Cyber-Physical Systems (CPSs) are systems with both physical and software components, for example cars and industrial robots. Since these systems exhibit both discrete and continuous dynamics, they are complex and it is thus difficult to verify that they behave as expected. Falsification of temporal logic properties is an approach to find counterexamples to CPSs by means of simulation. In this paper, we propose two additions to enhance the capability of falsification and make it more viable in a large-scale industrial setting. The first addition is a framework for transforming specifications from a signal-based model into Signal Temporal Logic. The second addition is the use of Valued Booleans and an additive robust semantics in the falsification process. We evaluate the performance of the additive robust semantics on a set of benchmark models, and we can see that which semantics are preferable depend both on the model and on the specification. arXiv:1910.08306v1 [eess.SY] 
Introduction
Assuring the quality of Cyber-Physical Systems (CPSs) is an important task that is growing more and more complex. Industrial-size systems with both discrete and continuous dynamics, i.e. hybrid systems, require durable methods for design automation [1] , as well as validation methods that are beyond the current capabilities of e.g. model-checking [2] . Since the general problem of finding the set of reachable states for this kind of systems is undecidable [3] , we instead resort to testing the systems. For testing and/or monitoring of CPSs, there are many possible approaches (see [4, 5] for two surveys) -in this work, we consider falsification of temporal logic specifications. Another approach is deductive methods for proving properties of CPSs [6] , but in many industrial applications there is no mathematical model to analyze, instead there is only the possibility to simulate the system under test. Falsification can be done for CPSs both with the actual hardware, or as in the case of this paper, where the hardware is being simulated.
Falsification of temporal logic specifications for 1 CPSs is a method which attempts to find counterexamples to properties of systems by optimization over robustness of the specification. Here, robustness is a measure of distance to violation of the specification. The falsification framework has been shown to be useful for several different applications [7, 8] , and it can still be modified in many different ways. For example, one can consider different optimization algorithms to search for the counterexample (e.g. ant colony optimization [9] or functional gradient descent [10] ). Falsification requires use of a formal specification, typically written in Metric Interval Temporal Logic (MITL) [11] or Signal Temporal Logic (STL) [12] (or some variant thereof). However, these formal logics are not currently well established in industry, since the specifications used in industry need to be understood by engineers from many different disciplines. This means that it can be difficult to apply falsification when there is no formal specification available to test against.
In an attempt to tackle this problem, we present a framework for transforming requirements modelled in a causal, signal-based language (e.g. Simulink [13] ) into specifications in STL. This allows expert test engineers to model executable requirements using a tool they are familiar with, while also making falsification possible for the models under development.
As an additional measure to enhance the falsification process for industrial-size problems, we apply an alternative robust semantics to be used in the falsification problem. Specifically, we use the additive semantics presented for the logical framework Valued Booleans [14] . We evaluate the performance of additive semantics for several specifications and see in which cases they are preferable to the "standard" semantics of STL robustness. To be clear, these changes apply when we attempt to falsify a specification by means of optimization, rather than by performing brute-force exploration of system executions.
Related work
The main focus of this paper is to adapt the framework of falsification to work better in certain in-dustrial applications. The tools Breach [15] and S-TaLiRo [8] are used to perform falsification with STL and MTL, respectively. Both of these tools are based on the idea of a robustness measure for temporal logic specifications [16] . Apart from falsification, recent research has also focused on mining of temporal properties for CPSs [17] , which can make it easier to understand what proper specifications could be, given simulations of a system. A generalization of robustness is presented in a recent algebraic framework for runtime verification [18] .
There exist several approaches to transform models between other design tools. In [19] , the author presents a way to go from informal requirements to hybrid models with the use of pattern templates. In [20] , a method for generating Simulink monitors from formal requirements is presented -this procedure is essentially the opposite of the one presented in this paper. In [21] , a tool is introduced for translating Simulink models into theories in the proof assistant Isabelle [22] . To our knowledge, there has been no previous work transforming causal signal-based specifications into STL formulas, a transformation investigated in this paper.
When it comes to improvements of the falsification process itself, previous work has defined a modified version of STL [23] , and there has been discussion showing the need for similar modifications in industrial applications [24] . The main point has been to improve the robustness information from temporal operators by averaging the robustness inside the timed intervals in question. Another novel approach, which can include different interpretations of robustness for temporal operators, views temporal logic as filtering [25] . This connects the fields of temporal logic and signal processing and allows for new ways of analysis.
Several works [26] [27] have designed methods for faster falsification of a specific sub-class of specifications, namely request-response specifications. Recently, an extension to falsification has been proposed where meta-parameters of falsification, e.g. the number of control points, are variable and put into an outer optimization problem [28] .
Valued Booleans [14] is a recently-proposed logic that captures both the truth value of properties, as well as how severely the properties are falsified. In this paper, we use a version of Valued Booleans to enhance the capabilities of falsification.
Contributions
The main contributions of this work are: i) transformation of causal signal-based requirements into STL specifications;
ii) application of Valued Boolean additive semantics to the falsification process;
iii) evaluation of additive semantics for falsification of benchmark requirements.
The rest of the paper is organized as follows: in Section 2, STL and the falsification problem are defined. The latter is used to evaluate different robust semantics later on. In Section 3, we define a framework for translating causal signal-based specifications into STL. Section 4 details the logic of Valued Booleans, with two kinds of robust semantics. Section 5 compares the two robust semantics in falsification for a set of benchmark models, and in Section 6 our conclusions are presented.
