Enhancing Temporal Logic Falsification with Specification Transformation
  and Valued Booleans by Eddeland, Johan Lidén et al.
Enhancing Temporal Logic Falsification with Specification
Transformation and Valued Booleans
Johan Lide´n Eddeland
Volvo Car Corporation
johan.eddeland@volvocars.com
johan.eddeland@chalmers.se
Koen Claessen
Chalmers University of Technology
koen@chalmers.se
Nicholas Smallbone
Chalmers University of Technology
nicsma@chalmers.se
Zahra Ramezani
Chalmers University of Technology
rzahra@chalmers.se
Sajed Miremadi
Volvo Car Corporation
sajed.miremadi@volvocars.com
Knut A˚kesson
Chalmers University of Technology
knut@chalmers.se
Abstract
Cyber-Physical Systems (CPSs) are systems with
both physical and software components, for exam-
ple cars and industrial robots. Since these systems
exhibit both discrete and continuous dynamics, they
are complex and it is thus difficult to verify that they
behave as expected. Falsification of temporal logic
properties is an approach to find counterexamples to
CPSs by means of simulation. In this paper, we pro-
pose two additions to enhance the capability of falsi-
fication and make it more viable in a large-scale in-
dustrial setting. The first addition is a framework for
transforming specifications from a signal-based model
into Signal Temporal Logic. The second addition is
the use of Valued Booleans and an additive robust se-
mantics in the falsification process. We evaluate the
performance of the additive robust semantics on a
set of benchmark models, and we can see that which
semantics are preferable depend both on the model
and on the specification.
1 Introduction
Assuring the quality of Cyber-Physical Systems
(CPSs) is an important task that is growing more and
more complex. Industrial-size systems with both dis-
crete and continuous dynamics, i.e. hybrid systems,
require durable methods for design automation [1],
as well as validation methods that are beyond the
current capabilities of e.g. model-checking [2]. Since
the general problem of finding the set of reachable
states for this kind of systems is undecidable [3], we
instead resort to testing the systems. For testing
and/or monitoring of CPSs, there are many possible
approaches (see [4, 5] for two surveys) – in this work,
we consider falsification of temporal logic specifica-
tions. Another approach is deductive methods for
proving properties of CPSs [6], but in many indus-
trial applications there is no mathematical model to
analyze, instead there is only the possibility to simu-
late the system under test. Falsification can be done
for CPSs both with the actual hardware, or as in the
case of this paper, where the hardware is being sim-
ulated.
Falsification of temporal logic specifications for
1
ar
X
iv
:1
91
0.
08
30
6v
1 
 [e
es
s.S
Y]
  1
8 O
ct 
20
19
CPSs is a method which attempts to find counterex-
amples to properties of systems by optimization over
robustness of the specification. Here, robustness is
a measure of distance to violation of the specifica-
tion. The falsification framework has been shown to
be useful for several different applications [7, 8], and
it can still be modified in many different ways. For
example, one can consider different optimization al-
gorithms to search for the counterexample (e.g. ant
colony optimization [9] or functional gradient descent
[10]).
Falsification requires use of a formal specification,
typically written in Metric Interval Temporal Logic
(MITL) [11] or Signal Temporal Logic (STL) [12] (or
some variant thereof). However, these formal logics
are not currently well established in industry, since
the specifications used in industry need to be under-
stood by engineers from many different disciplines.
This means that it can be difficult to apply falsifica-
tion when there is no formal specification available to
test against.
In an attempt to tackle this problem, we present a
framework for transforming requirements modelled in
a causal, signal-based language (e.g. Simulink [13])
into specifications in STL. This allows expert test en-
gineers to model executable requirements using a tool
they are familiar with, while also making falsification
possible for the models under development.
As an additional measure to enhance the falsifica-
tion process for industrial-size problems, we apply an
alternative robust semantics to be used in the fal-
sification problem. Specifically, we use the additive
semantics presented for the logical framework Val-
ued Booleans [14]. We evaluate the performance of
additive semantics for several specifications and see
in which cases they are preferable to the “standard”
semantics of STL robustness. To be clear, these
changes apply when we attempt to falsify a spec-
ification by means of optimization, rather than by
performing brute-force exploration of system execu-
tions.
1.1 Related work
The main focus of this paper is to adapt the frame-
work of falsification to work better in certain in-
dustrial applications. The tools Breach [15] and S-
TaLiRo [8] are used to perform falsification with STL
and MTL, respectively. Both of these tools are based
on the idea of a robustness measure for temporal logic
specifications [16]. Apart from falsification, recent re-
search has also focused on mining of temporal prop-
erties for CPSs [17], which can make it easier to un-
derstand what proper specifications could be, given
simulations of a system. A generalization of robust-
ness is presented in a recent algebraic framework for
runtime verification [18].
There exist several approaches to transform mod-
els between other design tools. In [19], the author
presents a way to go from informal requirements to
hybrid models with the use of pattern templates. In
[20], a method for generating Simulink monitors from
formal requirements is presented – this procedure is
essentially the opposite of the one presented in this
paper. In [21], a tool is introduced for translating
Simulink models into theories in the proof assistant
Isabelle [22]. To our knowledge, there has been no
previous work transforming causal signal-based spec-
ifications into STL formulas, a transformation inves-
tigated in this paper.
When it comes to improvements of the falsifica-
tion process itself, previous work has defined a mod-
ified version of STL [23], and there has been discus-
sion showing the need for similar modifications in in-
dustrial applications [24]. The main point has been
to improve the robustness information from tempo-
ral operators by averaging the robustness inside the
timed intervals in question. Another novel approach,
which can include different interpretations of robust-
ness for temporal operators, views temporal logic as
filtering [25]. This connects the fields of temporal
logic and signal processing and allows for new ways
of analysis.
Several works [26] [27] have designed methods for
faster falsification of a specific sub-class of specifi-
cations, namely request-response specifications. Re-
cently, an extension to falsification has been proposed
where meta-parameters of falsification, e.g. the num-
ber of control points, are variable and put into an
outer optimization problem [28].
Valued Booleans [14] is a recently-proposed logic
that captures both the truth value of properties, as
2
well as how severely the properties are falsified. In
this paper, we use a version of Valued Booleans to
enhance the capabilities of falsification.
1.2 Contributions
The main contributions of this work are:
i) transformation of causal signal-based require-
ments into STL specifications;
ii) application of Valued Boolean additive semantics
to the falsification process;
iii) evaluation of additive semantics for falsification
of benchmark requirements.
The rest of the paper is organized as follows: in
Section 2, STL and the falsification problem are de-
fined. The latter is used to evaluate different ro-
bust semantics later on. In Section 3, we define a
framework for translating causal signal-based specifi-
cations into STL. Section 4 details the logic of Valued
Booleans, with two kinds of robust semantics. Sec-
tion 5 compares the two robust semantics in falsifica-
tion for a set of benchmark models, and in Section 6
our conclusions are presented.
2 Signal Temporal Logic and
Falsification
The specification language STL is widely used for fal-
sification of CPSs. We omit the definition of the ro-
bust semantics of STL, as it is almost identical to the
max semantics of VBools, which we define in Section
4.1. For details on STL, we refer the reader to other
works [29].
2.1 Discrete-time signals
Throughout this paper, we discuss specifications de-
fined for signals and signal values. The semantics of
VBools is in terms of discrete-time signals, and for the
sake of consistency we also define STL this way, even
though it is usually defined in terms of continuous-
time signals [30]. The main point of doing this is to
make it clear how temporal operators can be defined
in terms of conjunction, but generalizing to continu-
ous time is possible [31] [16]. For practical purposes,
falsification and monitoring of signals is performed
on the output of simulated systems, where time has
to be discretized to numerically solve the systems.
Definition 1 A discrete-time signal is a function
x[k] from a finite subset of I ⊂ Z to R, where k ∈ I.
The set I labels the time instants of the signals, and
the signal takes on continuous values at each of those
time instants.
2.2 Signal Temporal Logic
The grammar of STL formulas is defined as
µ ::= x < r | x ≤ r | x ≥ r | x > r | x = r
ϕ ::= µ | ¬µ | ϕ ∧ ψ | [a,b]ψ | ϕ U[a,b]ψ,
where µ is a predicate, and ϕ and ψ are STL formulas.
∧ denotes logical and, [a,b] is the timed globally (or
always) operator, and U[a,b] is the timed until opera-
tor. Due to De Morgan’s laws, we can define logical
or ϕ ∨ ψ as ¬(¬ϕ ∧ ¬ψ). There is a similar iden-
tity for the temporal operators, which lets us define
timed eventually ♦[a,b]ϕ as ¬([a,b]¬ϕ). These iden-
tities will also be used in Section 4. Similarly to [32],
we define the validity of a formula ϕ with respect to
the discrete-time signal x at time instant k as
(x, k) |= µ ⇔ µ(x[k])
(x, k) |= ¬µ ⇔ ¬((x, k) |= µ)
(x, k) |= ϕ ∧ ψ ⇔ (x, k) |= ϕ ∧ (x, k) |= ψ
(x, k) |= ϕ ∨ ψ ⇔ (x, k) |= ϕ ∨ (x, k) |= ψ
(x, k) |= [a,b]ϕ ⇔ ∀k′ ∈ [k + a, k + b], (x, k′) |= ϕ
(x, k) |= ♦[a,b]ϕ ⇔ ∃k′ ∈ [k + a, k + b], (x, k′) |= ϕ
(x, k) |= ϕ U[a,b]ψ ⇔ ∃k′ ∈ [k + a, k + b] (x, k′) |= ψ
∧ ∀k′′ ∈ [k, k′), (x, k′′) |= ϕ
We will provide an example of STL specification
for clarity. The first example is a benchmark spec-
ification from [33], informally stated as “During all
simulation times, the engine speed ω and the vehi-
cle speed v never reach ω¯ and v¯, respectively.” The
corresponding STL formula is
3
φAT2 = ((ω < ω¯) ∧ (v < v¯)).
