Monitoring Temporal Properties of Continuous Signals
Oded Maler and Dejan Nickovic
VERIMAG, 2 Av. de Vignate, 38610 Gi
`
eres, France
[Dejan.Nickovic | Oded.Maler]@imag.fr
Abstract. In this paper we introduce a variant of temporal logic tailored for spec-
ifying desired properties of continuous signals. The logic is based on a bounded
subset of the real-time logic
MITL, augmented with a static mapping from con-
tinuous domains into propositions. From formulae in this logic we create auto-
matically property monitors that can check whether a given signal of bounded
length and finite variability satisfies the property. A prototype implementation of
this procedure was used to check properties of simulation traces generated by
Matlab/Simulink.
1 Introduction
Temporal logic [MP95] is a rigorous formalism for specifying desired behaviors of
discrete systems such as programs or digital circuits. The algorithmic approach to ver-
ification [Kur94,CGP99,BBF
+
01,VW86] consists of checking whether all (finite and
infinite) state-event sequences generated by a system S satisfy a formula ϕ, that is, ef-
fectively deciding the language inclusion [[ S]] ⊆ [[ ϕ]] . Recently a version of a temporal
logic-based specification formalism, PSL-Sugar [BBDE
+
02], has been adopted by the
hardware industry as a standard specification language.
For systems which are outside the scope of automatic verification tools, either due to
the incorporation of unbounded variables (numbers, queues) or simply due to size, sim-
ulation/testing is still the preferred validation method. It has been suggested by several
authors that the specification component of verification can be exported toward sim-
ulation through property monitors (observers, testers). In the software context this is
called run-time verification [HR02a,SV03]. The idea is simple: unlike the inclusion test
[[ S]] ⊆ [[ ϕ]] used in verification, in monitoring one performs each time a much simpler
membership test ξ ∈ [[ ϕ]] on an individual simulation trace ξ ∈ [[ S]] and the responsibil-
ity for exhaustive coverage is delegated to the test generation procedure (or abandoned
altogether).
The essence of this approach is the automatic construction of a monitor from the
formula in the form of a program that can be interfaced with the simulator and alert the
user if the property is violated by a simulation trace. This process is much more reliable
than manual (visual or textual) inspection of simulation traces, or manual construction
of property monitors.
This work was partially supported by the EC projects IST-2001-33520 CC (Control and Com-
putation), IST-2001-35302 AMETIST (Advanced Methods for Timed Systems) and IST-2003-
507219 PROSYD (Property-Based System Design).
Temporal logic has been used as the specification language in a number of monitor-
ing tools, including Temporal Rover (TR) [Dru00], FoCs [ABG
+
00], Java PathExplorer
(JPaX) [HR01] and MaCS [KLS
+
02]. TR is a commercial tool that allows to annotate
programs with temporal logic formulae and then monitor them. FoCs is a monitoring
system developed at IBM that automatically transforms PSL-Sugar properties into de-
terministic property checkers in the form of simulation blocks compatible with various
HDL simulators. JPaX is a software-oriented runtime verification system for data race
analysis, deadlock detection and temporal specifications. MaCS is another software-
oriented monitoring framework aimed at runtime checking (and steering) of real-time
programs.
Unlike verification, where the availability of the system model allows one to reason
about infinite computations (carried by cycles in the transition graph), monitoring is
usually restricted to finite traces. One thread of monitoring research attempts to redefine
the semantics of temporal formulae on finite (truncated) runs [EFH
+
03]. We avoid this
problem altogether by considering a temporal logic with bounded time modalities which
interprets naturally over finite traces.
The main contribution of this work is the definition of a temporal logic for spec-
ifying properties of dense-time real-valued signals and the automatic generation of
property monitors for this language. The motivation to do so stems from the need to
improve validation methodology for continuous and hybrid systems. Two prime exam-
ples of such systems are control systems, where the continuous variables are used to
model the physical plant under control, and analog and mixed-signal circuits where
such variables represent currents and voltages throughout the circuit. The natural mod-
els for such systems are differential equations, for purely continuous systems, or hybrid
automata, a combination of automata with differential equations, when the dynamics is
mixed and contains mode switching, saturation, etc. The exact exhaustive verification
of continuous and hybrid systems is impossible due to undecidability except for some
trivial sub-classes. Even approximate verification is very hard, restricted in the current
state-of-the-art to systems with very few continuous variables. Consequently, numer-
ical simulation is the commonly-used method to validate such systems and our work
can be seen as a step toward making this process more systematic and rigorous. Some
primitive forms of monitoring do exist in certain numerical simulation tools but their
temporal (“sequential”) sophistication is very limited.
The rest of the paper is organized as follows. In Section 2 we introduce the real-time
temporal logic
MITL
[a,b]
, a restricted version of the logic MITL of Alur and Henzinger
[AFH96] along with its semantic domain, Boolean signals of finite variability defined
over finite prefixes of the positive real time axis. In Section 3 we describe a simple
offline monitoring procedure which reads a formula ϕ and a signal s of a sufficient
length (relative to the formula) and determines whether s satisfies ϕ. This procedure by
itself can be used to monitor dense real-time properties of digital circuits and programs.