Signal Temporal Logic and Falsification
The specification language STL is widely used for falsification of CPSs. We omit the definition of the robust semantics of STL, as it is almost identical to the max semantics of VBools, which we define in Section 4.1. For details on STL, we refer the reader to other works [29] .
Discrete-time signals
Throughout this paper, we discuss specifications defined for signals and signal values. The semantics of VBools is in terms of discrete-time signals, and for the sake of consistency we also define STL this way, even though it is usually defined in terms of continuoustime signals [30] . The main point of doing this is to make it clear how temporal operators can be defined in terms of conjunction, but generalizing to continuous time is possible [31] [16] . For practical purposes, falsification and monitoring of signals is performed on the output of simulated systems, where time has to be discretized to numerically solve the systems.
The set I labels the time instants of the signals, and the signal takes on continuous values at each of those time instants.
Signal Temporal Logic
The grammar of STL formulas is defined as
where µ is a predicate, and ϕ and ψ are STL formulas. ∧ denotes logical and, [a,b] is the timed globally (or always) operator, and U [a,b] is the timed until operator. Due to De Morgan's laws, we can define logical or ϕ ∨ ψ as ¬(¬ϕ ∧ ¬ψ). There is a similar identity for the temporal operators, which lets us define timed eventually ♦ [a,b] ϕ as ¬( [a,b] ¬ϕ). These identities will also be used in Section 4. Similarly to [32] , we define the validity of a formula ϕ with respect to the discrete-time signal x at time instant k as
We will provide an example of STL specification for clarity. The first example is a benchmark specification from [33] , informally stated as "During all simulation times, the engine speed ω and the vehicle speed v never reachω andv, respectively." The corresponding STL formula is
contains two operators:
and ∧. The modal depth of a formula is the deepest nesting of temporal operators (i.e.
, ♦, U) in it. For φ AT 2 , the modal depth is 1.
Falsification
Temporal logic falsification is an approach to finding counterexamples to models of CPSs, given a specification in temporal logic. The problem of generating a test case for the CPS is treated as an optimization problem, where one attempts to minimize the robustness of the STL specification, given an input parametrization of the system. Figure 1 illustrates the main falsification procedure used in this paper (with the use of the tool Breach), which we have adapted to use VBools instead of STL robust semantics.
The Generator takes the input parametrization to generate an input to the system under test. The Simulator generates a simulation trace, which is used together with the specification ϕ to evaluate VBool robustness for the simulation. The VBool robustness is evaluated to see whether the specification is falsified or not. If it is not falsified, new parameters are sampled and the process is repeated. The Parameter Optimizer is a global optimizer which attempts to find new input parameters that are closer to falsifying the specification, i.e., parameters that lead to a lower VBool robustness.
In this work, we investigate two modifications to the falsification procedure. In Section 3, we introduce a transformation of signal-based requirements into STL (with a specification transformer ) as a means of allowing falsification to be performed by testers who are not used to temporal logic specifications. In Section 4, the logic of VBools is introduced which allows the tester to control the objective function used in the falsification optimization problem.
Signal-Based Specifications
As has been noted before [34] , writing specifications in temporal logic is not trivial. Approaches that have been used to solve this problem are creating tools that make it easier to write specifications [35] , automatically detecting faulty specifications [36] , and defining template specifications to make it easier for testers to formulate their requirements formally [37] . In this paper, we instead allow test engineers to write specifications in a formalism they already know, namely a causal signal-based framework (in our case using Simulink [13] ).
The main idea behind a signal-based safety specification is to directly take signals from the simulated system, then using different operators (blocks) to give an output signal that at each simulated time instant is either 1 (specification is fulfilled) or 0 (specification is not fulfilled). The advantage of this is that a test can easily be automatically executed and evaluated at the same time as the system itself is simulated.
By using a signal-based specification, we exploit the fact that the test engineers are experts at expressing specifications in, for example, Simulink. The drawback is that a signal-based specification does not compute robustness values, and so can not be directly used for falsification. To solve this problem, we automatically translate signal-based specifications into STL formulas to be used by Breach.
STL specifications in a signalbased framework
As an example, we wish to show an implementation of a version of φ AT 1 from [33] , which is defined as
It should be noted that since a specification implemented in Simulink must be causal, temporal operators that look forward in time cannot be explicitly modeled. However, a specification model with a similar meaning to φ AT 1 (withω = 4500) is presented in Figure 2 .
Assume that the specification is evaluated on a simulation trace with a finite set of sampled data points Figure 1 : A flowchart describing a slightly modified version of the optimization-based falsification procedure of Breach. In this paper we deal with defining a specification transformer, as well as considering alternative robustness functions (the two shaded nodes). Figure 2 : A simple example of a specification expressed in Simulink. The natural language interpretation is "During all simulation times t ∈ [0, T ], the engine speed ω never reachesω". For the implementation to be correct, the initial condition of the Unit Delay block must be non-zero.
