many ways to characterize a signal behavior (e.g., using certain features). To avoid ambiguous or inconsistent specifications, we argue that engineers need precise definitions of such features and proper guidelines for selecting the features most appropriate in a certain context.
Furthermore, given the broad variation in expressiveness of the specification languages used for defining signal-based temporal properties, our experience indicates that engineers need guidance for selecting the most appropriate specification language, based on the type of requirements they are going to define and the expressiveness of each language.

Table 7: Coverage of property types (from our taxonomy, see Figure 1 for acronyms) in example specifications from the literature.

Reference | Formalism | DA | SPK | RT (FT) | OSH (USH) | OSC | RSH
[4] | STL | + | - | - | - | - | +
[10] | STL/PSL | + | - | + | - | - | +
[46] | PSTL | + | + | + | + | - | +
[5] | STL* | + | - | - | - | + | -
[47] | MTL | + | - | - | - | - | +
[48] | MTL | + | - | - | - | - | +
[49] | CTMTL | + | - | - | - | - | -
[49] | XCTL | + | - | - | - | - | +
[49] | CLTL | + | - | - | - | - | +
[50] | STL | + | + | - | - | - | +
[51] | STL | + | - | - | - | - | +
[51] | AVSTL | + | - | - | - | - | +
[52] | STL | + | - | - | - | - | +
[53] | STL | + | + | - | - | + | +
[54] | KSL | + | - | - | - | - | +
[55] | MITL | + | - | - | - | - | -
[56] | MITL | + | - | - | - | - | -
[57] | STL | + | - | - | - | + | +
[58] | STL | + | - | - | - | + | +
[59] | MTL | + | - | - | - | - | -
[60] | STL | + | - | - | - | - | +
[61] | STL | + | - | - | - | - | -
[62] | TRE | + | + | - | - | - | +
[36] | STL | + | - | - | - | - | +
[7] | STL | + | - | - | - | - | +
[63] | STL | + | - | - | - | - | +
[63] | PSTL | + | - | - | - | - | -
[64] | MTL | + | - | - | - | - | +
[65] | MTL | + | - | - | - | - | +
[66] | MTL | + | - | - | - | - | +
[67] | MITL | + | - | - | - | + | +
[67] | STL | + | - | - | - | - | +
[68] | STL | + | + | - | - | - | +
[69] | STL | + | + | - | - | - | +
[69] | PSTL | + | + | - | + | - | +
[29] | MITL | + | - | - | - | - | +
[70] | STL | + | - | - | - | + | +
[71] | PSL | + | - | - | - | - | +
[72] | MTL | + | - | - | - | - | +
[72] | MITL | + | - | - | - | - | -
[72] | MTL | + | - | - | - | - | +
[30] | MTL | + | - | - | - | - | +
[73] | TRE | + | + | - | - | - | -
[74] | PMTL | + | - | - | - | - | -
[74] | MTL | + | - | - | - | - | +
[75] | MTL | + | - | - | - | - | +
[75] | PMTL | + | - | - | - | - | +
[76] | STL | + | - | - | - | + | +
[77] | BMTL | + | - | - | - | - | +
[78] | STL | + | - | - | - | - | +
[79] | MITL | + | - | - | - | - | +
[79] | STL | + | - | - | - | - | +
[79] | STL/PSL | + | - | + | - | - | +
[79] | MTL-B | + | - | - | - | - | +
[11] | STL/PSL | + | - | - | - | - | +
[80] | CTL | + | - | - | - | - | +
[81] | LTL(R) | + | - | - | - | + | -
[81] | QFLTL(R) | + | - | - | - | + | -
[82] | MTL | + | - | - | - | - | +
[83] | STL | + | + | + | - | - | -
[83] | TRE | + | + | + | - | - | -
[84] | STL | + | - | - | - | - | -
[85] | TRE | + | - | - | - | + | +
[86] | PMTL | + | - | - | - | - | -
Total | | 64 | 10 | 5 | 2 | 10 | 48

To tackle these challenges, in this paper we have presented a taxonomy of the most common types of signal-based temporal properties, accompanied by a comprehensive and detailed description of signal-based behaviors and their precise characterization in terms of a temporal logic (SFO). Engineers can rely on such characterization to derive—from informal requirements specifications—formal specifications to be used in various V&V activities. Furthermore, we have reviewed the expressiveness of state-of-the-art signal-based temporal logics (i.e., STL, STL*, SFO) in terms of the property types identified in the taxonomy, while also taking into account the complexity of monitoring algorithms and the availability of the corresponding tools. Our analysis indicates that SFO is the most expressive language for the property types of our taxonomy; however, the application of SFO in V&V activities is still challenging given the computational complexity of the corresponding monitoring algorithm and the lack of tools. We have also applied our taxonomy to classify the requirement specifications of an industrial case study in the aerospace domain. The case study has shown the feasibility of expressing requirements specifications of a real-world CPS using the property types included in our taxonomy, and has provided evidence of the completeness of our taxonomy.

