Trace-Checking CPS Properties: Bridging the Cyber-Physical Gap by Menghi, Claudio et al.
ar
X
iv
:2
00
9.
12
25
0v
2 
 [c
s.S
E]
  2
8 S
ep
 20
20
Trace-Checking CPS Properties:
Bridging the Cyber-Physical Gap
Claudio Menghi
University of Luxembourg
Luxembourg, Luxembourg
claudio.menghi@uni.lu
Enrico Viganò
Politecnico di Milano
Milano, Italy
enrico4.vigano@mail.polimi.it
Domenico Bianculli
University of Luxembourg
Luxembourg, Luxembourg
domenico.bianculli@uni.lu
Lionel C. Briand
University of Luxembourg
Luxembourg, Luxembourg
University of Ottawa
Ottawa, Canada
lionel.briand@uni.lu
Abstract—Cyber-physical systems combine software and physi-
cal components. Specification-driven trace-checking tools for CPS
usually provide users with a specification language to express
the requirements of interest, and an automatic procedure to
check whether these requirements hold on the execution traces
of a CPS. Although there exist several specification languages
for CPS, they are often not sufficiently expressive to allow the
specification of complex CPS properties related to the software
and the physical components and their interactions.
In this paper, we propose (i) the Hybrid Logic of Signals (HLS),
a logic-based language that allows the specification of complex
CPS requirements, and (ii) ThEodorE, an efficient SMT-based
trace-checking procedure. This procedure reduces the problem of
checking a CPS requirement over an execution trace, to checking
the satisfiability of an SMT formula.
We evaluated our contributions by using a representative
industrial case study in the satellite domain. We assessed the
expressiveness of HLS by considering 212 requirements of our
case study. HLS could express all the 212 requirements. We also
assessed the applicability of ThEodorE by running the trace-
checking procedure for 747 trace-requirement combinations.
ThEodorE was able to produce a verdict in 74.5% of the cases.
Finally, we compared HLS and ThEodorE with other specifi-
cation languages and trace-checking tools from the literature.
Our results show that, from a practical standpoint, our approach
offers a better trade-off between expressiveness and performance.
I. INTRODUCTION
Cyber-physical systems (CPSs) combine cyber and physical
capabilities [1]. Cyber capabilities are typically provided by
software components that sense and act on the physical
environment, while physical capabilities are provided by the
environment in which the software is deployed. Therefore,
CPSs combine software and physical dynamics. Physical dy-
namics are typically modeled through formalisms that capture
the continuous evolution—according to physical laws—of the
environment over time (e.g., differential equations); the cor-
responding behaviors are typically represented as continuous
signals. Software (i.e., cyber) dynamics are typically modeled
with discrete event systems (e.g., finite state machines), whose
behavior is typically represented by a sequence of events.
Cyber-physical systems exhibit hybrid dynamics since they
combine both physical and software capabilities.
Engineers collect traces (i.e., logs) describing the behavior
of a CPS both when the CPS is simulated and, by means
of instrumentation and logging mechanisms, during the actual
execution of the CPS. A trace is a sequence of records
that contain some information about the execution (or the
simulation) of the cyber-physical components (e.g., the state
of the system variables). Trace records are usually labeled
with time-stamps representing the time instants at which the
recorded information was obtained.
Engineers analyze these traces to check whether they con-
form to the system’s requirements specifications; this ac-
tivity can be automated by means of trace-checking tools.
Specification-driven trace-checking tools usually take as in-
put a trace to be analyzed and a requirement specification;
they yield a Boolean verdict indicating whether the trace
satisfies the specification. The algorithms implemented by
trace-checking tools are typically language-specific. In the
context of trace checking, there exist two main categories of
languages used for specifying CPS requirements: time-based
and sequence-based languages.
Time-based languages (e.g., STL [2], RFOL [3], MTL [4],
SFO [5], TPTL [6]. and SB-TemPsy-DSL [7]) interpret the
records of the cyber and physical components as signals over
a time domain. Specifications written in a time-based language
express time relations over the occurrence of events. Such
languages are suitable to express CPS requirements related
to physical quantities; an example of such requirement is P1:
“between 2 s and 10 s (measured starting from the origin of
the trace) the speed of the satellite is lower than 10 m/s”.
However, time-based languages are not easily amenable to
specifying requirements related to software components. As
an example, let us consider the requirement P2: “whenever
the satellite changes its mode from safe to normal, the speed
of the satellite decreases”. To express the first part of this
requirement (marked in italics), one should specify that 1)
in the trace there are two consecutive records; 2) the first
record captures that the satellite is in “safe mode”; and 3)
the second record captures that the satellite is in “normal
mode”. This requirement cannot be expressed in time-based
languages since they cannot specify the first condition, i.e.,
that a record immediately follows another one in the trace.
Indeed, expressing such a condition requires the specification
language to provide access to the indices (i.e., positions in the
trace) of the different records.
1
On the other hand, in sequence-based languages—such as
LTL [8] (and domain-specific languages based on one of its
extensions, like the one in the SpeAR tool [9]), FRETISH [10],
and CoCoSpec [11]—traces are sequences of consecutive
records, whose temporal model is represented by the sequence
of discrete indices of the records. This class of languages
interprets the records of the CPS software and physical
components as discrete-time signals. Specifications in these
languages constrain the indices in which events can occur;
such specifications are used to express properties that mostly
refer to the CPS software components, such as the first part
of the aforementioned P2 property. However, these languages
cannot express time relations over the occurrence of events,
such as the one in property P1.
A third class of specification languages is the one of hybrid
languages (e.g., STL-MX [12], HyLTL [13], HRELTL [14],
Differential Dynamic Logic [15], HTL [16]), which support
the specification of both continuous and discrete behaviors.
However, these languages typically extend existing languages
(e.g., LTL) to support the specification of hybrid behaviors
in specific contexts (e.g., using signal derivatives). Therefore,
they provide ad-hoc solutions that inherit some of the intrinsic
limitations of the base language, thus hindering the expressive-
ness of the resulting hybrid language. For example, a hybrid
language based on LTL cannot support metric operators to
constrain the time distance between events.
The goal of this paper is to tackle the challenge of specifying
hybrid behaviors of CPSs, in a way amenable to practical and
efficient trace-checking. To reach this goal we propose:
(i) the Hybrid Logic of Signals (HLS), a new specification
language tailored to specifying CPS requirements. HLS allows
engineers to express CPS requirements as properties (i.e.,
specifications) that refer both to the time-stamps and to the
indices of the records of CPS traces. In this way, HLS
specifications can easily express the behavior of both cyber
and physical components, as well as their interactions.
(ii) ThEodorE, an efficient trace-checking approach for
properties expressed in HLS. ThEodorE reduces the problem
of checking an HLS property on a trace to a satisfiability
problem, which can be solved using off-the-shelf Satisfiability
Modulo Theories (SMT) solvers. The latter have efficient
decision procedures for several background theories, thus
making it possible to check whether a formula expressed in a
first-order logic is satisfiable.
We evaluated our contribution using an industrial case study
in the satellite domain, in collaboration with the engineers who
developed the satellite’s on-board system.
(i) We assessed the expressiveness of HLS by checking
whether it could express the 212 requirements of our case
study. Our results show that HLS could express all the
requirements of our case study. We also compared HLS with
SB-TemPsy-DSL [7] and STL [2], two specification languages
proposed in the literature and for which trace-checking tools
are available. The results show that HLS is significantly more
expressive than SB-TemPsy-DSL and STL, which could only
express 145 and 102 requirements, respectively.
