Formal specifications on temporal behavior of Cyber-Physical Systems (CPS) is essential for verification of performance and safety. Existing solutions for verifying the satisfaction of temporal constraints on a CPS are compute and resource intensive since they require buffering signals from the CPS prior to constraint checking. We present an online approach, based on Timestamp Temporal Logic (TTL), for monitoring the timing constraints in CPS. The approach reduces the computation and memory requirements by processing the timestamps of pertinent events reducing the need to capture the full data set from the signal sampling. The signal buffer size bears a geometric relationship to the dimension of the signal vector, the time interval being considered, and the sampling resolution. Since monitoring logic is typically implemented on Field Programmable Gate Arrays (FPGAs) for efficient monitoring of multiple signals simultaneously, the space required to store the buffered data becomes the limiting resource. The monitoring logic, for the timing constraints on the Flying Paster (a printing application requiring synchronization between two motors), is illustrated in this paper to demonstrate a geometric reduction in memory and computational resources in the realization of an online monitor.
the conventional approaches [5] [6] [7] [8] [9] [10] record the value of the signal x[t] at all times in the interval t ∈ [τ + 2, τ + 6]. The signal values are compared against the constraint, (|x[t]| < 2), to determine if the requirements are satisfied within the time interval [τ + 2, τ + 6]. The constraint evaluation is repeated for each sampling period.
Often, existing monitoring systems are implemented in a simulation. To test real-time systems, FPGA (Field Programmable Gate Array) implementation has the potential to minimize computational latencies and allows for simultaneous monitoring of multiple signals, while supporting the flexibility for modifications and upgrades. The scheme by Jakšić et al. [11] was implemented on FPGAs. However, for FPGAs, the available memory to store the signal histories and perform the computation becomes the main bottleneck.
To evaluate how practical the existing state-of-the-art monitoring schemes are, we built a model of a Flying Paster application. We specified seven timing constraints to minimize the amount of unused paper while ensuring sufficient time to paste and splice the paper of the new roll before the first roll expires. The implemented test code to evaluate against the timing constraints using the (latest) Counters approach by Jakšić et al. [11] , could not be compiled due to insufficient memory on the commercial off-the-shelf (COTS) FPGA board with 82, 000 flip-flops (FFs) and 41, 000 look-up tables (LUTs), at a sampling rate of 20 kHz. In CPS, examples of systems using high sampling rates include power systems where IEC 61869-9 specifies sampling rates at 4.8 kHz for Alternating Current (AC) and up to 96 kHz for Direct Current (DC) measurements [12] .
In this paper, we propose a more efficient online approach for monitoring the timing constraints of CPS, Timestamp-based Monitoring Approach. The key improvement is rather than evaluating a constraint at each sampling period, TMA only computes the constraint satisfaction at the occurrence of relevant events extracted from monitored signals. For constraint ϕ := □ [2, 6] (|x[t]| < 2), TMA identifies x[t] as the signal-of-interest when x[t] goes above or below 2 V. Accordingly, ϕ is re-computed only at the occurrence of the next event-of-interest. TMA can monitor all seven timing constraints of Flying Paster model application at a sampling rate of 20 kHz, using only 11% of the FFs and 11.5% of LUTs on the same FPGA.
In general, for a constraint that is defined over a time interval of T , and must be monitored for the duration of experiment d, with a sampling frequency of f , the conventional approach requires O(T f d) computation time. The requirements of both, computation time and memory, depending on the interval size and the sampling rate. In contrast, our approach has a complexity of O(k), where k is the maximum number of events during time d. Case in point, both the computation and memory requirement of the monitoring logic for implementing a Globally constraint using the Jakšić et al. approach [11] increases with the interval size of the Globally operator, while the monitoring logic of TMA is independent of the time interval, and scales well. Another important point to note is that although event-based constraints (e.g, whenever signal s 1 rises above 2.5 V, the signal s 2 should fall below 1 V in less than 2 s.) can be specified in STL the logic that is generated can be complex and resource intensive since an event-based constraint is composed of several STL temporal operators. On the other hand, event-based temporal constraints are specified using TTL, Simultaneity, Chronological, Phase, Frequency, Latency, among others [13] . TTL provides for a more intuitive and simple specification (e.g., L(⟨s 1 , 2.5, ↗⟩, ⟨s 2 , 1, ↗⟩) < 2). In this paper, we apply two of the primitives, namely Latency and Simultaneity, to illustrate the online monitoring approach.