In section 4 we introduce the logic
STL (Signal Temporal Logic), discuss its semantic
domain and show how monitoring for its formulae can be reduced, via static Boolean
abstraction, to monitoring of
MITL
[a,b]
formulae. The behavior of a prototype imple-
mentation on simulation traces generated by Matlab/Simulink is illustrated in Section 5,
followed by discussions of related and future work.
2 Signals and their Temporal Logic
2.1 Signals
Let the time domain T be the set R
≥0
of non-negative real numbers. A finite length
signal s over a domain D is a partial function s : T → D whose domain of definition
is the interval I =[0,r), r ∈ Q
≥0
. We say that the length of the signal is r and denote
this fact by |s| = r. We use the notation s[t]=⊥ for every t ≥|s|.
Signals over different domains can be combined and separated using the standard
pairing and projection operators as well as any pointwise operation. Let s
1
: T → D
1
,
s
2
: T → D
2
, s
12
: T → D
1
×D
2
and s
3
: T → D
3
be signals and let f : D
1
×D
2
→ D
3
be a function. The pairing function is defined as
s
1
s
2
= s
12
if ∀ts
12
[t]=(s
1
[t],s
2
[t]).
and its inverse operation, projection as:
s
1
= π
1
(s
12
) s
2
= π
2
(s
12
).
The lifting of f to signals is defined as
s
3
= f(s
1
,s
2
) if ∀ts
3
[t]=f(s
1
[t],s
2
[t]).
Note that if s
1
and s
2
differ in length, the convention f(x, ⊥)=f(⊥,x)=⊥ guaran-
tees that |s
3
| =min(|s
1
|, |s
2
|).
In the rest of this paper, unless otherwise stated, we restrict our attention to Boolean
signals, D = B . In this case (and for discrete domains in general) all reasonable signals
are piecewise-constant
1
and can be represented by their values on a countable number
of intervals. An interval covering for an interval I =[0,r) is a sequence I = I
1
,I
2
...
of left-closed right-open intervals such that
I
i
= I and I
i
∩ I
j
= ∅ for every i = j.
An interval covering I is said to be consistent with a signal s if s[t]=s[t
] for every
t, t
belonging to the same interval I
i
. In that case we can abuse notation and write
s(I
i
). We say that a signal s is of finite variability if it has a finite interval covering
[AFH96]. It is not hard to see that such signals are closed under pointwise operations,
pairing and projection. We restrict ourselves to signals of finite variability which are,
by definition, non-Zeno. An interval covering I is said to refine I
, denoted by I≺I
if ∀I ∈I∃I
∈I
such that I ⊆ I
. Clearly, if I
is consistent with s,soisI.
We denote by I
s
the minimal interval covering consistent with a finite variability
signal s. The set of positive intervals of s is I
+
s
= {I ∈I
s
: s(I)=1} and the set of
negative intervals is I
−
s
= I
s
−I
+
s
. A Boolean signal s : T → B can be represented
by the pair (|s|, I
+
s
). Such a signal is said to be unitary if I
+
s
is a singleton. Clearly any
Boolean signal s of finite variability can be written as s = s
1
∨s
2
∨...∨s
k
where all s
i
are unitary and the boundaries of their corresponding positive intervals do not intersect.
1
Pathological signals which are 1 on rationals and 0 on irrationals are out of the scope of this
work.
2.2 Real-time Temporal Logic
We consider the logic
MITL
[a,b]
as a fragment of the real-time temporal logic MITL
[AFH96], such that all temporal modalities are restricted to intervals of the form [a, b]
with 0 ≤ a<band a, b ∈ Q
≥0
. More on various dialects of real-time logic can
be found in [AH92,Hen98]. The use of bounded temporal properties is justified by
the nature of monitoring where the behavior of a system is observed for a finite time
interval. The basic formulae of
MITL
[a,b]
are defined by the grammar
ϕ := p |¬ϕ | ϕ
1
∨ ϕ
2
| ϕ
1
U
[a,b]
ϕ
2
where p belongs to a set P = {p
1
,...,p
n
} of propositions. From basic MITL
[a,b]
op-
erators one can derive other standard Boolean and temporal operators, in particular the
time-constrained eventually and always operators:
3
[a,b]
ϕ = T U
[a,b]
ϕ and 2
[a,b]
ϕ = ¬3
[a,b]
¬ϕ
In this paper,
MITL
[a,b]
formulae are interpreted over n-dimensional Boolean sig-
nals. The satisfaction relation (s, t) |= ϕ, indicating that signal s satisfies ϕ starting
from position t, is defined inductively as follows:
(s, t) |= p ↔ π
p
(s)[t]=T
(s, t) |= ¬ϕ ↔ (s, t) |= ϕ
(s, t) |= ϕ
1
∨ ϕ
2
↔ (s, t) |= ϕ
1
or (s, t) |= ϕ
2
(s, t) |= ϕ
1
U
[a,b]
ϕ
2
↔∃t
∈ [t + a, t + b](s, t
) |= ϕ
2
and ∀t
∈ [t, t
], (s, t
) |= ϕ
1
Note that our definition of the semantics of the time-bounded until operator differs
slightly from its conventional definition since it requires a time instant t
∈ [t + a, t + b]
where both (s, t
) |= ϕ
2
and (s, t
) |= ϕ
1
. This definition does not have any repercus-
sion on the derived eventually and always operators which retain their usual seman-
tics:
(s, t) |= 3
[a,b]
ϕ ↔∃t
∈ t +[a, b](s, t
) |= ϕ
(s, t) |= 2
[a,b]
ϕ ↔∀t
∈ t +[a, b](s, t
) |= ϕ
A signal s satisfies the formula ϕ iff (s, 0) |= ϕ.