φAT2 contains two operators:  and ∧. The modal
depth of a formula is the deepest nesting of temporal
operators (i.e. ,♦,U) in it. For φAT2 , the modal
depth is 1.
2.3 Falsification
Temporal logic falsification is an approach to finding
counterexamples to models of CPSs, given a specifi-
cation in temporal logic. The problem of generating
a test case for the CPS is treated as an optimiza-
tion problem, where one attempts to minimize the
robustness of the STL specification, given an input
parametrization of the system. Figure 1 illustrates
the main falsification procedure used in this paper
(with the use of the tool Breach), which we have
adapted to use VBools instead of STL robust seman-
tics.
The Generator takes the input parametrization to
generate an input to the system under test. The Sim-
ulator generates a simulation trace, which is used to-
gether with the specification ϕ to evaluate VBool ro-
bustness for the simulation. The VBool robustness
is evaluated to see whether the specification is falsi-
fied or not. If it is not falsified, new parameters are
sampled and the process is repeated. The Parame-
ter Optimizer is a global optimizer which attempts
to find new input parameters that are closer to falsi-
fying the specification, i.e., parameters that lead to
a lower VBool robustness.
In this work, we investigate two modifications to
the falsification procedure. In Section 3, we introduce
a transformation of signal-based requirements into
STL (with a specification transformer) as a means
of allowing falsification to be performed by testers
who are not used to temporal logic specifications. In
Section 4, the logic of VBools is introduced which al-
lows the tester to control the objective function used
in the falsification optimization problem.
3 Signal-Based Specifications
As has been noted before [34], writing specifications
in temporal logic is not trivial. Approaches that have
been used to solve this problem are creating tools that
make it easier to write specifications [35], automati-
cally detecting faulty specifications [36], and defining
template specifications to make it easier for testers
to formulate their requirements formally [37]. In this
paper, we instead allow test engineers to write spec-
ifications in a formalism they already know, namely
a causal signal-based framework (in our case using
Simulink [13]).
The main idea behind a signal-based safety speci-
fication is to directly take signals from the simulated
system, then using different operators (blocks) to give
an output signal that at each simulated time instant
is either 1 (specification is fulfilled) or 0 (specification
is not fulfilled). The advantage of this is that a test
can easily be automatically executed and evaluated
at the same time as the system itself is simulated.
By using a signal-based specification, we exploit
the fact that the test engineers are experts at ex-
pressing specifications in, for example, Simulink. The
drawback is that a signal-based specification does not
compute robustness values, and so can not be directly
used for falsification. To solve this problem, we au-
tomatically translate signal-based specifications into
STL formulas to be used by Breach.
3.1 STL specifications in a signal-
based framework
As an example, we wish to show an implementation
of a version of φAT1 from [33], which is defined as
φAT1 = (ω < ω¯). (1)
It should be noted that since a specification imple-
mented in Simulink must be causal, temporal oper-
ators that look forward in time cannot be explicitly
modeled. However, a specification model with a sim-
ilar meaning to φAT1 (with ω¯ = 4500) is presented in
Figure 2.
Assume that the specification is evaluated on a sim-
ulation trace with a finite set of sampled data points
4
Generator Simulator
Robustness
function
Function
evaluation
Stop
Parameter
optimizer
Specification
transformer
Output S(t)
Not
falsified
Input signal
parameters k
Parameter initial
guess k Input u(t)
Objective function
value ρ
Requirement ϕ
Falsified
Figure 1: A flowchart describing a slightly modified version of the optimization-based falsification procedure
of Breach. In this paper we deal with defining a specification transformer, as well as considering alternative
robustness functions (the two shaded nodes).
'always'1
omega
Relational
Operator
1
reqLogical
Operator1
Unit	Delay
4500
omega_bar
Figure 2: A simple example of a specification ex-
pressed in Simulink. The natural language interpre-
tation is “During all simulation times t ∈ [0, T ], the
engine speed ω never reaches ω¯”. For the implemen-
tation to be correct, the initial condition of the Unit
Delay block must be non-zero.
K. The interpretation of the signal req at sample
k ∈ K is then
req[k] =
{
> if ω[k′] < 4500,∀k′ ∈ K ∩ [0, k]
⊥ otherwise, (2)
while the Boolean evaluation of the STL formula
φAT1 at time k can be informally expressed as
φAT1 [k] =
{
> if ω[k′] < 4500,∀k′ ∈ K ∩ [k, k + T ]
⊥ otherwise.
(3)
As can be easily seen, req(k) is not equal to the
Boolean evaluation of φAT1 (k) for all k, but req(T ) =
φAT1 (0). This is the only thing that is needed to
achieve equivalence between the Boolean interpreta-
tion of a causal signal-based requirement and its STL
equivalent, since the STL formula will be evaluated
for time 0, and the signal-based specification will be
evaluated at the final simulation time. We note that
another possible approach to generate specifications
in this setting would be to consider past-time op-
erators of STL, instead of future-time operators as
presented here.
3.2 Signal-based specifications ex-
pressed in STL
The goal is to be able to take any signal-based spec-
ification, and then transform it into an STL formula
so that it can be used for falsification. Ideally, each
signal in the signal-based model would be assigned
an STL formula, but since the semantics of a signal-
based framework are not typically equivalent to the
semantics of STL, they have different levels of expres-
sivity.
In this section, a Signal is a variable that has de-
fined values over time, and it can be a scalar or a
vector. A Signal corresponds to a signal in a causal
model. A Formula is a special case of a Signal,
namely a Signal that always has a Boolean value (i.e.
5
it is either true or false).
To model signals whose behaviour varies depending
on the value of a Boolean expression, we define the
types FormulaTable and SignalTable as
FormulaTable = P(Formula× Formula) (4)
SignalTable = P(Formula× Signal), (5)
where P denotes the powerset operation. A For-
mulaTable or SignalTable consists of a set of entries,
where each entry is a pair of a precondition, expressed
as an STL formula, and a consequent, which is the
value taken by the formula or signal when the pre-
condition is true. The disjunction of all preconditions
for any FormulaTable or SignalTable must be >.1
Figure 3 shows a Simulink encoding of the natu-
ral language requirement “The engine speed ω should
always be below 5000 RPM. Additionally, if we are
in third gear or lower, the speed v should be below
50 km/h; otherwise, the speed should be below 200
km/h.” The Switch block assigns a value to its out-
put signal according to the rule:
if gear ≤ 3 then
sub1 = 50
else
sub1 = 200
end if
The signal sub1 is translated into a SignalTable,
shown in Table 1. The signals sub2 and phi are
translated into FormulaTables, seen in Tables 2 and
3 respectively. Since there are two conditions, the
SignalTables and FormulaTables have two entries.
The SignalTable for sub1 has two entries because it
is the output of a Switch block; the FormulaTables
for sub2 and phi have two entries because the For-
mulaTable for the output of a block has an entry for
each possible combination of preconditions from the
block’s inputs.
To transform a binary operator2, we construct the
1In particular, if a FormulaTable or SignalTable only has
one entry, the precondition in that entry must be >.
2A unary operator is a simplification of the algorithm pre-
sented. An n-ary operator, for example ∧, is implemented
pairwise (meaning that a ∧ b ∧ c is transformed to (a ∧ b) ∧ c,
which is possible due to associativity of both max and additive
semantics).
1
omega
5000
Constant
2
speed
	~=	0
Switch
3
gear
Relational
Operator3
Constant1
Relational
Operator1
50
Constant2
200
Constant3
Logical
Operator
1
phi
Relational
Operator3
sub1
sub2
Figure 3: An example of a requirement with a con-
ditional statement, implemented with the use of a
Simulink Switch block.
Table 1: The SignalTable for the signal sub1 in the
Example in Figure 3.
Precondition Consequent
gear < 3 50
¬(gear < 3) 200
Table 2: The FormulaTable for the signal sub2 in the
Example in Figure 3.
Precondition Consequent
gear < 3 v < 50
¬(gear < 3) v < 200
Table 3: The FormulaTable for the output phi in the
Example in Figure 3.
Precondition Consequent
gear < 3 (ω < 5000) ∧ (v < 50)
¬(gear < 3) (ω < 5000) ∧ (v < 200)
following table:
{(prereq1 ∧ prereq2, operator(conseq1, conseq2))
| (prereq1, conseq1) ∈ in1, (prereq2, conseq2) ∈ in2}.
6
As can be seen, the operator of the block is applied to
each consequent of the table. The number of entries
α in the table that is produced from a block with K
inputs u1, u2, . . . , uK will be Π
K
k=1αuk , where αuk is
the number of entries in the table of input uk.