RELATED WORK
Conventional monitoring methods have high memory usage and processing time requirements since they evaluate timing constraints at every time-step. Offline tools for analyzing the timing requirements in CPS have been implemented in Breach [14] , and S-Taliro [15] . Both tools record simulation data and evaluate timing constraints after the simulation has finished. Figure 1 .a depicts the conventional monitoring approach. It plots the value of Boolean signal ψ along the time axis at the top. To evaluate the constraint □ [a,b] ψ at time t 1 , the existing techniques look at the entire interval [t 1 + a,
If the signal is true for the entire duration, the constraint is met at t 1 . Since the signal ψ was false for some time (just after t 1 + a), the constraint □ [a,b] ψ is not met at time t 1 . However, the constraint is met at t 2 . The computation required to evaluate this constraint is O(T f 2 ), where T is the time interval over which the temporal operator is defined, which in this case, is T = b −a, and f is the sampling frequency. The memory buffer required for this computation will be O(T f ). If there is a constraint with P temporal operators, and w signals, then the amount of computations is O(T Pw f 2 ), while the amount of buffer needed will be O(T Pw f ). To monitor one timing constraint with four temporal operators defined over an interval of 100 s, with a system sampling rate and analog to digital converter (ADC) resolution of 20 kHz (t s = 50 µs) and 12-bit, we need 12 MB of memory (M = 4 × 100 50 µs × 12 8 ). Primarily, because of the computational complexity, evaluating temporal constraints in real-time is not scalable. Practical CPS applications, such as power generation and distribution have numerous constraints, each containing multiple, high-frequency data signals to be monitored simultaneously, and may have evaluation time intervals over extended durations.
Recognizing the high overhead, AMT [16] proposed an incremental approach to compute the constraints at a segment granularity. However, they can reduce the complexity only by the factor of the granularity. An incremental method was proposed by Deshmukh et al. [10] where timing constraints are evaluated by traversing the parse tree generated for STL formulas. They optimize their calculation by eliminating repetitive computations.
While all the previous approaches were implemented in simulation, Jakšić et al. [11] implemented a monitoring method called Counters algorithm on FPGA. The Counters algorithm reduces the computation complexity from O(n 2 ) to O(n log(n)), where n is the size of time interval of the temporal constraints. Although Jakšić et al. showed a way to reduce memory usage, the storage remains a concern (even for bounded constraints). This technique converts future STL operators into past ones and translates all constraints such that their interval starts from zero. Then, a counter is dedicated for measuring the duration of a positive pulse in each interval. The number of needed counters depends on the variability of the monitored signal and the length of the interval bound (a). In each time-step, the active counter is incremented to measure the duration of positive pulses. The maximum number of counters is ⌈ 2a b−a+1 ⌉ where each counter has ⌈log 2 a⌉ bits. For example, □ [5000,5001] ψ needs 5000 counters, each with log 2 5000 = 13 bits. Therefore, we need around 8 kB to monitor just one signal. In contrast, to monitor the same constraint using TMA, only the last two timestamps of the events-of-interest and the last two timestamps of the result are needed. Therefore, four 32 − bit variables for each operator is needed, which is independent of interval length and sampling rate, and a small memory footprint for the state machine. We need one state machine per operator and the size of each state machine is very small since it needs only 2 bits to store the state.
STL expressions are often combined and/or nested and must be evaluated recursively. Additionally, although STL has the capability to express event-based timing constraints, they are constructed out of a variety of level-based timing constraints. In order to represent only one event (rising or falling) in STL, we should use past and future operators together in one expression 1 . In contrast, TTL can easily express the event timing constraint so that the implementation test code can be succinct as well.
TIMESTAMP MONITORING APPROACH
We use TTL to specify the application timing constraints, since TTL succinctly expresses both event-based and level-based timing constraints commonly used in CPS. TTL considers temporal behavior of analog signals upon a given threshold function in level-based timing constraints. Also, this logic can express event-based timing constraints where the time at which a signal value changes (e.g. L(⟨s 1 , 2.5, ↗⟩, ⟨s 2 , 1, ↗⟩) > 2, whenever a rising s 1 signal crosses 2.5 V, a rising s 2 shall not cross 1 V earlier than 2 s). Hence, we first convert analog signals to discrete event boolean signals by the method in [13, 17] . Therefore, we have R → B to transform the analog to boolean signals. Then, timestamps corresponding to rising and falling edges are extracted. We define finite sets of rising edges Γ r and falling edges Γ f for a boolean signal, ψ , as: Figure 2 .a depicts a boolean signal ψ , which is created when the analog signal s(t) crosses a threshold, f (t) that shows after threshold crossing, the boolean signal is described by t ψ r i and t ψ f i , (i = 1, ..., n). Now, we present a boolean signal as a tuple consisting of an initial state (ψ init ), a set of rising edges (Γ r ) and a set of falling edges (Γ f ):
The differentiate operator ( ), φ = (ψ ) extracts the rising edge of a boolean signal ψ ∈ B where the value of φ is 1 if (ψ (t + )⊕ψ (t))∧ ¬ψ (t) = ⊤, and ⊥ otherwise. ⊕ is the XOR operator and, t + refers to the right neighborhood (the next time-step) of signal at time t. By applying differentiate operator on a boolean signal ψ (φ = ψ ), we provide another boolean signal, φ, which is true for a short period (sampling time) and false otherwise. Since this operator provides 1 ↑ ψ = (ψ ∧ (¬ψ ST )) ∨ (¬ψ ∧ (ψ UT )) for rising edges and ↓ ψ = (¬ψ ∧ (ψ ST )) ∨ (ψ ∧ (¬ψ UT )) for falling edge. 