As part of future work, we plan to assess the expressiveness of other temporal logics (such as SCL - Signal Convolution Logic [87], the extension of STL proposed in [88], and the shape expressions formalism [89]) in terms of the property types identified in our taxonomy. Moreover, we plan to collect feedback from practitioners (i.e., software and system engineers) to assess the usefulness of our taxonomy and of the proposed property formalizations for the verification of CPS.
Acknowledgments

This work has received funding from the European Research Council under the European Union’s Horizon 2020 research and innovation programme (grant agreement No 694277), from the University of Luxembourg (grant “MOVIDA”), and from the NSERC Discovery and Canada Research Chair programmes. We also wish to thank Claudio Menghi and Dejan Ničković for their feedback on the paper.

References

[1] E. A. Lee, S. A. Seshia, Introduction to Embedded Systems: A Cyber-Physical Systems Approach, 2nd ed., The MIT Press, 2016.
[2] E. Bartocci, J. Deshmukh, A. Donzé, G. Fainekos, O. Maler, D. Ničković, S. Sankaranarayanan, Specification-based monitoring of cyber-physical systems: a survey on theory, tools and applications, in: Lectures on Runtime Verification, Springer, 2018, pp. 135–175.
[3] A. Adam, N. Mokhtar, M. Mubin, Z. Ibrahim, M. Z. M. Tumari, M. I. Shapiai, Feature selection and classifier parameter estimation for EEG signal peak detection using gravitational search algorithm, in: Proc. 4th International Conference on Artificial Intelligence with Applications in Engineering and Technology (AIFU2014), 2014, pp. 103–108.
[4] O. Maler, D. Nickovic, Monitoring temporal properties of continuous signals, in: Proc. FTRTFT2004, Springer, 2004, pp. 152–166.
[5] L. Brim, P. Dluhoš, D. Šafránek, T. Vejpustek, STL*: Extending signal temporal logic with signal-value freezing operator, Information and Computation 236 (2014) 52–67.
[6] A. Bakhirkin, T. Ferrère, T. A. Henzinger, D. Ničković, The first-order logic of signals: Keynote, in: Proc. International Conference on Embedded Software (EMSOFT2018), EMSOFT ’18, IEEE Press, 2018, pp. 1:1–1:10.
[7] S. Jakšić, E. Bartocci, R. Grosu, D. Ničković, Quantitative monitoring of STL with edit distance, in: Proc. International Conference on Runtime Verification (RV2016), Springer International Publishing, 2016, pp. 201–218.
[8] R. Matinnejad, S. Nejati, L. Briand, T. Bruckmann, Test generation and test prioritization for Simulink models with dynamic behavior, IEEE Transactions on Software Engineering 45 (2018) 919–944.