(ii) We evaluated the trace-checking support provided by
ThEodorE by assessing its applicability on 20 large traces
provided by our industrial partner and obtained by simulating
the behavior of the satellite across representative, different
scenarios. We ran the ThEodorE trace-checker on 747 trace-
requirement combinations. ThEodorE completed the verifica-
tion in 74.5% of the cases within one hour, a reasonable time-
out considering typical CPS development contexts. ThEodorE
yielded a verdict for 67.9% of the 337 trace-requirement com-
binations containing a requirement that can not be verified by
any of the other trace-checkers. We compared the applicability
of ThEodorE with SB-TemPsy-Check [7] and Breach [17],
for the trace-requirement combinations containing require-
ments expressible in SB-TemPsy-DSL and STL. For these
combinations, SB-TemPsy-Check and Breach were 21.9% and
4.9% more often applicable than ThEodorE, respectively. SB-
TemPsy-Check and Breach were also more efficient, but not
to a point where it had practical implications.
Our results show that ThEodorE is broadly applicable as it
allows engineers to specify a large variety of requirements
while providing an efficient trace-checking procedure. Since
in practical applications it is generally difficult to know
in advance which requirement types engineers will need to
specify, our findings suggest that ThEodorE is good default
choice. However, if ThEodorE is not able to produce a verdict,
and the requirement are expressible in SB-TemPsy-DSL or
STL, engineers should then use SB-TemPsy-Check or Breach.
The paper is organized as follows. Section II describes our
case study. Section III illustrates the syntax and semantics
of HLS. Section IV presents ThEodorE. Section V evaluates
our contribution based on an industrial case study. Section VI
discussed related work. Section VII concludes the paper.
II. CASE STUDY AND MOTIVATIONS
Our industrial partner developed, in collaboration with a
large space agency, a maritime satellite to collect tracking
information from vessels operating on Earth and to relay those
data to the ground. This is a representative CPS made of
complex software component interacting with many actuator
and sensors and the physical environment where the satellite
is to be deployed. This system should satisfy many varied
requirements regarding the behavior of the software system
itself but also its interactions with hardware and the satellite
physical dynamics in space. Its development relies on tech-
nologies and practices typically seen in CPS contexts, e.g.,
Model-in-the-loop development with Simulink®.
Software engineers check the compliance of the satellite
behavior to its requirements [18] both while the software is
being developed and at run time. This is done by (i) collecting
execution traces of the system, and (ii) checking whether those
traces satisfy the system requirements.
Figure 1 shows a fragment of an execution trace, which
we will use to motivate this work. A trace is a sequence of
records that contain some information about the execution of
the system. In this example, the records include data about the
angular rate (ang-rate) and the (satellite) mode (mode).
2
ang-rate 20.1 22.2 23.3 20.4 21.1 3.2 1.1
mode 0 1 0 0 3 3 3
timestamp 0 0.2 0.9 1.8 3.0 4.9 5.7
index 0 1 2 3 4 5 6
Record r3
Figure 1: A fragment of an execution trace of our case study.
The angular rate is a physical quantity represented by a real
value measured by sensors. The mode is an enumeration of
values that represent the state of the satellite software. There
are four different modes: “Idle Mode”, “Safe Spin Mode”,
“Normal Mode Coarse”, and “Normal Mode Fine”, which
are represented in the trace by the values 0, 1, 2, and 3,
respectively. In addition, each record is associated with a
timestamp, representing the time instant at which the recorded
information was obtained, and a progressive index value.
The requirements to be checked on the system traces
refer both to the software and to the physical dynamics of
the satellite. For example, let us consider requirement R1:
Whenever the satellite mode switches from “Idle Mode” to
“Normal Mode Fine”, the satellite angular rate shall reach
a value lower than 1.5 °/s within 10 s. Moreover, the angular
rate shall stabilize around an arbitrary value c lower than
or equal to 1.5 °/s. R1 specifies a constraint on a physical
quantity, i.e., the angular rate of the satellite, which shall be
ensured as a reaction to a software change, i.e., the satellite
switching its mode from “Idle” to “Normal Mode Fine”.
One way to express that the mode of the satellite switches
from “Idle Mode” to “Normal Mode Fine”, is to specify
that the trace contains: 1) two records with consecutive in-
dices; 2) the first record captures that the satellite is in “Idle
Mode”; 3) the second record captures that the satellite is in
“Normal Mode Fine”. This requirement cannot be expressed
using time-based languages since they do not provide access
to the indices of the different records. To compensate for
this limitation when using time-based languages, engineers
can apply ad-hoc solutions, such as adding a new Boolean
flag to the trace records. In our example, such a flag would
be true whenever the mode of the satellite switches from
“Idle Mode” to “Normal Mode Fine”. In this way, the afore-
mentioned requirement fragment would be rephrased as the
flag switch-from-IDLE-to-NORMAL-MODE-FINE is
true. However, this is impractical in real scenarios because:
(i) the number of flags to add in the trace records can
quickly grow and become unmanageable. For example, given
the four possible values for the satellite mode in our case
study, to consider all possible combinations for switching
satellite mode, engineers would need to add 16 values in each
record (one for each mode switching combination). (ii) The
requirement is reformulated and its connection to the actual
software component behavior is lost.
Furthermore, requirement R1 cannot be expressed using
sequence-based languages because they do not support time
relations over the occurrence of events. More specifically,
expressing that “the [. . . ] angular rate shall reach [. . . ] within
10 s” requires to access the timestamps associated with the
trace records (and compute a distance). This feature is not
provided by sequence-based languages.
Moreover, to the best of our our knowledge, among the
time-based and sequence-based languages mentioned in the
previous section, SFO [5] is the only language that allows
users to use quantified variables in specifications, (as in “(there
exist) an arbitrary value c lower than or equal to 1.5 °/s
around which [. . . ] shall stabilize”. This type of requirements
is quite common in practical CPS applications, since engineers
often want to check that the system stabilizes around a given
value (e.g., the steady-state value). Although engineers know
some properties of the steady-state value c (i.e., c shall be
lower than or equal to 1.5 °/s), they generally do not know its
exact value, which has to be indicated as a generic variable in
the requirement specification.
This example, extracted from our case study, shows the need
for an expressive language for specifying hybrid behaviors of
CPSs. In the next section, we will introduce a new specifica-
tion language for CPSs, which overcomes the limitations—in
terms of expressiveness—of state-of-the-art languages and is
supported by an effective trace-checking procedure.
III. HYBRID LOGIC OF SIGNALS
In this section, we illustrate HLS (Hybrid Logic of Signals),
our new specification language for CPSs. We first discuss the
design goals of the language (section III-A). Then, we define
the mathematical model of the traces considered in this work
(section III-B). Finally, we present the syntax (section III-C)
and the semantics (section III-D) of the language.
A. Design goals
We designed HLS to provide a language for specify-
ing CPS properties that seamlessly combine the features of
sequence-based and time-based languages. Therefore, HLS
extends existing time-based languages (e.g., STL [2], MTL [4],
RFOL [3], and SFO [5]) and sequence-based languages (e.g.,
LTL [8], FRETISH [10], and CoCoSpec [11]) to allow engi-
neers to refer both to trace indices and to timestamps in the
logical specifications and to arbitrarily combine them to define
properties describing the expected behavior of a CPS. More
specifically, HLS allows engineers to use first-order existential
and universal quantifiers with:
• timestamp variables, to express properties that refer to
specific time instants and to the distance among them,
such as “there exists a time instant t within 10 s from the
current time instant [. . . ]”;
• (trace) index variables, to express properties that refer
to the indices of trace records, such as “for every trace
index i, such that the corresponding record captures that
the satellite is in “Idle Mode”, and the immediately
following record (at trace index i + 1) captures that the
satellite is in “Normal Mode Fine” [. . . ]”;
3
• real-valued variables, to express properties that refer to
arbitrary signal values, such as “there exists a value c
lower than or equal to 1.5 °/s around which the signal
ang-rate shall stabilize”.
Additionally, HLS supports specifications that use:
• the value of a signal at a certain timestamp or associated
with a record at a certain index;
• the timestamp associated with the record at a certain
index;
• the index of the record with a certain timestamp;
• expressions combining time variables, trace indices, and
real-valued variables, using arithmetic and relational op-
erators.