An important difference between signal-based
specifications and STL specifications is due to con-
ditional blocks. The archetypical conditional block
is the Switch block, which takes three inputs and
lets the output be either the first or the third in-
put, depending on a user-defined condition on the
second input. The output table of a Switch block
has α = α2(α1 + α3) entries.
To translate a FormulaTable into an STL formula,
one can consider the “STL semantics” for a Simulink
switch (with inputs x1, x2, x3) as either
(x2 ∧ x1) ∨ (¬(x2) ∧ x3) (6)
or
(x2 =⇒ x1) ∧ (¬(x2) =⇒ x3). (7)
Note that these two expressions are logically equiv-
alent, but they do not necessarily yield the same ro-
bustness value.
3.3 Recursive loops in specifications
To transform a signal-based specification into STL,
we perform a backwards depth-first search from the
output of the specification, assigning a FormulaTable
or SignalTable to each signal in the specification. For
simple specifications without loops, the search algo-
rithm discussed will terminate and assign an STL for-
mula to the signal leading to the outport of the speci-
fication. However, any kind of temporal behaviour in
a specification is typically implemented as a recursive
loop, which leads to the basic search algorithm not
terminating – something that needs to be taken care
of when transforming the STL formula.
3.3.1 Handling recursive loops, approach 1
If the length of the simulation is known and finite,
we can transform a recursive loop into a formula that
explicitly computes its value in terms of the values at
all earlier time steps. For the example presented in
Figure 2, this corresponds to the final output
req(k) =
k∧
k′=0
(ω(k′) < ω¯). (8)
However, this results in large and potentially un-
readable STL formulas as soon as there is some re-
cursion involved, even for simple specifications. For
example, given a simulation time in [0, 10] and a fixed
simulation step time of 0.01, requirement (8) results
in an STL specification with 1001 ∧-connectives, and
more than 31000 characters when written in Breach
syntax. Even though the robustness values for the
formula will still be the same as for the STL formula
ϕ = [0,10](ω(t) < ω¯), we typically want something
that is as readable as possible.
3.3.2 Handling recursive loops, approach 2
If it is a goal to keep the automatically transformed
STL formulas as short as possible, we use templates of
combinations of different temporal operators that are
implemented as their own subsystems in the model.
This is in a way very similar to ST-Lib [37], but in-
stead of defining templates that can be used to build
specifications from the ground up directly in STL,
we define templates in Simulink that are associated
to predefined STL formulas.
For the example in Figure 2, one such template
could be the  operator, which in practice would be
a subsystem replacing the blocks in the shaded area.
3.3.3 Handling recursive loops, approach 3
A final possibility is to treat a recursive loop as a
black box rather than translating it to STL. To do
this, we treat the output of the delay block3 as a sig-
nal in the specification, i.e. consider anything before
the delay block to be part of the model. The value
of the signal is computed by the model, and the STL
specification simply refers to the signal. This ap-
proach is useful when we want to avoid the inefficient
encoding of approach 1 and the recursive loop does
3Note that a delay block must be present in the loop, oth-
erwise it would be an algebraic loop.
7
1
omega
2
v
omega_bar
omega_bar
v_bar
v_bar
Relational
Operator
Logical
Operator
Relational
Operator1
1
Out1
sig1
sig2
sig4
sig5
sig3
sig6
sig7
Figure 4: An implementation of the STL specification
(ω < ω¯)∧(v < v¯), which is interpreted as ”The engine
speed ω and the vehicle speed v never reach ω¯ and v¯,
respectively”.
not correspond to a predefined template. It is also
needed when a block applies a general function to its
input, in which case the function output cannot be
explicitly defined as a formula, but by treating the
function as part of the system we are still able to
translate the specification to STL.
To summarize our implementation, whenever there
is a recursive loop, approach 3 will be used unless
there is a template defined for the part of the model
containing the loop. If there is a template, approach
2 is used. This means that the specification trans-
formation is fully automatic, with the possibility to
include more detailed information about the specifi-
cation by the use of templates.
An extended example of this can be shown by con-
sidering the signal-based specification in Figure 4.
The specification itself is part of φAT2 [33]. Some dif-
ferent ways to interpret this specification, based on
which of the given signals are considered as part of
the model (logged signals), are shown in Table 4.
The advantage of this approach is that we can be
certain to translate any signal-based specification to
STL, while the disadvantage is that the generated
STL specification might be less suited to falsification
than had we translated the recursive loops to STL.
For example, the specification (ω < ω¯) ∧ (v < v¯) (for
the Automatic Transmission benchmark) has many
possible robustness values since the signals ω and v
have many different potential values. However, the
specification ¬(sig7 = 0) (which has exactly the same
Boolean truth value) only has two possible robustness
values. This makes falsification harder, since the op-
Table 4: Some Possible Interpretations of Specifica-
tion in Figure 4.
Logged signals STL Formula
- (ω < ω¯) ∧ (v < v¯)
sig1 (sig1 < ω¯) ∧ (v < v¯)
sig2 (ω < sig2) ∧ (v < v¯)
sig1, sig4 (sig1 < ω¯) ∧ (sig4 < v¯)
sig3 ¬(sig3 = 0) ∧ (v < v¯)
sig6 (ω < ω¯) ∧ ¬(sig6 = 0)
sig3, sig6 ¬(sig3 = 0) ∧ ¬(sig6 = 0)
sig7 ¬(sig7 = 0)
timization solver will not see how close the specifica-
tion came to failing.
The claim above about being able to translate any
signal-based specification to STL is a very strong one,
as there are specifications that can be modeled using
e.g. Simulink that cannot be expressed in STL, see
[38]. However, the solution presented here is that if
there is a block that is not expressible in STL, its
output will be logged (and the block is therefore not
explicitly stated using STL, as that would be impossi-
ble). Also, specific temporal behaviours that are not
expressible in STL result in logging of certain blocks
as explained earlier in this section, which means that
we can indeed transform any requirement to STL,
however parts of the requirement may not be stated
explicitly. Providing a formal proof of the correctness
of the translation is beyond the scope of this paper,
and instead considered future work. We note, how-
ever, that such a formal proof may be problematic
due to non-standard semantics of Simulink [39].
3.4 When semantics do not match
For the specification transformation framework pre-
sented in this paper, there is a difference between log-
ical formulas and signals. However, in a signal-based
setting there is not, so it is possible for a block to get
the wrong type of input. For example, consider the
8
expected inputs and outputs of the following blocks:
∧ : FormulaTable× FormulaTable→ FormulaTable
< : SignalTable× SignalTable→ FormulaTable
+ : SignalTable× SignalTable→ SignalTable
There are two cases for unexpected input types:
either a SignalTable is provided when a FormulaT-
able should be, or a FormulaTable is provided when
a SignalTable should be.
3.4.1 SignalTable provided instead of Formu-
laTable
This can occur if, for example, we apply the ∧ opera-
tor to two real-valued signals x and y. Simulink (and
MATLAB) semantics interpret the Boolean evalua-
tion of these signals as being false if they are equal
to zero, and true otherwise. This means that we
can transform a SignalTable to a FormulaTable by
comparing equality of the SignalTable’s consequent
to zero, and then applying the ¬ operator. This is
accomplished by the S2F function:
S2F : SignalTable→ FormulaTable
S2F (〈precond, conseq〉) = 〈precond,¬(conseq = 0)〉
3.4.2 FormulaTable provided instead of
SignalTable
This can occur if, for example, we try to add (using
the + operator) two predicates, such as x > 0 and
y < 10. The meaning of this is clear when interpreted
as signals according to the Simulink semantics: the
output of the + operator will have value 0 (when
both predicates are false), 1 (when exactly one of the
predicates are true), or 2 (when both predicates are
true). However, in STL we cannot define a formula
by adding logical formulas together.
In this case, if the sum is later used as a formula
by comparing it to zero (i.e. the signal expression to
be evaluated is
(
(x > 0) + (y < 10)
)
= 0), then an
equivalent STL formula would be ¬((x > 0) ∨ (y <
10)). However, it is not clear how to generalize this
observation, so instead we consider anything before
the block in question (here, the + operator) to be a
black box, and the output of the block is treated as
a signal, using the same method described in Section
3.3.3.
4 Valued Booleans
Valued Booleans (VBools) [14] is a logical framework
in which the tester can customize how robustness is
computed by choosing between several possible se-
mantics for each connective. The semantics that are
currently available are a max semantics (which is es-
sentially the same as STL) and an additive semantics.
A VBool is formally defined as a pair of a Boolean
value and a robustness value. The robustness is a
non-negative number, which may be infinite:
V = B× R≥0
Note the difference between VBools and STL. In
STL, there is no explicit Boolean value, but the ro-
bustness may be negative, and negative robustness
represents falsehood. For VBools, the Boolean value
is explicit and robustness may not be negative.
The VBool comparison operator ≤v is defined as:
≤v : R× R→ V
x ≤v y =
{
(>, y − x) if x ≤ y
(⊥, x− y) otherwise.
> and ⊥ denote true and false, respectively. The
other comparison operators are defined in terms of
≤v, except for =v which is defined as
x =v y =
{
(>,K) if x = y
(⊥,K) otherwise,
where K is an arbitrary constant. Truth values
and negation are defined as
>v = (>,∞)
⊥v = (⊥,∞)
¬v(b, x) = (¬b, x).
