Abstract. Signal Temporal Logic (STL) is a formalism for reasoning about temporal properties of continuous-time traces of hybrid systems. Previous work on this subject mostly focuses on robust satisfaction of an STL formula for a particular trace. In contrast, we present a method that solves the problem of formally verifying an STL formula for continuous and hybrid system models, which exhibit uncountably many traces. We consider an abstraction of a model as an evolution of reachable sets. By leveraging the representation of the abstraction, the continuous-time verification problem is reduced to a discrete-time problem. For the given abstraction, the reduction to discrete time and our decision procedure are sound and complete for finitely represented reach sequences and sampled time STL formulas. Our method does not rely on a special representation of reachable sets, and thus any reachability analysis tool can be used to generate the reachable sets. The benefit of the method is illustrated on an example from the context of automated driving.
Introduction
In recent years, the functionality and complexity of products, production processes, and software has been increasing. Furthermore, the interaction between the physical parts of a system (mechanics, thermodynamics, sensors, actuators, and others) and its computational elements is becoming tighter and is organized over large networks, which has resulted in so-called cyber-physical systems [21, 14]. Due to their advanced capabilities, newly developed cyber-physical systems often fulfill safety-critical tasks that were previously only entrusted to humans; see, e. g., automated road vehicles, surgical robots, automatic operation of smart grids, and collaborative human-robot manufacturing [22, 18]. The aforementioned trends drastically increase the demand for formal verification methods of hybrid (mixed discrete/continuous) systems.
Hybrid systems contain the interplay of discrete and continuous dynamics and therefore are inherently difficult to verify formally [18, 23]. As a result, most hybrid system researchers have focused on solving reach problems and reach-avoid problems: for all possible initial states and all possible disturbances, the system has to avoid forbidden regions while reaching a goal set [6, 13]. There are several tools for reach-avoid problems, which compute sets of reachable states over time and check for intersection of these sets with forbidden regions [2, 12]. More complicated formal specifications based on temporal logics, such as computation tree logic (CTL), linear temporal logic (LTL), or µ-calculus, have mostly been applied to the verification of purely discrete systems or timed automata [9, 7, 4]. For hybrid systems, a continuous-time and real-valued version of such temporal logics, called Signal Temporal Logic (STL), has been proposed as a formal specification language [16]. However, STL has mainly been used not for the verification of hybrid systems but for checking single traces only, e. g., for runtime monitoring and for test generation [15, 26, 27, 17, 1]. Therefore, there is a demand for formal verification techniques which are able to verify a temporal (STL) property for all (infinitely many) possible traces of a hybrid system.
In this work, we propose a new idea to verify specifications in STL for a hybrid system. Given a hybrid system S and an STL property ϕ, we propose the following steps to formally verify ϕ on S, as shown in Fig. 1:
1. A new reachset temporal logic (RTL) is defined (Sec. 3). The semantics of RTL is directly defined on the reach sequence, which corresponds to an infinite set of traces. A reach sequence is a function mapping time to the set of states reachable from a set of initial states and uncertain inputs. Therefore, with RTL, we are able to reason about infinitely many traces with a finite representation, in contrast to STL, which cannot be used to directly verify an infinite set of traces by simply evaluating the STL formula.
2. A transformation from sampled time STL to RTL is defined (Sec. 4). We prove that this transformation is sound and complete with respect to finitely represented reach sequences and give a sound transformation from general STL to sampled time STL. Therefore, we are able to translate the STL verification problem on traces to an RTL verification problem on reach sequences.
3. A model checking algorithm is introduced to formally verify an STL property on a reach sequence using the transformation from STL to RTL and the semantics of RTL (Sec. 5).
Our theory does not rely on a special representation of reach sequences. Since there exist many reachability analysis tools, such as Cora [2], SpaceEx [12], and C2E2 [10], which can compute reach sequences, our approach is broadly applicable. We show the benefits of our model checking method on an example from the domain of automated driving (Sec. 6).
Note that we are working with overapproximations of exact reach sequences, because reachability analysis for hybrid systems is undecidable in general [20]. There are already some model checking techniques for temporal properties related to LTL: in order to be able to verify an uncountable set of possible traces, one can translate a temporal logic called Hybrid LTL (HyLTL) to a (Büchi) monitor automaton [8]. After parallel composition of the monitor automaton with the hybrid system to be verified, the verification problem reduces to finding a loop in the reach sequence. A problem of the HyLTL model checking approach is that, to the best of our knowledge, there is no proof of the soundness of the verification result for the proposed method when overapproximative methods and bounded time horizons are used, which are common for reachability analysis tools due to undecidability. Another drawback of the HyLTL approach is that parallel composition drastically complicates the hybrid automaton and the reachability analysis, so that the composition typically becomes so large that it is infeasible to analyze. With our method, temporal properties can be verified without changing the hybrid automaton; see the example in Sec. 6.
There are several works that also present approaches for model checking of hybrid systems but restrict themselves to discrete time traces [24, 11]. However, these works typically give no formal guarantees for the satisfaction on the continuous time traces, either because they sample the time, or because one has to make additional assumptions about the behavior between the sampling points. In contrast, we formally reason about the continuous time traces.
Preliminaries
Our model checking method builds on hybrid systems and Signal Temporal Logic, which are briefly introduced in the following.
Hybrid systems
Our methods are defined on a sequence of reachable sets of states and thus are invariant to the modeling formalism that describes the evolution of a hybrid system. However, in order to describe how hybrid traces and reach sequences are generated, without loss of generality we use hybrid automata as a well-established modeling formalism [19]. In the following, we introduce hybrid automata in a non-formal way. Because the dynamics of real systems are typically not known exactly, we propose including non-deterministic behavior. Components of a hybrid automaton are visualized in Fig. 2 together with a possible reach sequence. Informally, the semantics of a hybrid automaton is as follows: The combined discrete and continuous trace ξ(t) = (v(t), x(t)) starts from (v_0, x_0), and x(t) ∈ R changes according to a differential inclusion ẋ(t) ∈ H(v(t), x(t), u(t)) [25], where H(v, x, u) is a set of values based on the discrete state v(t) ∈ {v_1, v_2, ..., v_p}, the continuous state x(t), and the input u(t) ∈ R^m, such that the differential inclusion models many possible solutions, as opposed to ordinary differential equations. If the continuous state is within a guard set, the corresponding transition to a new discrete state can be taken. It has to be taken if the state would otherwise leave an invariant, which is the region in which the differential inclusion of the current discrete state is defined. After the discrete transition is taken (in zero time), the continuous state is updated according to a jump function, which models possible instantaneous changes of the continuous state. For ease of presentation, we assume that a hybrid automaton is non-Zeno and non-blocking.
A trace ξ : R_≥0 → R^n of the hybrid automaton S is of the form
where ξ_i : [t_i, t_{i+1}) → R^n are the evolutions between discrete transitions. The set of all traces of a system S is denoted by Traces(S). In contrast to discrete systems, one cannot generate a tree of possible traces for a system with continuous state variables, since its number of traces is uncountably large. Thus, algorithms for computing reach sequences of systems involving continuous states do not preserve individual traces anymore, but only store the set of values for points in time and time intervals. A function R : R_≥0 → P(R^n) mapping to the power set
holds. The reach sequence is called exact, iff (1) holds with '⊆' replaced by '='. An evaluation R(t) for one point in time t is called a reachable set. Typically, other papers use the terminology reachable set only. However, in our work the distinction between reach sequence and reachable set is important for rigorous formulation and understandability. Due to undecidability, exact reachable sets typically cannot be obtained for hybrid systems. The set of traces corresponding to R is defined as
and contains the set of traces Traces(S) and potentially additional traces (even if R is exact), as visualized in Fig. 3.
Remark 1. To reduce this conservatism, reachable sets can be split, resulting in a tree structure of reach sequence segments. For instance, Cora [2] uses reachable set splitting for accuracy reasons, resulting in multiple branches with reach sequences that progress independently. Every path of the tree from the root to a leaf represents one reach sequence. While we focus on one reach sequence in this paper, the results can also be applied to the more general case by considering all reach sequences that can be generated from the tree.
Reachability analysis tools such as Cora can compute (overapproximative) reachable sets R_i for points in time t_i and reachable sets R_i for time intervals [t_i, t_{i+1}]. We call reach sequences of the form
finitely represented reach sequences, where R_i and R_i are sets of states, t_0 = 0, t_{m+1} = ∞, and define
The considered time structure with alternating points and open intervals is similar to the one for timed automata, see [5].
Signal Temporal Logic (STL)
Values of traces are real numbers that vary over time. Hence, STL is a temporal logic to describe properties of continuous-time and real-valued traces. We briefly introduce STL following Maler et al. [16]. An STL formula consists of atomic predicates (such as x > 3), which are composed using logical and temporal operators. The syntax of an STL formula over a finite set of atomic predicates
The trace satisfaction semantics of an STL formula ϕ for a trace ξ is defined recursively on ϕ:
using a predicate evaluation function π_p and the suffix notation ξ^a(t) = ξ(t + a), which shifts the trace in time. For instance, the until-operator p U_[a,b] q states that p has to hold for all times until q holds for one point in time. Other common temporal operators can be derived from these operators, such as the finally-
For brevity of notation, we also introduce the continuous next-operator
An STL formula in which no temporal operators are present is called a non-temporal formula in the following. Inspired by LTL, we define the satisfaction of an STL formula on a set of traces M as
Formally, the STL verification task for a hybrid system S is to check whether Traces(S) |=_T ϕ holds. Since a verification method has to reason about uncountably many traces, the problem is often replaced by falsification in practice, searching for a trace ξ with ξ ⊭_T ϕ. However, falsification cannot prove that ϕ holds. Note that Traces(S) ⊭_T ϕ does not imply Traces(S) |=_T ¬ϕ, because of the ∀-quantifier over the traces.
Reachset Temporal Logic (RTL)
Evaluation of an STL formula cannot be directly done for an infinite set of traces. Therefore, we introduce a new temporal logic that is defined on reach sequences instead of traces (as STL is), which we refer to as Reachset Temporal Logic (RTL). By transforming an STL formula into an RTL formula, we can leverage RTL for model checking the STL formula on a hybrid system, as visualized in Fig. 1. The syntax and semantics of RTL are defined so that STL formulas can be transferred to and expressed on reach sequences; they therefore have some commonalities with STL, but also important differences.
Definition 1 (RTL syntax). An RTL formula has the syntax
where is a propositional formula := p | 1 ∨ 2 | ¬ over a finite set AP of predicates p ∈ AP .
Note that since we want to work with overapproximations of exact reachable sets, we have the negation operator only for non-temporal formulas, which is the reason for the syntactic split into ψ and .
Definition 2 (RTL semantics). For a propositional formula and a state r the semantics is
For a reach sequence R and a formula ψ, the semantics is defined as
where R^a(t) := R(t + a) is the shift operator and a ∈ R_≥0, b ∈ R_≥0 with a ≤ b.
Two RTL formulas ψ_1, ψ_2 are equivalent, denoted as ψ_1 ≡ ψ_2, iff the satisfaction is the same for all possible reach sequences. The operators F and G are defined similarly to STL:
To give an example, we consider the formula F_[0,1] A . A reach sequence R has to satisfy that holds for all states in one R(t) between time 0 and 1. Expressed on the set of traces C(R) corresponding to R, this implies that all traces satisfy for one common point in time, compared to the requirement F_[0,1] for all traces:
Since a set of traces satisfies an STL formula if each trace satisfies the formula, the traces are "checked" independently of each other, i.e., it is not possible to reason about a variable point in time t ∈ [a, b] at which something holds for all traces in a set. Therefore, this cannot be expressed in STL. In contrast, RTL is able to express common satisfaction of predicates.
Transformation from STL to RTL
The differences between STL and RTL described in the previous section have some important implications for the transformation between these temporal logics. In this section we present a transformation Υ mapping an STL formula to an RTL formula. We first give some properties of a sound and complete transformation and then present a transformation for sampled time formulas and finitely represented reach sequences (Sec. 4.1). We further show that the results can be extended by transforming general STL formulas to sampled time formulas (Sec. 4.2). The methods will be used later to model check STL formulas, as shown in Fig. 1. With a mapping Υ from STL to RTL we are able to transfer the verification task on the traces of a reach sequence, C(R) |=_T ϕ, into a reach sequence verification task R |=_R Υ(ϕ). Since we do not want to lose expressiveness, we demand from the transformation Υ that
holds, which we call soundness and completeness, respectively, for the reach sequence abstraction. If soundness and completeness are given for Υ, the semantic domain can be changed without changing the verification result. The following lemma gives some properties of a sound and complete Υ.
Lemma 1. Let the STL formulas ϕ_i and the non-temporal formula be given. A sound and complete transformation Υ has the following properties:
Furthermore, the ∨-distributivity
which are the points in time where a change in the trace can affect whether ϕ is true or not.
Proof. For non-temporal properties , (10) follows from
From soundness and completeness of Υ and the RTL semantics follows
which proves (11). The equivalences (13) and (15) also hold for ∨. Let us assume that ξ |=_T ϕ_1 ∨ ϕ_2 holds for all ξ ∈ C(R), but neither ξ |=_T ϕ_1 for all ξ ∈ C(R) nor ξ |=_T ϕ_2 for all ξ ∈ C(R). Then, there exist ξ_1, ξ_2 ∈ C(R) with ξ_1 ⊭_T ϕ_1 and ξ_2 ⊭_T ϕ_2. Because of the empty time support intersection and the special structure of C(R), we can construct ξ with ξ(t) = ξ_1(t) for t ∈ tsupp(ϕ_1) and ξ(t) = ξ_2(t) otherwise. Since ξ ∈ C(R) and ξ ⊭_T ϕ_1, ξ ⊭_T ϕ_2, this is a contradiction, and therefore (12) holds, because the other direction can also be easily shown.
Based on the properties from Lemma 1, one can see the subtle differences between a well-defined complete and a non-complete transformation. Let us consider the STL formula ϕ := ( 0 ∧ X 1 1 ) ∨ X 1 0 , which could be transformed to ψ := (A 0 ∧ X 1 A 1 ) ∨ X 1 A 0 by simply adding the A-operator to the non-temporal subformulas of the STL formula ϕ. However, if we first rewrite ϕ to the equivalent formula ( 0 ∨ X 1 0 ) ∧ X 1 ( 0 ∨ 1 ) and transform it, we get
The formula ψ does not force all the traces to satisfy 1 at time 1, if one trace does not satisfy 0 at time 1. Since ψ also implies ϕ, it is a sound transformation of ϕ which is less restrictive than ψ. As one can see from this example, a sound and complete transformation cannot simply be constructed by structural induction over the parts of an STL formula, even if no nested temporal operators are used. Different parts of a formula are able to interact with each other if they are composed with the ∨-operator. In the following, we build upon Lemma 1 and give a sound and complete transformation function for sampled time formulas.
Sound and complete transformation for sampled time formulas
Operators can appear arbitrarily nested in STL formulas. Given a fixed c > 0, we call the subclass of STL which restricts formulas to
sampled time STL with timestep c. For example, p∨F (0,c) p∨X c p ∨ F (0,c) p ∨ X c p can be seen as a sampled time version of the STL formula F_[0,2c] p. Since standard equivalences hold on STL formulas, such as ¬X_c ϕ ≡ X_c ¬ϕ, ¬F_(0,c) ϕ ≡ G_(0,c) ¬ϕ, and X_c (ϕ_1 ∨ ϕ_2) ≡ X_c ϕ_1 ∨ X_c ϕ_2, each sampled time formula has an equivalent sampled time formula in conjunctive normal form i j X^j_c (ϕ_ij ∨ ij ) with ϕ_ij of the form k F_(0,c) k ∨ l G_(0,c) l , non-temporal formulas ij , and the X-operator applied in series, X^j_c := X_{j·c}. Based on the conjunctive normal form, we are able to introduce a sound and complete transformation Υ for finitely represented reach sequences, given that c divides all time intervals of the reach sequence. Since finitely represented reach sequences can be produced by Cora [2] and SpaceEx [12], for instance, this is of practical relevance.
Lemma 2. Let a sampled time formula be given in conjunctive normal form. Then, the transformation Υ from STL to RTL defined via
with := k∈K k is sound and complete for finitely represented reach sequences R = (t_0, R_0) ((t_0, t_1), R_0) (t_1, R_1) ... ((t_m, t_{m+1}), R_m), which are c-divisible, where c-divisibility holds if and only if t_i ∈ Nc := {0, c, 2c, ...} holds for all i.
Proof. Soundness and completeness can be proven by structural induction. Since we define the transformation such that Υ(ϕ_1 ∧ ϕ_2) ≡ Υ(ϕ_1) ∧ Υ(ϕ_2) holds, it can be shown similarly as in Lemma 1 that it is sufficient to show soundness and completeness for j X^j_c (ϕ_ij ∨ ij ), which works similarly, because different time branches have different time supports tsupp(X^j_c (ϕ_ij ∨ ij )) ⊆ [j, j + 1). Therefore it is sufficient to show soundness and completeness for (17). For brevity, we do not give the proof for general formulas, but prove that the two terms
are equivalent. Let us assume that (19) holds and therefore without loss of gen-
Since R is a finitely represented reach sequence which changes values only at points in time divisible by c, also R |=_R G_(0,c) A( 1 ∨ 3 ) and therefore C(R) |=_T G_(0,c) ( 1 ∨ 3 ) holds, which implies (18). On the other hand, let us assume (19) does not hold. Therefore
holds. Hence, Eq. (18) does not hold, because the trace
2 , c any r ∈ R(t), otherwise is contained in C(R) but does not satisfy the formula in (18) . Lemma 2 proves that the RTL formula ψ := (A 0 ∧ X 1 A( 0 ∨ 1 )) ∨ X 1 A 0 is a sound and complete transformation of the formula ( 0 ∧ X 1 1 ) ∨ X 1 0 considered in the previous section. As we have seen above, the formula F [0,2c] p has an equivalent sampled time notation. Therefore, it can be transformed to ψ :
Ap using Lemma 2. Since we do not have any temporal operators but the shift operator in ψ and ψ , the formulas can easily be checked on a reach sequence. This is the basis for our model checking approach in Sec. 5. Note that 
Transformation of general STL to sampled time STL
Rewriting a general STL formula as a sampled time formula enables us to use the results of the previous section for general STL formulas. The rewriting is sound, and therefore we are able to reason about the satisfaction of an STL formula on reach sequences. The main idea is to leverage the finite representation of a given STL formula ϕ for rewriting and to use rules of the form ξ |=_T ϕ ⇐ ξ |=_T ϕ to rewrite ϕ to a sampled time version ϕ in a sound manner. If we have such rules, they can also be applied to C(R).
Lemma 3. Let ϕ be an STL formula which can be written as f (ϕ 1 , . . . , ϕ n ), where f is a function composing ϕ i by ∧, ∨, and
Proof. Let us assume ξ |=_T ϕ_1 ∧ ϕ_2, which is equivalent to ξ |=_T ϕ_1 ∧ ξ |=_T ϕ_2, holds for all ξ. From the rewriting rules it follows that ξ |=_T ϕ_1 ∧ ξ |=_T ϕ_2 and therefore ξ |=_T ϕ_1 ∧ ϕ_2 holds also. The proof follows from
by structural induction over ∧, ∨, and X_c.
Finally, we need a set of rewriting rules that are sufficient to rewrite general STL formulas as sampled time ones.
Lemma 4. Let an STL formula ϕ be given which is c-divisible, where c-divisibility holds if c divides all bounds of temporal operators of ϕ. Without loss of generality, we assume that ϕ is in negation normal form. Hence, ϕ can be written as f(ϕ_1, ..., ϕ_n), where f is a function composing the ϕ_i by ∧, ∨, and X_c, and the outermost operator of each ϕ_i is a temporal operator or ϕ_i is non-temporal. Then, for any temporal ϕ_i there is a rewriting in Table 1 or one of the following equivalences using subformulas ϕ_i
such that ϕ can be rewritten to rw(ϕ) = f(ϕ_1, ..., ϕ_n) in a sound manner. The formula ϕ can be rewritten to a sampled time version with timestep c by iteratively applying the rewriting ϕ → rw(ϕ) → rw^2(ϕ) → ... until no rewriting rule matches anymore.
Table 1. For all ξ the formula ξ |=_T ϕ_i ⇐ ξ |=_T ϕ_i holds for each pair ϕ_i, ϕ_i in the table. For readability, we use I = (0, c) and assume c = 1.
Proof. Since we assume c-divisibility and negation normal form, each temporal operator of the subformula is a U-operator or an R-operator, and one of the first four rewriting rules of Table 1 can be applied. After the first rewriting step, there are potentially formulas nested in G_I or F_I. For every possible operator there is exactly one rewriting rule. With Lemma 3, it is sufficient to prove the soundness of the rewriting rules in Table 1. Let us consider c = 1 and the formula ϕ_1 U_[0,j] ϕ_2, which is true if ϕ_2 holds, ∃t ∈ (0, 1) :
holds. By overapproximating ∃t ∈ (0, 1) :
we obtain the rewritten formula. The other formulas can be proven similarly.
If needed, temporal formulas such as p U_[0,0.9] q can also be rewritten to p U_[0,1] q in a sound manner if c = 1 should be enforced. However, this is typically not needed, since one can choose alternatives such as c = 0.9 or c = 0.1, which also depends on the reach sequence. As an example, the formula ϕ := p U_[0,2] q with atomic propositions p and q can be rewritten as follows:
Now that we have solved the problem of transforming an STL formula to an RTL formula defined on the reach sequence, we present a model checking algorithm in the next section. 
STL Model Checking
Our model checking approach for STL formulas is presented in the following. The foundation of the approach follows from Lemmas 2 to 4 and is summarized in the following theorem.
Theorem 1. Let ϕ be an STL formula, R be a reach sequence of a hybrid automaton S, and R and ϕ be c-divisible. The formula ϕ can be transformed to an RTL formula ψ = i j X j c 2 k A ijk with non-temporal properties ijk , where
holds, and therefore the transformation is sound. If ϕ is equivalent to a sampled time STL formula, the transformation is complete. Hence, R |=_R ψ implies Traces(S) |=_T ϕ, which proves ϕ for the hybrid automaton S.
It remains to show how
k A ijk can be evaluated on a reach sequence R. This can be reduced to the problem R |= R X j c 2 A ijk . The satisfaction result is obtained by evaluating all such subformulas and then computing the Boolean value of the remaining logical formula.
Our RTL syntax and semantics, as well as the transformation from STL to RTL, are independent of the representation of the reachable sets R(t) and the predicates used. However, to implement a model checking algorithm, we have to define a representation and a set of predicates we rely on. Therefore, we assume that the reachable sets are represented by (sets of) polytopes as in SpaceEx [12] and Cora [2]. Given a set of vectors c_1, ..., c_k and values d_1, ..., d_k, a polytope is defined as the set poly(c_1, ..., c_k, d_1
which is the intersection of halfspaces. We consider the set AP of atomic predicates of the form a^T x ∼ b, where a ∈ R^n, b ∈ R, and ∼ ∈ {<, ≤, >, ≥}, which are also halfspace restrictions. For instance, the evaluation of A(x ≤ 5) for a reach sequence is visualized in Fig. 5. Note that the formula is only satisfied if all states x satisfy x ≤ 5.
Given a formula of the type A , the logical part can be transformed into disjunctive normal form = i j (a^T_ij x ∼ b_ij) with ∼ ∈ {<, ≤}. Because j (a^T_ij x ∼ b_ij) corresponds to the polytope region poly_i = poly(a_i1, ..., b_i1, ...), the check R |=_R X_t A can be performed by the polytope inclusion check R(t) ⊆ poly_i, which can be implemented using standard polytope libraries.
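The model checking step above, as an added example that is not code from the paper or from Cora: a constructed finitely represented reach sequence with c = 1 over the state (x, v), axis-aligned boxes standing in for the polytopes, halfspace predicates a^T x ∼ b, and the RTL operators A, ∧, ∨, X_a, F and G evaluated as defined in Sec. 3. The inclusion check R(t) ⊆ poly is decided at the box vertices, which is exact because the polytope is convex. The REACH data, the tuple encoding of formulas and all function names are assumptions made for this illustration.

```python
import operator
from fractions import Fraction as Fr
from itertools import product

OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}

# Constructed sample: finitely represented reach sequence, c = 1, state (x, v)
# = (distance covered, velocity). Entry (lo, hi, box): lo == hi is the time
# point t_i, lo < hi the open interval (t_i, t_{i+1}), hi = None means +inf.
# A box lists (min, max) per state dimension; it plays the role of R_i.
REACH = [
    (Fr(0), Fr(0), [(0.0, 0.5), (11.0, 12.0)]),
    (Fr(0), Fr(1), [(0.0, 12.5), (10.5, 12.5)]),
    (Fr(1), Fr(1), [(10.5, 12.5), (10.5, 12.5)]),
    (Fr(1), Fr(2), [(10.5, 25.0), (10.0, 13.0)]),
    (Fr(2), Fr(2), [(22.0, 25.0), (9.0, 13.0)]),
    (Fr(2), None, [(22.0, 100.0), (0.0, 13.0)]),
]

def reach_set(R, t):
    """R(t): the set of states reachable at time t (a Fraction)."""
    for lo, hi, box in R:
        if lo == hi == t or (lo < t and (hi is None or t < hi)):
            return box
    raise ValueError(f"time {t} is not covered by the reach sequence")

def entries_meeting(R, a, b, closed):
    """Boxes of all entries whose time support meets [a, b] (or (a, b))."""
    boxes = []
    for lo, hi, box in R:
        if lo == hi:
            inside = a <= lo <= b if closed else a < lo < b
        else:
            inside = lo < b and (hi is None or a < hi)
        if inside:
            boxes.append(box)
    return boxes

def all_states_satisfy(box, sigma):
    """A sigma on one reachable set. sigma is a conjunction of halfspaces
    (a, op, b) meaning a^T x op b, i.e. one polytope of the DNF. A box lies
    inside a convex polytope iff every vertex does, so vertices suffice."""
    for vertex in product(*box):
        for a, op, b in sigma:
            if not OPS[op](sum(ai * xi for ai, xi in zip(a, vertex)), b):
                return False
    return True

def holds(R, psi, t=Fr(0)):
    """Decide R^t |=_R psi for formulas encoded as ('A', sigma),
    ('and', f, g), ('or', f, g), ('X', a, f) and
    ('F' | 'G', a, b, closed, ('A', sigma)). Only A sigma may sit under
    F/G: the evaluation uses that R(t) is constant on each entry."""
    kind = psi[0]
    if kind == "A":
        return all_states_satisfy(reach_set(R, t), psi[1])
    if kind == "and":
        return holds(R, psi[1], t) and holds(R, psi[2], t)
    if kind == "or":
        return holds(R, psi[1], t) or holds(R, psi[2], t)
    if kind == "X":
        return holds(R, psi[2], t + psi[1])
    _, a, b, closed, inner = psi
    assert inner[0] == "A", "F/G must be applied to a formula A sigma"
    boxes = entries_meeting(R, t + a, t + b, closed)
    results = [all_states_satisfy(box, inner[1]) for box in boxes]
    return any(results) if kind == "F" else all(results)

V_GE_10 = [((0, 1), ">=", 10)]   # predicate v >= 10
X_GE_10 = [((1, 0), ">=", 10)]   # predicate x >= 10

# Illustrative RTL formula built from the sampled-time blocks G_(0,c), X_c
# and A sigma: (G_(0,1) A(v >= 10) and X_1 A(x >= 10)) or A(x >= 10).
PSI = ("or",
       ("and", ("G", Fr(0), Fr(1), False, ("A", V_GE_10)),
               ("X", Fr(1), ("A", X_GE_10))),
       ("A", X_GE_10))

if __name__ == "__main__":
    print(holds(REACH, PSI))
```

Replacing the box with a polytope library's inclusion test changes only all_states_satisfy; the temporal evaluation over points and open intervals stays the same.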
Example
In the following, we provide an example for our model checking method from the domain of automated driving. For automated driving, it is important to verify safety properties such as the absence of collisions. While driving, this can be done by periodically checking that a collision is not possible for a bounded time of the planned trajectory using the reach sequence [3]. However, there are also other safety-relevant temporal properties which should be verified. Based on the results in this paper, the verification of these properties can be easily integrated in the existing verification scheme. For example, when a vehicle is traversing a crossing, it should not block the crossing and should maintain a certain velocity until it reaches the other side. This can be expressed on the traces as an STL property similar to ϕ := v ≥ 10 U_[0,2] x ≥ 10, where v is the velocity and x is the distance covered. We use Cora [2] and the vehicle model of Althoff and Dolan [3] to compute the reach sequence of the vehicle as visualized in Fig. 6. To verify ϕ with the reach sequence, we transform ϕ to a sampled time RTL formula. An exemplary transformation result for ϕ is
RTL for finitely represented reach sequences; (iii) introducing a rewriting scheme for general STL formulas to sampled time STL formulas; and (iv) introducing a model checking method for RTL formulas obtained by the transformation. The approach is especially useful for non-deterministic models that naturally exhibit uncountably many traces due to necessary abstractions from the original dynamics. Our model checking technique is independent of the way reach sequences are obtained and represented. Therefore, all reachability analysis tools can benefit from our approach by extending their reasoning from non-temporal (safety) properties to temporal properties.
This is demonstrated by an example from automated driving, where the online verification of the absence of collisions is extended to online verification of temporal properties.
Future work could intensify the interconnection of the reachability analysis and the verification part to develop the method further. Additionally, the semantics of RTL can be extended in the sense of robust semantics as used by Metric Temporal Logic [11] .