K. The interpretation of the signal req at sample k ∈ K is then
while the Boolean evaluation of the STL formula φ AT 1 at time k can be informally expressed as
As can be easily seen, req(k) is not equal to the Boolean evaluation of φ AT 1 (k) for all k, but req(T ) = φ AT 1 (0). This is the only thing that is needed to achieve equivalence between the Boolean interpretation of a causal signal-based requirement and its STL equivalent, since the STL formula will be evaluated for time 0, and the signal-based specification will be evaluated at the final simulation time. We note that another possible approach to generate specifications in this setting would be to consider past-time operators of STL, instead of future-time operators as presented here.
Signal-based specifications expressed in STL
The goal is to be able to take any signal-based specification, and then transform it into an STL formula so that it can be used for falsification. Ideally, each signal in the signal-based model would be assigned an STL formula, but since the semantics of a signalbased framework are not typically equivalent to the semantics of STL, they have different levels of expressivity.
In this section, a Signal is a variable that has defined values over time, and it can be a scalar or a vector. A Signal corresponds to a signal in a causal model. A Formula is a special case of a Signal, namely a Signal that always has a Boolean value (i.e. it is either true or false).
To model signals whose behaviour varies depending on the value of a Boolean expression, we define the types FormulaTable and SignalTable as F ormulaT able = P(F ormula × F ormula) (4)
where P denotes the powerset operation. A For-mulaTable or SignalTable consists of a set of entries, where each entry is a pair of a precondition, expressed as an STL formula, and a consequent, which is the value taken by the formula or signal when the precondition is true. The disjunction of all preconditions for any FormulaTable or SignalTable must be . 1 Figure 3 shows a Simulink encoding of the natural language requirement "The engine speed ω should always be below 5000 RPM. Additionally, if we are in third gear or lower, the speed v should be below 50 km/h; otherwise, the speed should be below 200 km/h." The Switch block assigns a value to its output signal according to the rule:
The signal sub1 is translated into a SignalTable, shown in Table 1 . The signals sub2 and phi are translated into FormulaTables, seen in Tables 2 and  3 respectively. Since there are two conditions, the SignalTables and FormulaTables have two entries. The SignalTable for sub1 has two entries because it is the output of a Switch block; the FormulaTables for sub2 and phi have two entries because the For-mulaTable for the output of a block has an entry for each possible combination of preconditions from the block's inputs.
To transform a binary operator 2 , we construct the 1 In particular, if a FormulaTable or SignalTable only has one entry, the precondition in that entry must be .
2 A unary operator is a simplification of the algorithm presented. An n-ary operator, for example ∧, is implemented pairwise (meaning that a ∧ b ∧ c is transformed to (a ∧ b) ∧ c, which is possible due to associativity of both max and additive semantics). Figure 3 . Table 3 : The FormulaTable for the output phi in the Example in Figure 3 .
Precondition Consequent
gear < 3 v < 50 ¬(gear < 3) v < 200
following table:
As can be seen, the operator of the block is applied to each consequent of the table. The number of entries α in the table that is produced from a block with K inputs u 1 , u 2 , . . . , u K will be Π K k=1 α u k , where α u k is the number of entries in the table of input u k .
An important difference between signal-based specifications and STL specifications is due to conditional blocks. The archetypical conditional block is the Switch block, which takes three inputs and lets the output be either the first or the third input, depending on a user-defined condition on the second input. The output table of a Switch block has α = α 2 (α 1 + α 3 ) entries.
To translate a FormulaTable into an STL formula, one can consider the "STL semantics" for a Simulink switch (with inputs x 1 , x 2 , x 3 ) as either
or
Note that these two expressions are logically equivalent, but they do not necessarily yield the same robustness value.
Recursive loops in specifications
To transform a signal-based specification into STL, we perform a backwards depth-first search from the output of the specification, assigning a FormulaTable or SignalTable to each signal in the specification. For simple specifications without loops, the search algorithm discussed will terminate and assign an STL formula to the signal leading to the outport of the specification. However, any kind of temporal behaviour in a specification is typically implemented as a recursive loop, which leads to the basic search algorithm not terminating -something that needs to be taken care of when transforming the STL formula.
Handling recursive loops, approach 1
If the length of the simulation is known and finite, we can transform a recursive loop into a formula that explicitly computes its value in terms of the values at all earlier time steps. For the example presented in Figure 2 , this corresponds to the final output
However, this results in large and potentially unreadable STL formulas as soon as there is some recursion involved, even for simple specifications. For example, given a simulation time in [0, 10] and a fixed simulation step time of 0.01, requirement (8) results in an STL specification with 1001 ∧-connectives, and more than 31000 characters when written in Breach syntax. Even though the robustness values for the formula will still be the same as for the STL formula ϕ = [0,10] (ω(t) <ω), we typically want something that is as readable as possible.
Handling recursive loops, approach 2
If it is a goal to keep the automatically transformed STL formulas as short as possible, we use templates of combinations of different temporal operators that are implemented as their own subsystems in the model. This is in a way very similar to ST-Lib [37] , but instead of defining templates that can be used to build specifications from the ground up directly in STL, we define templates in Simulink that are associated to predefined STL formulas.
For the example in Figure 2 , one such template could be the operator, which in practice would be a subsystem replacing the blocks in the shaded area.