The rest of the operators are defined in two differ-
ent ways. One is called max semantics and the other
additive semantics.
9
4.1 Max semantics
The max and operator is defined as
(>, x) ∧max (>, y) = (>,min(x, y))
(⊥, x) ∧max (>, y) = (⊥, x)
(>, x) ∧max (⊥, y) = (⊥, y)
(⊥, x) ∧max (⊥, y) = (⊥,max(x, y)).
The first clause models the idea that in order to
falsify x∧y, it is enough to falsify whichever of x and
y has the lowest robustness. If we are in the second
clause, then x∧y is false, and in order to make it true,
we must make x true; the third clause is similar. The
final clause is dual to the first clause: in order to
make x ∧ y true we must make both x and y true,
and the robustness is determined by whichever of x
and y seems to be hardest to make true, i.e., has the
highest robustness as a false VBool.
The max or operator is defined in terms of
the max and operator: (bx, x) ∨max (by, y) =
¬v(¬v(bx, x) ∧max ¬v(by, y)).
The timed max always operator (over the interval
[a, b]) is also defined in terms of the max and operator
as
max,[a,b]ϕ =
b∧
max
k=a
ϕ[k],
where ϕ is a finite sequence of VBools defined for
all the discrete time instants in [a, b].
The timed max eventually-operator is defined as
♦max,[a,b]ϕ = ¬(max,[a,b](¬vϕ)). Finally, for com-
pleteness we also define the max until -operator as
ϕ Umax,[a,b] ψ
=
b∨
max
k=a
(
ψ ∧max
(
b−1∧
max
k′=a
ϕ[k′]
))
.
It can be seen that the max semantics for VBool
are almost equivalent to the robust semantics of STL,
with the only difference being that VBools distin-
guish between “true with robustness 0” and “false
with robustness 0”, while STL does not. This dif-
ference is only technical and in practice the two se-
mantics behave the same. However, a single VBool
formula can contain both max connectives and con-
nectives using other semantics, such as the additive
semantics defined below.
4.2 Additive semantics
The additive and -operator is defined as4
(>, x) ∧+ (>, y) =
(
>, 11
x +
1
y
)
(⊥, x) ∧+ (>, y) = (⊥, x)
(>, x) ∧+ (⊥, y) = (⊥, y)
(⊥, x) ∧+ (⊥, y) = (⊥, x+ y).
As with the max semantics, the additive seman-
tics for ∧ is based on the observation that in order
to falsify x ∧ y, it is enough to falsify either x or y.
The first clause is inspired by the formula for parallel
resistance; the formula 1/(1/x+ 1/y) gives a robust-
ness which is less than the maximum of x and y. It
roughly models the idea that although we need only
falsify one of x and y, we do not know which one of
them can be falsified. The second and third clauses
are the same as in the max semantics. By using addi-
tion in the fourth clause rather than max, we model
the idea that in order to make x∧ y true, we need to
make both x and y true, not just whichever of them
has the highest robustness.
The additive or -operator is defined as (bx, x) ∨+
(by, y) = ¬v(¬v(bx, x) ∧+ ¬v(by, y)), and the timed
additive always-operator (over the time interval [a, b])
is defined (similar to the max case) as
+,[a,b]ϕ =
b∧
+
k=a
(ϕ[k]#′δt),
where ϕ is a finite sequence of VBools defined for the
time instants in [a, b], δt is the simulation step time
4In the case where both x and y are true, but either x or y
is 0, we define the resulting robustness to be 0. This to avoid
division by 0, and 0 is also the limit of the expression as x or
y goes to 0.
10
for the time point in question, and #′ is defined as
(⊥, x)#′k = (⊥, x · k)
(>, x)#′k = (>, x/k).
The use of #′ makes the robustness independent of
the simulation time step, and means that the robust-
ness of +,[a,b]ϕ, if ϕ is false over the interval [a, b], is
equal to the integral of the robustness of ϕ over [a, b].
The timed additive eventually-operator is defined
as ♦+,[a,b]ϕ = ¬(+,[a,b](¬vϕ)) .
The additive until -operator is defined as
ϕ U+,[a,b] ψ
=
b∨
+
k=a
(ψ[k]#′δt) ∧+
b−1∧
+
k′=a
(ϕ[k′]#′δt)
 .
Implication is defined slightly differently than in
classical logic:
φ→+ ψ = ¬(φ#k) ∨ ψ.
Here k is an arbitrary constant, and # scales the
robustness of its argument:
(⊥, x)#k = (⊥, x · k)
(>, x)#k = (>, x · k).
By scaling the left-hand side of the implication, we
encourage the parameter optimizer to make the left-
hand side true before trying to falsify the right-hand
side.
4.3 Properties for reasoning about
Valued Booleans
Most Valued Boolean connectives have two possible
semantics, and the tester must choose one of the se-
mantics for each connective in the specification. The
max semantics corresponds closely to the existing ro-
bust semantics of STL (and for use in falsification,
they yield the same result), but the additive seman-
tics is entirely different. The purpose of using max
semantics for Valued Booleans instead of STL robust-
ness is so that the tester can freely change between
different robust semantics of VBools, even within a
single formula. This section compares the two se-
mantics of Valued Booleans and describes the differ-
ent properties they have which explain why a tester
might choose to use one or the other. For a more
thorough discussion on Valued Booleans, we refer the
reader to the work which introduced them [14]. This
section rather discusses the practical issues of using
Valued Booleans in the case of falsification.
The ultimate goal of a robust semantics is to guide
the falsification in the right direction. Therefore,
when a change in the input to the system brings a
formula closer to being falsified, the robustness of the
formula should go down. This is the property we ide-
ally want from a robust semantics. It is not always
achievable in reality (because we can never be sure
if we are really moving closer to a counterexample
or not), but the more often it holds, the better. We
are particularly interested in two special cases of this
property, monotonicity and sensitivity. For simplic-
ity we assume that formulas are in negation normal
form, i.e., negation only occurs as part of an atomic
formula.
Definition 2 A formula is monotonic if, when the
robustness of some atomic subformula decreases
(leaving the others unchanged), the robustness of the
formula does not increase.
A nonmonotonic formula is disastrous for falsifica-
tion as the parameter optimizer will, moving from a
test case to a strictly better one, observe the better
test case as being worse instead. All VBool formulas
are monotonic.
Definition 3 A formula is sensitive if changing the
robustness of some atomic subformula (leaving the
others unchanged) causes a change in the robustness
of the formula. This captures the idea that if the out-
put of the system changes then the robustness of the
formula should usually change.
4.3.1 Importance of sensitivity for falsifica-
tion
Sensitivity is vital for falsification because measuring
changes in robustness is how the parameter optimizer
explores the input space. For falsification it is only
11
important that true formulas be sensitive if the falsi-
fication stops immediately when the counter-example
is found (and robustness thus is equal to 0). If mov-
ing from a test case to a strictly better test case does
not affect robustness, then the parameter optimizer
will not know when it has found a better test case.
The traditional semantics of Boolean logic is com-
pletely insensitive, which is why a robust semantics
is needed for falsification.
Unfortunately, the max semantics is not sensitive:
only one parameter of p ∧ q is taken into account for
any given test case. For example, if p ∧ q is true,
then the semantics is only sensitive to changes in
whichever of p and q has the lowest robustness.
The additive semantics is sensitive for many true
formulas. For example, p ∧ q is fully sensitive when
p and q are both true. This means that, when fal-
sifying the conjunction of several formulas, the pa-
rameter optimizer is able to observe changes in the
robustness of any of the subformulas. However, the
formula p ∨ q is not fully sensitive when exactly one
of its arguments is true.
4.3.2 Example of max and additive semantics
Figure 5 illustrates why sensitivity is important to
falsification. Suppose that the formula to be falsified
is φ, and that this formula happened to be true in
the current test case. Figure 5(a) illustrates how the
robustness of φ varies with time in this hypothetical
test case. Recall that φ is computed by sampling φ
at each time step and taking the conjunction of each
sample, up to a constant factor depending on δt. In
this case, the robustness dips from 3 to 1 at about
t = 48s, and in both semantics, the robustness of φ
will be lower compared to if the robustness had been
a constant 3.
Now suppose that the optimizer modifies the test
case and observes the output seen in Figure 5(b). It
seems that this test case is closer to failing than Fig-
ure 5(a), because there is an extra dip in robustness.
Therefore, we would like the optimiser to prefer (b)
to (a), and for this to happen the robustness of φ
must be lower under (b) than (a). Under the additive
semantics, this is indeed the case, because of sensitiv-
ity. Under the max semantics, however, Figures 5(a)
and (b) give the same robustness for φ, as the min-
imum robustness is the same in both cases. Thus the
optimiser is not able to see that moving from Fig-
ure 5(a) to 5(b) is a good idea. Because the max
semantics is not sensitive, the parameter optimizer is
only able to notice changes in the minimum value of
φ.
It is not always the case that additive semantics is
better than max semantics. Suppose instead that the
optimizer observes the result in Figure 5(c). This test
case appears much closer to failing than Figure 5(a):
the minimum is very close to 0. However, the additive
semantics will assign Figure 5(c) a higher robustness
than Figure 5(a), because the initial segment of the
test case has a higher robustness and continues for
a long time, which cancels out the lower minimum.