B. Traces
Let J = {0, 1, 2, . . . , j, . . . ,m}, with elements j ∈ N, be a set
of indices. Let T be an interval of R; we call T a time domain.
Let S = {s1, s2, . . . , si, . . . , sn} be a set of variables (hereafter
called “signals”) of the systems being monitored, with si ∈ R.
A trace pi is a finite sequence of records r0, r1, . . . , rj, . . . , rm,
with j ∈ J.
Each record rj is a tuple 〈 j, t, v1, v2, . . . , vn〉, where j ∈ J is
the index associated with the record, t ∈ T is the timestamp at
which the recorded information was obtained, and v1, v2, . . . ,
vn ∈ R are the values associated with signals s1, s2, . . . , sn in
the record. For a trace pi we use the array notation “[ j]” to
denote the j-th record of pi, and we use the dot notation to
denote an element of a record; we also introduce the notation
tj , short for pi[ j].t for a given trace pi. For example, let pie
be the fragment of the trace depicted in Figure 1; it contains
seven records. Record r3 is denoted by pie[3]; it is represented
by the tuple 〈3, 1.8, 0, 20.4〉, where pie[3].t = t3 = 1.8 is the
value of the timestamp, pie[3].mode = 0 is the value of signal
mode, and pie[3].ang-rate = 20.4 is the value of signal
ang-rate.
We assume that the values associated with the timestamps
are monotonically increasing, i.e., tj < tj+1, since records refer
to consecutive timestamps. We say that a trace has a fixed
sample rate sr if, for every j, 0 ≤ j < m, tj+1 − tj = sr, where
sr is a constant value; otherwise, we say that the trace has a
variable sample rate. For example, trace pie in Figure 1 has a
variable sample rate.
Additionally, we introduce a function ιpi : T → J: given a
timestamp value t, ιpi(t) is the value of the index j of the record
in pi with the highest timestamp tj such that tj <= t; we will
omit the trace subscript when it is clear from the context. For
example, for trace pie in Figure 1, ιpie (2.5) = 3. In this work,
we consider two definitions of ι:
ιV (t) ::= [t0 ≤ t] · [t < t1] · 0 + [t1 ≤ t] · [t < t2] · 1 +
. . . + [tm−1 ≤ t] · [t < tm] · (m − 1) + [tm = t] · m
ιF (t) ::=
⌊ t
sr
⌋
Definition ιV (t) assumes that the trace has a variable sample
rate. Notice that the notation [P], where P is a logical
predicate, is the Iverson bracket; it evaluates to 1 if P is true,
and to 0 otherwise. The resulting arithmetic formula checks
where the timestamp t provided in input is situated w.r.t. the
timestamps of the trace (i.e., t0, t1, . . . , tm), and returns the
value of the index of the record that has the highest timestamp
that is smaller than or equal to t. For example, if the parameter
t is greater than timestamp t2 and lower than timestamp t3,
the only expression in ιV (t) that does not evaluate to 0 is
[t2 ≤ t] · [t < t3] · 2; therefore the index returned will be 2.
Definition ιF (t) assumes that the trace has a fixed sample
rate. In such as case, the index associated with a timestamp
can be simply retrieved by computing the floor of the ratio of
the timestamp t over the sample rate sr.
In this work, we assume that all the variables are sampled
at each timestamp. This is a necessary requirement to enable
the evaluation of the satisfaction of the system requirements at
each timestamp. For systems that do not sample all the vari-
ables at each timestamp, engineers can use a pre-processing
step to generate values to be assigned to variables for which
the value is missing at certain timestamps. In this work, we
consider two complementary pre-processing strategies:
A1: In each record, an interpolation function (e.g., piece-
wise constant, linear, cubic) specific to each signal, is used
to generate values for unassigned variables. Notice that this
approach does not alter the original sample rate of the trace,
since it keeps the same records as the original trace and only
generates (in each record) values for the unassigned variables.
A2: If the trace has a variable sample rate, it is converted
into a trace with a fixed sample rate. This is done by generating
a fresh set of records with a fixed sample rate equal to
the smallest sample rate (i.e., the minimum time distance
between two records) of the original trace, and by using the
interpolation functions (as in the case of strategy A1) to
generate the values of all variables.
As we will discuss in Section V, the strategy used to generate
the values of unassigned variables determines the trace accu-
racy. The latter influences the trace checking verdict and may
impact on the correctness of the trace-checking procedure.
C. Syntax
An HLS formula is defined according to the grammar
presented in Figure 2, whose start symbol is p. In the grammar,
we use the symbol f to represent a generic (binary) arithmetic
function; the symbol | separates alternatives. In the following,
we illustrate the various language constructs; in the explana-
tions, we will refer to the set TV = {τ0, τ1, . . . } of timestamp
variables over T, the set IV = {σ0, σ1, . . . } of index variables
over J, and the set RV = {ρ0, ρ1, . . . } of real-valued variables
over R.
A term (non-terminal tm) can be either a time term, an
index term, or a value term.
A time term (non-terminal tt) allows engineers to refer
to timestamps in the specifications. A time term can be a
timestamp variable τ ∈ TV , a literal denoting a value t ∈ T,
the value returned by the operator i2t, or an arithmetic
expression over these entities. The operator i2t(it) takes an
4
index term as argument and returns the timestamp associated
with the record at the (trace) index it. An example of time
term is the expression τ0 + 5.5 + i2t(2).
An index term (non-terminal it) allows engineers to refer
to trace indices in the specifications. An index term can be
an index variable σ ∈ IV , a literal denoting a value j ∈ J,
the value returned by the operator t2i, or an arithmetic
expression over these entities. The operator t2i(tt) takes
a time term as argument and returns the index j of the trace
record with timestamp tj , where tj is the highest timestamp
value for which tj ≤ tt. An example of index term is the
expression σ0 + 2 + t2i(3.3).
A value term (non-terminal vt) allows engineers to refer
to real values (e.g., signal values) in the specifications. A value
term can be a real-valued variable ρ ∈ RV , a literal denoting
a value x ∈ R, the value of a signal returned by the operators
@i (“at index”) and @t (“at timestamp”), or an arithmetic
expression over these entities. The @i operator is an infix
operator that takes two arguments: a signal s and an index
term it; it returns the value of signal s associated with the
record at the (trace) index it. Similarly, the @t operator is
an infix operator that takes two arguments: a signal s and a
time term tt; it returns the value of signal s associated with
a record at timestamp tj , where tj is the highest timestamp
value in the trace for which tj ≤ tt. An example of value
term is the expression (s1 @i2)+ (s2 @t3.3)+ ρ0 + 5.2, where
s1 and s2 are signals, 2 is an index term, 3.3 is a time term,
ρ0 is a real-valued variable, and 5.2 is a numeric literal.
A formula (non-terminal p) is a relational expression over
terms, a logical expression over other formulae defined using
Boolean connectives, or an existentially quantified formula.
As anticipated in section III-A, HLS supports three types of
quantification:
(i) over timestamp variables, as in “exists τ in IT [. . . ]”,
where IT is a time range with bounds in T;
(ii) over index variables, as in “exists σ in IJ [. . . ]”,
where IJ is a range of index values with bounds in J;
(iii) over real-valued variables, as in “exists ρ [. . . ]”.
For example, the formula exists σ0 in [3, 5] such that
(s1 @iσ0) < 2.5 specifies that there exists a record with index
greater than or equal to 3 and lower than or equal to 5, in
which the value of signal s1 is less than 2.5.
The language is further extended with additional relational
operators, additional logical connectives (e.g., implication
(implies), conjunction (and)), and universal quantifiers
(forall) on timestamp variables, index variables, and real-
valued variables, using the standard logical conventions.
