# An Algebraic Framework for Runtime Verification

Runtime verification (RV) is a pragmatic and scalable, yet rigorous, technique for assessing the correctness of complex systems, including cyber-physical systems (CPS). By measuring how robustly a CPS run satisfies a specification, RV additionally allows one to quantify the resiliency of a CPS to perturbations. In this paper we propose Algebraic Runtime Verification (ARV), a general, semantic framework for RV, which takes advantage of the monoidal structure of runs (w.r.t. concatenation) and the semiring structure of a specification automaton (w.r.t. choice and concatenation) to compute the resiliency measure in an incremental and application-specific fashion. This allows us to expose the core aspects of RV, by developing an abstract monitoring algorithm, and to strengthen and unify the various qualitative and quantitative approaches to RV, by instantiating choice and concatenation with real-valued functions as dictated by the application. We demonstrate the power and effectiveness of our framework on two case studies from the automotive domain.


## 1 Introduction

Verification of realistic cyber-physical systems is still a challenge, as CPS exhibit both discrete and continuous dynamics, software and hardware components, complex communication between sub-systems, and sophisticated interactions with the physical environment. Runtime verification provides a pragmatic, yet rigorous solution, for assessing CPS correctness at runtime.

RV for CPS [7], centered around Signal Temporal Logic (STL) [30], has recently achieved noticeable success. STL extends Metric Temporal Logic (MTL) [29] with predicates over real-valued variables. The monitoring algorithms for STL were first developed in [30, 31] and implemented in a tool [34], thus giving STL a practical purpose in the analysis of realistic CPS.

In a CPS context, RV measures the satisfaction robustness of a CPS run with respect to a specification [1, 18, 4]. Most measures were associated to STL specifications [23, 21, 20, 18, 1, 4, 19, 36, 22] and to its variants or extensions [9, 3]. The general approach was to first develop the measure, based on the STL syntax, and then use the measure for monitoring. This resulted in a plethora of measures, assessing space [23, 21], time [21], and averaging [3] robustness, respectively. A discrete-time, weighted, edit-distance measure was proposed in [28], and a space-robustness measure for Signal Regular Expressions (SRE) in [5].

The proliferation of measures reflects the various needs of different applications, and the limitations of STL-based measure definitions. We propose Algebraic Runtime Verification (ARV) as a general, semantic approach to measuring a run with respect to a specification automaton. The main idea is to use the monoidal structure of a run (with respect to concatenation) and the semiring structure of a specification (with respect to choice and concatenation) to define a measure in an incremental and application-specific way, by allowing arbitrary real-valued functions to be associated with choice and concatenation.

ARV simplifies and unifies qualitative and quantitative approaches to the RV of CPS. It exposes the core of the RV problem and its underlying structure, thus allowing us to develop an abstract monitoring algorithm that we instantiate with different specification languages, as well as qualitative and quantitative semantics. The use of automata admits semantic and precise monitoring procedures that are invariant to different syntactic representations of the same specification. In addition, it opens the door to flexible code generation, which can directly translate the abstract monitoring procedure into real-time monitors implemented in software, embedded software, or hardware.

ARV starts from a regular specification formalism that admits an effective translation into symbolic automata. It then decorates the symbolic acceptor with weights and associates a semiring to the resulting symbolic weighted automaton (SWA). The weights in the SWA measure the distance at a given point in time between the current trace observation and the constraints induced by the specification. ARV defines the monitoring procedure over the SWA as a dynamic programming algorithm that computes the shortest path induced by an input trace. By instantiating the semiring, it provides various qualitative and quantitative semantics to the monitoring procedure without changing the underlying algorithms. We study the basic properties of our generic ARV framework and evaluate it with two case studies from the automotive domain.

The rest of the paper is organized as follows. In Section 2 we discuss related work. In Section 3 we introduce the theoretical background for formalizing ARV in Section 4. Section 5 includes two case studies performed on scientific benchmarks, as well as a precision comparison between ARV and tools that implement syntactic-based robustness degree. In Section 6 we draw conclusions and discuss numerous possibilities for future work. Theorem proofs and STL and SRE semantics are given in the appendices.

## 2 Related Work

The theoretical and practical concerns regarding symbolic automata and transducers are studied in [14, 13, 41]. In our work, we use the theory developed for symbolic automata to develop our ARV framework.

An algebraic framework for the basic properties of the weighted automata is studied in [33]. The shortest-distance problem in weighted automata is investigated in [32]. It generalizes the Bellman-Ford algorithm [8] to non-idempotent semirings. We are interested in a Hausdorff measure and hence restrict our attention to additively idempotent semirings. In contrast to fixed edge weights, we use SWA with dynamic weights which depend on the current trace valuation.

Quantitative semantics for temporal logics based on the (spatial) infinite norm were studied in [37, 23, 21]. Spatial robustness monitoring is implemented in the S-TaLiRo [4] and Breach [19] tools. The spatial robustness was complemented with time robustness in [21] and with a combined time-space robustness based on -similarity in [2]. In [3], the authors extend STL with averaged temporal operators. Determining robustness of hybrid systems using self-validated arithmetics is shown in [24]. The weighted Hamming and edit distances between behaviors are proposed in [40], where the authors use them to develop procedures for reasoning about the Lipschitz-robustness of Mealy machines and string transducers. The authors of [11] propose an online monitoring procedure where semantics describe the relation between input and output streams. In [6] the authors used an algebraic approach to define the robustness for a spatio-temporal extension of STL considering only the MinMax semiring. Their approach works at the syntax level of the specification, which makes it less precise than the one proposed here. Similarly to our work, [38] explores different interpretations of temporal logic operators. In contrast to ARV, these interpretations are applied directly on the syntax and semantics of the logic, with the aim to demonstrate a relation between temporal logic operators and convolution. We also mention the work on quantitative languages [10] that is studied over infinite words and is complementary to our work.

The problem of online robustness monitoring was studied more recently in [17, 16]. The authors of [17] propose a predictor-based online monitoring approach, in contrast to our black-box view of monitoring. In [16], the authors propose an interval-based approach of online evaluation that allows estimating the minimum and the maximum robustness with respect to both the observed prefix and unobserved suffix of the trace. Instead, our robustness gives the distance of the observed prefix from the of the specification at every point in time.

## 3 Background

We first introduce the background needed to develop our algebraic runtime verification algorithm. In particular, we define semirings, metric spaces and distances, specification languages, and symbolic automata and SWA.

### 3.1 Semirings

Semirings are one of the most important algebraic structures, laying the foundation for both continuous and discrete mathematics. They help find similarities between the two domains, even in places where these are not at all obvious.

###### Definition 1 (Semiring)

A semiring is the tuple , where is a set equipped with two binary operations, addition () and multiplication (), and two identity elements, and , such that:

• is a commutative monoid with identity element ;

• is a monoid with identity element ;

• distributes over ; and

• is an annihilator element for .

We say that a semiring is commutative if the -multiplication operation is commutative. A semiring is said to be additively (multiplicatively) idempotent if for all , we have that . We say that a semiring is idempotent if it is both additively and multiplicatively idempotent. We say that a semiring is bounded if is an annihilator element for . We note that a bounded semiring is also additively idempotent [32].

###### Example 1

We depict in Table 1 several examples of semiring structures that we use in this paper. We note that the Boolean and the MinMax semirings are both commutative and idempotent. The tropical semiring is commutative and additively idempotent. All three semirings are bounded. Note that we use a non-standard definition of the Boolean and MinMax semirings, in which corresponds to and , while corresponds to and , respectively.

Additively idempotent semirings defined over sets of Booleans, naturals and reals admit a natural order between the elements in the set.

###### Definition 2 (Natural order on S)

Let be an additively idempotent semiring. We define the natural order on as the relation : If is also multiplicatively idempotent, we additionally require:

###### Lemma 1 ([32])

Let be an additively idempotent semiring. The natural order on defines a partial order.

We now define the monotonicity of semirings, an important property that will allow us to factor and thus simplify our RV operations.

###### Definition 3 (Negative and monotonic semirings)

Let be a semiring. We say that is negative if . We say that is monotonic if for all :

###### Lemma 2 ([32])

Let be an additively idempotent semiring equipped with the natural order on . Then is both negative and monotonic.

###### Lemma 3

Let be an additively idempotent, negative and monotonic semiring. Then, for all , .

### 3.2 Metric Spaces and Distances

A metric space is a set possessing a distance among its elements. The distance between two elements is a positive real value in .

###### Definition 4 (Metric space and distance)

Given a set , let be a distance. Then is a metric space with the distance measure , if:

1. for all in ;

2. if and only if ;

3. for all in ; and

4. for all in .

Since we reason about real-valued behaviors and the distances between them, we are interested in semirings defined over (subsets of) reals, see Example 1. Given and , we can lift the above definition to reason about the distance (footnote 1: since is comparing an element to a set, strictly speaking it is not a distance) between an element of and the subset of to define a Hausdorff-like measure. We use the -addition to combine individual distances between and the elements in and fix to . We also need a special value when we compare to an empty set and define .

$$d(m,M)=\begin{cases} e_{\oplus} & \text{if } M \text{ is empty}\\ \bigoplus_{m'\in M} d(m,m') & \text{otherwise}\end{cases}$$

We define the robustness degree of w.r.t. the set as follows:

$$\rho(m,M)=\begin{cases} d(m,\mathcal{M}\setminus M) & \text{if } m\in M\\ -d(m,M) & \text{otherwise}\end{cases}$$

### 3.3 Traces and Specification Languages

Let denote a set of variables defined over a domain . We denote by the valuation function that maps a variable in to a value in . We denote by a trace over and by the set of all traces over .

A specification over a set of variables , regardless of the formalism used, defines a language that partitions the set of all traces over .

###### Definition 5 (Trace-specification distance)

Let and be two valuations over , and two traces over of size and and a specification over . We then have:

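$$\begin{aligned} d(v,v') &= \bigotimes_{x\in X} d(v(x),v'(x)) \\ d(\tau,\tau') &= \begin{cases} e_{\oplus} & \text{if } m\neq n\\ \bigotimes_{1\le i\le m} d(v_i,v'_i) & \text{otherwise}\end{cases} \\ d(\tau,\varphi) &= \bigoplus_{\tau'\models\varphi} d(\tau,\tau'). \end{aligned}$$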

In this paper, we consider specification languages defined over discrete time and real-valued variables that are regular. Examples of specification languages that fall into this category are Signal Temporal Logic (STL) and Signal Regular Expressions (SRE), both interpreted over discrete time. We briefly recall the syntax of STL and SRE and refer to their semantics in Appendix 0.A.

We consider STL with both past and future operators interpreted over digital signals of finite length. We assume that is a metric space equipped with a distance . The syntax of a STL formula over is defined by the grammar (footnote 2: STL interpreted over discrete time is equivalent to LTL extended with predicates over real-valued variables):

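$$\varphi := x\sim u \mid \neg\varphi \mid \varphi_1\vee\varphi_2 \mid \varphi_1\,\mathcal{U}_I\,\varphi_2 \mid \varphi_1\,\mathcal{S}_I\,\varphi_2$$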

where , , , is of the form or such that and . The other standard (Boolean and temporal) operators are derived from the basic ones. For instance, eventually is defined as , while always corresponds to .

The syntax of a SRE formula over is defined by the grammar:

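$$\begin{aligned} b &:= x\sim u \mid \neg b \mid b_1\vee b_2 \\ \varphi &:= \epsilon \mid b \mid \varphi_1\cdot\varphi_2 \mid \varphi_1\cup\varphi_2 \mid \varphi_1\cap\varphi_2 \mid \varphi^{*} \mid \langle\varphi\rangle_I \end{aligned}$$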

where , , , is of the form or such that and . Although we interpret SRE over discrete time, we interpret its operators following the style of continuous time TRE. As a consequence, a signal segment that matches a predicate such as means that it matches it for a strictly positive duration. The time duration operator is matched by a segment if it has a duration in .

###### Example 2

Consider the requirement “There must be a point in time within the trace where (1) is smaller than or equal to , and (2) both is smaller than or equal to and is greater than or equal to for the duration of at least two time steps.” We formalize the above requirement as the STL specification and the SRE specification .

### 3.4 Symbolic and Symbolic Weighted Automata

Let be the domain of reals and the set of variables defined over . We now define predicates over variables in .

###### Definition 6 (Predicate)

We define the syntax of a predicate over with the following grammar: , where , and .

We denote by the set of all predicates over . We say that a valuation models the predicate , denoted by , iff evaluates to true under . We note that plays the role of basic propositions. In our framework, the predicates come from specifications, hence we allow predicates in arbitrary form. In order to define the subsequent RV algorithms, we need to transform arbitrary predicates into (minimal) disjunctive normal form (DNF).

###### Definition 7 (Predicate in Disjunctive Normal Form (DNF))

A predicate in disjunctive normal form is generated by the following grammar:

where , and . The predicate has the following structure:

$$\psi=\bigvee_{i=1}^{h}\psi^{c}_{i},\qquad \psi^{c}_{i}=\bigwedge_{h=1}^{m(i)}\psi^{l}_{i,h}$$

where is the number of clauses, each clause is a conjunction of literals and each literal can be either a basic proposition, its negation, true or false.

###### Definition 8 (Predicate in ∧-minimal DNF)

A predicate is expressed in a -minimal DNF if it satisfies the following properties:

$$\bigwedge_{i=1}^{h}\ \bigwedge_{s=1,\,r=1,\,s\neq r}^{m(i)}\left(\psi^{l}_{i,s}\rightarrow\psi^{l}_{i,r}\right)=\bot$$

###### Example 3

The predicate is in DNF, while the predicate is in -minimal DNF.

We lift the definition of a distance between two valuations to the distance between a valuation and a predicate by -summing the distances between the valuation and the set of valuations defined by a predicate.

###### Definition 9 (Valuation-predicate distance)

Given a valuation and a predicate , we have that: .

This completes our definitions for computing the distance between an observation and a specification at a single point in time. We now concentrate on the dynamic (temporal) aspect of the specification. We first define symbolic and symbolic weighted automata.

###### Definition 10 (Symbolic and Symbolic Weighted Automata)

A symbolic automaton (SA) is the tuple , where is a finite set of variables defined over a domain , is a finite set of locations, is the set of initial states, is the set of final states and is the transition relation. A symbolic weighted automaton is the pair , where is a symbolic automaton and is the weight function.

In the following, we assume that the weights are elements of the semiring . We use to compute the weight of a path by -multiplying the weights of the transitions taken along that path. We use to -sum the path weights induced by an input trace. We now formalize the above notions.

A path in is a finite alternating sequence of locations and transitions such that and for all , . We say that the path is accepting if . We say that a trace induces a path in if for all , , where . We denote by the set of all accepting paths in induced by trace .

###### Definition 11 (Path and trace value)

The path value of a path induced in by a trace is defined as: The trace value of a trace in is defined as:

## 4 Algebraic Monitors for Correctness and Robustness

In this section, we develop ARV, a novel procedure for abstract computation of the robustness degree of a discrete signal with respect to a specification . The proposed method consists of several steps, illustrated in Figure 1. We first translate the specification into a symbolic automaton that accepts the same language as the specification. The automaton treats timing constraints from the formula in an enumerative fashion, but keeps symbolic guards on data variables. We then decorate with weights on transitions, thus obtaining the symbolic weighted automaton . We propose an abstract algorithm for computing the distance between a trace and a specification by reducing it to the problem of finding the shortest path in induced by . Computing the robustness degree between the trace and the specification follows from combining the computed distance from the specification and its negation .

### 4.1 From Specification to Symbolic Weighted Automaton

We assume in this paper an effective translation T of a regular specification language to symbolic automata that accepts the language of . For STL and SRE defined over discrete time, such translation is a moderate adaptation of standard methods, including on-the-fly tableau construction [26] and temporal testers [35]. During the translation, we decorate the transitions in the symbolic automaton with weight functions that measure the distance between observed valuations and the predicate associated with the transition, i.e. we instantiate the weight function to , for all .

###### Example 4

We illustrate this step on specifications and from Example 2:

$$\begin{aligned} \varphi_1 &\equiv \Diamond\,\big(x\le 5 \wedge \Box_{[0,1]}(x\le 3 \wedge y>6)\big) \\ \varphi_2 &\equiv \top\cdot\big((x\le 5\cdot\top)\cap\langle x\le 3\wedge y\ge 6\rangle_{[1,1]}\big)\cdot\top \end{aligned}$$

In Figure 2 we depict the SWA that accepts the language of and . The -minimal predicates are shown in the boxes above the transitions.

### 4.2 Valuation-Predicate Distance Computation

We propose an effective procedure for computing the distance between a valuation and a predicate . The procedure is shown in Algorithm 1 and works as follows. The input to the procedure is a valuation and a predicate in DNF. The computation of the distance between and is done inductively in the structure of . In the base case when is an atomic predicate, the distance between and is if satisfies , and it is equal to otherwise. We compute logic and by interpreting them as -addition and -multiplication.

Algorithm 1 vpd

```
1: Predicate
2: if ( is UNSAT) then return
3: end if
4: if () or ( then
5:     if (then return
6:     else return
7:     end if
8: else if (then
9:     return
10: else if (then
11:     return
12: end if
```

The procedure presented in Algorithm 1 indeed computes the distance from Definition 9 for (1) idempotent semirings and (2) additively idempotent semirings with the predicate given in -minimal DNF. The transformation of arbitrary predicates to DNF is standard, while we present the -minimization of a predicate in DNF in Algorithm 2. In the following example, we give intuition why predicates must be in -minimal DNF if the semiring is only -idempotent.

###### Example 5

Consider the term from the transition in Figure 2 that defines the set of valuations , its semantically equivalent -minimal representation and the valuation . It is clear that . Let us consider the tropical semiring and the computation of vpd. We illustrate the need for the -minimal predicate in Figure 3. We have that , but . Due to the non-minimality of the term and the additive nature of , we incorrectly accumulate the distance from to the atomic predicate .

###### Theorem 4.1

Given a predicate in DNF, a valuation and the distance defined over a bounded semiring , we have that if: (1) is idempotent; or (2) is in -minimal DNF.

### 4.3 Trace Value Computation

In this section, we present a dynamic programming procedure (see Algorithm 3) for computing the value of a trace in a symbolic weighted automaton . We assume that the weights are defined over a semiring . The algorithm first assigns to every state the initial cost, depending whether is initial or not. At every step and for every state of , the procedure computes the cost of reaching with the -prefix of . The procedure uses the -multiplication to aggregate the valuation-predicate distances collected along every path induced by and thus compute the path weight and the -addition to combine the weights of all the accepting paths induced by .

Algorithm 3 val

```
1: for all  do
2:
3: end for
4: for  do
5:
6: end for
7: return
```

Algorithm 4 rob

```
1:
2:
3:
4:
5: if   then return
6: else return
7: end if
```

We now state that Algorithm 3 correctly computes the value of in , which corresponds to the distance .

###### Theorem 4.2

Given a specification , its associated SWA defined over a semiring and a trace , we have that .

We finally build the monitor that measures the robustness degree between the trace and a specification by computing the value of in and . This procedure is summarized in Algorithm 4 that trivially implements the robustness measure . We show that our abstract computation of is sound and complete.

###### Theorem 4.3 (Soundness and completeness)

Given traces and , a specification and distances , defined over a bounded semiring ,

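$$\begin{aligned} \rho(\tau,\varphi)>0 &\rightarrow \tau\models\varphi \\ \rho(\tau,\varphi)<0 &\rightarrow \tau\not\models\varphi \\ \tau\models\varphi \text{ and } d(\tau,\tau')\sqsubset d(\tau,\neg\varphi) &\rightarrow \tau'\models\varphi. \end{aligned}$$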

We first observe that if , then we do not know (only from that number) whether satisfies . We illustrate this observation with the formula and the trace of size one. It is clear that but the actual distance between the element in that is closest to and is infinitesimally close to . In order to have both directions of the implications in the soundness proof and to guarantee that the robustness degree is never equal to , we would need to introduce non-standard reals. Note that even with the current setting, we can easily say whether , even when . Second, we do not need to explicitly compute the complement automaton if is deterministic. In that case, it is sufficient to apply a slight modification of Algorithm 3 on only. The modification consists in reporting either the minimum value of an accepting or the minimum value of a non-accepting location, depending on whether the trace satisfies .

#### 4.3.1 Complexity of the translation and the algorithm

The number of locations in the symbolic automaton is exponential in the size of the formula for both STL and SRE (we recall that we use SRE with the intersection operator). The size of the predicates decorating the transitions in is also exponential in the number of propositions appearing in the formula, due to the translation of the predicate to DNF form. The algorithm applied to a trace of size , and with locations, transitions, and maximum size of the predicates, takes in the order of iterations.

### 4.4 Instantiating Monitors

In Sections 4.2 and 4.3, we presented an abstract monitoring procedure that measures a robustness degree of a trace with respect to a specification . We give concrete semantics to these monitors by instantiating the semiring and the distance function. Here we consider three instantiations of the procedure:

1. Boolean semiring with if and otherwise

2. Minmax semiring with

3. Tropical semiring with

The instantiation 1 gives the monitors classical qualitative semantics, where the distance of from is if is in the language of and otherwise. The instantiation 2 gives the computation of the robustness degree based on the infinite norm, as defined in [23]. The instantiation 3 gives the computation of the robustness degree based on the Hamming distance lifted to the sets.

###### Example 6

We illustrate our monitoring procedure instantiated to different semantics in Table 2. We choose the trace that violates the specifications and from Example 2. We instantiate Algorithm 3 to the specific semirings and apply each instantiation to the and from Figure 2. We mark in bold the accepting state and the trace value.

We note that by Theorem 4.2, our computation of robustness is precise with respect to the semantics of the specification, regardless of the instantiated semiring. This is in contrast to the syntactic approaches to robustness [23, 21] that under-approximate the robustness value. When we instantiate ARV with the MinMax semiring, we do not exhibit the imprecision shown in Examples 17 and 18 of [23]. The comparison results in Section 5.1 confirm this observation.
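The valuation-predicate distance (Algorithm 1) and the trace value computation (Algorithm 3) of Sections 4.2 to 4.4, as an added Python sketch that is not the authors' Java prototype. The semiring operations and identities, the distance functions, the three-location automaton and the traces are assumptions constructed for illustration (Table 1 and Figure 2 are not reproduced on this page); the non-minimal guard x≤5 ∧ x≤3 ∧ y≥6 shows the double counting discussed in Example 5.

```python
import math
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Semiring:
    name: str
    plus: Callable   # semiring addition: combines alternatives (clauses, paths)
    times: Callable  # semiring multiplication: aggregates a conjunction or a path
    zero: float      # identity of plus, annihilator of times
    one: float       # identity of times
    dist: Callable   # pointwise distance d(a, b) between two values


# Assumed instantiations: distance 0 means "satisfied" in all three.
BOOLEAN = Semiring("Boolean", min, max, 1, 0, lambda a, b: 0 if a == b else 1)
MINMAX = Semiring("MinMax", min, max, math.inf, 0.0, lambda a, b: abs(a - b))
TROPICAL = Semiring("Tropical", min, lambda a, b: a + b, math.inf, 0.0,
                    lambda a, b: abs(a - b))

TRUE = [[]]  # DNF with a single empty clause: its distance is always `one`


def vpd(sr, v, dnf):
    """Valuation-predicate distance for a guard in DNF.

    dnf is a list of clauses, a clause a list of (var, op, const) literals
    with op in {"<=", ">="}. Clauses are assumed satisfiable; the UNSAT
    check of Algorithm 1 (a solver call) is left out of this sketch.
    """
    total = sr.zero
    for clause in dnf:
        c = sr.one
        for var, op, k in clause:
            sat = v[var] <= k if op == "<=" else v[var] >= k
            c = sr.times(c, sr.one if sat else sr.dist(v[var], k))
        total = sr.plus(total, c)
    return total


def val(sr, swa, trace):
    """Trace value: plus-sum over accepting paths of the times-product of
    the transition weights, computed by dynamic programming over the trace."""
    locs, init, final, trans = swa
    cost = {q: (sr.one if q in init else sr.zero) for q in locs}
    for v in trace:
        nxt = {q: sr.zero for q in locs}
        for src, guard, dst in trans:
            step = sr.times(cost[src], vpd(sr, v, guard))
            nxt[dst] = sr.plus(nxt[dst], step)
        cost = nxt
    out = sr.zero
    for q in final:
        out = sr.plus(out, cost[q])
    return out


def build_swa(minimal):
    """Constructed automaton: wait in 0, then two consecutive steps with
    x<=3 and y>=6 (the first one also x<=5), then stay in accepting 2."""
    hold = [("x", "<=", 3), ("y", ">=", 6)]
    start = hold if minimal else [("x", "<=", 5)] + hold  # redundant literal
    trans = [(0, TRUE, 0), (0, [start], 1), (1, [hold], 2), (2, TRUE, 2)]
    return ({0, 1, 2}, {0}, {2}, trans)


# Constructed traces: BAD violates the requirement, GOOD satisfies it.
BAD = [{"x": 7, "y": 8}, {"x": 6, "y": 7}, {"x": 9, "y": 1}]
GOOD = [{"x": 2, "y": 7}, {"x": 1, "y": 9}]


def demo():
    """Trace value of BAD for each semiring and guard representation."""
    rows = {}
    for sr in (BOOLEAN, MINMAX, TROPICAL):
        rows[sr.name] = (val(sr, build_swa(True), BAD),
                         val(sr, build_swa(False), BAD))
    return rows


if __name__ == "__main__":
    for name, (minimal, redundant) in demo().items():
        print(f"{name:9s} minimal={minimal} non-minimal={redundant}")
```

With the idempotent Boolean and MinMax semirings the redundant literal does not change the value, while the Tropical instance accumulates it, which is the case Theorem 4.1 excludes by requiring the minimal DNF.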

## 5 Case Studies

We implemented our approach (ARV) in a prototype tool in Java. In order to determine satisfiability of SWA transition constraints, we used the Z3 solver [15]. We evaluate our framework on two case studies from the automotive domain: The Autonomous Vehicle Control Stack model [39] and the Automatic Transmission System model [27]. In the first case study we also compare the precision of ARV with relevant tools developed by the RV community.

### 5.1 Autonomous Vehicle Control Stack

The first benchmark is a model of an autonomous vehicle control stack, which is used to solve the trajectory planning problem. The stack consists of three layers, starting from the top: Behavioral Planner (BP), Trajectory Planner (TP) and Trajectory Tracker (TT). The BP provides the coarse-grain trajectory way-points for the Autonomous Vehicle (AV), and supplies them to the underlying TP which calculates fine grain trajectory points, using cubic spline trajectory generation. The lowest layer is the TT which actuates the AV based on the trajectory points in order to steer it towards the requested path.

The benchmark supports three distinct layouts: a room with obstacles, a curved road and a roundabout. The obstacles and undesired areas are determined by assigning the specific cost. The autonomous vehicles can simulate 4 scenarios: parallel driving, paths crossing without collision and collision avoidance by either the first or the second vehicle. We ran the scenario of AVs performing parallel driving on roundabout layout and we obtained the traces for the speed and acceleration . We specified two requirements, which model normal operation (w.r.t. acceleration) and traffic rules (speed limit).

In Fig 4 we demonstrate various robustness degrees for the following requirement: “The ego vehicle travels at a velocity less than or equal to the speed limit”. We formalize this requirement in STL: . In Fig 5 we monitor the following requirement “If the autonomous vehicle started to accelerate, then it will not start decelerating in the very near future”. We formalize this requirement in STL: . We select and . For the clarity of the graph, some values are (down)scaled.

#### 5.1.1 Comparison with S-TaLiRo and Breach

Both S-TaLiRo and Breach implement robustness monitoring algorithms, in which robustness is measured with infinite norm. The algorithms implemented in these tools are syntactic, i.e. they work directly (and inductively) on the structure of the formula without passing via automata. In this section, we intend to demonstrate the preciseness of our semantic automata-based approach. We note that in contrast to our setting, these two tools work with continuous time. In order to enable the comparison, we instantiate our monitors to the MinMax semiring and we simulate the Autonomous Vehicle Control Stack model with fixed sampling, thus ensuring that the discrete versus continuous discrepancy does not affect the results.

In and we test the sensitivity of the robustness degree algorithm w.r.t. the minimal set representation. The formula defines the acceptable range of values for , while is a semantically equivalent formula that represents the same set as a disjoint union . Similarly, and represent two semantically equivalent temporal formulas. Finally, both and represent formulas that are unsatisfiable. We can observe that our approach produces results that are invariant to the syntactic representation of the formula. In particular, our monitoring algorithm is able to detect unsatisfiable formulas. In contrast, neither S-TaLiRo nor Breach can detect unsatisfiable specifications. We can also observe that in some cases, these two tools are also sensitive to the syntactic representation of the specification. This is visible in the computation of the robustness for and , where S-TaLiRo computes the inconclusive result for a specification that is satisfied by the trace, while Breach correctly finds that the formula is satisfied, but assigns it a very low robustness degree.

### 5.2 Automatic Transmission System

We first consider the Automatic Transmission deterministic model [27] as our system-under-test (SUT). It is a model of a transmission controller that exhibits both continuous and discrete behavior. The system has two inputs – the throttle and the brake . The brake allows the user to model variable load on the engine. The system has two continuous-time state variables – the speed of the engine (RPM), the speed of the vehicle (mph) and the active gear .

The system is initialized with zero vehicle and engine speed. It follows that the output trajectories depend only on the input signals and , which can take any value between and at any point in time. The Simulink model contains blocks including integrators, look-up tables, two-dimensional look-up tables and a Stateflow chart with concurrently executing finite state machines with and states, respectively. The benchmark [27] defines STL formalized requirements that the system must satisfy.

We select the following requirement for our case study: “The engine and the vehicle speed never reach and ”. We use STL to formalize this requirement as follows:

We translate into a SWA and instantiate it with three semirings – Boolean, MinMax and Tropical, thus obtaining monitors for qualitative, -norm and Hamming distance based quantitative semantics. We note that the qualitative semantics yields binary verdicts. In contrast, the quantitative semantics based on the -norm is obtained by instantiating the idempotent MinMax semiring. Therefore the robustness degree based on this semantics relies on the maximum pointwise distance, without accumulating it over time. For this reason we find it useful for performing worst-case analysis. Finally, the quantitative semantics based on the Tropical semiring accumulates the pointwise distances over the entire trace due to non-idempotent (addition). Thus, the robustness degree at each time instance depends on the robustness of the entire trace prefix, ensuring that no information on robustness is lost over time. We can finally observe that all the quantitative semantics are consistent with the qualitative semantics, as stated in Theorem 4.3. This is observable in Fig. 6, before time reaches 200.
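The following sketch is an added illustration, not the paper's implementation: it runs one automaton-based monitor under the Boolean, MinMax and Tropical semirings to show how the choice of semiring changes the verdict on the same trace. The thresholds `V_MAX` and `W_MAX`, the reading of the requirement as "always v < V_MAX and w < W_MAX", the one-location automaton, the `(satisfied, distance)` guard interface and the sample trace are all assumptions made for the example.

```python
import math
from collections import namedtuple

# A semiring supplies choice (plus), concatenation (times), their identities,
# and a map from a guard's (satisfied, distance) pair to a transition weight.
Semiring = namedtuple("Semiring", "plus times zero one weight")

BOOLEAN = Semiring(lambda a, b: a or b, lambda a, b: a and b,
                   False, True, lambda sat, dist: sat)
MINMAX = Semiring(min, max, math.inf, 0.0, lambda sat, dist: dist)
TROPICAL = Semiring(min, lambda a, b: a + b, math.inf, 0.0,
                    lambda sat, dist: 0.0 if sat else 1.0)  # Hamming: 0/1 per sample

V_MAX, W_MAX = 120.0, 4500.0  # constructed thresholds (mph, RPM), not from the paper

def safe_guard(sample):
    """Guard 'v < V_MAX and w < W_MAX': (satisfied?, sup-norm distance to it)."""
    v, w = sample
    return (v < V_MAX and w < W_MAX), max(v - V_MAX, w - W_MAX, 0.0)

# Assumed automaton for "always safe": one accepting location with a self-loop.
TRANSITIONS = [("q0", safe_guard, "q0")]

def monitor(sr, trace, transitions=TRANSITIONS, init="q0", accepting=("q0",)):
    """Return the semiring verdict after every prefix of the trace."""
    locations = {q for src, _, dst in transitions for q in (src, dst)}
    val = {q: sr.one if q == init else sr.zero for q in locations}
    verdicts = []
    for sample in trace:
        nxt = dict.fromkeys(locations, sr.zero)
        for src, guard, dst in transitions:
            step = sr.times(val[src], sr.weight(*guard(sample)))
            nxt[dst] = sr.plus(nxt[dst], step)  # choice among incoming runs
        val = nxt
        verdict = sr.zero
        for q in accepting:
            verdict = sr.plus(verdict, val[q])
        verdicts.append(verdict)
    return verdicts

# Constructed trace of (vehicle speed, engine speed) samples.
TRACE = [(50, 2000), (110, 4400), (125, 4600), (130, 4450), (100, 4000)]

if __name__ == "__main__":
    for name, sr in (("Boolean", BOOLEAN), ("MinMax", MINMAX), ("Tropical", TROPICAL)):
        print(name, monitor(sr, TRACE))
```

The MinMax verdict stays at the peak excess once a violation occurs, while the Tropical verdict keeps growing with every violating sample; both are zero exactly on the prefixes where the Boolean verdict is true.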

## 6 Conclusions and Future Work

We presented ARV, our generic algebraic approach to monitoring correctness and robustness of CPS applications. We demonstrated the flexibility of ARV with respect to specification languages and semantics. We showed that ARV, which relies on the use of automata, enables a precise robustness measurement of a trace with respect to a specification. We also believe that defining the abstract RV algorithm over the automaton structure will facilitate code generation of real-time monitors for various platforms, including software and FPGAs.

We believe that the results presented in this paper may open many new research and development avenues. In this paper, we take an enumerative approach to real time. We will investigate the effect of a symbolic representation of time on our automata-based approach.

We have seen that the precision of our semantic approach comes at a price – an exponential blow-up in the number of locations and the size of the transition predicates. In this paper, we studied the worst-case complexity of our translation. However, we believe that for many applications the effective translation will yield monitors that are much smaller than the worst case. This requires a comprehensive experimental study with an optimized implementation. To achieve this goal, we will explore different optimization strategies, including the use of the algorithms implemented in the symbolic automata library such as its minimization procedure [12]. We will integrate our robustness monitoring approach into the existing falsification testing frameworks and quantify the improvements due to the preciseness of our algorithms. We will implement several code generators (interpreted Java, Simulink S-functions, embedded C, FPGA, etc.) and investigate the reuse of specifications and monitors across stages in the development cycle.

In this paper, we restricted ourselves to Hausdorff-like measures, and additive idempotent semirings. In the future, we would like to study the extension of our framework to non-idempotent -addition, and its application to RV, for instance to a probabilistic semiring. We would also like to investigate whether we can use our approach to support other types of semantics. For instance, we will study whether we can generalize ARV to enable measuring the weighted edit distance between a trace and a specification, as proposed in [28].

## References

• [1] Houssam Abbas, Bardh Hoxha, Georgios E. Fainekos, Jyotirmoy V. Deshmukh, James Kapinski, and Koichi Ueda. Conformance testing as falsification for cyber-physical systems. CoRR, abs/1401.5200, 2014.
• [2] Houssam Abbas, Hans D. Mittelmann, and Georgios E. Fainekos. Formal property verification in a conformance testing framework. In Proc. of MEMOCODE 2014: the Twelfth ACM/IEEE International Conference on Formal Methods and Models for Codesign, pages 155–164. IEEE, 2014.
• [3] Takumi Akazaki and Ichiro Hasuo. Time robustness in MTL and expressivity in hybrid system falsification. In Computer Aided Verification - 27th International Conference, CAV 2015, San Francisco, CA, USA, July 18-24, 2015, Proceedings, Part II, pages 356–374, 2015.
• [4] Yashwanth Annpureddy, Che Liu, Georgios E. Fainekos, and Sriram Sankaranarayanan. S-TaLiRo: A tool for temporal logic falsification for hybrid systems. In Proc. of TACAS 2011: the 17th International Conference on Tools and Algorithms for the Construction and Analysis of Systems, volume 6605 of LNCS, pages 254–257. Springer, 2011.
• [5] Alexey Bakhirkin, Thomas Ferrère, Oded Maler, and Dogan Ulus. On the quantitative semantics of regular expressions over real-valued signals. In Formal Modeling and Analysis of Timed Systems - 15th International Conference, FORMATS 2017, Berlin, Germany, September 5-7, 2017, Proceedings, pages 189–206, 2017.
• [6] Ezio Bartocci, Luca Bortolussi, Michele Loreti, and Laura Nenzi. Monitoring mobile and spatially distributed cyber-physical systems. In Proc. of MEMOCODE 2017: the 15th ACM-IEEE International Conference on Formal Methods and Models for System Design, pages 146–155. ACM, 2017.
• [7] Ezio Bartocci, Jyotirmoy Deshmukh, Alexandre Donzé, Georgios Fainekos, Oded Maler, Dejan Nickovic, and Sriram Sankaranarayanan. Specification-based monitoring of cyber-physical systems: A survey on theory, tools and applications. In Lectures on Runtime Verification - Introductory and Advanced Topics, volume 10457 of LNCS, pages 128–168. Springer, 2018.
• [8] Richard Bellman. On a routing problem. Quarterly of applied mathematics, 16(1):87–90, 1958.
• [9] Lubos Brim, Tomas Vejpustek, David Safránek, and Jana Fabriková. Robustness analysis for value-freezing signal temporal logic. In Proceedings Second International Workshop on Hybrid Systems and Biology, HSB 2013, Taormina, Italy, 2nd September 2013, pages 20–36, 2013.
• [10] Krishnendu Chatterjee, Laurent Doyen, and Thomas A Henzinger. Quantitative languages. In International Workshop on Computer Science Logic, pages 385–400. Springer, 2008.
• [11] Ben D’Angelo, Sriram Sankaranarayanan, César Sánchez, Will Robinson, Bernd Finkbeiner, Henny B. Sipma, Sandeep Mehrotra, and Zohar Manna. LOLA: runtime monitoring of synchronous systems. In 12th International Symposium on Temporal Representation and Reasoning (TIME 2005), 23-25 June 2005, Burlington, Vermont, USA, pages 166–174, 2005.
• [12] Loris D’Antoni and Margus Veanes. Minimization of symbolic automata. In The 41st Annual ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL ’14, San Diego, CA, USA, January 20-21, 2014, pages 541–554, 2014.
• [13] Loris D’Antoni and Margus Veanes. Extended symbolic finite automata and transducers. Formal Methods in System Design, 47(1):93–119, 2015.
• [14] Loris D’Antoni and Margus Veanes. The power of symbolic automata and transducers. In Computer Aided Verification - 29th International Conference, CAV 2017, Heidelberg, Germany, July 24-28, 2017, Proceedings, Part I, pages 47–67, 2017.
• [15] Leonardo De Moura and Nikolaj Bjørner. Z3: An efficient smt solver. Tools and Algorithms for the Construction and Analysis of Systems, pages 337–340, 2008.
• [16] Jyotirmoy V. Deshmukh, Alexandre Donzé, Shromona Ghosh, Xiaoqing Jin, Garvit Juniwal, and Sanjit A. Seshia. Robust online monitoring of signal temporal logic. Formal Methods in System Design, 51(1):5–30, 2017.
• [17] Adel Dokhanchi, Bardh Hoxha, and Georgios E. Fainekos. On-line monitoring for temporal logic robustness. In Proc. RV 2014: the 5th International Conference on Runtime Verification, volume 8734 of Lecture Notes in Computer Science, pages 231–246. Springer, 2014.
• [18] Adel Dokhanchi, Aditya Zutshi, Rahul T. Sriniva, Sriram Sankaranarayanan, and Georgios E. Fainekos. Requirements driven falsification with coverage metrics. In 2015 International Conference on Embedded Software, EMSOFT 2015, Amsterdam, Netherlands, October 4-9, 2015, pages 31–40, 2015.
• [19] Alexandre Donzé. Breach, A toolbox for verification and parameter synthesis of hybrid systems. In Computer Aided Verification, 22nd International Conference, CAV 2010, Edinburgh, UK, July 15-19, 2010. Proceedings, pages 167–170, 2010.
• [20] Alexandre Donzé, Thomas Ferrère, and Oded Maler. Efficient robust monitoring for STL. In Computer Aided Verification (CAV), pages 264–279, 2013.
• [21] Alexandre Donzé and Oded Maler. Robust satisfaction of temporal logic over real-valued signals. In Formal Modeling and Analysis of Timed Systems (FORMATS), pages 92–106, 2010.
• [22] Tommaso Dreossi, Thao Dang, Alexandre Donzé, James Kapinski, Xiaoqing Jin, and Jyotirmoy V. Deshmukh. Efficient guiding strategies for testing of temporal properties of hybrid systems. In NASA Formal Methods - 7th International Symposium, NFM 2015, Pasadena, CA, USA, April 27-29, 2015, Proceedings, pages 127–142, 2015.
• [23] Georgios E. Fainekos and George J. Pappas. Robustness of temporal logic specifications for continuous-time signals. Theor. Comput. Sci., 410(42):4262–4291, 2009.
• [24] Georgios E. Fainekos, Sriram Sankaranarayanan, Franjo Ivancic, and Aarti Gupta. Robustness of model-based simulations. In Proc. of RTSS 2009: the 30th IEEE Real-Time Systems Symposium, pages 345–354. IEEE Computer Society, 2009.
• [25] Thomas Ferrère, Oded Maler, Dejan Nickovic, and Dogan Ulus. Measuring with timed patterns. In Computer Aided Verification, 27th International Conference, CAV 2015, San Francisco, CA, USA, July 18-24, 2011, Proceedings, 2015.
• [26] Rob Gerth, Doron Peled, Moshe Y Vardi, and Pierre Wolper. Simple on-the-fly automatic verification of linear temporal logic. In Protocol Specification, Testing and Verification XV, pages 3–18. Springer, 1995.
• [27] Bardh Hoxha, Houssam Abbas, and Georgios E. Fainekos. Benchmarks for temporal logic requirements for automotive systems. In 1st and 2nd International Workshop on Applied veRification for Continuous and Hybrid Systems, ARCH@CPSWeek 2014, Berlin, Germany, April 14, 2014 / ARCH@CPSWeek 2015, Seattle, WA, USA, April 13, 2015, pages 25–30, 2014.
• [28] Stefan Jaksic, Ezio Bartocci, Radu Grosu, and Dejan Nickovic. Quantitative monitoring of STL with edit distance. In Runtime Verification - 16th International Conference, RV 2016, Madrid, Spain, September 23-30, 2016, Proceedings, pages 201–218, 2016.
• [29] Ron Koymans. Specifying real-time properties with metric temporal logic. Real-Time Systems, 2(4):255–299, 1990.
• [30] Oded Maler and Dejan Nickovic. Monitoring temporal properties of continuous signals. In Formal Techniques, Modelling and Analysis of Timed and Fault-Tolerant Systems, Joint International Conferences on Formal Modelling and Analysis of Timed Systems, FORMATS 2004 and Formal Techniques in Real-Time and Fault-Tolerant Systems, FTRTFT 2004, Grenoble, France, September 22-24, 2004, Proceedings, pages 152–166, 2004.
• [31] Oded Maler and Dejan Nickovic. Monitoring properties of analog and mixed-signal circuits. STTT, 15(3):247–268, 2013.
• [32] Mehryar Mohri. Semiring frameworks and algorithms for shortest-distance problems. Journal of Automata, Languages and Combinatorics, 7(3):321–350, 2002.
• [33] Mehryar Mohri. Edit-distance of weighted automata: General definitions and algorithms. Int. J. Found. Comput. Sci., 14(6):957–982, 2003.
• [34] Dejan Nickovic and Oded Maler. AMT: A property-based monitoring tool for analog systems. In Formal Modeling and Analysis of Timed Systems, 5th International Conference, FORMATS 2007, Salzburg, Austria, October 3-5, 2007, Proceedings, pages 304–319, 2007.
• [35] Amir Pnueli and Aleksandr Zaks. On the merits of temporal testers. In 25 Years of Model Checking - History, Achievements, Perspectives, pages 172–195, 2008.
• [36] Vasumathi Raman, Alexandre Donzé, Dorsa Sadigh, Richard M. Murray, and Sanjit A. Seshia. Reactive synthesis from signal temporal logic specifications. In Proceedings of the 18th International Conference on Hybrid Systems: Computation and Control, HSCC’15, Seattle, WA, USA, April 14-16, 2015, pages 239–248, 2015.
• [37] Aurélien Rizk, Grégory Batt, François Fages, and Sylvain Soliman. On a continuous degree of satisfaction of temporal logic formulae with applications to systems biology. In Computational Methods in Systems Biology, 6th International Conference, CMSB 2008, Rostock, Germany, October 12-15, 2008. Proceedings, pages 251–268, 2008.
• [38] Alena Rodionova, Ezio Bartocci, Dejan Nickovic, and Radu Grosu. Temporal logic as filtering. In Proceedings of the 19th International Conference on Hybrid Systems: Computation and Control, pages 11–20. ACM, 2016.
• [39] Alena Rodionova, Matthew O’Kelly, Houssam Abbas, Vincent Pacelli, and Rahul Mangharam. An autonomous vehicle control stack. In ARCH17. 4th International Workshop on Applied Verification of Continuous and Hybrid Systems, collocated with Cyber-Physical Systems Week (CPSWeek) on April 17, 2017 in Pittsburgh, PA, USA, pages 44–51, 2017.
• [40] Roopsha Samanta, Jyotirmoy V. Deshmukh, and Swarat Chaudhuri. Robustness analysis of string transducers. In Proc. of ATVA 2013: the 11th International Symposium on Automated Technology for Verification and Analysis, volume 8172 of LNCS, pages 427–441. Springer, 2013.
• [41] Margus Veanes, Pieter Hooimeijer, Benjamin Livshits, David Molnar, and Nikolaj Bjørner. Symbolic finite state transducers: algorithms and applications. In Proceedings of the 39th ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 2012, Philadelphia, Pennsylvania, USA, January 22-28, 2012, pages 137–150, 2012.

## Appendix 0.A Specification Languages

In this appendix, we recall the syntax and semantics of STL and SRE, both interpreted over discrete time.

### 0.A.1 Signal Temporal Logic

We consider STL with both past and future operators interpreted over digital signals of finite length. We assume that is a metric space equipped with a distance . The syntax of an STL formula over is defined by the grammar:

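$$\varphi := x \sim u \;\mid\; \neg\varphi \;\mid\; \varphi_1 \vee \varphi_2 \;\mid\; \varphi_1 \,\mathcal{U}_I\, \varphi_2 \;\mid\; \varphi_1 \,\mathcal{S}_I\, \varphi_2$$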

where , , , is of the form or such that and . The other standard operators are derived as follows: , , , , , , , and .

The semantics of a STL formula with respect to a signal of length is described via the satisfiability relation , indicating that the signal satisfies at the time index , according to the following definition where .

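$$
\begin{array}{lcl}
(s,i) \models x \sim u & \leftrightarrow & s(i,x) \sim u \\
(s,i) \models \neg\varphi & \leftrightarrow & (s,i) \not\models \varphi \\
(s,i) \models \varphi_1 \vee \varphi_2 & \leftrightarrow & (s,i) \models \varphi_1 \text{ or } (s,i) \models \varphi_2 \\
(s,i) \models \varphi_1 \,\mathcal{U}_I\, \varphi_2 & \leftrightarrow & \exists j \in (i+I) \cap T : (s,j) \models \varphi_2 \text{ and } \forall i
\end{array}
$$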

We note that we use the semantics for and that is strict in both arguments and that we allow punctual modalities due to the discrete time semantics. Given an STL formula , we denote by the language of , which is the set of all signals such that .

### 0.A.2 Signal Regular Expressions

Signal Regular Expressions (SRE) [5] allow pattern-matching a specification over a signal. As the authors of [25] mention, the fundamental difference between STL and SREs comes from the fact that the satisfaction of an STL formula is computed for a time point, while the match of an SRE results in a time interval. In this work we adapt the definition of SREs from [25], with the assumption that SREs are interpreted over discrete time. The syntax of an SRE formula over is defined by the grammar:

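$$
\begin{array}{lcl}
b & := & x \sim u \;\mid\; \neg b \;\mid\; b_1 \vee b_2 \\
\varphi & := & \epsilon \;\mid\; b \;\mid\; \varphi_1 \cdot \varphi_2
\end{array}
$$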