The max semantics considers 5(c) to have lower ro-
bustness than 5(a), as we might hope.
This problem only occurs because the robustness
of the initial segment of the test case is quite large.
Figure 5(d) shows a less extreme variant. Both the
additive and the max semantics judge this test case
as having lower robustness than Figure 5(a). This is
because, if we take two true VBools (>, x) and (>, y),
their conjunction under the additive semantics is
(>, z) where z = 1/(1/x+ 1/y). Now we can observe
that if x  y, then 1x  1y , so z = 1/( 1x + 1y ) ≈ x.
That is, when taking the conjunction of a set of for-
mulas, formulas that have a low robustness have a
disproportionate effect on the result. In particular,
in the formula ϕ, a small decrease in the minimum
value cancels out quite a large increase in the max-
imum value. We also note that 1/(1/x + 1/y) is al-
ways less than min(x, y), i.e., the additive robustness
of a conjunction between two true VBools is always
smaller than the max robustness. However, as there
is no meaning in explicitly comparing the additive
robustness value to the max, this does not affect our
choice of robustness in any way.
Figure 6 illustrates the robustness of p ∧+ q and
p ∧max q. The x-axis gives the robustness of p and
the y-axis gives the robustness of q; negative values
here stand for false VBools. The graph illustrates the
robustness of p∧q using isolines, which connect points
that have equal robustness. Where an isoline is ver-
tical or horizontal, the connective is insensitive: only
12
 0
 1
 2
 3
 4
 5
 6
 0  10  20  30  40  50  60
ro
bu
st
ne
ss
 o
f ϕ
time (s)
(a) An example of a signal defining a property φ. Robust-
ness is lowest at about 48 seconds.
 0
 1
 2
 3
 4
 5
 6
 0  10  20  30  40  50  60
ro
bu
st
ne
ss
 o
f ϕ
time (s)
(b) In this trace, the property comes close to being fal-
sified twice, at 20 seconds and 48 seconds. The “max”
semantics assigns this trace the same robustness as for
figure (a), even though it is strictly worse. The “+” se-
mantics assigns it a lower robustness.
 0
 1
 2
 3
 4
 5
 6
 0  10  20  30  40  50  60
ro
bu
st
ne
ss
 o
f ϕ
time (s)
(c) This trace is similar to figure (a), but the robustness
in the initial part of the trace is even higher. The “+” se-
mantics assigns this trace a higher robustness than figure
(a), even though it appears much closer to being falsified.
 0
 1
 2
 3
 4
 5
 6
 0  10  20  30  40  50  60
ro
bu
st
ne
ss
 o
f ϕ
time (s)
(d) In this trace, the property comes very close to being
falsified at 48 seconds, but is more robustly true the rest
of the time. The “max” semantics assigns this trace a
lower robustness than figure (a). The “+” semantics also
assigns it a slightly lower robustness.
Figure 5: Four graphs showing the value of a hypothetical property φ over time. The different definitions of
robustness assign a different robustness to φ.
changes in a particular argument have an effect on
robustness. We see in the upper-right quadrant that
when p and q have very different robustnesses, p∧+ q
assigns much more importance to the lower robust-
ness (it starts to approximate the max semantics),
but that it always remains sensitive. This weighting
is a deliberate feature of the additive semantics: a
subformula with low robustness is likely to be a bet-
ter target for optimization than a subformula with
high robustness, as it it more likely to be easily falsi-
fiable.
4.4 Other properties of VBools
Apart from monotonicity and sensitivity, there are
several more commonplace properties that we would
like our semantics to have. The most essential is
soundness: a Valued Boolean formula (e.g. p ∧+
13
(¬V q ∨+r)) and the corresponding Boolean formula
(in this case, p ∧ (¬q ∨ r) should always evaluate to
the same Boolean result; the only difference is that
the Valued Boolean also computes a robustness. All
of the connectives we have defined are easily seen to
be sound, since the Boolean part of each definition
uses the corresponding Boolean connective. There-
fore, the choice of semantics only affects the opti-
mization process, not the truth or falsehood of the
property.
We would also like the usual laws of Boolean logic
to hold: connectives should be associative, commu-
tative, idempotent, have an identity element, have a
zero element, and obey the usual distributivity and
negation laws. As mentioned above, these laws all
hold if one ignores the computed robustness, but
we would like robustness to respect these laws too.
These properties are important because we do not
want the robustness of a formula to depend on, for
example, how conjunctions are bracketed or what or-
der they are written in, and we do not want the tester
to have to think about what arrangement of brackets
is most suitable.
The max semantics obeys many laws of Boolean
logic. Conjunction and disjunction are associative,
commutative, idempotent and have >v and ⊥v as
identity and zero elements. Distributivity holds,
as do De Morgan’s laws. What fails are the laws
p ∨max ¬vp = > and p ∧max ¬vp = ⊥, since the left
and right hand sides may have different robustnesses.
Proofs of these laws for VBools are omitted due to
space constraints, but they are straightforward and
only require an exhaustive case analysis on whether
each VBool is true or false.
The additive connectives satisfy fewer laws than
the max semantics. They are associative, commuta-
tive, have >v and ⊥v as identity and zero elements,
and respect de Morgan’s laws. They do not satisfy
idempotence or distributivity. Idempotence fails be-
cause, for example, p∧+ p is a Valued Boolean whose
robustness is either twice that of p (if p is false) or
half that of p (if p is true). Distributivity fails for a
similar reason, because expanding p ∧+ (q ∨+ r) du-
plicates p, increasing its influence on the robustness
computation. We are not aware of a semantics that
combines associativity, commutativity, idempotence
-10 -5  0  5  10
-10
-5
 0
 5
 10
(a) The robustness of x∧+y.
-10 -5  0  5  10
-10
-5
 0
 5
 10
(b) The robustness of
x ∧max y.
Figure 6: Isobar plots of the robustness of the two
semantics of ∧. Here, negative robustnesses represent
false VBools.
and sensitivity; we conjecture that these four prop-
erties are incompatible.5
To summarise, both max and additive semantics
satisfy many Boolean properties, but max satisfies
more; in return for giving up some properties, the ad-
ditive semantics gains sensitivity, which is useful for
falsification. In an additive conjunction, the parame-
ter optimizer is able to see when any of the conjuncts’
robustness decreases, which is not the case for the
max semantics. A final observation is that the addi-
tive semantics for conjunction assigns greater weight
to less robust conjuncts, which means that when a
conjunct is close to being falsified it can be reduced
even if this causes the robustness of other conjuncts
to increase markedly.
5 Results and Discussion
To show the performance of using additive seman-
tics for STL during falsification (compared to max
semantics), we perform falsification with additive se-
mantics for four examples. Each of the four examples
comes from (or is inspired by) other work, so we refer
the reader to these original works for further details
about each model. The results are presented in a set
5One could for example recover idempotence by multiplying
or dividing by 2 in the definition of ∧+, but this would destroy
associativity.
14
of tables, and the layout of each table is the same.
The results are shown in Sections 5.1 - 5.4.
The rows of the tables show which specification is
attempted to be falsified, which parameters or spe-
cific settings are used, and also which semantics are
used. We use the max and additive semantics defined
earlier in the paper, but we also include a third con-
stant semantics. The robustness value for a constant
semantics is equal to 100 if the specification is true,
and -100 if the specification is not true. This con-
stant semantics is used as a baseline to verify whether
max and additive semantics yield better results than
purely random testing6.
For each parameter setting, the “Succ” column
shows how many times the specification was actu-
ally falsified, and the “Iter” column shows the av-
erage number of iterations used by the optimization
solver in each falsification attempt (the maximum is
set to 1000). The “Iter/Succ” column shows the aver-
age number of iterations for the falsification attempts
that were successful. The optimization solver used in
these examples is a Simulated Annealing solver [40].
5.1 Automatic Transmission Bench-
mark
The model takes as input the throttle and brake of
a vehicle, and simulates the automatic transmission
system (for details, see [33]). The model has been
used in several other works [17, 23], and in this work
we perform falsification with the Breach toolbox. The
outputs of the system are the vehicle speed (v), the
engine speed (ω), and the gear. The model contains
69 blocks in total.
The model is simulated with a fixed-step setting
(automatic step size), using the MATLAB solver
ode5 (Dormand-Prince).
6We have also implemented a random semantics, where the
robustness at each sample is a uniform random number, but
with correct sign (for STL robustness). Falsification for ran
dom semantics performs worse than max, additive and con-
stant semantics for all the examples in this paper.
Table 5: Specifications to Falsify for the Automatic
Transmission Benchmark.
Specification Formula
ϕ1 ♦[0,T ](ω ≥ 2000)
ϕ2 ♦[0,T ](ω ≤ 3500 ∨ ω ≥ 4500)
ϕ3 [0,T ](¬(gear == 4))
ϕ4 ♦([0,T ](gear == 3))
ϕ5
∧
i=1,...,4 ((¬(gear == i) ∧ ♦[0,](gear == i)
=⇒ ([,T+](gear == i)))
ϕ6 [0,T ](v ≤ 85) ∨ ♦(ω ≥ 4500)
ϕ7 ([0,1]gear == 1) ∧ ([2,4]gear == 2)
∧([5,7]gear == 3) ∧ ([8,10]gear == 3)
∧([12,15]gear == 2)
ϕ8 [0,20]
(
(gear == 4 ∧ throttle > 45
∧throttle < 50) =⇒ ω < ω¯)
5.1.1 Falsification parameters
The throttle is generated using 7 control points dis-
tributed evenly in time, interpolated using the MAT-
LAB interpolation setting pchip. Each control point
has a value in the range [0, 100]. The brake input is
interpolated similarly but only using 3 control points,
each in the range [0, 500].