We now present an application of HLS for the specification
of one of the requirements in our case study. Let us consider
a fragment of requirement R1: Whenever the satellite mode
switches from “Idle Mode” to “Normal Mode Fine”, the
satellite angular rate shall reach a value lower than 1.5 °/s
within 10 s. We recall that the satellite mode is represented
by the signal mode, for which value 0 corresponds to “Idle
Mode” and value 3 corresponds to “Normal Mode Fine”; also,
Term tmF tt | vt | it
Time Term ttF τ | t | i2t(it) | f (tt1, tt2)
Index Term itF σ | j | t2i(tt) | f (it1, it2)
Value Term vtF ρ | x | (s @i it) | (s @t tt) | f (vt1, vt2)
Formula pF tm1 < tm2 | not p | p1 or p2
| exists τ in IT such that p
| exists σ in IJsuch that p
| exists ρ such that p
t ∈ T, j ∈ J, x ∈ R, τ ∈ TV, σ ∈ SV, ρ ∈ RV, s ∈ S
Figure 2: Syntax of the Hybrid Logic of Signals.
the angular rate is represented by the signal ang-rate. This
fragment can be specified in HLS as:
forall σ0 in [0, 5] such that
((mode @i σ0) = 0 and (mode @i (σ0 + 1)) = 3)
implies exists τ0 in [0 s, 10 s] such that
(ang-rate @t (τ0 + i2t(σ0)) < 1.5))
The sub-formula ((mode @i σ0) = 0 and (mode @i (σ0 +
1)) = 3) detects when the satellite switches from “Idle Mode”
to “Normal Mode Fine” over two consecutive records (notice
the use of the “at index” operator to refer to the consecutive
indices σ0 and σ0 + 1). This expression is within the scope of
the outer universal quantifier, which iterates over a range of
values for the index variable σ0. This range depends on the
length of the trace and on the use of σ0 in the formula. In
this case, since the requirement says “whenever [the satellite
mode switches. . . ]”, in the specification we want to cover the
full length of the trace fragment pie in Figure 1, where record
index values span from 0 to 6. We achieve this by setting the
lower bound to zero and the upper bound to five; in this way,
the term mode @i (σ0 + 1) always refers to a record index of
the example trace.
The inner quantification over the timestamp variable τ0
checks whether the angular rate of the satellite reaches a
value lower than 1.5 °/s within 10 s. More specifically, the
expression (ang-rate @t (τ0 + i2t(σ0)) < 1.5) represents
the value of signal ang-rate at timestamp τ0 + i2t(σ0),
where τ0 is in the interval [0 s, 10 s] (corresponding to the
distance of 10 s) and i2t(σ0) is the timestamp at which the
satellite switches from “Idle Mode” to “Normal Mode Fine”,
i.e., the timestamp associated with the record at index σ0.
D. Semantics
To evaluate whether an HLS formula is true or false over a
trace pi, we must first define how time, index, and value terms
are interpreted and evaluated.
Let µTV, µIV, µRV be variable assignments, respectively, for
timestamp, index, and real-valued variables; for example, µTV
is a mapping from a timestamp variable in TV to a value in T.
Let µ denote, collectively, the family of variable assignment
functions µTV, µIV, µRV . We evaluate a generic term tm on a
trace pi, using the variable assignment functions in µ, by means
of an interpretation function ntmopi,µ.
5
Time Term Interpretation
nτopi,µ = µ
TV (τ), for all τ ∈ TV; ntopi,µ = t, for all t ∈ T;
ni2t(it)opi,µ = pi[nitopi,µ].t;
n f (tt1, tt2)opi,µ = n f opi,µ (ntt1opi,µ, ntt2opi,µ );
Index Term Interpretation
nσopi,µ = µ
IV (σ), for all σ ∈ IV; n jopi,µ = j, for all j ∈ J;
nt2i(tt)opi,µ = ιpi (nttopi,µ);
n f (it1, it2)opi,µ = n f opi,µ (nit1opi,µ, nit2opi,µ );
Value Term Interpretation
nρopi,µ = µ
RV (ρ), for all ρ ∈ RV; nxopi,µ = x, for all x ∈ R;
n(s @i it)opi,µ = pi[nitopi,µ ].s; n(s @t tt)opi,µ = pi[ιpi (nttopi,µ)].s
n f (vt1, vt2)opi,µ = n f opi,µ (nvt1opi,µ, nvt2opi,µ );
Formula Satisfaction
(pi, µ) |= tm1 < tm2 iff ntm1opi,µ < ntm2opi,µ
(pi, µ) |= not p iff (pi, µ) 6 |= p
(pi, µ) |= p1 or p2 iff (pi, µ) |= p1 or (pi, µ) |= p2
(pi, µ) |= exists τ in IT iff (pi, µ) |= p[τ ← t j ]
such that p for some t j ∈ IT
(pi, µ) |= exists σ in IJ iff (pi, µ) |= p[σ ← j]
such that p for some j ∈ IJ
(pi, µ) |= exists ρ iff (pi, µ) |= p[ρ ← v]
such that p for some v ∈ R
Figure 3: Semantics of the Hybrid Logic of Signals.
The interpretation of HLS terms is defined inductively at
the top of figure 3. For all three term types, the interpretation
of a literal is the value denoted by the literal itself; a variable
is interpreted using the variable assignment function for the
corresponding type; an arithmetic expression defined using a
function f is interpreted by applying the interpretation of the
function symbol f to the interpretation of the corresponding
arguments. The operators i2t, t2i, @i, and @t are inter-
preted according to the informal semantics provided in the
previous section.
The semantics of an HLS formula φ is defined over a trace pi
and a variable assignment µ; we use the notation (pi, µ) |= φ to
indicate that trace pi satisfies formula φ under variable assign-
ment µ. The satisfiability relation of HLS formulae is defined
inductively at the bottom of figure 3. The formula tm1 < tm2
is satisfied if and only if (iff) the interpretation of term tm1
is lower than the interpretation of term tm2. The semantics
of the Boolean connectives or and not is the standard one.
A formula with an existential quantifier over a timestamp
variable, of the form exists τ in IT such that p, is
satisfied iff there exists a timestamp tj ∈ IT , such that when
substituting timestamp tj for τ in the formula p (denoted by
p[τ ← tj ]), the resulting formula is satisfied. The semantics of
the other two types of formulae with an existential quantifier
is defined in a similar way.
IV. TRACE CHECKING HLS FORMULAE
In this section, we present ThEodorE, our trace checker
for HLS. ThEodorE reduces the problem of checking an HLS
property on a trace to a satisfiability problem, which can be
solved using off-the-shelf SMT solvers.
ThEodorE takes as input a property φ expressed in HLS
and a trace pi. The first step of ThEodorE is to automatically
translating property φ and trace pi formulae expressed using
a target logic L. This translation relies on two translation
functions h (for HLS formulae, see Section IV-B) and t (for
traces, see Section IV-A) and guarantees, given a variable
assignment µ, that (pi, µ) |= φ iff h(¬φ)∧t(pi) is not satisfiable.
The second step of ThEodorE is checking the satisfiability
of formula ψ ≡ h(¬φ) ∧ t(pi), expressed in the target logic L
using an SMT solver. Based on the condition stated above,
when ψ is satisfiable, it means that φ does not hold on the
trace pi. Vice-versa, when ψ is not satisfiable, it means that φ
holds on the trace pi.
The final verdict yielded by ThEodorE can be “satisfied”,
“violated” or “unknown”; it is based on the answer of the
solver. ThEodorE yields the definitive verdicts “satisfied”
or “violated” when the solver returns “UNSAT” or “SAT”,
indicating, respectively, that ψ is unsatisfiable or satisfiable.
However, the solver may return an “UNKNOWN” answer,
since the satisfiability of the underlying target logic L is
generally undecidable. In our case, this indicates that no
conclusion is drawn on the satisfiability of formula ψ, resulting
in an “unknown” verdict returned by ThEodorE. Assessing
whether this is a frequent case in practical applications is part
of our evaluation (Section V).