[9] C. A. Gonzalez Perez, M. Varmazyar, S. Nejati, L. Briand, et al., Enabling model testing of cyber-physical systems, in: Proc. 21st ACM/IEEE International Conference on Model Driven Engineering Languages and Systems (MODELS2018), 2018, pp. 176–186.
[10] O. Maler, D. Ničković, Monitoring properties of analog and mixed-signal circuits, International Journal on Software Tools for Technology Transfer 15 (2013) 247–268.
[11] D. Nickovic, O. Maler, AMT: A property-based monitoring tool for analog systems, in: Proc. International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS2007), Springer Berlin Heidelberg, 2007, pp. 304–319.
[12] D. Ničković, O. Lebeltel, O. Maler, T. Ferrère, D. Ulus, AMT 2.0: Qualitative and quantitative trace analysis with extended signal temporal logic, in: Proc. International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS2018), Springer, 2018, pp. 303–319.
[13] E. Asarin, P. Caspi, O. Maler, Timed regular expressions, Journal of the ACM 49 (2002) 172–206.
[14] L. V. Nguyen, J. Kapinski, X. Jin, J. V. Deshmukh, K. Butts, T. T. Johnson, Abnormal data classification using time-frequency temporal logic, in: Proc. 20th International Conference on Hybrid Systems: Computation and Control (HSCC2017), ACM, 2017, pp. 237–242.
[15] A. Donzé, O. Maler, E. Bartocci, D. Nickovic, R. Grosu, S. Smolka, On temporal logic and signal processing, in: Proc. International Symposium on Automated Technology for Verification and Analysis (ATVA2012), Springer, 2012, pp. 92–106.
[16] D. Ničković, Monitoring and measuring hybrid behaviors, in: Proc. International Conference on Runtime Verification (RV2015), Springer International Publishing, 2015, pp. 378–402.
[17] DSI consortium, DSI3 bus standard, 2011.
[18] S. R. Dumpala, S. N. Reddy, S. K. Sarna, An algorithm for the detection of peaks in biological signals, Computer Programs in Biomedicine 14 (1982) 249–256.
[19] N. Acır, C. Güzeliş, Automatic spike detection in EEG by a two-stage procedure based on support vector machines, Computers in Biology and Medicine 34 (2004) 561–575.
[20] N. Acır, Automated system for detection of epileptiform patterns in EEG by using a modified RBFN classifier, Expert Systems with Applications 29 (2005) 455–462.
[21] N. Acir, I. Oztura, M. Kuntalp, B. Baklan, C. Guzelis, Automatic detection of epileptiform events in EEG by a three-stage procedure based on artificial neural networks, IEEE Transactions on Biomedical Engineering 52 (2005) 30–40.
[22] H. S. Liu, T. Zhang, F. S. Yang, A multistage, multimethod approach for automatic detection and classification of epileptiform EEG, IEEE Transactions on Biomedical Engineering 49 (2002) 1557–1566.
[23] A. A. Dingle, R. D. Jones, G. J. Carroll, W. R. Fright, A multistage system to detect epileptiform activity in the EEG, IEEE Transactions on Biomedical Engineering 40 (1993) 1260–1268.
[24] T. Hägglund, A control-loop performance monitor, Control Engineering Practice 3 (1995) 1543–1551.
[25] J. Kapinski, J. Deshmukh, X. Jin, H. Ito, K. Butts, Simulation-based approaches for verification of embedded control systems: An overview of traditional and advanced modeling, testing, and verification techniques, IEEE Control Systems Magazine 36 (2016) 45–64.
[26] M. B. Dwyer, G. S. Avrunin, J. C. Corbett, Patterns in property specifications for finite-state verification, in: Proc. 21st International Conference on Software Engineering (ICSE1999), ACM, 1999, pp. 411–420.
[27] S. Konrad, B. H. C. Cheng, Real-time specification patterns, in: Proc. 27th International Conference on Software Engineering (ICSE2005), ACM, 2005, pp. 372–381.