The specifications to falsify are shown in Table 5.
Specifications ϕ1–ϕ6 are taken from [23]. Note, how-
ever, that we do not modify the specifications to im-
prove the falsification capability of our additive se-
mantics.
The comparison between max semantics and addi-
tive semantics for each specification is shown in Table
6.
5.2 Abstract Fuel Control Benchmark
The model is an Abstract Fuel Control system imple-
mented in Simulink, and it has been proposed as a
benchmark for temporal logic falsification [41]. The
inputs to the model are the input throttle θ (in de-
grees) and the engine speed ω. The outputs of inter-
15
est are the Air/Fuel ratio λ and the controller mode
(either closed-loop or open-loop). The reference value
λref is equal to 14.7 for the specifications we are con-
sidering. The model contains 253 blocks in total.
The model is simulated with a variable-step setting
using the MATLAB solver ode15s (stiff/NDF).
5.2.1 Falsification parameters
The engine speed is constant and allowed to be in the
range [900, 1100]. The throttle angle is generated as
a pulse signal with a base value of 8.9, a delay of 3,
a period in the range [10, 30] and amplitude in the
range [0.161]. Thus, the throttle angle always has a
value in the range [8.9, 69.9], always switching back
and forth between two values at different times of
each simulation. We always simulate the system for
40 seconds.
The specifications to falsify are shown in Table 7.
The specifications are variations of Req. (26) and
(27) in [41], using η = 1.
The results for the Abstract Fuel Control bench-
mark are shown in Table 8.
5.3 Third Order ∆− Σ Modulator
The third order ∆ − Σ modulator is used as a tech-
nique for analog to digital conversion. The model is
described in detail in [42] and has previously been
used for falsification benchmark purposes [40, 28].
The model has one input U , three states x1, x2, x3,
and three initial conditions xinit1 , x
init
2 , x
init
3 . The
model contains 27 blocks in total.
The model is simulated with a fixed-step setting
(automatic step size), using the MATLAB solver dis-
crete (no continuous states).
5.3.1 Falsification parameters and specifica-
tion
The input U is constant during the whole simulation,
and the allowed values are in different sets for differ-
ent scenarios (see Table 10 for detailed scenarios).
The initial conditions are all in the range [−0.1, 0.1].
The specifications to falsify are shown in Table 9
(note that ϕ∆−Σ1 is equivalent to ((ϕ
∆−Σ
2 ∧ ϕ∆−Σ3 ) ∧
ϕ∆−Σ4 )).
The results for the modulator benchmark are
shown in Table 10.
5.4 Static Switched System
The static switched system has no dynamics and is in-
cluded to show that both max and additive semantics
can worsen the performance of falsification, compared
to falsifying with Boolean semantics. The model is in-
spired by [43], and it has two inputs (u1, u2) ∈ [0, 1]2
which are kept constant. The model contains 16
blocks in total. The output y(t) is assigned according
to
y =
{
−2(u1 + u2)− 5 if ui ≥ thresh, ∀i
2((u1 + 1)
2 + (u2 + 1)
2) otherwise.
The specification to falsify is ϕSS = (y ≥ 0).
In other words, the falsification problem consists of
finding a scenario where both inputs have a value
above thresh. This is difficult since the gradient of
the robustness (for max and additive) with respect to
the input parameters will point away from the area
where the specification is falsified. The results for the
static switched system are shown in Table 11.
5.5 Transforming Volvo requirements
to STL
We have successfully implemented the framework
presented in this paper for transforming causal signal-
based specifications into STL. We have transformed
the requirements for two industrial models at Volvo
Car Corporation, which model the electric machine of
an electric vehicle, as well as the battery for an elec-
tric vehicle. The models contain 19846 and 18294
blocks, respectively7. Note that the specifications
have not been translated manually, only automati-
cally using the procedure presented in this paper. For
all the automatically translated specifications, cor-
rectness has been asserted during falsification runs,
7The block counts include blocks in referenced models.
16
i.e., the Boolean satisfaction of the translated formu-
las have coincided with the signal value of the specifi-
cation modeled in Simulink. However, a formal proof
of the correctness is out of the scope of this paper,
and is considered future work.
In total, there are 58 transformed requirements for
the first model and 36 transformed requirements for
the second model. The transformation of require-
ments into STL specifications have enabled the use
of temporal logic falsification for both models. Falsi-
fication is now being run continuously for both mod-
els, in order to catch software defects during devel-
opment. Statistics for the transformed STL formu-
las are shown in Table 12. The sheer number of re-
quirements combined with the complexity of the for-
mulas shown in the table indicate that writing the
specifications in STL manually would be very time-
consuming.
5.6 Discussion
For the specifications shown in this paper, we can see
that no specific semantics perform better than the
other two for all models. For several specifications,
the constant semantics performs just as well as one
or other of the robust semantics.
It is clear from the tables that sometimes
max semantics are preferable, and sometimes ad-
ditive semantics are preferable. For example,
for specifications ϕ1, ϕ2, ϕ7, ϕ8 additive semantics
clearly perform better, while for specifications
ϕ5, ϕ6, ϕ
AFC
1 , ϕ
AFC
2 max semantics clearly perform
better. The static switched system was also intro-
duced to show that the constant semantics (i.e. ran-
dom testing) can be better than max or additive se-
mantics. It is clear that ϕSS is easier to falsify for
the constant semantics than for the other semantics.
Whether a specific semantics outperforms the oth-
ers depends not only on the specification, but also on
the system that is being falsified.
5.6.1 Preferable semantics for different spec-
ifications
The intuitive explanation for why additive semantics
can be better in some cases is that it takes into ac-
count all the different subformulas of ∧ and ∨ formu-
las (and by extension also the temporal operators). In
a conjunction, if only the highest robustness value de-
creases in between simulations, it is not certain that
the max semantics will capture the change, but it
will affect the total additive robustness. On the other
hand, if one robustness increases while the other ro-
bustness decreases, the additive semantics robustness
may not be affected, while the max semantics robust-
ness will.
An example of when it is preferable to notice
changes in all clauses of a conjunction is ϕ7. Here,
each clause is not difficult to falsify individually, but
to be able to falsify them all at once it helps a great
deal to include more detailed robustness information
about each clause. As such, having conjunctions with
many clauses in a specification can indicate that ad-
ditive semantics would be preferable for that (sub)-
specification.
5.6.2 Preferable semantics for different sys-
tems
For some system behaviour, it can be non-beneficial
to consider changes in all parts of a conjunction. An
example of this is the third order ∆ − Σ modulator.
The results in Table 10 indicate that ϕ∆−Σ4 is by far
the easiest sub-specification of ϕ∆−Σ1 to falsify. In-
cluding more detailed robustness information about
the other sub-specifications (ϕ∆−Σ2 and ϕ
∆−Σ
3 ) makes
the robustness information from ϕ∆−Σ4 diluted in a
sense, meaning that changing from max to additive
semantics will not increase falsification capability.
6 Conclusions
We have presented two additions to potentially in-
crease the capability of falsification of temporal logic
specification for Cyber-Physical Systems (CPSs).
The first addition is a specification transformation
framework, which takes requirements modeled in a
causal signal-based frameworks and transforms them
into Signal Temporal Logic (STL) formulas. The
framework has been implemented for the specifica-
tions in two industrial-sized models at Volvo Car Cor-
17
poration, and it has enabled the use of falsification for
both of the models. The specification transformation
outputs a specification where we also have informa-
tion about which preconditions should be fulfilled for
different parts of the specification to be evaluated for
given signal values and a given time.
The second addition is the introduction of additive
semantics in the falsification process. Considering the
established robust semantics of STL formulas as the
max semantics, the difference for additive semantics
is that the robustness of each clause in a conjunction
can affect the total robustness of the conjunction,
even if only one of the clause’s robustness changes.
Disjunction and temporal operators are defined in
terms of conjunction for the additive semantics.
To indicate the usability of additive semantics for
falsification, we have compared them to max se-
mantics as well as constant semantics (essentially
only Boolean information and no robustness) for sev-
eral different models and specifications. The models
we show results for are both well-known benchmark
models, as well as a simple non-dynamic model to
prove that all three choices of semantics can be the
most viable. Previous work on falsification has over-
looked the need to compare against the constant se-
mantics as a baseline; our evaluation made it clear
that for some specifications, falsification had no ben-
efit over random testing. However, for most cases
excluding the system in Section 5.4, it is clear that
constant semantics perform worse that the others, in-
dicating that robustness-based falsification is a rea-
sonable way of finding faults in CPSs. We encourage
other researchers to include a baseline comparison in
their future work.
Which of the three semantics performs best de-
pends both on the specification and the model. In
a black-box setting, it is thus very difficult to de-
cide which semantics to use for which operator in the
specification to get the best results for falsification.