Handling recursive loops, approach 3
A final possibility is to treat a recursive loop as a black box rather than translating it to STL. To do this, we treat the output of the delay block 3 as a signal in the specification, i.e. consider anything before the delay block to be part of the model. The value of the signal is computed by the model, and the STL specification simply refers to the signal. This approach is useful when we want to avoid the inefficient encoding of approach 1 and the recursive loop does not correspond to a predefined template. It is also needed when a block applies a general function to its input, in which case the function output cannot be explicitly defined as a formula, but by treating the function as part of the system we are still able to translate the specification to STL.
To summarize our implementation, whenever there is a recursive loop, approach 3 will be used unless there is a template defined for the part of the model containing the loop. If there is a template, approach 2 is used. This means that the specification transformation is fully automatic, with the possibility to include more detailed information about the specification by the use of templates.
An extended example of this can be shown by considering the signal-based specification in Figure 4 . The specification itself is part of φ AT 2 [33] . Some different ways to interpret this specification, based on which of the given signals are considered as part of the model (logged signals), are shown in Table 4 .
The advantage of this approach is that we can be certain to translate any signal-based specification to STL, while the disadvantage is that the generated STL specification might be less suited to falsification than had we translated the recursive loops to STL. For example, the specification (ω <ω) ∧ (v <v) (for the Automatic Transmission benchmark) has many possible robustness values since the signals ω and v have many different potential values. However, the specification ¬(sig7 = 0) (which has exactly the same Boolean truth value) only has two possible robustness values. This makes falsification harder, since the op- Figure 4 .
timization solver will not see how close the specification came to failing. The claim above about being able to translate any signal-based specification to STL is a very strong one, as there are specifications that can be modeled using e.g. Simulink that cannot be expressed in STL, see [38] . However, the solution presented here is that if there is a block that is not expressible in STL, its output will be logged (and the block is therefore not explicitly stated using STL, as that would be impossible). Also, specific temporal behaviours that are not expressible in STL result in logging of certain blocks as explained earlier in this section, which means that we can indeed transform any requirement to STL, however parts of the requirement may not be stated explicitly. Providing a formal proof of the correctness of the translation is beyond the scope of this paper, and instead considered future work. We note, however, that such a formal proof may be problematic due to non-standard semantics of Simulink [39] .
When semantics do not match
For the specification transformation framework presented in this paper, there is a difference between logical formulas and signals. However, in a signal-based setting there is not, so it is possible for a block to get the wrong type of input. For example, consider the 8 expected inputs and outputs of the following blocks:
∧ : F ormulaT able × F ormulaT able → F ormulaT able < : SignalT able × SignalT able → F ormulaT able
There are two cases for unexpected input types: either a SignalTable is provided when a FormulaTable should be, or a FormulaTable is provided when a SignalTable should be.
SignalTable provided instead of Formu-laTable
This can occur if, for example, we apply the ∧ operator to two real-valued signals x and y. Simulink (and MATLAB) semantics interpret the Boolean evaluation of these signals as being false if they are equal to zero, and true otherwise. This means that we can transform a SignalTable to a FormulaTable by comparing equality of the SignalTable's consequent to zero, and then applying the ¬ operator. This is accomplished by the S2F function:
S2F : SignalT able → F ormulaT able S2F ( precond, conseq ) = precond, ¬(conseq = 0)
FormulaTable provided instead of SignalTable
This can occur if, for example, we try to add (using the + operator) two predicates, such as x > 0 and y < 10. The meaning of this is clear when interpreted as signals according to the Simulink semantics: the output of the + operator will have value 0 (when both predicates are false), 1 (when exactly one of the predicates are true), or 2 (when both predicates are true). However, in STL we cannot define a formula by adding logical formulas together. In this case, if the sum is later used as a formula by comparing it to zero (i.e. the signal expression to be evaluated is (x > 0) + (y < 10) = 0), then an equivalent STL formula would be ¬((x > 0) ∨ (y < 10)). However, it is not clear how to generalize this observation, so instead we consider anything before the block in question (here, the + operator) to be a black box, and the output of the block is treated as a signal, using the same method described in Section 3.3.3.
Valued Booleans
Valued Booleans (VBools) [14] is a logical framework in which the tester can customize how robustness is computed by choosing between several possible semantics for each connective. The semantics that are currently available are a max semantics (which is essentially the same as STL) and an additive semantics.
A VBool is formally defined as a pair of a Boolean value and a robustness value. The robustness is a non-negative number, which may be infinite:
Note the difference between VBools and STL. In STL, there is no explicit Boolean value, but the robustness may be negative, and negative robustness represents falsehood. For VBools, the Boolean value is explicit and robustness may not be negative.
The VBool comparison operator ≤ v is defined as:
and ⊥ denote true and false, respectively. The other comparison operators are defined in terms of ≤ v , except for = v which is defined as
where K is an arbitrary constant. Truth values and negation are defined as
The rest of the operators are defined in two different ways. One is called max semantics and the other additive semantics. 9 
Max semantics
The max and operator is defined as max(x, y) ).
The first clause models the idea that in order to falsify x ∧ y, it is enough to falsify whichever of x and y has the lowest robustness. If we are in the second clause, then x∧y is false, and in order to make it true, we must make x true; the third clause is similar. The final clause is dual to the first clause: in order to make x ∧ y true we must make both x and y true, and the robustness is determined by whichever of x and y seems to be hardest to make true, i.e., has the highest robustness as a false VBool.