The target logic L to be selected for trace checking of HLS
properties in ThEodorE shall fulfill two goals:
G1: be sufficiently expressive to encode the logic-based
representation of an input trace pi and the (semantics of an)
HLS formula φ. This means that it should include linear
real arithmetic (to support real-valued and timestamp terms),
quantifiers (since HLS is a first-order logic), and arrays (since
a trace can be seen as an array of records).
G2: be supported by an efficient solver, so that the trace
checking procedure for HLS formulae can be completed within
practical time limits.
We have identified the AUFLIRA (Closed linear formulae
with free sort and function symbols over one- and two-
dimentional arrays of integer indices and real values) fragment
of the SMT-LIB (Satisfiability Modulo Theories LIBrary)
logic [19] as a suitable target logic for ThEodorE. The theories
used by AUFLIRA are identifiable through its name: A: arrays;
UF: extension allowing free sort and function symbols; LIRA:
linear integer and real arithmetics. Furthermore, AUFLIRA
does not restrict the formulae to be quantifier-free. Based on
the list of supported theories, AUFLIRA satisfies G1. It also
satisfies G2, since it is included in the SMT-LIB logic, whose
satisfiability can be verified using highly efficient and opti-
mized solvers, as shown in the annual SMT competition [20].
In the following subsections we will describe functions t
and h. For simplicity, we will present the translation using the
syntax of the Z3 Python API [21].
A. Translating a Trace into the Target Logic
Function t translates a trace pi into a logic formula expressed
using the target logic L.
6
To represent the sequence of timestamps in pi, the translation
creates an array variable t; the type of the array indices (i.e.,
the domain of t) is Z, whereas the type of the array values (i.e.,
the range of t) is R. Then, the translation defines a series of
constraints on the values in t: the value of array t at position
i (denoted by t[i]) is constrained to be equal to the value of
the timestamp contained in the record at index i of trace pi.
In addition, the translation creates an array variable for each
signal whose values are recorded in the trace; the variable
name is the string obtained by concatenating v_ with the name
of the signal. For each of these array variables representing
signals, the translation defines a series of constraints on the
values of the array: the value of the array in position i is
constrained to be equal to the value of the corresponding signal
in the record at index i of trace pi.
B. Translating an HLS Formula into the Target Logic
Function h translates an HLS formula into a logic formula
expressed using the target logic L.
First, the translation declares a new variable for each
timestamp, index, and real-valued variable used in the HLS
formula; the name of the new variable is the string obtained
by concatenating v_ with the named of the original variable.
The type of the new variables is Real for timestamp and
real-valued variables, and Int for index variables.
Afterwards, the translation recursively evaluates each node
in the parse tree of the input formula, starting from the root
node; each node is translated using the rules shown in Figure 4.
The translation of time, index, and values term nodes is
defined as follows. Nodes referring to HLS variables are
translated into the corresponding variables in the target logic
formula. Literal nodes are mapped into literals in the target
logic formula. Arithmetic expressions using a function f
are translated by converting the function symbol into the
equivalent in the target language, and then by applying it
to the translation of its arguments. A time term node of the
form i2t(it) is translated into an expression that accesses
the element of the array t in position h(it). An index term
node of the form t2i(tt) is translated into the application
of the translation of function ι to h(tt). A value term of the
form (s @i it) is translated into an expression that retrieves
the value of variable v_s at index h(it). Similarly, a value
term of the form (s @t tt) is translated into an expression
that retrieves the value of variable v_s at the index obtained
through the evaluation of h(ι)(h(tt)).
The translation of function ι supports both definitions
presented in section III-B. It consists of a rewriting of the
definition into the equivalent syntax of the target logic. We
remark that the size of the arithmetic expression to compute
h(ιV ) in the case of a variable sample rate is linear in the
length of the trace and the number of timestamp variables.
Evaluating the impact of our translation and of the selection
of the definition of function ι on the performance of the trace-
checking procedure is part of our evaluation.
The translation of HLS formulae is basically their rewriting
into the equivalent syntax of the target logic, modulo the
Time Term
h(τ) = v_τ, for all τ ∈ TV; h(t) = t, for all t ∈ T;
h( f (tt1, tt2)) = h( f )(h(tt1), h(tt2)); h(i2t(it)) = t[h(it)];
Index Term
h(σ) = v_σ, for all σ ∈ IV; h(j) = j, for all j ∈ J;
h( f (it1, it2)) = h( f )(h(it1), h(it2)); h(t2i(tt)) = h(ι)(h(tt));
Value Term
h(σ) = v_σ, for all σ ∈ RV; h(x) = x, for all x ∈ R;
h( f (vt1, vt2)) = h( f )(h(vt1), h(vt2))
h((s @i it)) = v_s[h(it)]; h((s @t tt)) = v_s[h(ι) (h (tt))];
Formula (with IT = [ta, tb ] and IJ = [a, b])
h(tm1 < tm2) = h(tm1) < h(tm2);
h(p1 or p2) = Or(h(p1), h(p2)); h(not p) = Not(h(p));
h(exists τ in IT such that p) =
Exists (v_τ, And (And (ta ≤ v_τ, v_τ ≤ tb ) , h (p)))
h(exists σ in IJ such that p) =
Exists (v_σ, And (And (a ≤ v_σ, v_σ ≤ b) , h (p)))
h(exists ρ such that p) = Exists(v_ρ, h(p))
Figure 4: Rules for translating HLS formulae into L.
translation of the variables and of the sub-formulae. For
example, a formula of the form exists ρ such that p
is rewritten as Exists(v_ρ,h(p)), where the target logic
variable v_ρ corresponds to variable ρ in the HLS formula,
and h(p) is the translation of sub-formulae p.
ThEodorE ensures that (pi, µ) |= φ iff h(¬φ) ∧ t(pi) is not
satisfiable. The correctness of our procedure is based on two
arguments: (i) t translates the trace pi into a set of array
variables whose values are set according to the values of the
original trace, and (ii) h rewrites the HLS formula into the
target logic without applying any change (that could alter the
semantics) to the structure of the formula.
C. Implementation
We implemented ThEodorE as an Eclipse plugin using
Xtext [22] and Sirius [23]. We selected Z3 [21] as SMT solver,
since it is an award-winning [24, 25], industry-strength tool.
As such, it is likely to satisfy goal G2 discussed above. Check-
ing whether this conjecture holds is part of our evaluation.
V. EVALUATION
In this section, we report on the evaluation of our contribu-
tions. First, we evaluate the expressiveness of HLS, and com-
pare it with state-of-the-art specification languages. Second,
we evaluate the applicability of the ThEodorE trace checker,
and compare it to state-of-the-art tools. Specifically, we aim
to answer the following research questions:
RQ1 To which extent can HLS express requirements from
industrial CPS applications and how does it compare
with state-of-the-art specification languages in terms of
expressiveness? (section V-A)
RQ2 Can ThEodorE verify CPS requirements on real-world
execution traces within practical time and how does it
compare with state-of-the-art tools? (section V-B)
7
A. Expressiveness of HLS (RQ1)
To answer RQ1, we collected a set of industrial CPS
requirements expressed in plain English text, and verified
whether they could be expressed in HLS and in other state-
of-the-art specification languages.
Dataset. We considered 212 industrial requirements from
our satellite case study, coming from three different sources:
S1: 61 requirements were randomly selected from 745
requirements contained in the requirement specification docu-
ment of the satellite on-board software (OBSW). Due to the
prohibitive effort (more than 20 hours spanned across several
working days) involved, both on our part and that of the
domain experts who helped us formalize these requirements,
we could only process a subset. Such requirements mostly
refer to the software dynamics of the satellite, as in “When the
satellite switches to “Idle Mode”, the OBSW shall checkout
the GPS, wait 50 ms, and then checkout the sun sensors”.
S2: 101 requirements were provided by the authors of SB-
TemPsy-DSL [7]. They mostly refer to the physical dynamics
of the satellite, as in “the beta angle [26] shall show an
oscillatory behavior with a maximum period of 2500 s”.