6.1 Future work
We have so far defined two semantics for Valued
Booleans. There are most likely many more, each
with their own trade-offs; we plan to explore these.
Also, since the best choice of semantics can be dif-
ferent for each connective in a given specification, we
would like to both
• formulate principles that can guide a tester in
choosing a suitable semantics for each operator
in a given specification, and
• analyze both the model and the specification to
reason about which semantics would be best for
falsification (i.e. grey-box or white-box testing).
Evaluating the effect of different robust semantics
in falsification of generated specifications for the in-
dustrial examples presented in this paper is also a
path we plan to explore. A more theoretical approach
is about how the additive robustness relates to the
view of temporal logic as filtering. Finally, it would
be interesting to look at falsification which includes
the extra information that we get from the specifica-
tion transformation presented in this paper – namely,
the information about all the preconditions that need
to be fulfilled for different parts of the specification
to be evaluated.
Acknowledgment
The authors would like to thank Alexandre Donze´
for his helpful comments on a draft of this paper.
This work has been performed with support from
the Swedish Governmental Agency for Innovation
Systems (VINNOVA) project TESTRON 2015-04893
and from the Swedish Research Council (VR) project
SyTeC 2016-06204. This support is gratefully ac-
knowledged.
References
[1] S. A. Seshia, S. Hu, W. Li, and Q. Zhu,
“Design automation of cyber-physical systems:
Challenges, advances, and opportunities,” IEEE
Transactions on Computer-Aided Design of In-
tegrated Circuits and Systems, vol. 36, no. 9, pp.
1421–1434, 2017.
[2] E. M. Clarke, E. A. Emerson, and J. Sifakis,
“Model checking: algorithmic verification and
18
debugging,” Communications of the ACM,
vol. 52, no. 11, pp. 74–84, 2009.
[3] T. A. Henzinger, P. W. Kopke, A. Puri, and
P. Varaiya, “What’s decidable about hybrid au-
tomata?” in Proceedings of the twenty-seventh
annual ACM symposium on Theory of comput-
ing. ACM, 1995, pp. 373–382.
[4] E. Bartocci, J. Deshmukh, A. Donze´,
G. Fainekos, O. Maler, D. Nicˇkovic´, and
S. Sankaranarayanan, “Specification-based
monitoring of cyber-physical systems: a survey
on theory, tools and applications,” in Lectures
on Runtime Verification. Springer, 2018, pp.
135–175.
[5] J. Kapinski, J. V. Deshmukh, X. Jin, H. Ito,
and K. Butts, “Simulation-based approaches for
verification of embedded control systems: An
overview of traditional and advanced modeling,
testing, and verification techniques,” IEEE Con-
trol Systems Magazine, vol. 36, no. 6, pp. 45–64,
2016.
[6] A. Platzer, Logical Foundations of Cyber-
Physical Systems. Springer, 2018.
[7] G. E. Fainekos, S. Sankaranarayanan, K. Ueda,
and H. Yazarel, “Verification of automotive con-
trol applications using s-taliro,” in American
Control Conference (ACC), 2012. IEEE, 2012,
pp. 3567–3572.
[8] Y. Annpureddy, C. Liu, G. E. Fainekos, and
S. Sankaranarayanan, “S-TaLiRo: A tool for
temporal logic falsification for hybrid systems.”
in TACAS, vol. 6605. Springer, 2011, pp. 254–
257.
[9] Y. S. R. Annapureddy and G. E. Fainekos, “Ant
colonies for temporal logic falsification of hybrid
systems,” in IECON 2010-36th Annual Con-
ference on IEEE Industrial Electronics Society.
IEEE, 2010, pp. 91–96.
[10] H. Abbas, A. Winn, G. Fainekos, and A. A.
Julius, “Functional gradient descent method for
metric temporal logic specifications,” in Amer-
ican Control Conference (ACC), 2014. IEEE,
2014, pp. 2312–2317.
[11] R. Koymans, “Specifying real-time properties
with metric temporal logic,” Real-time systems,
vol. 2, no. 4, pp. 255–299, 1990.
[12] O. Maler and D. Nickovic, “Monitoring tempo-
ral properties of continuous signals,” in Formal
Techniques, Modelling and Analysis of Timed
and Fault-Tolerant Systems. Springer, 2004, pp.
152–166.
[13] The MathWorks, Inc., Natick, Massachusetts,
“Simulink R2013b,” 2017.
[14] K. Claessen, N. Smallbone, J. Eddeland,
Z. Ramezani, and K. A˚kesson, “Using valued
booleans to find simpler counterexamples in ran-
dom testing of cyber-physical systems,” IFAC-
PapersOnLine, vol. 51, no. 7, pp. 408–415, 2018.
[15] A. Donze´, “Breach, a toolbox for verification and
parameter synthesis of hybrid systems.” in CAV,
vol. 10. Springer, 2010, pp. 167–170.
[16] G. E. Fainekos and G. J. Pappas, “Robustness of
temporal logic specifications for continuous-time
signals,” Theoretical Computer Science, vol. 410,
no. 42, pp. 4262–4291, 2009.
[17] X. Jin, A. Donze´, J. V. Deshmukh, and
S. A. Seshia, “Mining requirements from closed-
loop control models,” IEEE Transactions on
Computer-Aided Design of Integrated Circuits
and Systems, vol. 34, no. 11, pp. 1704–1717,
2015.
[18] S. Jaksˇic´, E. Bartocci, R. Grosu, and
D. Nicˇkovic´, “An algebraic framework for
runtime verification,” IEEE Transactions on
Computer-Aided Design of Integrated Circuits
and Systems, vol. 37, no. 11, pp. 2233–2243,
2018.
[19] N. Kekatos, “Formal verification of cyber-
physical systems in the industrial model-based
design process,” Ph.D. dissertation, Universite´
Grenoble Alpes, 2018.
19
[20] A. Balsini, M. Di Natale, M. Celia, and V. Tsa-
chouridis, “Generation of simulink monitors for
control applications from formal requirements,”
in 2017 12th IEEE International Symposium on
Industrial Embedded Systems (SIES). IEEE,
2017, pp. 1–9.
[21] I. Dragomir, V. Preoteasa, and S. Tripakis, “The
refinement calculus of reactive systems toolset,”
in International Conference on Tools and Algo-
rithms for the Construction and Analysis of Sys-
tems. Springer, 2018, pp. 201–208.
[22] T. Nipkow, L. C. Paulson, and M. Wenzel, Is-
abelle/HOL: a proof assistant for higher-order
logic. Springer Science & Business Media, 2002,
vol. 2283.
[23] T. Akazaki and I. Hasuo, “Time robustness in
MTL and expressivity in hybrid system falsifica-
tion,” in International Conference on Computer
Aided Verification. Springer, 2015, pp. 356–374.
[24] J. Eddeland, S. Miremadi, M. Fabian, and
K. A˚kesson, “Objective functions for falsifica-
tion of signal temporal logic properties in cyber-
physical systems,” in International Conference
on Automation Science and Engineering, 2017,
pp. 1326–1331.
[25] A. Rodionova, E. Bartocci, D. Nickovic, and
R. Grosu, “Temporal logic as filtering,” in Pro-
ceedings of the 19th International Conference
on Hybrid Systems: Computation and Control.
ACM, 2016, pp. 11–20.
[26] A. Dokhanchi, S. Yaghoubi, B. Hoxha, and
G. Fainekos, “Vacuity aware falsification for mtl
request-response specifications,” in Proceedings
of the 13th IEEE Conference on Automation
Science and Engineering (CASE17), 2017.
[27] T. Akazaki, “Falsification of conditional safety
properties for cyber-physical systems with gaus-
sian process regression,” in International Con-
ference on Runtime Verification. Springer,
2016, pp. 439–446.
[28] A. Aerts, B. Tong Minh, M. Reza Mousavi, and
M. A. Reniers, “Temporal logic falsification of
cyber-physical systems: An input-signal space
optimization approach,” in 14th Workshop on
Advances in Model Based Testing (A-MOST),
2018.
[29] A. Donze´ and O. Maler, “Robust satisfaction of
temporal logic over real-valued signals,” in For-
mal Modeling and Analysis of Timed Systems:
8th International Conference, FORMATS 2010,
Klosterneuburg, Austria, September 8-10, 2010.
Proceedings, K. Chatterjee and T. A. Henzinger,
Eds. Berlin, Heidelberg: Springer Berlin Hei-
delberg, 2010, pp. 92–106.
[30] A. Donze´ and O. Maler, “Robust satisfaction of
temporal logic over real-valued signals.” in FOR-
MATS, vol. 6246. Springer, 2010, pp. 92–106.
[31] G. E. Fainekos and G. J. Pappas, “Robust sam-
pling for mitl specifications,” in International
Conference on Formal Modeling and Analysis of
Timed Systems. Springer, 2007, pp. 147–162.
[32] V. Raman, A. Donze´, D. Sadigh, R. M. Murray,
and S. A. Seshia, “Reactive synthesis from signal
temporal logic specifications,” in Proceedings of
the 18th international conference on hybrid sys-
tems: Computation and control. ACM, 2015,
pp. 239–248.