The max or operator is defined in terms of the max and operator:
The timed max always operator (over the interval [a, b]) is also defined in terms of the max and operator as max, [a,b] 
where ϕ is a finite sequence of VBools defined for all the discrete time instants in [a, b].
The timed max eventually-operator is defined as
). Finally, for completeness we also define the max until -operator as
.
It can be seen that the max semantics for VBool are almost equivalent to the robust semantics of STL, with the only difference being that VBools distinguish between "true with robustness 0" and "false with robustness 0", while STL does not. This difference is only technical and in practice the two semantics behave the same. However, a single VBool formula can contain both max connectives and connectives using other semantics, such as the additive semantics defined below.
Additive semantics
The additive and -operator is defined as 4
As with the max semantics, the additive semantics for ∧ is based on the observation that in order to falsify x ∧ y, it is enough to falsify either x or y. The first clause is inspired by the formula for parallel resistance; the formula 1/(1/x + 1/y) gives a robustness which is less than the maximum of x and y. It roughly models the idea that although we need only falsify one of x and y, we do not know which one of them can be falsified. The second and third clauses are the same as in the max semantics. By using addition in the fourth clause rather than max, we model the idea that in order to make x ∧ y true, we need to make both x and y true, not just whichever of them has the highest robustness.
The additive or -operator is defined as y) ), and the timed additive always-operator (over the time interval [a, b]) is defined (similar to the max case) as The timed additive eventually-operator is defined as ♦ +, [a,b] 
The additive until -operator is defined as
Implication is defined slightly differently than in classical logic:
Here k is an arbitrary constant, and # scales the robustness of its argument:
By scaling the left-hand side of the implication, we encourage the parameter optimizer to make the lefthand side true before trying to falsify the right-hand side.
Properties for reasoning about Valued Booleans
Most Valued Boolean connectives have two possible semantics, and the tester must choose one of the semantics for each connective in the specification. The max semantics corresponds closely to the existing robust semantics of STL (and for use in falsification, they yield the same result), but the additive semantics is entirely different. The purpose of using max semantics for Valued Booleans instead of STL robustness is so that the tester can freely change between different robust semantics of VBools, even within a single formula. This section compares the two semantics of Valued Booleans and describes the different properties they have which explain why a tester might choose to use one or the other. For a more thorough discussion on Valued Booleans, we refer the reader to the work which introduced them [14] . This section rather discusses the practical issues of using Valued Booleans in the case of falsification. The ultimate goal of a robust semantics is to guide the falsification in the right direction. Therefore, when a change in the input to the system brings a formula closer to being falsified, the robustness of the formula should go down. This is the property we ideally want from a robust semantics. It is not always achievable in reality (because we can never be sure if we are really moving closer to a counterexample or not), but the more often it holds, the better. We are particularly interested in two special cases of this property, monotonicity and sensitivity. For simplicity we assume that formulas are in negation normal form, i.e., negation only occurs as part of an atomic formula.
Definition 2 A formula is monotonic if, when the robustness of some atomic subformula decreases (leaving the others unchanged), the robustness of the formula does not increase.
A nonmonotonic formula is disastrous for falsification as the parameter optimizer will, moving from a test case to a strictly better one, observe the better test case as being worse instead. All VBool formulas are monotonic.
Definition 3 A formula is sensitive if changing the robustness of some atomic subformula (leaving the others unchanged) causes a change in the robustness of the formula. This captures the idea that if the output of the system changes then the robustness of the formula should usually change.
Importance of sensitivity for falsification
Sensitivity is vital for falsification because measuring changes in robustness is how the parameter optimizer explores the input space. For falsification it is only important that true formulas be sensitive if the falsification stops immediately when the counter-example is found (and robustness thus is equal to 0). If moving from a test case to a strictly better test case does not affect robustness, then the parameter optimizer will not know when it has found a better test case. The traditional semantics of Boolean logic is completely insensitive, which is why a robust semantics is needed for falsification. Unfortunately, the max semantics is not sensitive: only one parameter of p ∧ q is taken into account for any given test case. For example, if p ∧ q is true, then the semantics is only sensitive to changes in whichever of p and q has the lowest robustness.
The additive semantics is sensitive for many true formulas. For example, p ∧ q is fully sensitive when p and q are both true. This means that, when falsifying the conjunction of several formulas, the parameter optimizer is able to observe changes in the robustness of any of the subformulas. However, the formula p ∨ q is not fully sensitive when exactly one of its arguments is true. Figure 5 illustrates why sensitivity is important to falsification. Suppose that the formula to be falsified is φ, and that this formula happened to be true in the current test case. Figure 5 (a) illustrates how the robustness of φ varies with time in this hypothetical test case. Recall that φ is computed by sampling φ at each time step and taking the conjunction of each sample, up to a constant factor depending on δt. In this case, the robustness dips from 3 to 1 at about t = 48s, and in both semantics, the robustness of φ will be lower compared to if the robustness had been a constant 3. Now suppose that the optimizer modifies the test case and observes the output seen in Figure 5 (b). It seems that this test case is closer to failing than Figure 5(a) , because there is an extra dip in robustness. Therefore, we would like the optimiser to prefer (b) to (a), and for this to happen the robustness of φ must be lower under (b) than (a). Under the additive semantics, this is indeed the case, because of sensitivity. Under the max semantics, however, Figures 5(a) and (b) give the same robustness for φ, as the minimum robustness is the same in both cases. Thus the optimiser is not able to see that moving from Figure 5(a) to 5(b) is a good idea. Because the max semantics is not sensitive, the parameter optimizer is only able to notice changes in the minimum value of φ.