S3: 50 requirements were extracted from the design and
architectural documents of the satellite. These documents
describe the relations and interactions among the different
components of the satellite. They contain cyber-physical re-
quirements that relate the software and the physical dynamics
of the satellite, as in “if the satellite mode switches from “Idle
Mode” to “Safe Spin Mode” and the satellite is not in eclipse,
the magnetic field recorded by the magnetometer shall contain
a spike with a maximum amplitude of 0.02 T”.
Methodology. We tried to express the requirements from
our dataset using HLS and two state-of-the-art specification
languages, namely SB-TemPsy-DSL [7] and STL [2]. We
selected these languages because they are both supported
by trace checking tools. We assessed the extent to which
requirements were expressible in each language.
Results. Table I reports1 the number of requirements that
we were able to express in each of the languages, for each set
of requirements (S1, S2, and S3). HLS was able to express
100% (212/212) of the requirements, while SB-TemPsy-DSL
and STL were able to express 68% (145/212) and 48%
(102/212) of the requirements, respectively. These results
confirm that HLS is highly expressive and much more so than
alternatives. We remark that all the HLS constructs were useful
to express at least some of the considered CPS requirements,
though in very different proportions.
The answer to RQ1 is that HLS could express all the
requirements of our case study, many more than SB-TemPsy-
DSL (+67) and STL (+110).
1The values in Table I marked with an asterisk are slightly different from
those reported in [7]. In the latter, quantification on real-valued variables (not
supported in STL and SB-TemPsy-DSL) was handled by artificially selecting
a value for the quantified variables within their quantification range. In this
work, we marked such requirements as not specifiable.
Table I: Number of requirements expressible in each of the
languages for each set of requirements.
S1 S2 S3 Total
HLS 61/61 101/101 50/50 212/212 (100%)
SB-TemPsy-DSL 34/61 92/101∗ 19/50 145/212 (68%)
STL 38/61 51/101∗ 13/50 102/212 (48%)
B. Applicability of ThEodorE (RQ2)
To answer RQ2, we (i) assessed to which extent ThEodorE
can be applied to check the execution traces of our case study;
(ii) compared, in terms of applicability, ThEodorE with SB-
TemPsy-Check [7] and Breach [17]. SB-TemPsy-Check is the
trace checker for SB-TemPsy-DSL; Breach is a trace checker
for STL. We chose Breach among other similar tools listed in
a recent survey [27] (i.e., AMT [28, 29] and S-TaLiRo [30]),
because AMT 2.0, in contrast to Breach, is not publicly
available, and because Breach is faster than S-TaLiRo [17].
Furthermore, we excluded from our comparison tools for
online trace checking (e.g., SOCRaTEs [3] and RTAMT [31]).
Dataset. Our industrial partner provided 20 traces, obtained
by simulating the behavior of the satellite in different scenar-
ios; the simulation time ranged from four to six hours. Their
size (in number of entries) ranges from 41844 to 1202241
entries (avg = 389771, sd = 393718); the corresponding
file size ranges from ≈1.7 MB to ≈58.9 MB (avg ≈17.6 MB,
sd ≈19.4 MB). The traces have a considerably large (yet
variable) number of records and size.
For each trace in our dataset, our industrial partner indicated
which requirements to check. Indeed, since only a subset of the
satellite signals is recorded in each simulation scenario, not all
the requirements have to be checked on each trace. In total, we
considered 747 trace-requirement combinations: 320 obtained
from requirements in S1, 178 obtained from requirements in
S2, and 249 obtained from traces in S3. We remark that, out
of these 747 combinations, 337 involve a requirement that can
be expressed neither in SB-TemPsy-DSL nor in STL.
Our industrial partner used a variable sample-rate for gen-
erating the trace records; hence not all the signal values were
recorded at each sample index. Since our approach assumes
that all the signals are assigned a value at each sample index,
we pre-processed the traces. First, for each trace-requirement
combination, we filtered out from the trace all the records
that contained only signals that were not used in the HLS
specification of the requirement. This step prevents the trace
checker from handling an unnecessarily large set of records.
Then, we transformed the traces using both pre-processing
strategiesA1 andA2 presented in section III-B; in both cases,
the interpolation function to use for each signal was indicated
by the engineers of our industrial partner.
By applying the A1 and A2 strategies on the original
747 trace-requirement combinations, the final dataset con-
tains 1494 trace-requirement combinations (with half of them
obtained using one of the two strategies). The size of the
traces obtained using A1 ranges from 2 to 17321 entries
8
Table II: Output of ThEodorE (percentage and execution time)
when using the pre-processing strategies A1 and A2.
Output % avg min max sd
A1
satisfied 53.9 80.2 0.01 2693.0 334.7
violated 12.1 14.2 0.01 513.9 57.9
unknown 1.6 6.5 5.8 7.4 0.6
timeout 0.5 - - - -
max_depth_exceeded 13.0 - - -
out_of_memory 18.9 - - -
A2
satisfied 53.8 102.5 0.01 3432.9 331.7
violated 20.7 96.5 0.01 3143.5 379.8
unknown 2.2 8.7 5.4 12.3 2.1
timeout 23.3 - - - -
(avg = 2071, sd = 3840); the corresponding file size ranges
from ≈15 B to ≈5.9 MB (avg ≈0.1 MB, sd ≈0.4 MB). The size
of the traces obtained using A2 ranges from 2 to 2360674
entries (avg = 52406, sd = 185875); the file size ranges from
≈15 B to ≈90.0 MB (avg ≈2.3 MB, sd ≈8.4 MB).
Methodology. We ran ThEodorE over the 1494 trace-
requirements combinations in our dataset. When translating the
HLS properties in the target logic, we used function ιV for the
trace-requirement combinations generated using strategy A1
(since the pre-processed traces have a variable sample rate),
and function ιF for those generated using strategy A2 (since
the pre-processed traces have a fixed sample rate).
We conducted our evaluation on a high-performance com-
puting platform, using nodes equipped with Dell C6320 units
(2 Xeon E5-2680v4@2.4GHz, 128 GB). Each run (checking
a distinct combination of a trace and a property) was repeated
10 times, to account for variations in the performance of the
HPC platform and of the SMT solver. In total, we executed
1494 × 10 = 14940 runs of ThEodorE. We allocated 4 GB of
memory for each run and considered a timeout of one hour. We
recorded whether the trace-checking procedure ended within
the timeout, the trace checking result, and the time required
to yield a verdict.
As for the comparison with SB-TemPsy-Check and Breach,
we only considered the requirements from S2 since it has the
highest number of requirements expressible in SB-TemPsy-
DSL and STL, and it was recently used for comparing SB-
TemPsy-DSL with STL [7]. More specifically, we considered
the 162 trace-requirement combinations (with requirements
from the set S2) expressible in SB-TemPsy-DSL, and the 103
trace-requirement combinations expressible in STL. We ran
the tools following the same methodology described above.
Since each run was repeated ten times, in total we considered
1620 runs of SB-TemPsy-Check and 1030 runs of Breach.
Results - Applicability of ThEodorE. Table II shows the
different types of output returned by ThEodorE for checking
the 7470 trace-requirement combinations generated using the
variable sample rate interpolation (row A1) and the fixed
sample rate interpolation (row A2). Column “%” indicates
the percentage of cases in which each type of verdict was
returned. For each of the cases in which ThEodorE finished
within the timeout (i.e., it yielded a satisfied, violated, or
unknown verdict), Table II also provides the average (avg),
minimum (min), maximum (max) and standard deviation (sd)
of the ThEodorE execution time (s).
The results in row A1 show that ThEodorE finished within
the timeout in 67.6% of the cases. In 66.0% of the cases,
ThEodorE produced a definitive verdict (i.e., satisfied or vio-
lated); in 0.5% of the cases, ThEodorE timed out. ThEodorE
returned a “max_depth_exceeded - maximum recursion depth
exceeded during compilation” error in 13.0% of the cases,
and an “out_of_memory” error in 18.9% of the cases; both
errors are generated by the Z3 solver. The root cause of
these errors is the translation of function ιV , used in the
case of variable sample rate traces: the size of the arithmetic
expression resulting from the translation is linear in the length
of the trace. As expected, ThEodorE inherits the limitations
of SMT solvers and its applicability is expected to improve
along with the quick pace of progress in that field.