[28] M. Chechik, D. O. Paun, Events in property patterns, in: Proc. 5th and 6th International SPIN Workshops on Theoretical and Practical Aspects of SPIN Model Checking (SPIN1999), Springer-Verlag, 1999, pp. 154–167.
[29] A. Donzé, Breach, a toolbox for verification and parameter synthesis of hybrid systems, in: Proc. International Conference on Computer Aided Verification (CAV2010), Springer, 2010, pp. 167–170.
[30] G. E. Fainekos, S. Sankaranarayanan, K. Ueda, H. Yazarel, Verification of automotive control applications using S-Taliro, in: Proc. American Control Conference (ACC2012), Citeseer, 2012, pp. 3567–3572.
[31] D. Ničković, T. Yamaguchi, RTAMT: Online robustness monitors from STL, in: Proc. International Symposium on Automated Technology for Verification and Analysis (ATVA 2020), volume 12302 of LNCS, Springer, 2020, pp. 564–571.
[32] L. Brim, T. Vejpustek, D. Šafránek, J. Fabriková, Robustness analysis for value-freezing signal temporal logic, in: Proc. Second International Workshop on Hybrid Systems and Biology (HSB2013), volume 125 of Electronic Proceedings in Theoretical Computer Science, Open Publishing Association, 2013, pp. 20–36.
[33] C. Boufaied, C. Menghi, D. Bianculli, L. Briand, Y. Isasi-Parache, Trace-checking signal-based temporal properties: A model-driven approach, in: Proc. International Conference on Automated Software Engineering (ASE2020), IEEE, 2020, pp. 1202–1213.
[34] B. Kanso, S. Taha, Temporal constraint support for OCL, in: Proc. SLE 2012, volume 7745 of LNCS, Springer, Berlin, Heidelberg, 2013, pp. 83–103.
[35] W. Dou, D. Bianculli, L. Briand, OCLR: a more expressive, pattern-based temporal extension of OCL, in: Proc. ECMFA 2014, volume 8569 of LNCS, Springer, Heidelberg, Germany, 2014, pp. 51–66.
[36] B. Hoxha, N. Mavridis, G. Fainekos, VISPEC: A graphical tool for elicitation of MTL requirements, in: Proc. IEEE/RSJ International Conference on Intelligent Robots and Systems (IROS2015), 2015, pp. 3486–3492.
[37] W. Dou, D. Bianculli, L. Briand, A model-driven approach to trace checking of pattern-based temporal properties, in: Proc. MODELS2017, IEEE Computer Society, Los Alamitos, CA, USA, 2017, pp. 323–333.
[38] B. Meyers, H. Vangheluwe, J. Denil, R. Salay, A framework for temporal verification support in domain-specific modelling, IEEE Transactions on Software Engineering 46 (2020) 362–404.
[39] D. Giannakopoulou, T. Pressburger, A. Mavridou, J. Schumann, Generation of formal requirements from structured natural language, in: Requirements Engineering: Foundation for Software Quality (REFSQ 2020), Springer International Publishing, Cham, 2020, pp. 19–35.
[40] D. Bianculli, C. Ghezzi, C. Pautasso, P. Senti, Specification patterns from research to industry: a case study in service-based applications, in: Proc. ICSE2012, IEEE, Los Alamitos, CA, USA, 2012, pp. 968–976.
[41] D. Bianculli, C. Ghezzi, P. San Pietro, The tale of SOLOIST: a specification language for service compositions interactions, in: Proc. FACS’12, volume 7684 of LNCS, Springer, Heidelberg, Germany, 2013, pp. 55–72.
[42] M. M. Bersani, D. Bianculli, C. Ghezzi, S. Krstić, P. San Pietro, SMT-based checking of SOLOIST over sparse traces, in: Proc. FASE 2014, volume 8411 of LNCS, Springer, 2014, pp. 276–290.