Example of max and additive semantics
It is not always the case that additive semantics is better than max semantics. Suppose instead that the optimizer observes the result in Figure 5(c) . This test case appears much closer to failing than Figure 5(a) : the minimum is very close to 0. However, the additive semantics will assign Figure 5 (c) a higher robustness than Figure 5(a) , because the initial segment of the test case has a higher robustness and continues for a long time, which cancels out the lower minimum. The max semantics considers 5(c) to have lower robustness than 5(a), as we might hope.
This problem only occurs because the robustness of the initial segment of the test case is quite large. Figure 5(d) shows a less extreme variant. Both the additive and the max semantics judge this test case as having lower robustness than Figure 5(a) . This is because, if we take two true VBools ( , x) and ( , y), their conjunction under the additive semantics is ( , z) where z = 1/(1/x + 1/y). Now we can observe that if x y, then 1
That is, when taking the conjunction of a set of formulas, formulas that have a low robustness have a disproportionate effect on the result. In particular, in the formula ϕ, a small decrease in the minimum value cancels out quite a large increase in the maximum value. We also note that 1/(1/x + 1/y) is always less than min(x, y), i.e., the additive robustness of a conjunction between two true VBools is always smaller than the max robustness. However, as there is no meaning in explicitly comparing the additive robustness value to the max, this does not affect our choice of robustness in any way. Figure 6 illustrates the robustness of p ∧ + q and p ∧ max q. The x-axis gives the robustness of p and the y-axis gives the robustness of q; negative values here stand for false VBools. The graph illustrates the robustness of p∧q using isolines, which connect points that have equal robustness. Where an isoline is vertical or horizontal, the connective is insensitive: only figure (a) , but the robustness in the initial part of the trace is even higher. The "+" semantics assigns this trace a higher robustness than figure (a), even though it appears much closer to being falsified. changes in a particular argument have an effect on robustness. We see in the upper-right quadrant that when p and q have very different robustnesses, p ∧ + q assigns much more importance to the lower robustness (it starts to approximate the max semantics), but that it always remains sensitive. This weighting is a deliberate feature of the additive semantics: a subformula with low robustness is likely to be a better target for optimization than a subformula with high robustness, as it it more likely to be easily falsifiable.
Other properties of VBools
Apart from monotonicity and sensitivity, there are several more commonplace properties that we would like our semantics to have. The most essential is soundness: a Valued Boolean formula (e.g. p ∧ + (¬ V q ∨ +r)) and the corresponding Boolean formula (in this case, p ∧ (¬q ∨ r) should always evaluate to the same Boolean result; the only difference is that the Valued Boolean also computes a robustness. All of the connectives we have defined are easily seen to be sound, since the Boolean part of each definition uses the corresponding Boolean connective. Therefore, the choice of semantics only affects the optimization process, not the truth or falsehood of the property. We would also like the usual laws of Boolean logic to hold: connectives should be associative, commutative, idempotent, have an identity element, have a zero element, and obey the usual distributivity and negation laws. As mentioned above, these laws all hold if one ignores the computed robustness, but we would like robustness to respect these laws too. These properties are important because we do not want the robustness of a formula to depend on, for example, how conjunctions are bracketed or what order they are written in, and we do not want the tester to have to think about what arrangement of brackets is most suitable.
The max semantics obeys many laws of Boolean logic. Conjunction and disjunction are associative, commutative, idempotent and have v and ⊥ v as identity and zero elements. Distributivity holds, as do De Morgan's laws. What fails are the laws p ∨ max ¬ v p = and p ∧ max ¬ v p = ⊥, since the left and right hand sides may have different robustnesses. Proofs of these laws for VBools are omitted due to space constraints, but they are straightforward and only require an exhaustive case analysis on whether each VBool is true or false.
The additive connectives satisfy fewer laws than the max semantics. They are associative, commutative, have v and ⊥ v as identity and zero elements, and respect de Morgan's laws. They do not satisfy idempotence or distributivity. Idempotence fails because, for example, p ∧ + p is a Valued Boolean whose robustness is either twice that of p (if p is false) or half that of p (if p is true). Distributivity fails for a similar reason, because expanding p ∧ + (q ∨ + r) duplicates p, increasing its influence on the robustness computation. We are not aware of a semantics that combines associativity, commutativity, idempotence and sensitivity; we conjecture that these four properties are incompatible. 5 To summarise, both max and additive semantics satisfy many Boolean properties, but max satisfies more; in return for giving up some properties, the additive semantics gains sensitivity, which is useful for falsification. In an additive conjunction, the parameter optimizer is able to see when any of the conjuncts' robustness decreases, which is not the case for the max semantics. A final observation is that the additive semantics for conjunction assigns greater weight to less robust conjuncts, which means that when a conjunct is close to being falsified it can be reduced even if this causes the robustness of other conjuncts to increase markedly.