The results in row A2 show that ThEodorE finished within
the timeout in 76.7% of the cases. In 74.5% of the cases,
ThEodorE produced a definitive verdict; in 23.3% of the cases,
ThEodorE timed out. When using strategy A2, the number of
times ThEodorE reached the timeout was higher than when
using A1. Indeed, many trace-requirement runs that generated
max_depth_exceeded and out_of_memory errors in the case of
A1, timed out when using A2. As discussed for the case
of A1, the applicability of ThEodorE when using A2 is
determined by the scalability of the underlying SMT solver.
To evaluate whether ThEodorE is applicable in cases in
which neither SB-TemPsy-Check nor Breach is applicable, we
considered the subset of 3370 runs associated with the 337
trace-requirement combinations that involve a requirement that
can be expressed neither in SB-TemPsy-DSL nor in STL. For
those combinations, ThEodorE was able to produce a verdict
in 67.9% of the cases.
To evaluate the impact of the trace accuracy (as determined
by the application of the pre-processing strategies A1 and
A2) on the correctness of the trace-checking procedure, we
considered the 449 runs in which ThEodorE returned a defini-
tive verdict both when using A1 and when using A2, and
we compared the verdicts. In 95.1% of the cases (427 over
449), the verdicts coincided. For the 22 cases in which the
verdicts were different, we manually inspected the generated
traces and confirmed that differences in verdicts were caused
by the pre-processing strategies.
Overall, these results show that ThEodorE, when configured
with the pre-processing strategy based on a fixed sample rate
(A2), produced a definitive verdict for a considerable number
of trace-requirement combinations (74.5%), thus confirming
ThEodorE’s applicability in practical scenarios. Relying on
the A2 strategy led to a significantly wider applicability of
ThEodorE than with the A1 strategy (74.5% vs 66.0%), while
resulting in negligible differences in trace accuracy. Therefore,
for comparing ThEodorE with other tools, we resorted to using
the A2 pre-processing strategy.
Results - Comparison with other tools. Table III reports the
percentage of cases in which ThEodorE, SB-TemPsy-Check,
9
Table III: Comparison of ThEodorE, SB-TemPsy-Check, and
Breach in terms of the execution time.
Tool % avg min max sd
ThEodorE 72.2 69.6 0.01 2506.2 317.6
SB-TemPsy 94.1 30.1 0.09 3440.0 310.1
ThEodorE 95.1 81.4 0.01 2506.2 345.7
Breach 100 0.03 0.02 0.1 0.007
and Breach provided a verdict within the timeout and the
minimum, maximum, average and standard deviation of the
time required to yield the verdict.
The results show that, when the requirements are expressible
in SB-TemPsy-DSL and STL, SB-TemPsy-Check and Breach
are faster than ThEodorE. However, given the usage scenario
considered in our work (offline trace checking), the difference
in execution times reported in Table III does not have signif-
icant practical consequences since the average trace-checking
time (less than two minutes) is significantly lower than the
time required to collect the traces (several hours). Note that
all tools were consistent in terms of verdicts: when ThEodorE
returned a definitive verdict, it matched the verdict returned by
SB-TemPsy-Check and Breach (when they did not time out).
The answer to RQ2 is that ThEodorE could compute a
definitive verdict, within one hour, for 74.5% of the trace-
requirement combinations of our industrial case study, and
produced a verdict for 67.9% of the 337 trace-requirement
combinations that could not be checked by the other tools.
C. Discussion and Threats to Validity
Based on results, we recommend the following workflow.
Developers should initially use ThEodorE since its language
(HLS) is the most expressive, and it is generally difficult to
know in advance which requirement types engineers will need
to specify. If the property to be verified does not contain
the t2i HLS operator, which causes the generation of large
arithmetic expressions, engineers should use ThEodorE with
the pre-processing strategy based on a variable sample rate
(A1). If the property contains the t2i operator, engineers
should use the pre-processing strategy based on a fixed sample
rate (A2). If ThEodorE was not able to produce a definitive
verdict, and the requirement is expressible in SB-TemPsy-DSL
or STL, engineers should use SB-TemPsy-Check or Breach.
Threats to validity. The requirements and traces we used in
our evaluation come from a single case study in the satellite
domain. Although this could influence the generalization of
our results, our industrial case study is representative of what
can be found in other cyber-physical domains, where the
system requirements are complex properties related to the
software system, its environment and their interactions, and
traces are obtained by simulating (or executing) the behavior
of the CPS in many different scenarios.
VI. RELATED WORK
Our contribution is mainly related to work done in the area
of hybrid specification languages.
STL-MX [12] extends STL to define properties both on
discrete time and on dense time. The language includes two
layers, one based on LTL to express properties of discrete-time
Boolean signals (sampled at a fixed sample rate), and another
one based on STL, to express properties on dense-time real-
valued signals. Time mapping operators define the conversion
between dense-time and discrete-time signals and formulae.
A trace-checking procedure has been proposed for STL-MX,
but its implementation is not available. Compared with HLS,
STL-MX restricts discrete-time Boolean signals to be sampled
at a fixed sample rate, and lacks first-order quantifiers.
HyLTL [13], HRELTL [14], and HTL [16] extend existing
languages (e.g., LTL) with operators to express constraints
on certain behaviors of signals (e.g., derivatives or limits). In
contrast to HLS, they cannot express properties that refer to
specific time instants and to the distance between them.
Differential Dynamic Logic [15] differs from HLS since it is
designed for specifying properties of systems expressed using
the hybrid system [32] modeling formalism. As such, its modal
operators enable references to the states that are reachable after
firing the transitions of the hybrid system model.
The approach of reducing the trace-checking problem to
the verification of the satisfiability of a logical formula has
been also used in other works ([14, 33, 34]). However, our
approach supports HLS, a more widely applicable language,
and developed an efficient translation for it.
To summarise, in our context and given our goal, in addition
to the lack of trace-checking tools, none of the languages
discussed above is as expressive as HLS. Taking into account
the expressiveness limitations of state-of-the-art languages like
SB-TemPsy-DSL and STL, which were not able to express
many of our requirements (see section V), the development
of a new language (and of the corresponding trace-checking
tool) was indeed necessary.
VII. CONCLUSION
Software verification and validation requires specification-
driven trace-checking techniques that strike a balance between
the expressiveness of the specification language and the ef-
ficiency of its trace-checking procedures. In this paper, we
specifically address this problem in the CPS domain. We
proposed the Hybrid Logic of Signals (HLS), a specification
language tailored to the specifics of CPS requirements. HLS
allows engineers to specify complex CPS requirements related
to its cyber and the physical components, as well as their in-
teractions. Additionally, we developed ThEodorE, an efficient
SMT-based trace-checking procedure for HLS.
We evaluated our solutions through a large-scale, complex
industrial case study involving an on-board satellite system.
Results show that our approach achieves a better trade-off
between expressiveness and performance than existing solu-
tions. HLS was able to express all system requirements in
contrast to existing languages. As a result, ThEodorE supports
a much wider set of property types than other trace checkers.
In most cases, ThEodorE was able to check those properties
within practical time limits. Furthermore, the applicability of
10
ThEodorE is expected to improve in the future along with the
underlying SMT technology. Last, based on results, we suggest
a way to effectively combine various trace-checking tools.
As part of future work, we plan to develop trace diagnostics
methods for HLS, inspired by existing work [35, 36], to
explain the violations found by ThEodorE.
ACKNOWLEDGMENT
This work has received funding from the European Research
Council under the European Union’s Horizon 2020 research
and innovation programme (grant agreement No 694277) and
from the Natural Sciences and Engineering Research Council
of Canada (NSERC) under the Discovery and CRC programs.