Level-based Approach
In this section, we introduce three algorithms executed at each rising and falling edge to define the set of timestamps for online constraint evaluation of level-based TTL operators. 3.1.1 Globally Rules. Given a boolean signal (ψ ) expressed with a set of rising and falling edges Γ , for every new pair of timestamps, we update the set of rising and falling edges by applying Algorithm 2. The calculated timestamps are only added to the set under the constraint; a rising edge must occur after the last falling edge. Also, if the last computed falling is in the range of new pulse, the last falling should be replaced with the new falling edge to append the last pulse on the result.
3.1.3 Until Rules. Given two boolean signals, ψ 1 and ψ 2 , with new rising and falling edges t 
Γ r = Γ r + {t r i } 8:
at line 3, new edges are either appended or discarded, depending on whether or not they comply with the signals. For example, any negative time value and any set of edges with a falling happening before a corresponding rising edge indicate the constraint is not satisfied. Similarly, any edge with rising that comes before the falling edge of the previous set is discarded and the previous falling is replaced with the new falling since the last positive pulse should be extended to the new falling edge. A pair of timestamps appended to Γ U r and Γ U f signifies that there is a new valid interval where the constraint,ψ 1 U [a,b] ψ 2 , was met. As depicted in the Until example in Figure 2 .b, we have t U r 1 = max(1, 2−4) = 1 and t U ≤ t U r 2 they must be disregarded rather than appended to Γ U r and Γ U f . This concludes that U [2, 4] , were met in the interval from time t = 1 to t = 3, when the first pulse of ψ 1 must hold until the rising event on ψ 2 is true at some time step between a and b 2 . The Finite State Machine (FSM) in Figure 3 , calculates the result of Until operator with just four states (two bits) 3 .
Event-based Approach
The second category of operators in TTL is event-based. They deal with timestamps of events (Θ set) and produce boolean signals represented by rising and falling sets (Γ r and Γ f ).
3.2.1 Simultaneity Constraint. To determine the satisfiability of the Simultaneity constraint, the point in time where a set of events have occurred within a time tolerance of ϵ is evaluated. Figure 4 .a shows the example of three events occurring within ϵ so that the constraint is met between θ min − b and θ max − a. We use timed-automata to evaluate this timing constraint. As Figure 4 .b, if the timed-automata detects n events and ϵ duration passed after observing the first event the constraint can be calculated.
There is no event
An event on The timed-automata to calculate Simultaneity constraint.
Latency Constraint.
A latency constraint specifies the time difference between the occurrence of two events. A simple example of a latency constraint is the minimum, maximum or exact time interval between two events, denoted as follows: L(φ 1 , φ 2 ) ▽ c where ▽ ∈ {>, <, ==}. The test code generation takes as input two events (φ 1 and φ 2 ) and compares the difference between the event timestamps with a real number c. Since the signals are singletons, the sets of Θ φ 1 and Θ φ 2 each contain one element. Hence, whenever event Θ φ 2 is received, the latency can be calculated. The latency constraint evaluation is comprised of two steps: (1) calculating the delay ∆t between two timestamps, θ 
EMPIRICAL EVALUATION
In this section, we applied TMA method to monitor timing constraints in Flying Paster application and compared the required number of FFs and LUTs with the Counters algorithm in [11] . Also, we implemented Globally operator with different time intervals to show the required memory for an FPGA implementation (Table 1) . 
Case Study: Flying Paster Application
The schematic diagram of Flying Paster application [18, 19] is shown in Figure 5 . The active roll B feeds the paper and should make contact with the reserve roll A before B runs out of paper, for continuous operations. C and E are idler wheels. Sensor H measures the radius of the paper on B and whenever the radius is less than a threshold, it generates an Approaching Out of Paper (AOP) event.