Results and Discussion
To show the performance of using additive semantics for STL during falsification (compared to max semantics), we perform falsification with additive semantics for four examples. Each of the four examples comes from (or is inspired by) other work, so we refer the reader to these original works for further details about each model. The results are presented in a set of tables, and the layout of each table is the same. The results are shown in Sections 5.1 -5.4.
The rows of the tables show which specification is attempted to be falsified, which parameters or specific settings are used, and also which semantics are used. We use the max and additive semantics defined earlier in the paper, but we also include a third constant semantics. The robustness value for a constant semantics is equal to 100 if the specification is true, and -100 if the specification is not true. This constant semantics is used as a baseline to verify whether max and additive semantics yield better results than purely random testing 6 .
For each parameter setting, the "Succ" column shows how many times the specification was actually falsified, and the "Iter" column shows the average number of iterations used by the optimization solver in each falsification attempt (the maximum is set to 1000). The "Iter/Succ" column shows the average number of iterations for the falsification attempts that were successful. The optimization solver used in these examples is a Simulated Annealing solver [40] .
Automatic Transmission Benchmark
The model takes as input the throttle and brake of a vehicle, and simulates the automatic transmission system (for details, see [33] ). The model has been used in several other works [17, 23] , and in this work we perform falsification with the Breach toolbox. The outputs of the system are the vehicle speed (v), the engine speed (ω), and the gear. The model contains 69 blocks in total.
The model is simulated with a fixed-step setting (automatic step size), using the MATLAB solver ode5 (Dormand-Prince). 
Specification
Formula
∧( [5, 7] gear == 3) ∧ ( [8, 10] gear == 3)
∧( [12, 15] gear == 2) 20] (gear == 4 ∧ throttle > 45 ∧throttle < 50) =⇒ ω <ω
Falsification parameters
The throttle is generated using 7 control points distributed evenly in time, interpolated using the MAT-LAB interpolation setting pchip. Each control point has a value in the range [0, 100]. The brake input is interpolated similarly but only using 3 control points, each in the range [0, 500]. The specifications to falsify are shown in Table 5 . Specifications ϕ 1 -ϕ 6 are taken from [23] . Note, however, that we do not modify the specifications to improve the falsification capability of our additive semantics.
The comparison between max semantics and additive semantics for each specification is shown in Table  6 .
Abstract Fuel Control Benchmark
The model is an Abstract Fuel Control system implemented in Simulink, and it has been proposed as a benchmark for temporal logic falsification [41] . The inputs to the model are the input throttle θ (in degrees) and the engine speed ω. The outputs of inter-est are the Air/Fuel ratio λ and the controller mode (either closed-loop or open-loop). The reference value λ ref is equal to 14.7 for the specifications we are considering. The model contains 253 blocks in total.
The model is simulated with a variable-step setting using the MATLAB solver ode15s (stiff/NDF).
Falsification parameters
The engine speed is constant and allowed to be in the range [900, 1100] . The throttle angle is generated as a pulse signal with a base value of 8.9, a delay of 3, a period in the range [10, 30] and amplitude in the range [0.161]. Thus, the throttle angle always has a value in the range [8.9, 69.9] , always switching back and forth between two values at different times of each simulation. We always simulate the system for 40 seconds.
The specifications to falsify are shown in Table 7 . The specifications are variations of Req. (26) and (27) in [41] , using η = 1.
The results for the Abstract Fuel Control benchmark are shown in Table 8 .
Third Order ∆ − Σ Modulator
The third order ∆ − Σ modulator is used as a technique for analog to digital conversion. The model is described in detail in [42] and has previously been used for falsification benchmark purposes [40, 28] . The model has one input U , three states x 1 , x 2 , x 3 , and three initial conditions x init 1 , x init 2 , x init 3 . The model contains 27 blocks in total.
The model is simulated with a fixed-step setting (automatic step size), using the MATLAB solver discrete (no continuous states).
Falsification parameters and specification
The input U is constant during the whole simulation, and the allowed values are in different sets for different scenarios (see Table 10 for detailed scenarios).
The initial conditions are all in the range [−0.1, 0.1]. The specifications to falsify are shown in Table 9 (note that
The results for the modulator benchmark are shown in Table 10 .
Static Switched System
The static switched system has no dynamics and is included to show that both max and additive semantics can worsen the performance of falsification, compared to falsifying with Boolean semantics. The model is inspired by [43] , and it has two inputs (u 1 , u 2 ) ∈ [0, 1] 2 which are kept constant. The model contains 16 blocks in total. The output y(t) is assigned according to
The specification to falsify is ϕ SS = (y ≥ 0). In other words, the falsification problem consists of finding a scenario where both inputs have a value above thresh. This is difficult since the gradient of the robustness (for max and additive) with respect to the input parameters will point away from the area where the specification is falsified. The results for the static switched system are shown in Table 11 .
Transforming Volvo requirements to STL
We have successfully implemented the framework presented in this paper for transforming causal signalbased specifications into STL. We have transformed the requirements for two industrial models at Volvo Car Corporation, which model the electric machine of an electric vehicle, as well as the battery for an electric vehicle. The models contain 19846 and 18294 blocks, respectively 7 . Note that the specifications have not been translated manually, only automatically using the procedure presented in this paper. For all the automatically translated specifications, correctness has been asserted during falsification runs,
i.e., the Boolean satisfaction of the translated formulas have coincided with the signal value of the specification modeled in Simulink. However, a formal proof of the correctness is out of the scope of this paper, and is considered future work. In total, there are 58 transformed requirements for the first model and 36 transformed requirements for the second model. The transformation of requirements into STL specifications have enabled the use of temporal logic falsification for both models. Falsification is now being run continuously for both models, in order to catch software defects during development. Statistics for the transformed STL formulas are shown in Table 12 . The sheer number of requirements combined with the complexity of the formulas shown in the table indicate that writing the specifications in STL manually would be very timeconsuming.