REFERENCES
[1] A. Platzer, Logical foundations of cyber-physical sys-
tems. Springer, 2018.
[2] O. Maler and D. Nickovic, “Monitoring temporal proper-
ties of continuous signals,” in Formal Techniques, Mod-
elling and Analysis of Timed and Fault-Tolerant Systems.
Springer, 2004, pp. 152–166.
[3] C. Menghi, S. Nejati, K. Gaaloul, and L. C. Briand,
“Generating automated and online test oracles for
simulink models with continuous and uncertain behav-
iors,” in European Software Engineering Conference and
Symposium on the Foundations of Software Engineering,
ser. ESEC/FSE. ACM, 2019.
[4] R. Koymans, “Specifying real-time properties with met-
ric temporal logic,” Real-time systems, vol. 2, no. 4, pp.
255–299, 1990.
[5] A. Bakhirkin, T. Ferrère, T. A. Henzinger, and
D. Nicˇkovic´, “The first-order logic of signals: keynote,”
in International Conference on Embedded Software.
IEEE Press, 2018, p. 1.
[6] R. Alur and T. A. Henzinger, “Real-time logics: Com-
plexity and expressiveness,” Information and Computa-
tion, vol. 104, no. 1, pp. 35–77, 1993.
[7] C. Boufaied, C. Menghi, D. Bianculli, L. Briand, and
Y. Isasi-Parache, “Trace-checking signal-based temporal
properties: A model-driven approach,” in International
Conference on Automated Software Engineering (ASE
2020). IEEE, 2020.
[8] E. A. Emerson and J. Y. Halpern, ““sometimes” and
“not never” revisited: on branching versus linear time
temporal logic,” Journal of the ACM (JACM), vol. 33,
no. 1, pp. 151–178, 1986.
[9] A. W. Fifarek, L. G. Wagner, J. A. Hoffman, B. D. Rodes,
M. A. Aiello, and J. A. Davis, “SpeAR v2. 0: Formalized
past LTL specification and analysis of requirements,” in
NASA Formal Methods Symposium. Springer, 2017, pp.
420–426.
[10] D. Giannakopoulou, T. Pressburger, A. Mavridou, and
J. Schumann, “Generation of formal requirements from
structured natural language,” in Requirements Engineer-
ing: Foundation for Software Quality (REFSQ 2020).
Springer, 2020, pp. 19–35.
[11] A. Champion, A. Gurfinkel, T. Kahsai, and C. Tinelli,
“Cocospec: A mode-aware contract language for reac-
tive systems,” in International Conference on Software
Engineering and Formal Methods. Springer, 2016, pp.
347–366.
[12] T. Ferrère, O. Maler, and D. Nicˇkovic´, “Mixed-time
signal temporal logic,” in Formal Modeling and Analysis
of Timed Systems, É. André and M. Stoelinga, Eds.
Springer, 2019, pp. 59–75.
[13] D. Bresolin, “HyLTL: a temporal logic for model check-
ing hybrid systems,” arXiv preprint arXiv:1308.5336,
2013.
[14] A. Cimatti, M. Roveri, and S. Tonetta, “HRELTL: A
temporal logic for hybrid systems,” Information and
Computation, vol. 245, pp. 54 – 71, 2015.
[15] A. Platzer, “Differential dynamic logic for hybrid sys-
tems,” Journal of Automated Reasoning, vol. 41, no. 2,
pp. 143–189, 2008.
[16] T. A. Henzinger, Z. Manna, and A. Pnueli, “Towards
refining temporal specifications into hybrid systems,” in
Hybrid systems. Springer, 1992, pp. 60–76.
[17] A. Donzé, T. Ferrère, and O. Maler, “Efficient robust
monitoring for STL,” in Computer Aided Verification
Conference (CAV). Springer, 2013.
[18] (2020) Satellite development phases. [Online]. Available:
https://www.esa.int/Science_Exploration/Space_Science/Building_and_testing_spacecraft
[19] C. Barrett, A. Stump, and C. Tinelli, “The SMT-LIB stan-
dard - version 2.6,” Department of Computer Science,
The University of Iowa, Tech. Rep., 2017.
[20] T. Weber, S. Conchon, D. Déharbe, M. Heizmann,
A. Niemetz, and G. Reger, “The SMT competition
2015-2018,” J. Satisf. Boolean Model. Comput.,
vol. 11, no. 1, pp. 221–259, 2019. [Online]. Available:
https://doi.org/10.3233/SAT190123
[21] (2020) Z3. [Online]. Available:
https://github.com/Z3Prover/z3
[22] “Xtext,” https://www.eclipse.org/Xtext/, 2020.
[23] “Sirius,” https://www.eclipse.org/sirius/, 2020.
[24] “ACM SIGPLAN - Programming Languages Soft-
ware Award,” http://www.sigplan.org/Awards/Software/,
07 2020.
[25] “ETAPS 2018 Test of Time Award,”
https://etaps.org/about/test-of-time-award/test-of-time-award-2018,
07 2020.
[26] (2020) Beta angle. [Online]. Available:
https://en.wikipedia.org/wiki/Beta_angle
[27] E. Bartocci, J. Deshmukh, A. Donzé, G. Fainekos,
O. Maler, D. Nicˇkovic´, and S. Sankaranarayanan,
“Specification-based monitoring of cyber-physical sys-
tems: a survey on theory, tools and applications,” in
Lectures on Runtime Verification. Springer, 2018, pp.
135–175.
[28] D. Nicˇkovic´, O. Lebeltel, O. Maler, T. Ferrère, and
D. Ulus, “AMT 2.0: Qualitative and quantitative trace
analysis with extended signal temporal logic,” in Tools
and Algorithms for the Construction and Analysis of
11
Systems. Springer, 2018, pp. 303–319.
[29] D. Nicˇkovic´, O. Lebeltel, O. Maler, T. Ferrère, and
D. Ulus, “Amt 2.0: qualitative and quantitative trace anal-
ysis with extended signal temporal logic,” International
Journal on Software Tools for Technology Transfer, pp.
1–18, 2020.
[30] Y. Annpureddy, C. Liu, G. Fainekos, and S. Sankara-
narayanan, “S-taliro: A tool for temporal logic falsifica-
tion for hybrid systems,” in International Conference on
Tools and Algorithms for the Construction and Analysis
of Systems. Springer, 2011, pp. 254–257.
[31] D. Nicˇkovic´ and T. Yamaguchi, “RTAMT: Online ro-
bustness monitors from STL,” in Proc. International
Symposium on Automated Technology for Verification
and Analysis (ATVA 2020). Springer, October 2020.
[32] R. Alur, Principles of cyber-physical systems. MIT
Press, 2015.
[33] M. M. Bersani, D. Bianculli, C. Ghezzi, S. Krstic´, and
P. San Pietro, “SMT-based checking of SOLOIST over
sparse traces,” in International Conference on Funda-
mental Approaches to Software Engineering (FASE), vol.
8411. Springer, 2014, pp. 276–290.
[34] D. Bianculli, C. Ghezzi, S. Krstic´, and P. San Pietro,
“Offline trace checking of quantitative properties of
service-based applications,” in Proceedings of the 7h
International Conference on Service Oriented Computing
and Application (SOCA 2014), Matsue, Japan. IEEE,
November 2014, pp. 9–16.
[35] W. Dou, D. Bianculli, and L. Briand, “Model-driven trace
diagnostics for pattern-based temporal specifications,” in
Proceedings of the 2018 ACM/IEEE 21st International
Conference on Model Driven Engineering Languages
and Systems (MODELS 2018). ACM, October 2018,
pp. 278–288.
[36] T. Ferrère, O. Maler, and D. Nicˇkovic´, “Trace diagnos-
tics using temporal implicants,” in Proc. ATVA 2015,
ser. LNCS, vol. 9364. Cham: Springer International
Publishing, 2015, pp. 241–258.
12