Then, roll A starts to rotate. On the outer side of the reserve roll paper, there is a double-sided adhesive tape, which can be detected by sensors F and G. To calculate the angular velocity of roll A, sensors F and J are utilized. When the velocity of the paper at the edge of A becomes the same as roll B, match signal is generated. Once match is observed, after detecting two rotations, G can detect the tape. When G detects it, idler wheel E pushes the belt to the spare roll A, such that after tapeToContactAnдle, papers on A and B attach together by the adhesive tape and then the paper on roll A follows the path. Cutter D should cut the paper on roll B after tapeToCutAnдle. In order to ensure that the new paper is attached properly, we should have tapeToContactAnдle < tapeToCutAnдle. [18] . Active roll, B, is replace by reserve one, A, to feed the web.
To implement this application, we used two Hansen DC motors as rolls A and B. Motors are driven by an Arduino Mega2560 board to control the speed and also to generate AOP, match, contact and cut signals. On each motor, we installed a dialed disk with a drilled hole at zero degree ( Figure 6 ). An Omron EESX970C1 sensor was installed close to each disk to detect the drilled hole and hence, measure the rotation speed of each motor. We utilized an NI-cRIO 9035 with an on-board FPGA, Xilinx Kintex-7 7K70T, containing 82,000 FFs and 41,000 LUTs with a 40 MHz clock frequency. For signal monitoring, we used a 20 kHz NI-9381 I/O module and it uses a 12-bit ADC. The pins of NI-9381 were directly connected to photomicrosensors, AOP, match, cut and contact signals.
Active Motor Spare Motor Sensor2 Sensor1 Monitoring Device Figure 6 : Implemented Flying paster comprises 2 motors and is monitored by reconfigurable data acquisition system.
Next, we express timing constraints of flying paster application based on STL. The notations for the case study variables are as follows: linear velocity (V ), radius (r ) and angular velocity (ω). 1) The velocity of the paper on active roll should be constant:
V ac t iv e = (r ac t iv e × ω ac t iv e ) ± 1% m/s
The time interval between AOP rising to match rising edge must be no more than t act ion : □(↑ AOP ⇒ [0,t ac t ion ] (↑ match)) 3) After match, the paper speed of the spare should remain the same as active: V act ive = r act ive × ω act ive and V spar e = V act ive ± 1% (↑ cut )
7) AOP to cut should not be more than t t e r minat ion .
[t AO P , t AO P +t t e r minat ion ] (↑ cut )
We implemented the timing constraints of Flying Paster with three approaches (conventional, Jakšić [11] and TMA) on FPGA.
Temporal Logic Expression.
We began with the conventional method describing the constraints in STL. We changed the future STL formulas to the past ones [11] , and we represented the same timing constraint in TTL for TMA. 
) Therefore, the example is converted to:
2) Jakšić in [11] method: Future STL should be converted into past:
The edge (↑) operator should be replaced by the equivalent constraint like the conventional method. 3) TMA method: Since the constraint is a latency between AOP and match, it can be easily written in TTL as:
L(⟨AOP, 2.5 V , ↗⟩, ⟨match, 2.5 V , ↗⟩) ≤ t act ion The level threshold, 2.5 V, is the threshold to detect true or false on the boolean signal (0 V and 5 V correspond to f alse and true, respectively). Next, we implemented the constraint specifications on the FPGA using the three monitoring methods. As Figure 7 depicts, conventional and Jakšić methods required more FFs and LUTs in the case study. With increasing intervals, the FF and LUT utilization increases linearly for the Jakšić method. In − [a,b] 
, the variability is b − a + 1. In contrast, TMA takes a constant amount of memory in all scenarios because it does not require retention of signal history. When a signal event is observed, the result can be deduced. Moreover, the computation part -that affects the LUT size -is minimal by reducing operators (either event-based or level-based) to simple computations.
Low variability signals
We evaluate the last timing constraint of flying paster application ( [t AO P ,t AO P +t t e r minat ion ] (↑ cut)), using all three methods to see the efficiency of TMA in monitoring low variability signals for different values of t t erminat ion as shown in the third row of Table  2 . Figure 8 compares the FF utilization based upon the conventional, Jakšić, and TMA approaches for constraint evaluation in the case study application, where TMA used the least amount of memory.
CONCLUSION
We propose a lightweight monitoring methodology, TMA, for CPS timing constraints and demonstrated the efficiencies gained based on an initial case study. The approach utilizes signal timestamps to compute the range for a constraint, rather than processing the levels of signals, requiring data at each sample. The proposed method minimizes computation overhead compared to existing monitoring approaches. The implementation is independent of the constraint interval, allowing the memory usage to be constant for any interval. TMA is particularly geared towards monitoring constraints in TTL, which allows for the succinct description of common timing constraints in CPS, thus simplifying the description and the constraint evaluation algorithms. Future research in this area includes expansion of constraint primitives, such as duration, to fully capture and express temporal constraints in CPS. Disclaimer: Certain commercial entities, equipment, or materials are identified in this document in order to describe the experimental design or to illustrate concepts. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology or the institutions of the other authors, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
