Signal Convolution Logic

We introduce a new logic called Signal Convolution Logic (SCL) that combines temporal logic with convolutional filters from digital signal processing. SCL enables reasoning about the percentage of time a formula is satisfied in a bounded interval. We demonstrate that this new logic is a suitable formalism to effectively express non-functional requirements in Cyber-Physical Systems displaying noisy and irregular behaviours. We define both a qualitative and a quantitative semantics for it, providing an efficient monitoring procedure. Finally, we show SCL at work to monitor the artificial pancreas controllers that are employed to automate the delivery of insulin for patients with type-1 diabetes.


1 Introduction

Cyber-Physical Systems (CPS) are engineering, physical and biological systems tightly integrated with networked computational embedded systems monitoring and controlling the physical substratum. The behaviour of CPS is generally modelled as a hybrid system where the flow of continuous variables (representing the state of the physical components) is interleaved with the occurrence of discrete events (representing the switching from one mode to another, where each mode may model a different continuous dynamics). The noise generated by the sensors measuring the data plays an important role in mode switching, and it can be captured using a stochastic extension of hybrid systems.

The exhaustive verification of these systems is in general undecidable. The available tools for reachability analysis are based on over-approximation of the possible trajectories, and the final reachable set of states may turn out too coarse (especially for nonlinear dynamics) to be meaningful. A more practical approach is to simulate the system and to monitor the evolution of both the continuous and the discrete state variables with respect to a formal requirement that specifies the expected temporal behaviour (see [4] for a comprehensive survey).

Temporal logics such as Metric Interval Temporal Logic (MITL) [13] and its signal variant, Signal Temporal Logic (STL) [7], are powerful formalisms suitable to specify complex temporal properties in a concise way. In particular, STL enables reasoning about real-time properties of components that exhibit both discrete and continuous dynamics. The Boolean semantics of STL decides whether a signal is correct or not w.r.t. a given specification. However, since a CPS model approximates the real system, the Boolean semantics is not always suitable to reason about its behaviour, because it is not tolerant to approximation errors or to uncertainty.

More recently, several notions of quantitative semantics (also called robustness) [7, 9, 14] have been introduced to overcome this limitation. These semantics enrich the expressiveness of Boolean semantics, passing from a Boolean concept of satisfaction (yes/no) to a (continuous) degree of satisfaction. This allows us to quantify “how much” (w.r.t. a given notion of distance) a specific trajectory of the simulated system satisfies a given requirement. A typical example is the notion of robustness introduced by Fainekos et al. in [9], where the binary satisfaction relation is replaced with a quantitative robustness degree function. The positive or negative sign of the robustness value indicates whether the formula is respectively satisfied or violated. This notion of quantitative semantics is typically exploited in the falsification analysis [8, 16, 4, 1] to systematically generate counterexamples by searching, for example, the sequence of inputs that would minimise the robustness towards the violation of the requirement. On the other hand, the maximisation of the robustness can be employed to tune the parameters of the system [3, 2, 4, 6] to obtain a better resilience. A more thorough discussion on other quantitative semantics will be provided in Section 2.

Motivating Challenges.

Although STL is a powerful specification language, it does not come without limitations. An important type of property that STL cannot express are the non-functional requirements related to the percentage of time certain events happen. The globally and eventually operators of STL can only check if a condition is true for all time instants or in at least one time instant, respectively. There are many real situations where these conditions are too strict, and where it would be interesting to describe a property that lies in the middle between eventually and always. Consider for instance a medical CPS, e.g., a device measuring the glucose level in the blood to release insulin in diabetic patients. In this scenario, we need to check if the glucose level is above (or below) a given threshold for a certain amount of time, to detect critical settings. Short periods under Hyperglycemia (high level of glucose) are not dangerous for the patient. An unhealthy scenario is when the patient remains under Hyperglycemia for more than 3 hours during the day, i.e., for of 24 hours (see Fig. 1 left). This property cannot be specified in STL. A second issue is that such measurements are often noisy, and measurement errors or short random fluctuations due to environmental factors can easily violate a property (or induce its satisfaction). One way to approach this problem is to filter the signal to reduce the impact of noise. This requires a signal pre-processing phase, which may however alter the signal, introducing spurious behaviours. Another possibility, instead, is to ask that the property is true for at least 95% of the operating time, rather than for 100% of the time; this requirement can be seen as a relaxed globally condition (see Fig. 1 right). Finally, there are situations in which the relevance of events may change if they happen at different instants in a time window.
For instance, while measuring the glucose level in blood, it is more dangerous if the glucose level is high just before a meal, that is, "the risk becomes greater as we move away from the previous meal and approach the next meal". To capture this, one could give different weights depending on whether the formula is satisfied at the end or in the middle of a time interval, i.e., considering inhomogeneous temporal satisfaction of a formula. This is also not possible in STL.

Contributions.

In this paper, we introduce a new logic based on a new temporal operator, , that we call the convolution operator, which overcomes these limitations. It depends on a non-linear kernel function , and requests that the convolution between the kernel and the signal (i.e., the satisfaction of ) is above a given threshold . This operator allows us to specify queries about the fraction of time a certain property is satisfied, possibly weighting unevenly the satisfaction in a given time interval , e.g., allowing us to distinguish traces that satisfy a property in specific parts of . We provide a Boolean semantics, and then define a quantitative semantics, proving its soundness and correctness with respect to the former. Similarly to STL, our definition of quantitative semantics permits quantifying the maximum allowed uniform translation of the signals preserving the truth value of the formula. We also show that SCL is strictly more expressive than (the fragment of STL which considers only the eventually and globally operators), and then we provide the monitoring algorithms for both semantics. Finally, we show SCL at work to monitor the behaviour of an artificial pancreas device releasing insulin in patients affected by type-I diabetes.

Paper structure.

The rest of the paper is organized as follows. In Section 2 we discuss the related work. Section 3 provides the necessary preliminaries. Section 4 presents the syntax and the semantics of SCL and discusses its expressiveness. In Section 5, we describe our monitoring algorithm, and in Section 6 we show an application of SCL for monitoring an insulin releasing device in diabetic patients. Finally, we draw final remarks in Section 7.

2 Related Work

The first quantitative semantics, introduced by Fainekos et al. [9] and then used by Donzé et al. [7] for STL, is based on the notion of spatial robustness. Their approach replaces the binary satisfaction relation with a function returning a real value representing the distance from the unsatisfiability set in terms of the uniform norm. In [7] the authors also consider the displacement of a signal in the time domain (temporal robustness). Since these semantics are tied to the uniform norm, they are very sensitive to glitches (i.e., sporadic peaks in the signals due to measurement errors).

To overcome this limitation, Rodionova et al. [14] proposed a quantitative semantics based on filtering. More specifically, they provide a quantitative semantics for the positive normal form fragment of STL which measures how much a formula is satisfied within an interval, by associating different types of kernels with it. However, restricting the quantitative semantics to the positive normal form gives up the duality property between the eventually and the globally operators, and the correctness property, which are instead both kept in our approach. Furthermore, their work is purely theoretical and there is no discussion on how to efficiently evaluate such properties.

In [1], Akazaki et al. extended the syntax of STL by introducing averaged temporal operators. Their quantitative semantics expresses the preference that a specific requirement occurs as early as possible or for as long as possible, in a given time range. Such time inhomogeneity can be evaluated only in the quantitative semantics (i.e., at the Boolean level the new operators are equal to the classic STL temporal operators). Furthermore, the new operators force a separation into two robustness measures (positive and negative), and the correctness property is lost in this case as well.

An alternative way to tackle the noise of a signal is to consider its stochasticity explicitly. Recently, there has been a great effort to define several stochastic extensions of STL, such as Stochastic Signal Temporal Logic (StSTL) [12], Probabilistic Signal Temporal Logic (PrSTL) [15] and Chance Constrained Temporal Logic (C2TL) [11]. The type of quantification is intrinsically different: while the probabilistic operators quantify over the signal values, our convolutional operator quantifies over the time in which the nested formula is satisfied. Furthermore, all these approaches rely on the use of probabilistic atomic predicates that need to be quantified over the probability distribution of a model (usually a subset of samples). As such, they need computationally expensive procedures to be analyzed. Our logic, instead, operates directly on the single trace, without the need of any probabilistic operator, in this respect being closer to digital signal processing.

3 Background

In this section, we introduce the notions needed later in the paper: signals, kernels, and convolution.

Definition 1 (Signal)

A signal is a function from an interval to a subset of . Let us denote with a generic set of signals. When , we talk of Boolean signals. In this paper, we consider piecewise constant signals, represented by a sequence of time-stamps and values. Different interpolation schemes (e.g. piecewise linear signals) can be treated similarly as well.

Definition 2 (Bounded Kernel)

Let be a closed interval. We call bounded kernel a function such that:

$$\int_T k_T(\tau)\,d\tau = 1 \quad\text{and}\quad \forall t \in T,\; k_T(t) > 0. \qquad (1)$$

Several examples of kernels are shown in Table 1. We call the time window of the bounded kernel , which will be used as a convolution operator (this operation is in fact a cross-correlation, but here we use the same convention of the deep learning community and call it convolution), defined as:

$$(k_T * f)(t) = \int_{t+T} k_T(\tau - t)\, f(\tau)\, d\tau$$

We also write in place of .

In the rest of the paper, we assume that the function is always a Boolean function: . This implies that , i.e. the convolution kernel will assume a value in . This value can be interpreted as a measure of how long the function is true in . In fact, the kernel induces a measure on the time line, giving different importance to the time instants contained in its time window . As an example, suppose we are interested in designing a system to make an output signal as true as possible in a time window (i.e., maximizing ). Using a non-constant kernel will put more effort into making true in the temporal regions of where the value of the kernel is higher. More formally, the analytical interpretation of the convolution is simply the expected value of in a specific interval w.r.t. the measure induced by the kernel. In Fig. 2 (a) we show some examples of different convolution operators on the same signal.

4 Signal Convolution Logic

In this section, we present the syntax and semantics of SCL, in particular of the new convolutional operator , discussing also its soundness and correctness, and finally comment on the expressiveness of the logic.

Syntax and Semantics.

The atomic predicates of SCL are inequalities on a set of real-valued variables, i.e. of the form , where is a continuous function, and consequently . The well-formed formulas of SCL are defined by the following grammar:

$$\varphi := \bot \mid \top \mid \mu \mid \neg\varphi \mid \varphi \vee \varphi \mid \langle k_T, p \rangle \varphi, \qquad (2)$$

where are atomic predicates as defined above, is a bounded kernel and . SCL introduces the novel convolutional operator (more precisely, a family of them) defined parametrically w.r.t. a kernel and a threshold . This operator specifies the probability of being true in , computed w.r.t. the probability measure of . The choice of different types of kernel gives rise to different kinds of operators (e.g. a constant kernel will measure the fraction of time is true in , while an exponentially decreasing kernel will concentrate the focus on the initial part of ). As usual, we interpret the SCL formulas over signals.

Before describing the semantics, we give a couple of examples of properties. Consider again the glucose scenario presented in Section 1. The properties in Fig. 1 are specified in SCL as , . We can instead use an exponentially increasing kernel to describe the more dangerous situation of high glucose close to the next meal, e.g. .

We introduce now the Boolean and quantitative semantics. As the temporal operators are time-bounded, time-bounded signals are sufficient to assess the truth of every formula. In the following, we denote with the minimal duration of a signal allowing a formula to be always evaluated. is computed as customary by structural recursion.

Definition 3 (Boolean Semantics)

Given a signal , the Boolean semantics is defined recursively by:

$$\begin{aligned}
\chi(s,t,\mu) &= 1 \iff \mu(s(t)) = \top \quad\text{where } \mu(X) \equiv [g(X) \ge 0] & (3a)\\
\chi(s,t,\neg\varphi) &= 1 \iff \chi(s,t,\varphi) = 0 & (3b)\\
\chi(s,t,\varphi_1 \vee \varphi_2) &= \max\big(\chi(s,t,\varphi_1),\, \chi(s,t,\varphi_2)\big) & (3c)\\
\chi(s,t,\langle k_T,p\rangle\varphi) &= 1 \iff k_T(t) * \chi(s,t,\varphi) \ge p & (3d)
\end{aligned}$$

Moreover, we let .

The atomic propositions are inequalities over the signal's variables. The semantics of negation and conjunction are the same as in classical temporal logics. The semantics of requires computing the convolution of with the truth value of the formula as a function of time, seen as a Boolean signal, and comparing it with the threshold .

An example of the Boolean semantics can be found in Fig. 2 (left - bottom), where four horizontal bars visually represent the validity of for 4 different kernels (one for each bar). We can see that the only kernel for which is the exponentially increasing one .

Definition 4 (Quantitative semantics)

The quantitative semantics is defined as follows:

$$\begin{aligned}
\rho(s,t,\top) &= +\infty & (4a)\\
\rho(s,t,\mu) &= g(s(t)) \quad\text{where } g \text{ is such that } \mu(X) \equiv [g(X) \ge 0] & (4b)\\
\rho(s,t,\neg\varphi) &= -\rho(\varphi,s,t) & (4c)\\
\rho(s,t,\varphi_1 \vee \varphi_2) &= \max\big(\rho(\varphi_1,s,t),\, \rho(\varphi_2,s,t)\big) & (4d)\\
\rho(s,t,\langle k_T,p\rangle\varphi) &= \max\{\, r \in \mathbb{R} \mid k_T(t) * [\rho(s,t,\varphi) > r] \ge p \,\} & (4e)
\end{aligned}$$

Moreover, we let .

where is a function of such that if , 0 otherwise. Intuitively the quantitative semantics of a formula w.r.t. a primary signal describes the maximum allowed uniform translation of the secondary signals in preserving the truth value of . Stated otherwise, a robustness of for means that all signals such that will result in the same truth value for : . Fig. 2(b) shows this geometric concept visually. Let us consider the formula , a flat kernel. A signal satisfies the formula if it is greater than zero for at most the of the time interval . The robustness value corresponds to how much we can translate s.t. the formula is still true, i.e. s.t. still satisfies . In the figure, we can see that . The formal justification of it is rooted in the correctness theorem (Theorem 4.2).

Soundness and Correctness.

We turn now to discuss soundness and correctness of the quantitative semantics with respect to the Boolean one. The proofs of the theorems can be found in the on-line version of the paper on arXiv.

Theorem 4.1 (Soundness Property)

The quantitative semantics is sound with respect to the Boolean semantics, that is:

$$\rho(s,t,\varphi) > 0 \implies (s,t) \models \varphi \quad\text{and}\quad \rho(s,t,\varphi) < 0 \implies (s,t) \not\models \varphi$$

Definition 5

Consider an SCL formula with atomic predicates , and signals . We define

$$\|s_1 - s_2\|_\varphi := \max_{i \le n}\; \max_{t \in T(\varphi)} \big| g_i(s_1(t)) - g_i(s_2(t)) \big|$$

Theorem 4.2 (Correctness Property)

The quantitative semantics satisfies the correctness property with respect to the Boolean semantics if and only if, for each formula , it holds:

$$\forall s_1, s_2 \in \mathcal{D}(T;S),\quad \|s_1 - s_2\|_\varphi < \rho(s_1,t,\varphi) \Rightarrow \chi(s_1,t,\varphi) = \chi(s_2,t,\varphi)$$

Expressiveness.

We show that SCL is more expressive than the fragment of STL composed of the logical connectives and the eventually and globally temporal operators, i.e., .

First of all, globally is easily definable in SCL. Take any kernel , and observe that , as holds only if is true in the whole interval . This holds provided that we restrict ourselves to Boolean signals of finite variation, as in [13], which change truth value a finite number of times and are never true or false in isolated points: in this way we do not have to care about what happens in sets of zero measure. With a similar restriction in mind, we can define the eventually, provided we can check that .

To see how this is possible, start from the fundamental equation . By applying 3d and 3b we easily get . For compactness we write , and thus define the eventually modality as . By definition, this is the dual operator of . Furthermore, consider the uniform kernel : a property of the form , requesting to hold at least half of the time interval , cannot be expressed in STL, showing that SCL is more expressive than STL.

Note that defining a new quantitative semantics has an intrinsic limitation. Even if the robustness can help the system design or the falsification process by guiding the underlying optimization, it cannot be used at the syntactic level. This means that we cannot write logical formulas which predicate about the property. For example, we cannot specify behaviours such as "the property has to be satisfied in at least 50% of interval I"; we can only measure the percentage of time the property has been verified. Furthermore, lifting filtering and percentages to the syntactic level has two other important advantages. First, it preserves the duality of the eventually and globally operators, meaning that we are not forced to restrict our definition to positive formulae, as in [14], or to present two separate robustness measures, as in [1]. Second, it permits introducing a quantitative semantics which quantifies the robustness with respect to the signal values instead of the percentage values, and which satisfies the correctness property.

5 Monitoring Algorithm

In this section, we present the monitoring algorithms to evaluate the convolution operators . For all the other operators we can rely on established algorithms such as [13] for Boolean monitoring and [7] for the quantitative one.

Boolean Monitoring.

We provide an efficient monitoring algorithm for the Boolean semantics of SCL formulas. Consider an SCL formula and a signal . We are interested in computing , as a function of , where is the following convolution function

$$H(t) = k_T(t) * \chi(s,t,\varphi) = \int_{t+T} k_T(\tau - t)\, \chi(s,\tau,\varphi)\, d\tau \qquad (5)$$

It follows that the efficient monitoring of the Boolean semantics of SCL is linked to the efficient evaluation of , which is possible if can be computed by reusing the previously stored value of . To see how to proceed, assume the signal to be unitary, namely that it is true in a single interval of time, say from time to time , and false elsewhere. We remark that it is always possible to decompose a signal into unitary signals, see [13].

In this case, it easily follows that the convolution with the kernel will be non-zero only if the interval intersects the convolution window . Inspecting Figure 3, we can see that sliding the convolution window forward by a small time corresponds to sliding the positive interval of the signal backwards by time units with respect to the kernel window. In case is fully contained in , by making infinitesimal and invoking the fundamental theorem of calculus, we can compute the derivative of with respect to time as . By taking care of the cases in which the overlap is only partial, we can derive a general formula for the derivative:

$$\frac{d}{dt} H(t) = k_T\big(u_0 - (t+T_0)\big)\, \mathbb{I}\{u_0 \in t+T\} - k_T\big(u_1 - (t+T_1)\big)\, \mathbb{I}\{u_1 \in t+T\}, \qquad (6)$$

where is the indicator function, i.e. if and zero otherwise. This equation can be seen as a differential equation that can be integrated with respect to time by standard ODE solvers (taking care of discontinuities, e.g. by stopping and restarting the integration at the boundary times when the signal changes truth value), returning the value of the convolution for each time . The initial value is , which has to be computed by integrating the kernel explicitly (or set to zero if ). If the signal is not unitary, we have to add a term like the right-hand side of Eq. (6) to the ODE of for each unitary component (positive interval) in the signal. We also use a root-finding algorithm integrated in the ODE solver to detect when the property becomes true or false, i.e. when crosses the threshold .

The time complexity of the algorithm for the convolution operator is proportional to the computational cost of numerically integrating the differential equation above. Using a solver with constant step size , the complexity is proportional to the number of integration steps times the number of unitary components in the input signal, i.e. . A more detailed description of the algorithm can be found in the Appendix.

Quantitative Monitoring.

In this paper, we follow a simple approach to monitor it: we run the Boolean monitor for different values of and in a grid, using a coarse grid for , and compute at each point of such a grid the value . Relying on the fact that is monotonically decreasing in , we can find the correct value of , for each fixed , by running a bisection search starting from the unique values and in the grid such that changes sign, i.e. such that . The bounds of the grid are set depending on the bounds of the signal, and may be expanded (or contracted) during the computation if needed. Note that the robustness can assume only a finite number of values, because of the finite set of values assumed by the piecewise-constant input signals. A more efficient procedure for quantitative monitoring is at the top of our list for future work; it can be obtained by exploring only a portion of such a grid, combining the method with the Boolean monitor based on ODEs, and alternating steps in which we advance time from to (fixing to its exact value at time ), by integrating the ODEs and computing , with steps in which we adjust the value of at time by locally increasing or decreasing its value (depending on whether is negative or positive), finding such that .

6 Case Study: Artificial Pancreas

In this example, we show how SCL can be useful in the specification and monitoring of Artificial Pancreas (AP) systems. The AP is a closed-loop insulin-glucose system for the treatment of Type-1 diabetes (T1D), a chronic disease caused by the inability of the pancreas to secrete insulin, a hormone essential to regulate the blood glucose level. In the AP system, a Continuous Glucose Monitor (CGM) detects the blood glucose level and a pump delivers insulin through injection, regulated by a software-based controller.

The efficient design of control systems to automate the delivery of insulin is still an open challenge for many reasons. Many activities are still under the control of the patient, e.g., increasing insulin delivery at meal times (meal bolus), and decreasing it during physical activity. A fully automatic control includes several risks for the patient. High levels of glucose (hyperglycemia) imply ketoacidosis, and low levels (hypoglycemia) can be fatal. The AP controller must tolerate many unpredictable events such as pump failures, sensor noise, meals and physical activity.

AP controller falsification via SMT solvers [18] and via STL robustness [5] has recently been proposed. In particular, [5] formulates a series of STL properties testing the insulin-glucose regulatory system. Here we show the advantages of using SCL for this task.

PID Controller.

Consider a system/process which takes as input a function and produces as output a function . A PID controller is a simple closed-loop system aimed at maintaining the output value as close as possible to a set point . It continuously monitors the error function, i.e., , and defines the input of the system according to . The proportional (), integral () and derivative () parameters uniquely define the PID controller and have to be calibrated in order to achieve a proper behaviour.

System.

PID controllers have been successfully used to control the automatic infusion of insulin in AP. In [18], for example, different PID controllers have been synthesized to control the glucose level for the well-studied Hovorka model [10]:

$$\frac{d}{dt} G(t) = F\big(G(t), u(t), \Theta\big), \qquad (7)$$

where the output represents the glucose concentration in blood and the input is the infusion rate of bolus insulin which has to be controlled. The vector are the control parameters which define the quantity of carbohydrates assumed during the three daily meals and the inter-times between each of them and . Clearly, a PID controller for Eq. (7) has to guarantee that under different values of the control parameters the glucose level remains in the safe region . In [18], four different PID controllers that satisfy the safety requirement have been discovered by leveraging an SMT solver, under the assumption that the inter-times and are both fixed to 300 minutes (5 hrs) and that , which corresponds to the average quantity of carbohydrates contained in breakfast, lunch and dinner (here is the Gaussian distribution with mean and variance ). Here, we consider the PID controller which has been synthesized by fixing the glucose set point to and maximizing the probability of remaining in the safe region, given the distribution of the control parameters explained above. We now consider some properties which can be useful to check expected or anomalous behaviours of an AP controller.

Hypoglycemia and Hyperglycemia.

Consider the following informal specifications: never during the day does the level of glucose go under , and never during the day does the level of glucose go above , which technically means that the patient is never under Hypoglycemia or Hyperglycemia, respectively. These behaviours can be formalized with the two STL formulas and . The problem with STL is that it does not distinguish whether these two conditions are violated for a second, a few minutes or even hours. It only says that those events happen. Here we propose stricter requirements described by the two following SCL formulas: for the Hypoglycemia regime, and for the Hyperglycemia regime. We are not imposing that globally in a day the hypoglycemia and the hyperglycemia events never occur, but that these conditions persist for at least 95% of the day (i.e., 110 minutes). We will show below, in a small test case, how this requirement can be useful.

Prolonged Conditions.

As already mentioned in the motivating example, the most dangerous conditions arise when Hypoglycemia or Hyperglycemia last for a prolonged period of the day. In this context a typical condition is Prolonged Hyperglycemia, which happens if the total time under hyperglycemia (i.e., ) exceeds 70% of the day, or Prolonged Severe Hyperglycemia, when the level of glucose is above for at least 3 hrs in a day. The importance of these two conditions has been explained in [17]; however, the authors could not formalize them in STL. On the contrary, SCL is perfectly suited to describe these conditions, as shown by the following two formulas: and . Here we use flat kernels, meaning that the period of the day in which the patient is under Hyperglycemia or Severe Hyperglycemia does not matter for the evaluation of the Boolean semantics. Clearly, a hyperglycemia regime at different times of the day can count differently. In order to capture this "preference" we can use non-constant kernels.
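The Boolean and quantitative monitoring of Section 5 applied to the Prolonged Hyperglycemia property above, as an added example that is not the paper's implementation. It evaluates ⟨k_T, p⟩(g ≥ 0) on a piecewise-constant signal by integrating the kernel exactly over each positive interval's overlap with the window (the same unitary-signal decomposition, without the ODE of Eq. (6)), and computes the robustness of Eq. (4e) by scanning the finitely many candidate values of r instead of the grid-plus-bisection search; the daily glucose trace, the 180 mg/dL hyperglycemia threshold and the kernel rates are constructed for the example and are not taken from the paper.

```python
"""Monitor for the SCL convolution operator <k_T, p> mu over piecewise-constant
signals.  Added example, not the paper's implementation: the kernel is integrated
exactly over each positive interval of the Boolean signal (the 'unitary signals'
of Section 5) instead of via the ODE of Eq. (6)."""
import math
from typing import Callable, List, Tuple

Step = Tuple[float, float]       # (start time, constant value until the next step)
Interval = Tuple[float, float]   # [u0, u1): the Boolean signal is true on it


class Kernel:
    """Bounded kernel on the window T = [0, width] (Definition 2), stored through
    its cumulative integral cum(x) = integral_0^x k_T(tau) dtau, cum(width) = 1."""

    def __init__(self, width: float, cum: Callable[[float], float]) -> None:
        self.width, self.cum = width, cum

    def mass(self, a: float, b: float) -> float:
        """Measure the kernel assigns to [a, b] inside its window."""
        return self.cum(b) - self.cum(a)


def flat_kernel(width: float) -> Kernel:
    """Constant kernel: the convolution is the fraction of time the formula holds."""
    return Kernel(width, lambda x: x / width)


def exp_kernel(width: float, lam: float) -> Kernel:
    """k(tau) = lam * e^(lam tau) / (e^(lam width) - 1): strictly positive with unit
    integral; increasing for lam > 0 (weight on the end of the window) and
    decreasing for lam < 0 (weight on its start)."""
    norm = math.expm1(lam * width)
    return Kernel(width, lambda x: math.expm1(lam * x) / norm)


def positive_intervals(signal: List[Step], end: float,
                       pred: Callable[[float], bool]) -> List[Interval]:
    """Intervals on which pred(s(t)) holds; `end` closes the last step."""
    out = []
    for i, (t0, v) in enumerate(signal):
        t1 = signal[i + 1][0] if i + 1 < len(signal) else end
        if pred(v):
            out.append((t0, t1))
    return out


def convolution(kernel: Kernel, intervals: List[Interval], t: float) -> float:
    """H(t) = (k_T * chi)(t) of Eq. (5): kernel mass of each positive interval,
    shifted back by t and clipped to the window [0, width]."""
    total = 0.0
    for u0, u1 in intervals:
        a, b = max(u0 - t, 0.0), min(u1 - t, kernel.width)
        if b > a:
            total += kernel.mass(a, b)
    return total


def _check_window(signal: List[Step], end: float, kernel: Kernel, t: float) -> None:
    if t < signal[0][0] or t + kernel.width > end:
        raise ValueError("window t + T is not covered by the signal")


def boolean_semantics(signal: List[Step], end: float, g: Callable[[float], float],
                      kernel: Kernel, p: float, t: float) -> bool:
    """chi(s, t, <k_T, p> mu) of Eq. (3d) with mu(x) = [g(x) >= 0]."""
    _check_window(signal, end, kernel, t)
    return convolution(kernel, positive_intervals(signal, end, lambda v: g(v) >= 0), t) >= p


def robustness(signal: List[Step], end: float, g: Callable[[float], float],
               kernel: Kernel, p: float, t: float) -> float:
    """rho(s, t, <k_T, p> mu) of Eq. (4e): sup{r : k_T * [g(s) > r] >= p}.
    For a piecewise-constant signal the convolution is a step function of r that
    only changes at the values g(v) taken by the signal, so the supremum is the
    smallest such value at which it drops below p (the grid-plus-bisection
    search of Section 5 converges to the same value)."""
    _check_window(signal, end, kernel, t)
    for r in sorted({g(v) for _, v in signal}):
        if convolution(kernel, positive_intervals(signal, end, lambda v: g(v) > r), t) < p:
            return r
    return math.inf   # unreachable for p > 0: dropping every interval gives 0 < p


# Constructed sample: one day of hourly glucose readings in mg/dL (not real data).
DAY = 1440.0
GLUCOSE: List[Step] = [(60.0 * h, float(v)) for h, v in enumerate(
    [150, 160, 170, 175, 165, 155,                  # 6 h below the threshold
     190, 200, 210, 220, 230, 240, 250, 260, 250,   # 18 h above it
     240, 230, 220, 210, 205, 200, 195, 190, 185])]
HYPER = 180.0   # hyperglycemia threshold assumed for the example


def prolonged_hyperglycemia(kernel: Kernel) -> Tuple[bool, float]:
    """<k_T, 0.7>(G >= HYPER) at t = 0: hyperglycemia for at least 70% of the day
    (Section 6); the kernel decides how the hours of the day are weighted."""
    g = lambda v: v - HYPER
    return (boolean_semantics(GLUCOSE, DAY, g, kernel, 0.7, 0.0),
            robustness(GLUCOSE, DAY, g, kernel, 0.7, 0.0))


if __name__ == "__main__":
    for name, k in [("flat", flat_kernel(DAY)),
                    ("exp. decreasing (focus on the morning)", exp_kernel(DAY, -1 / 240)),
                    ("exp. increasing (focus on the evening)", exp_kernel(DAY, 1 / 240))]:
        sat, rob = prolonged_hyperglycemia(k)
        print(f"{name}: satisfied={sat}, robustness={rob:+.1f} mg/dL")
```

With the flat kernel the trace is hyperglycemic for 18 of 24 hours, so the property holds with robustness 10 mg/dL (the glucose may be shifted down by less than 10 before the verdict changes, as Theorem 4.2 states); the decreasing kernel concentrates its mass on the morning hours, which are below the threshold, and the same property fails.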

Inhomogeneous time conditions.

Consider the case of monitoring Hyperglycemia during the day. Even if avoiding that regime during the entire day is always the best practice, there may be periods of the day where avoiding it is more important than in others. We imagine the case where we want to avoid hyperglycemia with a particular focus on the period close to the first meal. We can express this requirement with the following SCL formula: . Thanks to a decreasing kernel, indeed, a given amount of time under hyperglycemia close to zero counts more than the same amount of time far from it.

Correctness of the insulin delivery.

During the Hypoglycemia regime, insulin should not be provided. The SCL formula states that if during the next 10 minutes the patient is in Hypoglycemia for at least 95% of the time, then the insulin pump is shut off (i.e., ) for at least 90% of the time. This is the "cumulative" version of the STL property , which says that in the hypoglycemia regime no insulin should be delivered. During the Hyperglycemia regime, insulin should be provided as soon as possible. The SCL formula says that if we are in the severe Hyperglycemia regime (i.e., ), the delivered insulin should be higher than for at least 90% of the following 10 minutes. We use a negative exponential kernel to express (at the robustness level) the preference for having a higher value of delivered insulin as soon as possible.

Test Case: falsification.

As a first example, we show how SCL can be effectively used for falsification. The AP control system has to guarantee that the level of glucose remains in a safe region, as explained before. The falsification approach consists in identifying the control parameters () which force the system to violate the requirements, i.e., to escape from the safe region. The standard approach consists in minimizing the robustness of suitable temporal logic formulas which express the aforementioned requirements, e.g., . In this case the minimization of the STL robustness drives the search towards control parameters which cause the generation of trajectories with a maximum displacement under the threshold or above . To show the differences between the STL and SCL logics, we consider the PID + Hovorka model and perform a random sampling exploration of its input parameters. At each sample we calculate the robustness of the STL formulas and of the SCL formula

and separately store the minimum robustness value. For this minimum value, we estimate the maximum displacement with respect to the hypoglycemia and hyperglycemia thresholds and the maximum time spent violating the hypoglycemia and hyperglycemia thresholds. Fig.

4(left, middle) shows the trajectory with minimum robustness. We can see that the trajectory which minimize the robustness of the STL formula has an higher value of the displacement from the hypoglycemia () and hyperglycemia () thresholds than SCL trajectory (which are and respectively). On the contrary, the trajectory which minimizes the robustness of the SCL formula remains under hypoglycemia (for min) and hyperglycemia (for min) longer than the STL trajectory ( min and min, respectively). These results show how the convolutional operator and its quantitative semantics can be useful in a falsification procedure. This is particularly evident in the Hyperglycemia case (Fig. 4 (middle) ) where the falsification of the SCL Hyperglycemia formula shows two subintervals where the level of glucose is above the threshold.

In order to show the effect of a non-homogeneous kernel, we repeat the previous experiment, with the same setting, for properties and . From the results (Fig. 4 (right)) it is evident how the Gaussian kernel of property forces the glucose above the hyperglycemia threshold just before the first meal () and ignores, for example, the last meal ().

Test Case: noise robustness.

Now we compare the sensitivity to noise of SCL and STL formulae. We consider three degrees of hypoglycemia , where , and estimate the probability that the Hovorka model controlled by the usual PID (i.e., PID + Hovorka model) satisfies the STL formulas and the SCL formulas under the usual distribution assumption for the control parameters . The results are reported in the column "noise free" of Table 2. Afterwards, we consider a noisy outcome of the same model by adding Gaussian noise, i.e., , to the generated glucose trajectory. We estimate the probability that this noisy system satisfies the STL and SCL formulas above, see the column "with noise" of Table 2. The noise corresponds to disturbances of the original signals that can occur, for example, during the measurement process.

As shown in Table 2, the probability estimate for the STL formulas changes drastically with the addition of noise (the noise forces all the trajectories to satisfy the STL formula). On the contrary, the SCL formulas are more stable under noise and can even be used to approximate the probability of the STL formulas on the noise-free model. To assess this further, we checked how often the STL formula and the SCL formula , evaluated on the noisy model, agree with the STL formula evaluated on the noise-free model, by computing their truth values on 2000 samples, each time choosing a random threshold . The agreement score for STL is 56%, while SCL agrees in 78% of the cases.
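The following is an added illustration, not code from the paper or from its planned library, of the two points made in the case study: the kernel-weighted percentage operator (a decreasing kernel makes time near the window start count more, as in the first-meal requirement above) and the stability of that operator under measurement noise compared with the STL "finally" operator. The 70 mg/dL threshold, the kernel shapes, the trace lengths and the glucose trace itself are assumptions constructed for the example.

```python
import math
import random

HYPO = 70.0  # mg/dL, hypoglycemia threshold assumed for this constructed example

def flat_kernel(width):
    # uniform kernel: the convolution is the plain percentage of time pred holds
    return [1.0 / width] * width

def exp_kernel(width, rate):
    # decreasing exponential kernel normalised to sum 1: time close to the start
    # of the window counts more than the same amount of time far from it
    w = [math.exp(-rate * i) for i in range(width)]
    return [x / sum(w) for x in w]

def scl_conv(pred, kernel, t=0):
    # kernel-weighted fraction of the window [t, t+len(kernel)) where pred holds
    return sum(k for b, k in zip(pred[t:t + len(kernel)], kernel) if b)

def scl_sat(pred, kernel, p, t=0):
    # SCL modal operator: convolution value checked against the threshold p
    return scl_conv(pred, kernel, t) >= p

def stl_eventually(pred, width, t=0):
    # STL "finally" over [t, t+width): one satisfying sample is enough
    return any(pred[t:t + width])

def hypo(glucose):
    return [g < HYPO for g in glucose]

def trajectory(dip_start, minutes=120):
    # constructed glucose trace (one sample per minute): 80 mg/dL with a
    # 15-minute dip to 60 mg/dL from dip_start; dip_start=None means no dip
    return [60.0 if dip_start is not None and dip_start <= i < dip_start + 15
            else 80.0 for i in range(minutes)]

def noisy(glucose, sigma=5.0, seed=7):
    # measurement noise as in the paper's test case: additive Gaussian, seeded
    rng = random.Random(seed)
    return [g + rng.gauss(0.0, sigma) for g in glucose]

def compare(glucose):
    # STL truth value and SCL (flat kernel) percentage of hypoglycemia for the
    # clean trace and its noisy version, over one window covering the whole trace
    width, clean, noised = len(glucose), hypo(glucose), hypo(noisy(glucose))
    return {"stl_clean": stl_eventually(clean, width),
            "stl_noisy": stl_eventually(noised, width),
            "scl_clean": scl_conv(clean, flat_kernel(width)),
            "scl_noisy": scl_conv(noised, flat_kernel(width))}
```

On the dip-free trace a single noisy sample below 70 mg/dL is very likely to flip the STL value to true, while the SCL percentage only moves by a few percent; with `exp_kernel(120, 0.05)` the same 15-minute dip scores about 0.53 when it starts at minute 0 and about 0.07 when it starts at minute 40.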

7 Conclusion

We have introduced SCL, a novel specification language that employs signal processing operations to reason about temporal behavioural patterns. The key idea is the definition of a family of modal operators that compute the convolution of a kernel with the signal and check the obtained value against a threshold. Our case study on monitoring glucose levels in the artificial pancreas demonstrates how SCL empowers the classical temporal logic operators (such as finally and globally) with noise filtering capabilities, and enables us to express temporal properties with soft time bounds and with a non-symmetric treatment of time instants in a unified way.

The convolution operator of SCL can be seen as a syntactic bridge between temporal logic and digital signal processing, combining the advantages of both worlds. This point of view can be explored further by bringing tools from the frequency analysis of signals into the monitoring algorithms of SCL. Future work includes the release of a Python library and the design of efficient monitoring algorithms for the quantitative semantics as well. Finally, we also plan to develop online monitoring algorithms for real-time systems using dedicated hardware architectures such as field-programmable gate arrays (FPGAs) and digital signal processors (DSPs).