According to the standard semantics for temporal logic, the satisfaction of a formula
with unbounded modalities can rarely be determined with respect to a finite signal or
sequence. In fact, only the satisfaction of 3p or the violation of 2p can be detected in
finite time. By using bounded modalities we avoid the problems related to the ambigu-
ity of |= when applied to finite signals or sequences. Nevertheless, even for M
ITL
[a,b]
certain signals are too short to determine satisfaction of the formula, for example the
property 2
[a,b]
3
[c,d]
p cannot be evaluated on signals shorter than b + d. Hence we re-
strict ourselves to signals which are sufficiently long. The necessary length associated
with a formula ϕ,denoted by ||ϕ||, is defined inductively on the structure of the formula:
||p|| =0
||¬ϕ|| = ||ϕ||
||ϕ
1
∨ ϕ
2
|| =max(||ϕ
1
||, ||ϕ
2
||)
||ϕ
1
U
[a,b]
ϕ
2
|| =max(||ϕ
1
||, ||ϕ
2
||)+b
The reader can verify that s |= ϕ is well defined whenever |s| > ||ϕ||.
3 Monitoring MITL
[a,b]
Formulae
In this section we present a procedure for deciding the satisfiability of an MITL
[a,b]
formula by a sufficiently long signal. This procedure, partly inspired by [Pnu03] and
[HR02b], is very simple. It works in a bottom-up fashion on the parse tree of the for-
mula. Starting from the leaves we construct for every sub-formula ψ a signal s
ψ
such
that s
ψ
[t]=1iff (s, t) |= ψ. When the process is completed we have the signal s
ϕ
for
the formula whose value at 0 determines satisfiability. Since future temporal modalities
talk about truth now as a function of some truth in the future, it is natural that our pro-
cedure goes backwards, propagating, for example, the truth value of p at time t, toward
the truth of 3
[a,b]
p at [t − b, t − a]. This procedure is not causal and has to wait for the
termination of the simulation before starting the evaluation of the signal with respect to
the formula.
For Boolean operators the computation of (a representation of) a signal for a formula
from (the representations of) the signals of its sub-formulae is rather straightforward.
For negation we have I
+
¬p
= I
−
p
. For disjunction ψ = p ∨ q we first construct a refined
interval covering I = {I
1
,...I
k
} for p||q and then for each I
i
, let ψ(I
i
)=p(I
i
)∨q(I
i
).
Finally we merge adjacent positive intervals to obtain I
+
ψ
(see Figure 1).
p
q
p
q
p
∨ q
p ∨ q
Fig.1. To compute p ∨ q we first refine the interval covering to obtain the a representation of
the signals by p
and q
, then perform interval-wise operations to obtain p
∨ q
and then merge
adjacent positive intervals.
To treat the until we need to shift intervals backwards. Let I =[m, n) and [a, b] be
intervals in T. The [a, b]-back shifting of I,is
I [a, b]=[m − b, n − a) ∩ T.
This is essentially the inverse of the Minkowski sum with saturation at zero (see Fig-
ure 2).
Claim (Unitary Until). Let p and q be two unitary signals with I
+
p
= {I
p
} and I
+
q
=
{I
q
}. Then the signal ψ = pU
[a,b]
q is a unitary signal satisfying
I
+
ψ
= {((I
p
∩ I
q
) [a, b]) ∩ I
p
}.
![Fig. 2. Three instances of back shifting I ′ = [m, n) [a, b]: (a) I ′ = [m − b, n − a); (b) I ′ = [0, n − a] because m − b < 0; (c) I ′ = ∅ because n − a < 0](/figures/fig-2-three-instances-of-back-shifting-i-m-n-a-b-a-i-m-b-n-a-2xyex6f3.webp)
![Fig. 3. (a) Applying back shifting to non-unitary signals leads to wrong results for pU [a,b]q; (b) Applying back shifting to the unitary decomposition of p and q leads to correct results. The computation with p1 is omitted as it has an empty intersection with q.](/figures/fig-3-a-applying-back-shifting-to-non-unitary-signals-leads-8tx04dvx.webp)
 ⇒ [3,5](x2 > 0.7)): (a) The generating system; (b) The property is satisfied; (c) The property is violated.](/figures/fig-5-monitoring-two-2-dimensional-continuous-signals-h6r3ckyz.webp)
: (a) The formula parse tree; (b) The property is satisfied; (c) The formula is violated.](/figures/fig-4-monitoring-two-2-dimensional-signals-against-the-ctgwgxxq.webp)