[33] B. Hoxha, H. Abbas, and G. Fainekos, “Bench-
marks for temporal logic requirements for auto-
motive systems,” Proc. of Applied Verification
for Continuous and Hybrid Systems, 2014.
[34] A. Dokhanchi, B. Hoxha, and G. Fainekos,
“Metric interval temporal logic specification
elicitation and debugging,” in Formal Meth-
ods and Models for Codesign (MEMOCODE),
2015 ACM/IEEE International Conference on.
IEEE, 2015, pp. 70–79.
[35] B. Hoxha, N. Mavridis, and G. Fainekos, “Vis-
pec: A graphical tool for elicitation of mtl re-
quirements,” in Intelligent Robots and Systems
(IROS), 2015 IEEE/RSJ International Confer-
ence on. IEEE, 2015, pp. 3486–3492.
20
[36] A. Dokhanchi, B. Hoxha, and G. Fainekos,
“Formal requirement debugging for testing and
verification of cyber-physical systems,” ACM
Transactions on Embedded Computing Systems
(TECS), vol. 17, no. 2, p. 34, 2018.
[37] J. Kapinski, X. Jin, J. Deshmukh, A. Donze,
T. Yamaguchi, H. Ito, T. Kaga, S. Kobuna, and
S. Seshia, “St-lib: A library for specifying and
classifying model behaviors,” SAE Technical Pa-
per, Tech. Rep., 2016.
[38] L. Brim, P. Dluhosˇ, D. Sˇafra´nek, and T. Vej-
pustek, “Stl*: Extending signal temporal logic
with signal-value freezing operator,” Informa-
tion and computation, vol. 236, pp. 52–67, 2014.
[39] A. Benveniste, T. Bourke, B. Caillaud, and
M. Pouzet, “Non-standard semantics of hybrid
systems modelers,” Journal of Computer and
System Sciences, vol. 78, no. 3, pp. 877–910,
2012.
[40] H. Abbas, G. Fainekos, S. Sankaranarayanan,
F. Ivancˇic´, and A. Gupta, “Probabilistic tem-
poral logic falsification of cyber-physical sys-
tems,” ACM Transactions on Embedded Com-
puting Systems (TECS), vol. 12, no. 2s, p. 95,
2013.
[41] X. Jin, J. V. Deshmukh, J. Kapinski, K. Ueda,
and K. Butts, “Powertrain control verification
benchmark,” in Proceedings of the 17th interna-
tional conference on Hybrid systems: computa-
tion and control. ACM, 2014, pp. 253–262.
[42] T. Dang, A. Donze´, and O. Maler, “Verification
of analog and mixed-signal circuits using hybrid
system techniques,” in International Conference
on Formal Methods in Computer-Aided Design.
Springer, 2004, pp. 21–36.
[43] A. Dokhanchi, A. Zutshi, R. T. Sriniva,
S. Sankaranarayanan, and G. Fainekos, “Re-
quirements driven falsification with coverage
metrics,” in Proceedings of the 12th Interna-
tional Conference on Embedded Software. IEEE
Press, 2015, pp. 31–40.
21
Table 6: Results for the automatic transmission benchmark.
Specification Semantics Parameters
T = 20 T = 30 T = 40
Succ Iter Iter/Succ Succ Iter Iter/Succ Succ Iter Iter/Succ
ϕ1
Max 20 103.1 103.1 19 209.1 167.5 14 500.6 286.6
Additive 20 80.3 80.3 20 133.2 133.2 20 215.1 215.1
Constant 14 734.0 619.9 3 930.5 536.3 0 1000.0 -
T = 10
Succ Iter Iter/Succ
ϕ2
Max 16 247.9 59.9
Additive 20 172.1 172.1
Constant 20 277.3 277.3
T = 4 T = 4.5 T = 5
Succ Iter Iter/Succ Succ Iter Iter/Succ Succ Iter Iter/Succ
ϕ3
Max 0 1000.0 - 9 796.4 547.6 17 467.8 373.9
Additive 0 1000.0 - 10 736.0 472.0 17 532.9 450.4
Constant 0 1000.0 - 11 641.9 348.8 16 472.9 341.1
T = 1 T = 2
Succ Iter Iter/Succ Succ Iter Iter/Succ
ϕ4
Max 5 852.7 410.8 20 182.0 182.0
Additive 6 795.2 317.3 20 90.6 90.6
Constant 1 998.4 967.0 20 160.0 160.0
T = 0.8 T = 1 T = 2
Succ Iter Iter/Succ Succ Iter Iter/Succ Succ Iter Iter/Succ
ϕ5
Max 0 1000.0 - 12 754.4 590.7 20 60.1 60.1
Additive 0 1000.0 - 4 864.5 322.5 20 90.7 90.7
Constant 0 1000.0 - 13 704.6 545.5 20 64.7 64.7
T = 10 T = 12
Succ Iter Iter/Succ Succ Iter Iter/Succ
ϕ6
Max 9 731.4 403.0 20 153.5 153.5
Additive 12 665.9 443.1 20 182.9 182.9
Constant 0 1000.0 - 4 899.1 495.5
Succ Iter Iter/Succ
ϕ7
Max 4 905.4 527.0
Additive 15 493.3 324.4
Constant 4 836.7 183.5
ωˆ = 3000 ωˆ = 3500
Succ Iter Iter/Succ Succ Iter Iter/Succ
ϕ8
Max 20 16.9 16.9 0 1000.0 -
Additive 20 20.4 20.4 19 296.1 259.1
Constant 20 10.1 10.1 0 1000.0 -
22
Table 7: Specifications to Falsify for the Abstract
Fuel Control benchmark.
Specification Formula
ϕAFC1 [11,40](|λ(t)−λrefλref | < tol)
ϕAFC2 [11,35]
(
(θ(t) < θ(t+ 0.01) ∨ θ(t) > θ(t+ 0.01))
=⇒ [1,5](|λ−λrefλref | < tol)
)
23
Table 8: Results for the Abstract Fuel Control benchmark.
Specification Semantics Parameters
tol = 0.16 tol = 0.17 tol = 0.18
Succ Iter Iter/Succ Succ Iter Iter/Succ Succ Iter Iter/Succ
ϕAFC1
Max 20 313.2 313.2 9 758.6 463.7 3 934.1 560.7
Additive 19 589.2 567.6 7 837.8 536.6 2 962.0 620.0
Constant 14 564.4 377.7 2 967.8 678.0 1 971.1 423.0
tol = 0.16 tol = 0.17 tol = 0.18
Succ Iter Iter/Succ Succ Iter Iter/Succ Succ Iter Iter/Succ
ϕAFC2
Max 20 319.4 319.4 7 786.6 390.4 2 954.8 548.0
Additive 19 545.5 521.6 2 942.8 428.0 2 962.5 625.5
Constant 12 680.8 468.0 3 937.8 585.0 3 929.1 527.7
Table 9: Specifications to Falsify for the Third Order
∆− Σ Modulator.
Specification Formula
ϕ∆−Σ1 
(∧3
i=1(−1 ≤ xi ∧ xi ≤ 1)
)
.
ϕ∆−Σ2  (−1 ≤ x1 ∧ x1 ≤ 1)
ϕ∆−Σ3  (−1 ≤ x2 ∧ x2 ≤ 1)
ϕ∆−Σ4  (−1 ≤ x3 ∧ x3 ≤ 1)
24
Table 10: Results for the Third Order ∆− Σ modulator.
Specification Semantics Parameters
U ∈ [−0.35, 0.35] U ∈ [−0.40, 0.40] U ∈ [−0.45, 0.45]
Succ Iter Iter/Succ Succ Iter Iter/Succ Succ Iter Iter/Succ
ϕ∆−Σ1
Max 12 799.7 666.2 19 281.6 243.7 20 144.3 144.3
Additive 20 296.8 296.8 20 335.1 335.1 12 730.8 551.3
Constant 20 205.5 205.5 17 513.3 427.4 4 875.0 374.8
U ∈ [−0.35,−0.35]
Succ Iter Iter/Succ
ϕ∆−Σ2
Max 0 1000.0 -
Additive 0 1000.0 -
Constant 0 1000.0 -
U ∈ [−0.35,−0.35]
Succ Iter Iter/Succ
ϕ∆−Σ3
Max 0 1000.0 -
Additive 0 1000.0 -
Constant 0 1000.0 -
U ∈ [−0.35,−0.35]
Succ Iter Iter/Succ
ϕ∆−Σ4
Max 13 627.0 426.2
Additive 12 739.5 565.9
Constant 5 872.6 490.4
Table 11: Results for the Static Switched System.
Specification Semantics Parameters
thresh = 0.7 thresh = 0.8 thresh = 0.9
Succ Iter Iter/Succ Succ Iter Iter/Succ Succ Iter Iter/Succ
ϕSS
Max 15 566.3 421.7 10 741.1 482.2 3 937.7 584.7
Additive 16 518.4 397.9 7 861.3 603.7 3 943.3 622.0
Constant 20 118.3 118.3 20 136.1 136.1 20 373.4 373.4
Table 12: Statistics of STL Formulas for the two Volvo models.
Model
Number of operators Depth Modal depth
Min Mean Max Min Mean Max Min Mean Max
Electric machine 1 61.1 336 1 7.65 15 1 2.02 4
Battery 2 33.5 171 1 7.95 16 1 2.08 4
25