[43] D. Bianculli, C. Ghezzi, S. Krstić, Trace checking of metric temporal logic with aggregating modalities using MapReduce, in: Proc. SEFM 2014, volume 8702 of LNCS, Springer, 2014, pp. 144–158.
[44] D. Bianculli, C. Ghezzi, S. Krstić, P. San Pietro, Offline trace checking of quantitative properties of service-based applications, in: Proc. 7th International Conference on Service Oriented Computing and Applications (SOCA 2014), IEEE, 2014, pp. 9–16. doi:10.1109/SOCA.2014.14.
[45] C. Boufaied, D. Bianculli, L. C. Briand, A model-driven approach to trace checking of temporal properties with aggregations, Journal of Object Technology 18 (2019) 15:1–15:21. URL: https://doi.org/10.5381/jot.2019.18.2.a15. doi:10.5381/jot.2019.18.2.a15.
[46] J. Kapinski, X. Jin, J. Deshmukh, A. Donze, T. Yamaguchi, H. Ito, T. Kaga, S. Kobuna, S. Seshia, ST-Lib: A library for specifying and classifying model behaviors, Technical Report, SAE Technical Paper, 2016.
[47] Y. S. R. Annapureddy, G. E. Fainekos, Ant colonies for temporal logic falsification of hybrid systems, in: Proc. 36th Annual Conference on IEEE Industrial Electronics Society (IECON2010), 2010, pp. 91–96.
[48] H. Abbas, G. Fainekos, S. Sankaranarayanan, F. Ivančić, A. Gupta, Probabilistic temporal logic falsification of cyber-physical systems, ACM Transactions on Embedded Computing Systems (TECS) 12 (2013) 95.
[49] H. Abbas, A. Rodionova, E. Bartocci, S. A. Smolka, R. Grosu, Quantitative regular expressions for arrhythmia detection algorithms, in: Proc. International Conference on Computational Methods in Systems Biology (CMSB2017), Springer, 2017, pp. 23–39.
[50] E. Bartocci, R. Grosu, A. Karmarkar, S. A. Smolka, S. D. Stoller, E. Zadok, J. Seyster, Adaptive runtime verification, in: Proc. International Conference on Runtime Verification (RV2013), Springer Berlin Heidelberg, 2013, pp. 168–182.
[51] T. Akazaki, I. Hasuo, Time robustness in MTL and expressivity in hybrid system falsification, in: Proc. International Conference on Computer Aided Verification (CAV2015), Springer, 2015, pp. 356–374.
[52] E. Bartocci, L. Bortolussi, L. Nenzi, A temporal logic approach to modular design of synthetic biological circuits, in: Proc. International Conference on Computational Methods in Systems Biology (CMSB2013), Springer, 2013, pp. 164–177.
[53] E. Bartocci, L. Bortolussi, L. Nenzi, G. Sanguinetti, System design of stochastic models using robustness of temporal properties, Theoretical Computer Science 587 (2015) 3–25.
[54] E. Bartocci, F. Corradini, E. Merelli, L. Tesei, Model checking biological oscillators, Electronic Notes in Theoretical Computer Science 229 (2009) 41–58.
[55] L. Bortolussi, D. Milios, G.