Discussion
For the specifications shown in this paper, we can see that no specific semantics perform better than the other two for all models. For several specifications, the constant semantics performs just as well as one or other of the robust semantics.
It is clear from the tables that sometimes max semantics are preferable, and sometimes additive semantics are preferable.
For example, for specifications ϕ 1 , ϕ 2 , ϕ 7 , ϕ 8 additive semantics clearly perform better, while for specifications ϕ 5 , ϕ 6 , ϕ AF C 1 , ϕ AF C 2 max semantics clearly perform better. The static switched system was also introduced to show that the constant semantics (i.e. random testing) can be better than max or additive semantics. It is clear that ϕ SS is easier to falsify for the constant semantics than for the other semantics.
Whether a specific semantics outperforms the others depends not only on the specification, but also on the system that is being falsified.
Preferable semantics for different specifications
The intuitive explanation for why additive semantics can be better in some cases is that it takes into ac-count all the different subformulas of ∧ and ∨ formulas (and by extension also the temporal operators). In a conjunction, if only the highest robustness value decreases in between simulations, it is not certain that the max semantics will capture the change, but it will affect the total additive robustness. On the other hand, if one robustness increases while the other robustness decreases, the additive semantics robustness may not be affected, while the max semantics robustness will. An example of when it is preferable to notice changes in all clauses of a conjunction is ϕ 7 . Here, each clause is not difficult to falsify individually, but to be able to falsify them all at once it helps a great deal to include more detailed robustness information about each clause. As such, having conjunctions with many clauses in a specification can indicate that additive semantics would be preferable for that (sub)specification.
Preferable semantics for different systems
For some system behaviour, it can be non-beneficial to consider changes in all parts of a conjunction. An example of this is the third order ∆ − Σ modulator. The results in Table 10 indicate that ϕ ∆−Σ 4 is by far the easiest sub-specification of ϕ ∆−Σ 1 to falsify. Including more detailed robustness information about the other sub-specifications (ϕ ∆−Σ 2 and ϕ ∆−Σ 3 ) makes the robustness information from ϕ ∆−Σ 4 diluted in a sense, meaning that changing from max to additive semantics will not increase falsification capability.
Conclusions
We have presented two additions to potentially increase the capability of falsification of temporal logic specification for Cyber-Physical Systems (CPSs).
The first addition is a specification transformation framework, which takes requirements modeled in a causal signal-based frameworks and transforms them into Signal Temporal Logic (STL) formulas. The framework has been implemented for the specifications in two industrial-sized models at Volvo Car Cor-poration, and it has enabled the use of falsification for both of the models. The specification transformation outputs a specification where we also have information about which preconditions should be fulfilled for different parts of the specification to be evaluated for given signal values and a given time.
The second addition is the introduction of additive semantics in the falsification process. Considering the established robust semantics of STL formulas as the max semantics, the difference for additive semantics is that the robustness of each clause in a conjunction can affect the total robustness of the conjunction, even if only one of the clause's robustness changes. Disjunction and temporal operators are defined in terms of conjunction for the additive semantics.
To indicate the usability of additive semantics for falsification, we have compared them to max semantics as well as constant semantics (essentially only Boolean information and no robustness) for several different models and specifications. The models we show results for are both well-known benchmark models, as well as a simple non-dynamic model to prove that all three choices of semantics can be the most viable. Previous work on falsification has overlooked the need to compare against the constant semantics as a baseline; our evaluation made it clear that for some specifications, falsification had no benefit over random testing. However, for most cases excluding the system in Section 5.4, it is clear that constant semantics perform worse that the others, indicating that robustness-based falsification is a reasonable way of finding faults in CPSs. We encourage other researchers to include a baseline comparison in their future work.
Which of the three semantics performs best depends both on the specification and the model. In a black-box setting, it is thus very difficult to decide which semantics to use for which operator in the specification to get the best results for falsification.
Future work
We have so far defined two semantics for Valued Booleans. There are most likely many more, each with their own trade-offs; we plan to explore these. Also, since the best choice of semantics can be dif-ferent for each connective in a given specification, we would like to both • formulate principles that can guide a tester in choosing a suitable semantics for each operator in a given specification, and
• analyze both the model and the specification to reason about which semantics would be best for falsification (i.e. grey-box or white-box testing).
Evaluating the effect of different robust semantics in falsification of generated specifications for the industrial examples presented in this paper is also a path we plan to explore. A more theoretical approach is about how the additive robustness relates to the view of temporal logic as filtering. Finally, it would be interesting to look at falsification which includes the extra information that we get from the specification transformation presented in this paper -namely, the information about all the preconditions that need to be fulfilled for different parts of the specification to be evaluated. [11, 35] (θ(t) < θ(t + 0.01) ∨ θ(t) > θ(t + 0.01)) =⇒ [1, 5] 