Sanguinetti, U-check: Model checking and parameter synthesis under uncertainty, in: Proc. Quantitative Evaluation of Systems (QEST2015), Springer International Publishing, 2015, pp. 89–104. [56] S. Bufo, E. Bartocci, G. Sanguinetti, M. Borelli, U. Lucangelo, L. Bortolussi, Temporal logic based monitoring of assisted ventilation in intensive care patients, in: Proc. International Symposium On Leveraging Applications of Formal Methods, Verification and Validation (ISoLA2014), Springer Berlin Heidelberg, 2014, pp. 391–403. [57] J. V. Deshmukh, A. Donz´e, S. Ghosh, X. Jin, G. Juniwal, S. A. Seshia, Robust online monitoring of signal temporal logic, Formal Methods in System Design 51 (2017) 5–30. [58] J. V. Deshmukh, A. Donz´e, S. Ghosh, X. Jin, G. Juniwal, S. A. Seshia, Robust online monitoring of signal temporal logic, in: Proc. International Conference on Runtime Verification (RV2015), Springer International Publishing, 2015, pp. 55–70. 36 [59] A. Dokhanchi, A. Zutshi, R. T. Sriniva, S. Sankaranarayanan, G. Fainekos, Requirements driven falsification with coverage metrics, in: Proc. International Conference on Embedded Software (EMSOFT2015), 2015, pp. 31–40. [60] A. Donz´e, O. Maler, Robust satisfaction of temporal logic over real-valued signals, in: Proc. International Conference on Formal Modeling and Analysis of Timed Systems (Formats2010), Springer Berlin Heidelberg, 2010, pp. 92–106. [61] T. Dreossi, T. Dang, A. Donz´e, J. Kapinski, X. Jin, J. V. Deshmukh, Efficient guiding strategies for testing of temporal properties of hybrid systems, in: Proc. NASA Formal Methods (NFM2015), Springer International Publishing, 2015, pp. 127–142. [62] T. Ferrere, Assertions and measurements for mixed-signal simulation, Ph.D. thesis, University of Grenoble, 2016. [63] G. Juniwal, A. Donz´e, J. C. Jensen, S. A. Seshia, Cpsgrader: Synthesizing temporal logic testers for auto-grading an embedded systems laboratory, in: Proc. 
International Conference on Embedded Software (EMSOFT2014), 2014, pp. 1–10. [64] F. Cameron, G. Fainekos, D. M. Maahs, S. Sankaranarayanan, Towards a verified artificial pancreas: Challenges and solutions for runtime verification, in: Proc. International Conference on Runtime Verification (RV2015), Springer, 2015, pp. 3–17. [65] T. Nghiem, S. Sankaranarayanan, G. Fainekos, F. Ivanci´c, A. Gupta, G. J. Pappas, Monte-carlo techniques for falsification of temporal properties of non-linear hybrid systems, in: Proc. 13th ACM international conference on Hybrid systems: computation and control (HSCC2010), HSCC ’10, ACM, 2010, pp. 211–220. [66] A. Dokhanchi, B. Hoxha, G. Fainekos, On-line monitoring for temporal logic robustness, in: Proc. International Conference on Runtime Verification (RV2014), Springer, 2014, pp. 231–246. [67] A. Dokhanchi, B. Hoxha, G. Fainekos, Metric interval temporal logic specification elicitation and debugging, in: Proc. International Conference on Formal Methods and Models for Codesign (MEMOCODE2015), IEEE, 2015, pp. 70–79. [68] T. Nguyen, D. Nikovi, Assertion-based monitoring in practice checking correctness of an automotive sensor interface, Science of Computer Programming 118 (2016) 40–59. [69] X. Jin, A. Donz´e, J. V. Deshmukh, S. A. Seshia, Mining requirements from closed-loop control models, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 34 (2015) 1704–1717. [70] A. Donz´e, E. Fanchon, L. M. Gattepaille, O. Maler, P. Tracqui, Robustness analysis and behavior discrimination in enzymatic reaction networks, PloS one 6 (2011) e24246. [71] C. Eisner, D. Fisman, A practical introduction to PSL, Springer Science & Business Media, 2007. [72] G. E. Fainekos, G. J. Pappas, Robustness of temporal logic specifications, in: Formal Approaches to Software Testing and Runtime Verification, Springer, 2006, pp. 178–192. [73] T. Ferrere, O. Maler, D. Niˇckovi´c, D. Ulus, Measuring with timed patterns, in: Proc. 
International Conference on Computer Aided Verification (CAV2015), Springer, 2015, pp. 322–337. [74] B. Hoxha, H. Bach, H. Abbas, A. Dokhanchi, Y. Kobayashi, G. Fainekos, Towards formal specification visualization for testing and monitoring of cyber-physical systems, in: Proc. Int. Workshop on Design and Implementation of Formal Tools and Systems (DIFTS2014), 2014, pp. 1–9. [75] B. Hoxha, A. Dokhanchi, G. Fainekos, Mining parametric temporal logic properties in model-based design for cyber- physical systems, International Journal on Software Tools for Technology Transfer 20 (2018) 79–93. [76] S. Jakˇsi´c, E. Bartocci, R. Grosu, R. Kloibhofer, T. Nguyen, D. Niˇckovi´c, From signal temporal logic to FPGA monitors, in: Proc. Formal Methods and Models for Codesign (MEMOCODE2015), IEEE, 2015, pp. 218–227. [77] A. Kane, Runtime monitoring for safety-critical embedded systems, Ph.D. thesis, Carnegie Mellon University, 2015. [78] O. Maler, D. Nickovic, A. Pnueli, Checking temporal properties of discrete, timed and continuous behaviors, in: Pillars of computer science2008, Springer, 2008, pp. 475–505. [79] D. Nickovic, Checking timed and hybrid properties: Theory and applications, Ph.D. thesis, Universit´e Joseph-Fourier- Grenoble I, 2008. [80] M. Pajic, R. Mangharam, O. Sokolsky, D. Arney, J. Goldman, I. Lee, Model-driven safety analysis of closed-loop medical systems, IEEE Transactions on Industrial Informatics 10 (2014) 3–16. [81] A. Rizk, G. Batt, F. Fages, S. Soliman, On a continuous degree of satisfaction of temporal logic formulae with applications to systems biology, in: Proc. International Conference on Computational Methods in Systems Biology (CMSB2008), Springer, 2008, pp. 251–268. [82] S. Sankaranarayanan, G. Fainekos, Falsification of temporal properties of hybrid systems using the cross-entropy method, in: Proc. 15th ACM international conference on Hybrid Systems: Computation and Control (HSCC2012), ACM, 2012, pp. 125–134. [83] K. Selyunin, S. Jaksic, T. 
Nguyen, C. Reidl, U. Hafner, E. Bartocci, D. Nickovic, R. Grosu, Runtime monitoring with recovery of the SENT communication protocol, in: Proc. International Conference on Computer Aided Verification (CAV2017), Springer, 2017, pp. 336–355. [84] S. Stoma, A. Donz´e, F. Bertaux, O. Maler, G. Batt, STL-based analysis of trail-induced apoptosis challenges the notion of type I/type II cell line classification, PLoS computational biology 9 (2013) e1003056. [85] D. Ulus, T. Ferr`ere, E. Asarin, O. Maler, Timed pattern matching, in: Proc. International Conference on Formal Modeling and Analysis of Timed Systems (FORMATS2014), Springer International Publishing, 2014, pp. 222–236. [86] H. Yang, B. Hoxha, G. Fainekos, Querying parametric temporal logic properties on embedded systems, in: Proc. International Conference on Testing Software and Systems (IFIP2012), Springer, 2012, pp. 136–151. [87] S. Silvetti, L. Nenzi, E. Bartocci, L. Bortolussi, Signal convolution logic, in: Proc. International Symposium on Automated Technology for Verification and Analysis (ATVA2018), Springer International Publishing, 2018, pp. 267–283. [88] A. Bakhirkin, N. Basset, Specification and efficient monitoring beyond STL, in: Proc. International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS2019), Springer, 2019, pp. 79–97. [89] D. Niˇckovi´c, X. Qin, T. Ferr`ere, C. Mateis, J. Deshmukh, Shape expressions for specifying and extracting signal features, 37 in: Proc. International Conference on Runtime Verification (RV2019), Springer, 2019, pp. 292–309.
Electrical Engineering and Systems Science – arXiv (Cornell University)
Published: Oct 18, 2019