
1 Introduction

Hybrid systems are a powerful modeling concept, as they can exhibit both continuous and discrete dynamics. As such, they are applicable in many contexts, including autonomous vehicles, power systems, robotics, and systems biology. As the typical application areas indicate, hybrid systems are often safety-critical and thus require formal verification. Specifications for the formal verification of hybrid systems are often formalized using signal temporal logic (STL) [26], which is evaluated on real-valued signals over continuous time. STL monitoring algorithms can determine whether a concrete execution of a system satisfies an STL specification [8]. By considering the reachable set, i.e., the set of states reached by at least one execution, rather than single executions, monitoring algorithms can be adapted to verify a specification for all executions [22, 35]. While [22, 35] focus on offline monitoring algorithms, we adapt an online algorithm for incremental verification. This allows us to stop the computation of the reachable set as soon as the specification can be verified or falsified. Thus, we can use our novel method online to, e.g., verify motion plans of autonomous vehicles [3].


1.1 Related Work

Online Monitoring of Real-Time Temporal Logics: The paper that originally introduced STL also presents an offline monitoring algorithm propagating satisfaction signals of atomic subformulas up the syntax tree of the specification [26]. Later, [27] calls this method offline marking and adapts it for online monitoring. The new procedure, called incremental marking, essentially performs offline marking for each new observation and discards the already propagated parts of the signals. The tool AMT [28] implements both algorithms. Other online monitoring approaches for real-time logics rely on translating the formula to timed [10, 17] or untimed [20] automata. The algorithm in [34] rewrites the monitored metric temporal logic formula to represent remaining constraints whenever an observation is made. For robust monitoring, [15] adapts incremental marking to quantitative semantics of STL [16].

Many-Valued Semantics of Temporal Logics: In the context of monitoring, [10] employs three-valued semantics for linear temporal logic (LTL) and timed LTL to handle uncertainty due to finite traces. To obtain a more expressive monitoring result for finite traces, [9] extends this to a four-valued semantics that distinguishes presumably true or false finite traces. The authors of [13] use a five-valued semantics of LTL to deal with uncertainties arising from finite traces and race conditions in parallel systems. Most closely related to our approach are [22, 35], which employ three-valued semantics for verification of hybrid systems. Based on reachable sets, previous work constructs three-valued satisfaction signals for the atomic predicates of an STL formula implicitly [22] or explicitly [35]. The third truth value indicates that both satisfying and violating states are reachable. To decide whether the specification is met, these are propagated akin to offline marking. Moreover, [35] employs statically determined masks to evaluate atomic predicates only where they are relevant; masking is an orthogonal approach to our proposed incremental verification.

Hybrid Systems Verification: Besides the aforementioned approaches based on three-valued semantics of STL [22, 35], there are other verification methods using only the usual two truth values. The authors of [32] introduce a variant of STL called reachset temporal logic that is interpreted directly over the reachable set. They provide a sound transformation of STL into their logic, which is complete if all intervals in the STL formula range from 0 to a globally fixed time step. In [7], the authors propose a syntactic separation procedure for STL, which splits a formula into subformulas referring to disjoint time intervals. Based on the separated formula, they use satisfiability modulo theories (SMT) techniques to search for counterexamples bounded in length and the number of value changes; the SMT encoding is improved in [25]. Finally, there are deductive verification approaches that adapt dynamic logic suitable for software verification into differential dynamic logic suitable for hybrid systems [29, 30]. Differential dynamic logic has been augmented with a fragment of STL to derive temporal properties [1] and assumption-commitment reasoning to handle parallel hybrid systems [12].

1.2 Contributions

We propose a novel algorithm for verifying STL specifications on hybrid systems based on reachability analysis. Following the idea of the incremental marking procedure for STL monitoring [27, Sect. 3.2], our algorithm runs alongside the reachability analysis. As soon as the reachability algorithm determines the reachable set for new time steps, our algorithm uses the new information to update its verdict on specification satisfaction. Thus, we can terminate the reachability analysis as soon as we obtain a conclusive verdict. The theoretical foundation of our algorithm is a novel four-valued semantics for STL. The two new truth values handle uncertainty arising from set-based (sets might contain both states satisfying and violating a predicate) and incremental (the entire reachable set over time is not immediately available) computation.

This paper is organized as follows: After discussing preliminaries and our problem statement in Sect. 2, we give an overview of our solution concept in Sect. 3. We present our four-valued semantics for STL in Sect. 4, followed by the novel incremental verification algorithm in Sect. 5. In Sect. 6, we apply a prototype implementation to systems occurring in autonomous driving and systems biology before coming to a conclusion in Sect. 7.

2 Preliminaries and Problem Statement

After introducing the necessary interval operations, we establish the required truth values. We then define signals as functions over time and briefly discuss set-based reachability analysis of hybrid systems. Finally, we recapitulate the syntax and Boolean semantics of STL before providing our problem statement.

2.1 Intervals

We work with intervals over \(\mathbb {R}\), admitting \(\infty \) and \(-\infty \) as endpoints if the interval is open. The left-closure \({{\,\textrm{cl}\,}}_\texttt{l}(I)\) of an interval I always includes its left endpoint, except if the endpoint is infinite (e.g., \({{\,\textrm{cl}\,}}_\texttt{l}((a, b]) = [a, b]\) if \(a \ne -\infty \)). Analogously, the right-closure \({{\,\textrm{cl}\,}}_\texttt{r}(I)\) always includes the right endpoint.

For sets \(\mathcal {A}\) and \(\mathcal {B}\), their Minkowski sum \(\mathcal {A} \oplus \mathcal {B}\) is \(\{ a + b \mid a \in \mathcal {A}, b \in \mathcal {B} \}\). We will write \(a \oplus \mathcal {B}\) instead of \(\{ a \} \oplus \mathcal {B}\). We also use \(\mathcal {A} \oplus (-\mathcal {B})\) for back shifting [26], where \(-\mathcal {B} := \{ -b \mid b \in \mathcal {B} \}\). If \(\mathcal {A}\) and \(\mathcal {B}\) are intervals, so are \(\mathcal {A} \oplus \mathcal {B}\) and \(-\mathcal {B}\).

2.2 Truth Values

We use the values \(\mathbb {B}:= \{ \top , \bot \}\) to denote truth \(\top \) and falsehood \(\bot \). By extending the semantics of the usual Boolean connectives to handle a third value \({\dashv _{1}}\) denoting unknown, we can indicate that a statement could be true or false. This results in a three-valued propositional logic, such as that of Kleene [23]. For uncertainty arising from incremental computations, we add a fourth value \({\dashv _{2}}\) to denote inconclusive, indicating that the statement is either true, false, or unknown. In other words, \({\dashv _{1}}\) means “we know that we don’t know,” while \({\dashv _{2}}\) means “we don’t know whether we don’t know.” We define the sets of truth values \(\mathbb {U}_{1} := \mathbb {B}\cup \{ {\dashv _{1}} \}\) and \(\mathbb {U}_{2} := \mathbb {U}_{1} \cup \{ {\dashv _{2}} \}\). Moreover, we introduce the truth order \(\sqsubseteq _\texttt{t} \), where \(v \sqsubseteq _\texttt{t} v'\) for \(v, v' \in \mathbb {U}_{2}\) means that v is “less true” than \(v'\). Thus, we define \(\bot \sqsubseteq _\texttt{t} {\dashv _{1}} \sqsubseteq _\texttt{t} \top \) and \(\bot \sqsubseteq _\texttt{t} {\dashv _{2}} \sqsubseteq _\texttt{t} \top \); \({\dashv _{1}}\) and \({\dashv _{2}}\) are incomparable.

2.3 Signals

Let us fix \(\mathbb {R}_{\ge 0}\) as our time domain. A signal over the domain \(\mathcal {D}\), or \(\mathcal {D}\)-signal for short, is a function \(\sigma : \mathbb {R}_{\ge 0}\rightarrow \mathcal {D}\). A partial \(\mathcal {D}\)-signal \(\tilde{\sigma } : \mathcal {T} \rightarrow \mathcal {D}\) is only defined over a subset \(\mathcal {T} \subseteq \mathbb {R}_{\ge 0}\) of the time domain. We refer to signals over \(\mathbb {B}\), \(\mathbb {U}_{1}\), and \(\mathbb {U}_{2}\) as logical signals; in particular, Boolean signals are logical signals over \(\mathbb {B}\). We adopt the following naming convention for logical signals: \(\lambda \) indicates Boolean signals, \(\varLambda \) indicates \(\mathbb {U}_{1}\)-signals, and \(\tilde{\varLambda }\) indicates \(\mathbb {U}_{2}\)-signals.

Fig. 1 (figure not reproduced). A Boolean signal \(\lambda \) and its unitary decomposition \(\{ \lambda _1, \lambda _2 \}\)

A Boolean signal \(\lambda \) is unitary if there is one contiguous interval \(I^+_{\lambda } \subseteq \mathbb {R}_{\ge 0}\) such that \(\lambda (t) = \top \) for all \(t \in I^+_{\lambda }\) and \(\lambda (t) = \bot \) everywhere else [26]. Every Boolean signal can be represented as a disjunction of unitary signals, as shown in Fig. 1 [26]. In this work, we require this unitary decomposition to be minimal, i.e., the number of involved unitary signals must be minimal.

2.4 Reachability Analysis of Hybrid Systems

The literature provides numerous methods for describing hybrid systems. Our verification method is independent of the chosen description method as long as the system model is amenable to set-based reachability analysis (see [4] for an overview). Given the mixed continuous and discrete state space \(\mathcal {X}\) of the hybrid system \(\mathcal {H}\), an execution of \(\mathcal {H}\) is a signal \(\xi : \mathbb {R}_{\ge 0}\rightarrow \mathcal {X}\).

We are interested in the reachable set of the system \(\mathcal {H}\), i.e., the set of all states that are part of at least one execution of \(\mathcal {H}\). Formally, the reachable set of \(\mathcal {H}\) is a signal \(\mathcal {R} : \mathbb {R}_{\ge 0}\rightarrow 2^{\mathcal {X}}\) given by

$$\begin{aligned} \mathcal {R}(t) := \{ \xi (t) \mid \xi \text { is an execution of } \mathcal {H} \}. \end{aligned}$$

Since determining the exact reachable set is often computationally infeasible, tools like CORA [2], JuliaReach [11], and SpaceEx [18] typically return a discrete-time overapproximation when performing reachability analysis. To this end, they represent \(\mathcal {R}\) as a sequence of sets so that the set \(\mathcal {R}_I\) for the time interval I subsumes \(\bigcup _{t \in I} \mathcal {R}(t)\). Our verification algorithm assumes that this sequence is incrementally computed for consecutive time intervals, as is the case with the tools mentioned. To handle Taylor model representations (e.g., as used by Flow* [14]), a preprocessing step would be required to obtain a sequence of sets.

2.5 Signal Temporal Logic with Boolean Semantics

Suppose \(\mathcal{A}\mathcal{P}\) is a fixed set of atomic predicates, where each predicate is a function \(a : \mathcal {X}\rightarrow \mathbb {B}\). An STL formula \(\varphi \) over \(\mathcal{A}\mathcal{P}\) is constructed according to the grammar

$$\begin{aligned} \varphi ::= true \mid a \mid \lnot \varphi \mid \varphi _1 \wedge \varphi _2 \mid \varphi _1 {{\,\mathrm{\textbf{U}}\,}}_I \varphi _2, \end{aligned}$$

where \(a \in \mathcal{A}\mathcal{P}\) and I is an interval over \(\mathbb {R}_{\ge 0}\) with rational endpoints [26]. We use the common abbreviations \(\varphi _1 \vee \varphi _2 := \lnot (\lnot \varphi _1 \wedge \lnot \varphi _2)\), \({{\,\mathrm{\textbf{F}}\,}}_I \varphi := true {{\,\mathrm{\textbf{U}}\,}}_I \varphi \) (finally), and \({{\,\mathrm{\textbf{G}}\,}}_I \varphi := \lnot {{\,\mathrm{\textbf{F}}\,}}_I \lnot \varphi \) (globally). Note that we define \( true \) as basic syntax rather than introducing it as an abbreviation for \(a \vee \lnot a\), because the law of excluded middle does not transfer well to the four-valued semantics we define later.

In Boolean semantics, an STL formula \(\varphi \) is interpreted over an execution \(\xi : \mathbb {R}_{\ge 0}\rightarrow \mathcal {X}\) to obtain a yes-or-no answer whether \(\xi \) satisfies \(\varphi \) [26, 27]. We define the Boolean satisfaction signal \(\llbracket \varphi \rrbracket _{\xi } : \mathbb {R}_{\ge 0}\rightarrow \mathbb {B}\) of \(\varphi \) over \(\xi \) inductively as

$$\begin{aligned} \llbracket true \rrbracket _{\xi }(t) &:= \top , \\ \llbracket a \rrbracket _{\xi }(t) &:= a(\xi (t)), \\ \llbracket \lnot \varphi \rrbracket _{\xi }(t) &:= \lnot \llbracket \varphi \rrbracket _{\xi }(t), \\ \llbracket \varphi _1 \wedge \varphi _2 \rrbracket _{\xi }(t) &:= \llbracket \varphi _1 \rrbracket _{\xi }(t) \wedge \llbracket \varphi _2 \rrbracket _{\xi }(t), \\ \llbracket \varphi _1 {{\,\mathrm{\textbf{U}}\,}}_I \varphi _2 \rrbracket _{\xi }(t) &:= {\left\{ \begin{array}{ll} \top &{} \begin{aligned} &{}\text {if } \exists t' \in t \oplus I : \llbracket \varphi _2 \rrbracket _{\xi }(t') = \top \\ &{}\quad \quad \text {and } \forall t'' \in (t, t') : \llbracket \varphi _1 \rrbracket _{\xi }(t'') = \top \end{aligned} \\ \bot &{} \text {otherwise} \end{array}\right. }, \end{aligned}$$

where \(a \in \mathcal{A}\mathcal{P}\). The value of the satisfaction signal at time t indicates whether \(\varphi \) holds at t. Thus, an execution \(\xi \) satisfies \(\varphi \), denoted by \(\xi \models \varphi \), if and only if \(\llbracket \varphi \rrbracket _{\xi }(0) = \top \). A hybrid system \(\mathcal {H}\) satisfies \(\varphi \), written as \(\mathcal {H} \models \varphi \), if \(\xi \models \varphi \) for all executions \(\xi \) of \(\mathcal {H}\). Note that we use the strict until semantics from [27], which does not require \(\varphi _1\) to hold at t or \(t'\), unlike the version in [26, 35]. This semantics is more expressive, as we can recover the until from [26, 35] as \(\varphi _1 \wedge \varphi _1 {{\,\mathrm{\textbf{U}}\,}}_I (\varphi _1 \wedge \varphi _2)\).

To exclude Zeno behavior, we limit ourselves to executions \(\xi \) such that, for all \(a \in \mathcal{A}\mathcal{P}\), the Boolean signal given by point-wise application of a to \(\xi \) is of finite variability. That is, it changes its value only a finite number of times in any finite time interval [6, Sect. 2.3.5]. This is a common assumption in related work [17, 26, 27, 35], albeit not always under this name; we refer the reader to [26, Sect. 4] and [27, Sect. 4] for a discussion.

2.6 Problem Statement

Given an STL formula \(\varphi \) and a hybrid system \(\mathcal {H}\), we want to determine whether \(\mathcal {H} \models \varphi \) based on the reachable set of \(\mathcal {H}\). As reachability analysis is often incremental, we need to interpret \(\varphi \) over a reachable set that is only known for some time intervals to form a preliminary verification verdict. Formally, this means we want to define and compute a \(\mathbb {U}_{2}\)-satisfaction signal \(\llbracket \varphi \rrbracket _{\tilde{\mathcal {R}}} : \mathbb {R}_{\ge 0}\rightarrow \mathbb {U}_{2}\) over a partial reachable set \(\tilde{\mathcal {R}} : \mathcal {T} \rightarrow 2^{\mathcal {X}}\), where \(\mathcal {T} \subseteq \mathbb {R}_{\ge 0}\). If our preliminary verdict is inconclusive due to partial knowledge of the reachable set, we aim to efficiently update our verdict as soon as more information becomes available. If the final verdict turns out to be \({\dashv _{1}}\), we need to refine our overapproximation of the reachable set to verify or falsify the specification.

This paper focuses on the four-valued semantics and the efficient update of the preliminary verdict. We only briefly discuss refinements of the overapproximation, as this often amounts to tuning the parameters of the reachability analysis. Moreover, it is a common step in verification approaches based on reachable sets [22, 32, 35]. An automatic refinement technique for the reachset temporal logic approach [32] is presented in [24].

3 Basic Idea and Solution Concept

As a motivating example, consider the intentionally simple dynamical system given by the differential equation \(\dot{x} = u\), where the input u lies somewhere in [0.9, 1.1] and initially \(x \in [-0.5, 0.5]\). Suppose we want to verify that x eventually becomes larger than 1 within the next five seconds, which we formalize in STL as \(\varphi := {{\,\mathrm{\textbf{F}}\,}}_{[0, 5]} x > 1\). To this end, we exploit that the reachable set \(\mathcal {R}\) of our system encloses all executions of the system. Thus, if we can prove that there exists a \(t \in [0, 5]\) such that \(x > 1\) for all states \(x \in \mathcal {R}(t)\), we have shown \(\varphi \) for all executions of our system.

Fig. 2 (figure not reproduced). Reachable set \(\tilde{\mathcal {R}}\) and \(\mathbb {U}_{2}\)-satisfaction signals of \(x > 1\) and \({{\,\mathrm{\textbf{F}}\,}}_{[0, 5]} x > 1\) for the simple example system after reachability analysis for up to 1 s (left) and 1.8 s (right)

Recall that the reachable set is usually computed incrementally for consecutive time intervals. We are thus dealing with a partial reachable set \(\tilde{\mathcal {R}}\), which is only determined for a subset of the time domain. For example, a reachability algorithm might first compute the reachable set for up to 1 s (top left in Fig. 2) and then continue to determine the reachable set in the next 0.8 s (top right).

If we are able to interpret our specification \(\varphi \) over such partial reachable sets, we can re-evaluate its satisfaction with every newly determined time interval and terminate the algorithm once we obtain a conclusive result. To this end, we derive a set-based version \(\hat{a} : 2^{\mathcal {X}} \rightarrow \mathbb {U}_{1}\) of every atomic predicate \(a \in \mathcal{A}\mathcal{P}\) so that

$$\begin{aligned} \hat{a}(\mathcal {X}') := {\left\{ \begin{array}{ll} \top &{} \text {if } \mathcal {X}' \ne \emptyset \text { and } \mathcal {X}' \subseteq \llbracket a \rrbracket \\ \bot &{} \text {if } \mathcal {X}' \ne \emptyset \text { and } \mathcal {X}' \cap \llbracket a \rrbracket = \emptyset \\ {\dashv _{1}} &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

for \(\mathcal {X}' \subseteq \mathcal {X}\), where \(\llbracket a \rrbracket := \{ x \in \mathcal {X} \mid a(x) = \top \}\) denotes the set of states satisfying a. This enables us to construct a \(\mathbb {U}_{2}\)-satisfaction signal for atomic predicates over \(\tilde{\mathcal {R}}\) by assigning \({\dashv _{2}}\) at times where the reachable set has not yet been determined. As shown in the second row of Fig. 2, this signal becomes \({\dashv _{1}}\) as soon as the reachable set starts intersecting with our atomic predicate and changes to \(\top \) once it lies fully inside. Thus, \({\dashv _{1}}\) means that we do not know whether a predicate is true or false since the reachable set contains satisfying and violating states; \({\dashv _{2}}\) means that we do not know as we have not yet computed the set for this time.

Now that we have satisfaction signals for the atomic predicates, it remains to combine them in order to obtain satisfaction signals for compound formulas. For this, we develop operators that preserve the intended meaning of our two uncertain values \({\dashv _{1}}\) and \({\dashv _{2}}\) in Sect. 4. The third row of Fig. 2 shows the resulting satisfaction signal \(\llbracket \varphi \rrbracket _{\tilde{\mathcal {R}}}\) for our example specification: After reachability analysis for up to 1 s, the verification verdict is inconclusive, since \(\llbracket \varphi \rrbracket _{\tilde{\mathcal {R}}}(0) = {\dashv _{2}}\). Once we update the satisfaction signal to incorporate information about the next 0.8 s, we can verify that \(\varphi \) holds and terminate early. In Sect. 5, we use ideas of the incremental marking procedure [27] to perform this update efficiently.

Fig. 3 (figure not reproduced). Evaluating \({\dashv _{1}} \wedge {\dashv _{2}}\) in \(\mathbb {U}_{2}\)-semantics: On the way down, we under- and overapproximate the input values with respect to the truth order by replacing the uncertain value of the current layer with \(\bot \) and \(\top \). In the Boolean layer, we evaluate the conjunction as usual. To move back up, we check whether the results for both approximations agree, and assign the appropriate uncertain value if this is not the case.

4 Four-Valued Signal Temporal Logic

To compute the \(\mathbb {U}_{2}\)-satisfaction signal for an STL formula \(\varphi \) with respect to a partial reachable set, we proceed by structural recursion on \(\varphi \). The base case for \( true \) is clear, and we treat atomic predicates as described in Sect. 3. For compound formulas, i.e., negation, conjunction, and until, we combine the recursively computed satisfaction signals of their subformulas using suitable operators on signals. Instead of defining these operators directly on \(\mathbb {U}_{2}\)-signals, we under- and overapproximate a \(\mathbb {U}_{2}\)-signal using \(\mathbb {U}_{1}\)-signals. Similarly, we represent \(\mathbb {U}_{1}\)-signals by Boolean signals. Utilizing this representation, we can use the negation, conjunction, and until operators defined for Boolean signals to combine \(\mathbb {U}_{2}\)-satisfaction signals. Figure 3 shows this concept simplified to the propositional case, in which we are dealing with truth values instead of logical signals.
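The following Python script is an added example, not code from the paper or its prototype. It works through the motivating system of Sect. 3 (\(\dot{x} = u\), \(u \in [0.9, 1.1]\), \(x(0) \in [-0.5, 0.5]\)) with the layered evaluation that the caption of Fig. 3 describes: the set-based predicate \(\hat{a}\) for \(x > c\) is evaluated on an interval reachable set, \({\dashv _{2}}\) is assigned to time steps that reachability analysis has not covered yet, and compound formulas are evaluated by replacing first \({\dashv _{2}}\) and then \({\dashv _{1}}\) with \(\bot \) and \(\top \). Two things are our assumptions: a constructed time step of 0.1 s with the exact interval reachable set of this particular system, and treating \({{\,\mathrm{\textbf{F}}\,}}_{[0, 5]}\) at time 0 as a disjunction over the time steps inside [0, 5] (a discretised stand-in for the signal-based operators of Sect. 4).

```python
from enum import Enum
from fractions import Fraction
from typing import Callable, List


class V(Enum):
    """The truth values of U_2 (Sect. 2.2)."""
    TOP = "⊤"
    BOT = "⊥"
    UNK = "⊣1"  # unknown: the set contains satisfying and violating states
    INC = "⊣2"  # inconclusive: reachable set not yet computed for this time


DT = Fraction(1, 10)  # constructed time step of 0.1 s (our assumption, not from the paper)


def reach_interval(k: int):
    """Exact reachable set of x' = u, u in [0.9, 1.1], x(0) in [-0.5, 0.5] over the
    time step [k*DT, (k+1)*DT]: the lower bound grows at rate 0.9, the upper at 1.1."""
    lo = Fraction(-1, 2) + Fraction(9, 10) * k * DT
    hi = Fraction(1, 2) + Fraction(11, 10) * (k + 1) * DT
    return lo, hi


def set_pred_gt(lo: Fraction, hi: Fraction, c: Fraction) -> V:
    """Set-based predicate \\hat{a} for a = (x > c) on the non-empty interval [lo, hi] (Sect. 3)."""
    if lo > c:
        return V.TOP  # every reachable state satisfies x > c
    if hi <= c:
        return V.BOT  # no reachable state does
    return V.UNK      # the interval straddles the threshold


def atomic_signal(c, horizon_steps: int, total_steps: int) -> List[V]:
    """U_2-satisfaction signal of x > c, one value per time step; INC for the steps
    beyond the horizon that reachability analysis has covered so far."""
    c = Fraction(str(c))
    return [set_pred_gt(*reach_interval(k), c) if k < horizon_steps else V.INC
            for k in range(total_steps)]


def eval_monotone(op: Callable[[List[bool]], bool], values: List[V]) -> V:
    """Evaluate a monotone Boolean operator on U_2 values as in Fig. 3: replace the
    uncertain value of the current layer by ⊥ (under-) and ⊤ (overapproximation),
    evaluate one layer below, and keep the uncertain value if the results disagree."""
    def eval3(vals: List[V]) -> V:
        under = op([v is V.TOP for v in vals])      # ⌊·⌋: ⊣1 -> ⊥
        over = op([v is not V.BOT for v in vals])   # ⌈·⌉: ⊣1 -> ⊤
        if under == over:
            return V.TOP if under else V.BOT
        return V.UNK

    under = eval3([V.BOT if v is V.INC else v for v in values])  # ⊣2 -> ⊥
    over = eval3([V.TOP if v is V.INC else v for v in values])   # ⊣2 -> ⊤
    return under if under == over else V.INC


def conj(values: List[V]) -> V:
    return eval_monotone(all, values)


def disj(values: List[V]) -> V:
    return eval_monotone(any, values)


def neg(v: V) -> V:
    """Negation is antitone, so the roles of the two approximations swap; the net
    effect is that ⊤ and ⊥ are flipped and both uncertain values are preserved."""
    return {V.TOP: V.BOT, V.BOT: V.TOP}.get(v, v)


def verdict_finally(c, horizon_s) -> V:
    """Verdict for F_[0,5] (x > c) at time 0 once the reachable set is known up to
    horizon_s seconds. Our simplification: finally at time 0 becomes the disjunction
    over the time steps inside [0, 5]."""
    total = int(Fraction(5) / DT)
    horizon = int(Fraction(str(horizon_s)) / DT)
    return disj(atomic_signal(c, horizon, total))


if __name__ == "__main__":
    for h in ("1", "1.8"):
        print(f"F_[0,5] x > 1 after {h} s:", verdict_finally("1", h).value)
```

Running it reproduces the two verdicts of Fig. 2: after 1 s the verdict is \({\dashv _{2}}\) (some steps are \({\dashv _{1}}\), none is \(\top \), and later steps are unknown), after 1.8 s a step whose whole interval lies above 1 appears and the verdict becomes \(\top \). The conjunction from Fig. 3 evaluates to \({\dashv _{2}}\), and a threshold the reachable set only straddles within the horizon (`verdict_finally("5.5", "5")`) ends in \({\dashv _{1}}\), the case where the overapproximation would have to be refined.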

4.1 Computing Boolean Satisfaction Signals

To define the operators for combining Boolean satisfaction signals, we closely follow the procedure from [27]. For negation and conjunction, we lift \(\lnot \) and \(\wedge \) from Boolean values to Boolean signals by point-wise application [27, Sect. 3.1.1]. Unlike [27], we handle until directly instead of expressing it as a combination of untimed until and timed finally, thus avoiding the rather involved specification rewriting of [27, Lemma 1]. To this end, we adapt the method from [26, Sect. 3] for arbitrary intervals and strict semantics.

We first define an until operator that works only for unitary Boolean signals and generalize it later using the unitary decomposition. Unitary signals have the helpful property that \(\lambda (t) = \top = \lambda (t')\) for times \(t \le t'\) implies \(\lambda (t'') = \top \) for all \(t'' \in [t, t']\). Given unitary signals \(\lambda _1, \lambda _2\) and an interval I over \(\mathbb {R}_{\ge 0}\), we define the unitary until \({{\,\mathrm{\overline{{{\,\mathrm{\textbf{U}}\,}}}}\,}}_I\) so that \((\lambda _1 {{\,\mathrm{\overline{{{\,\mathrm{\textbf{U}}\,}}}}\,}}_{I} \lambda _2)(t) = \top \) if and only if \(t \in I_1 \cup I_2\), where

$$\begin{aligned} I_1 := \left[ \left( I^+_{\lambda _2} \cap {{\,\textrm{cl}\,}}_\texttt{r}(I^+_{\lambda _1}) \right) \oplus (-(I \setminus \{ 0 \})) \right] \cap {{\,\textrm{cl}\,}}_\texttt{l}(I^+_{\lambda _1}), \! {} & {} I_2 := {\left\{ \begin{array}{ll} I^+_{\lambda _2} &{} \text {if } 0 \in I \\ \emptyset &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$
(1)

Here, \(I \setminus \{ 0 \}\) is always an interval, since \(I \subseteq \mathbb {R}_{\ge 0}= [0, \infty )\). We prove that \({{\,\mathrm{\overline{{{\,\mathrm{\textbf{U}}\,}}}}\,}}_I\) implements the until semantics for unitary signals.

Lemma 1

Suppose \(\lambda _1\) and \(\lambda _2\) are unitary Boolean signals, and I is an interval over \(\mathbb {R}_{\ge 0}\). For all \(t \in \mathbb {R}_{\ge 0}\), we have

$$\begin{aligned} (\lambda _1 {{\,\mathrm{\overline{{{\,\mathrm{\textbf{U}}\,}}}}\,}}_{I} \lambda _2)(t) = {\left\{ \begin{array}{ll} \top &{} \text {if } \exists t' \in t \oplus I : \lambda _2(t') = \top \text { and } \forall t'' \in (t, t') : \lambda _1(t'') = \top \\ \bot &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$

Proof

Let \(I_1\) and \(I_2\) be given as in (1) so that \((\lambda _1 {{\,\mathrm{\overline{{{\,\mathrm{\textbf{U}}\,}}}}\,}}_{I} \lambda _2)(t) = \top \) if and only if \(t \in I_1 \cup I_2\). For an arbitrary \(t \in \mathbb {R}_{\ge 0}\), we first prove that \(I_1\) treats the case \(t' > t\):

$$\begin{aligned} t \in I_1 &\iff t \in \left[ \left( I^+_{\lambda _2} \cap {{\,\textrm{cl}\,}}_\texttt{r}(I^+_{\lambda _1}) \right) \oplus (-(I \setminus \{ 0 \})) \right] \cap {{\,\textrm{cl}\,}}_\texttt{l}(I^+_{\lambda _1}) \\ &\iff \exists t' \in t \oplus (I \setminus \{ 0 \}) : t' \in I^+_{\lambda _2} \text { and } t' \in {{\,\textrm{cl}\,}}_\texttt{r}(I^+_{\lambda _1}) \text { and } t \in {{\,\textrm{cl}\,}}_\texttt{l}(I^+_{\lambda _1}) \\ &\iff \exists t' \in t \oplus (I \setminus \{ 0 \}) : \lambda _2(t') = \top \text { and } \forall t'' \in (t, t') : \lambda _1(t'') = \top . \end{aligned}$$

For the second step, observe that \(\mathcal {A} \oplus (-\mathcal {B}) = \{ x \mid \exists a \in x \oplus \mathcal {B} : a \in \mathcal {A} \}\). The last equivalence uses that \(\lambda _1\) is unitary: If \(\lambda _1\) is \(\top \) both immediately after t, i.e., \(t \in {{\,\textrm{cl}\,}}_\texttt{l}(I^+_{\lambda _1})\), and immediately before \(t'\), i.e., \(t' \in {{\,\textrm{cl}\,}}_\texttt{r}(I^+_{\lambda _1})\), the signal must also be \(\top \) throughout \((t, t')\), since \(I^+_{\lambda _1}\) is contiguous. For the converse, note that \(\emptyset \subsetneq (t, t') \subseteq I^+_{\lambda _1}\) implies \(t \in {{\,\textrm{cl}\,}}_\texttt{l}(I^+_{\lambda _1})\) and \(t' \in {{\,\textrm{cl}\,}}_\texttt{r}(I^+_{\lambda _1})\). If \(0 \notin I\), we are done, as \(I = I \setminus \{ 0 \}\) and \(I_2 = \emptyset \). Otherwise, \(I_2\) handles the case \(t' = t\), where \(t \oplus \{ 0 \} = \{ t \}\) and the universal quantifier is vacuously satisfied:

$$\begin{aligned} t \in I_2 &\iff t \in I^+_{\lambda _2} \\ &\iff \lambda _2(t) = \top \\ &\iff \exists t' \in t \oplus \{ 0 \} : \lambda _2(t') = \top \text { and } \forall t'' \in (t, t') : \lambda _1(t'') = \top .\quad \;\;\qquad \qquad \square \end{aligned}$$

Using that all Boolean signals admit a unitary decomposition, we generalize \({{\,\mathrm{\overline{{{\,\mathrm{\textbf{U}}\,}}}}\,}}_I\) to Boolean signals \(\lambda _1\) and \(\lambda _2\) that are not necessarily unitary. We define

$$\begin{aligned} (\lambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \lambda _2)(t) := \bigvee _{1 \le i \le n_1} \bigvee _{1 \le j \le n_2} (\lambda _{1, i} {{\,\mathrm{\overline{{{\,\mathrm{\textbf{U}}\,}}}}\,}}_{I} \lambda _{2, j})(t), \end{aligned}$$

where \(t \in \mathbb {R}_{\ge 0}\) and \(\{ \lambda _{k, 1}, \dots , \lambda _{k, n_k} \}\) is the unitary decomposition of \(\lambda _k\) for \(k \in \{ 1, 2 \}\). We prove that this is a general implementation of the until semantics.

Lemma 2

Let \(\lambda _1\) and \(\lambda _2\) be Boolean signals and I be an interval over \(\mathbb {R}_{\ge 0}\). For all \(t \in \mathbb {R}_{\ge 0}\), we have

$$\begin{aligned} (\lambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \lambda _2)(t) = {\left\{ \begin{array}{ll} \top &{}\text {if } \exists t' \in t \oplus I : \lambda _2(t') = \top \text { and } \forall t'' \in (t, t') : \lambda _1(t'') = \top \\ \bot &{} \text {otherwise} \end{array}\right. }. \end{aligned}$$

In particular, we obtain \(\llbracket \varphi _1 {{\,\mathrm{\textbf{U}}\,}}_I \varphi _2 \rrbracket _{\xi } = \llbracket \varphi _1 \rrbracket _{\xi } {{\,\mathrm{\textbf{U}}\,}}_{I} \llbracket \varphi _2 \rrbracket _{\xi }\).

Proof

Observe that the second statement is a specialization of the first by the Boolean semantics of STL. Let \(t \in \mathbb {R}_{\ge 0}\) be arbitrary. If \((\lambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \lambda _2)(t) = \top \), there must be i and j so that \((\lambda _{1, i} {{\,\mathrm{\overline{{{\,\mathrm{\textbf{U}}\,}}}}\,}}_{I} \lambda _{2, j})(t) = \top \), and we can immediately conclude with Lemma 1. Conversely, let \(t' \in t \oplus I\) so that \(\lambda _2(t') = \top \) and \(\lambda _1(t'') = \top \) for all \(t'' \in (t, t')\). Since \(\lambda _2(t') = \top \), there exists j such that \(\lambda _{2, j}(t') = \top \). As the unitary decomposition of \(\lambda _1\) is minimal, the union of two or more of the \(I^+_{\lambda _{1, i}}\) cannot yield a contiguous interval (otherwise, we could merge them for a smaller decomposition). Hence, there exists i such that \((t, t') \subseteq I^+_{\lambda _{1, i}}\), or, in other words, \(\lambda _{1, i}(t'') = \top \) for all \(t'' \in (t, t')\). Applying Lemma 1 again concludes the proof.    \(\square \)

4.2 Computing Three-Valued Satisfaction Signals

To compute the \(\mathbb {U}_{1}\)-satisfaction signal of an STL formula over a reachable set, we represent \(\mathbb {U}_{1}\)-signals using Boolean signals and then reuse the techniques from Sect. 4.1. Recall from Sect. 2.2 that \({\dashv _{1}}\) means that we do not know whether a statement is true or false. Thus, every \(\mathbb {U}_{1}\)-signal \(\varLambda \) induces a set of Boolean signals, called refinements of \(\varLambda \), in which the occurrences of \({\dashv _{1}}\) are replaced with \(\top \) or \(\bot \). Formally, a Boolean signal \(\lambda \) refines \(\varLambda \), denoted as \(\lambda \prec \varLambda \), if \(\varLambda (t) \ne {\dashv _{1}}\) implies \(\lambda (t) = \varLambda (t)\) for all \(t \in \mathbb {R}_{\ge 0}\). Since the set of refinements is unique for each \(\mathbb {U}_{1}\)-signal \(\varLambda \), we use it to represent \(\varLambda \). We argue that the two special refinements

$$\begin{aligned} \lfloor \varLambda \rfloor (t) := {\left\{ \begin{array}{ll} \bot &{} \text {if } \varLambda (t) = {\dashv _{1}} \\ \varLambda (t) &{} \text {otherwise} \end{array}\right. } {} & {} \text {and} {} & {} \lceil \varLambda \rceil (t) := {\left\{ \begin{array}{ll} \top &{} \text {if } \varLambda (t) = {\dashv _{1}} \\ \varLambda (t) &{} \text {otherwise} \end{array}\right. } \end{aligned}$$

adequately characterize this set. Lifting the truth order \(\sqsubseteq _\texttt{t} \) to a partial order on logical signals by point-wise application, we find that the Boolean signal \(\lambda \) refines \(\varLambda \) if and only if \(\lfloor \varLambda \rfloor \sqsubseteq _\texttt{t} \lambda \sqsubseteq _\texttt{t} \lceil \varLambda \rceil \). Hence, \(\lfloor \varLambda \rfloor \) underapproximates the refinements of \(\varLambda \), while \(\lceil \varLambda \rceil \) overapproximates them. We can recover \(\varLambda (t)\) as \(\lfloor \varLambda \rfloor (t) \sqcup _{1} \lceil \varLambda \rceil (t)\), where \(v \sqcup _{1} v'\) with \(v, v' \in \mathbb {B}\) yields v if \(v = v'\) and \({\dashv _{1}}\) otherwise.

The operator \({{\,\mathrm{\textbf{U}}\,}}_I\) on Boolean signals is monotone, i.e., we have \(\lambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \lambda _2 \sqsubseteq _\texttt{t} \lambda '_1 {{\,\mathrm{\textbf{U}}\,}}_{I} \lambda '_2\) given that \(\lambda _i \sqsubseteq _\texttt{t} \lambda '_i\) for \(i \in \{ 1, 2 \}\). Intuitively, this means that if we set the inputs to \(\top \) at more time points, the output signal will also be \(\top \) more often. Thus, \(\lfloor \varLambda _1 \rfloor {{\,\mathrm{\textbf{U}}\,}}_{I} \lfloor \varLambda _2 \rfloor \) is a faithful underapproximation of \(\lambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \lambda _2\), given that \(\lambda _i \prec \varLambda _i\) for \(i \in \{ 1, 2 \}\). Similarly, \(\lceil \varLambda _1 \rceil {{\,\mathrm{\textbf{U}}\,}}_{I} \lceil \varLambda _2 \rceil \) is an overapproximation. Figure 4 visualizes this for a derived finally operator \({{\,\mathrm{\textbf{F}}\,}}_I \lambda := \lambda _\top {{\,\mathrm{\textbf{U}}\,}}_{I} \lambda \), where \(\lambda _\top \) is \(\top \) everywhere. To show monotonicity of \({{\,\mathrm{\textbf{U}}\,}}_I\), we apply Lemma 2 and use that \(\lambda _i(t) = \top \) implies \(\lambda '_i(t) = \top \). The operator \(\wedge \) is also monotone. In contrast, \(\lnot \) is antitone, i.e., \(\lambda \sqsubseteq _\texttt{t} \lambda '\) implies \(\lnot \lambda ' \sqsubseteq _\texttt{t} \lnot \lambda \). So, \(\lnot \lceil \varLambda \rceil \) is an underapproximation, while \(\lnot \lfloor \varLambda \rfloor \) is an overapproximation. We define the operators \(\lnot \), \(\wedge \), and \({{\,\mathrm{\textbf{U}}\,}}_I\) on \(\mathbb {U}_{1}\)-signals such that they recover a \(\mathbb {U}_{1}\)-signal from these over- and underapproximations:

$$\begin{aligned} (\lnot \varLambda )(t) &:= (\lnot \lfloor \varLambda \rfloor )(t) \sqcup _{1} (\lnot \lceil \varLambda \rceil )(t), \\ (\varLambda _1 \wedge \varLambda _2)(t) &:= (\lfloor \varLambda _1 \rfloor \wedge \lfloor \varLambda _2 \rfloor )(t) \sqcup _{1} (\lceil \varLambda _1 \rceil \wedge \lceil \varLambda _2 \rceil )(t), \\ (\varLambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \varLambda _2)(t) &:= (\lfloor \varLambda _1 \rfloor {{\,\mathrm{\textbf{U}}\,}}_{I} \lfloor \varLambda _2 \rfloor )(t) \sqcup _{1} (\lceil \varLambda _1 \rceil {{\,\mathrm{\textbf{U}}\,}}_{I} \lceil \varLambda _2 \rceil )(t). \end{aligned}$$
Fig. 4. Top: All refinements \(\lambda \) of a \(\mathbb {U}_{1}\)-signal \(\varLambda \) lie between the underapproximation \(\lfloor \varLambda \rfloor \) and the overapproximation \(\lceil \varLambda \rceil \). Bottom: After applying the monotone finally operator to all three Boolean signals, the refinement is still between the approximations. We omit the markers at the jumps, as they are irrelevant to the point of this example.

Finally, we define the \(\mathbb {U}_{1}\)-satisfaction signal \(\llbracket \varphi \rrbracket _{\mathcal {R}} : \mathbb {R}_{\ge 0}\rightarrow \mathbb {U}_{1}\) of an STL formula \(\varphi \) with respect to a reachable set \(\mathcal {R} : \mathbb {R}_{\ge 0}\rightarrow 2^{\mathcal {X}}\) using our operators. For all \(t \in \mathbb {R}_{\ge 0}\), we define

$$\begin{aligned} \llbracket true \rrbracket _{\mathcal {R}}(t) := \top {} & {} \text {and} {} & {} \llbracket a \rrbracket _{\mathcal {R}}(t) := \hat{a}(\mathcal {R}(t)), \end{aligned}$$

where \(a \in \mathcal{A}\mathcal{P}\) and \(\hat{a}\) is defined as in Sect. 3. Moreover, we define

$$\begin{aligned} \llbracket \lnot \varphi \rrbracket _{\mathcal {R}} &:= \lnot \llbracket \varphi \rrbracket _{\mathcal {R}}, \\ \llbracket \varphi _1 \wedge \varphi _2 \rrbracket _{\mathcal {R}} &:= \llbracket \varphi _1 \rrbracket _{\mathcal {R}} \wedge \llbracket \varphi _2 \rrbracket _{\mathcal {R}}, \\ \llbracket \varphi _1 {{\,\mathrm{\textbf{U}}\,}}_I \varphi _2 \rrbracket _{\mathcal {R}} &:= \llbracket \varphi _1 \rrbracket _{\mathcal {R}} {{\,\mathrm{\textbf{U}}\,}}_{I} \llbracket \varphi _2 \rrbracket _{\mathcal {R}}. \end{aligned}$$

To relate this to the Boolean semantics, we show that \(\llbracket \varphi \rrbracket _{\xi }\) refines \(\llbracket \varphi \rrbracket _{\mathcal {R}}\), if \(\mathcal {R}\) covers the execution \(\xi \). We say a reachable set \(\mathcal {R}\) covers an execution \(\xi \), denoted as \(\xi \prec \mathcal {R}\), if \(\xi (t) \in \mathcal {R}(t)\) for all \(t \in \mathbb {R}_{\ge 0}\).

Theorem 1

Suppose \(\mathcal {R}\) is a reachable set and \(\varphi \) an STL formula. For every execution \(\xi \) covered by \(\mathcal {R}\), we have \(\llbracket \varphi \rrbracket _{\xi } \prec \llbracket \varphi \rrbracket _{\mathcal {R}}\). In other words, if \(\llbracket \varphi \rrbracket _{\mathcal {R}}(t) = v\), we have \(\llbracket \varphi \rrbracket _{\xi }(t) = v\) for all \(\xi \prec \mathcal {R}\), \(v \in \mathbb {B}\), and \(t \in \mathbb {R}_{\ge 0}\).

Proof

We proceed by structural induction on \(\varphi \). Let \(t \in \mathbb {R}_{\ge 0}\) be arbitrary.

Base Cases: The case for \(\varphi = true \) is straightforward, as \( true \) always evaluates to \(\top \) in Boolean and \(\mathbb {U}_{1}\)-semantics. For an atomic predicate \(a \in \mathcal{A}\mathcal{P}\), we find

$$\begin{aligned} \hat{a}(\mathcal {R}(t)) = \top \iff \mathcal {R}(t) \ne \emptyset \text { and } \mathcal {R}(t) \subseteq \llbracket a \rrbracket \implies \forall \xi \prec \mathcal {R} : a(\xi (t)) = \top , \end{aligned}$$

and thus \(\llbracket a \rrbracket _{\mathcal {R}}(t) = \top \implies \forall \xi \prec \mathcal {R} : \llbracket a \rrbracket _{\xi }(t) = \top \). The argument for \(\bot \) is similar.

Direct Semantics: Turning to the inductive cases, we notice that our operators on \(\mathbb {U}_{1}\)-signals depend on their Boolean counterparts. This makes them easy to implement, but difficult to handle in proofs. Therefore, we first show that they adhere to the following direct semantics that work without this dependency:

$$\begin{aligned} (\lnot \varLambda )(t) &= {\left\{ \begin{array}{ll} \top &{} \text {if } \varLambda (t) = \bot \\ \bot &{} \text {if } \varLambda (t) = \top \\ {\dashv _{1}} &{} \text {otherwise} \end{array}\right. }, \nonumber \\ (\varLambda _1 \wedge \varLambda _2)(t) &= {\left\{ \begin{array}{ll} \top &{} \text {if } \varLambda _1(t) = \top \text { and } \varLambda _2(t) = \top \\ \bot &{} \text {if } \varLambda _1(t) = \bot \text { or } \varLambda _2(t) = \bot \\ {\dashv _{1}} &{} \text {otherwise} \end{array}\right. }, \\ (\varLambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \varLambda _2)(t) &= {\left\{ \begin{array}{ll} \top &{} \text {if } \exists t' \in t \oplus I : \varLambda _2(t') = \top \text { and } \forall t'' \in (t, t') : \varLambda _1(t'') = \top \\ \bot &{} \text {if } \forall t' \in t \oplus I : \varLambda _2(t') = \bot \text { or } \exists t'' \in (t, t') : \varLambda _1(t'') = \bot \\ {\dashv _{1}} &{} \text {otherwise} \end{array}\right. }. \nonumber \end{aligned}$$
(2)

Proof of the Direct Semantics: First, consider the case where \((\varLambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \varLambda _2)(t)\) is \(\top \). Recalling that \(v \sqcup _{1} v'\) only yields \(\top \) if \(v = \top = v'\), we derive

$$\begin{aligned} (\varLambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \varLambda _2)(t) = \top &\iff (\lfloor \varLambda _1 \rfloor {{\,\mathrm{\textbf{U}}\,}}_{I} \lfloor \varLambda _2 \rfloor )(t) = \top = (\lceil \varLambda _1 \rceil {{\,\mathrm{\textbf{U}}\,}}_{I} \lceil \varLambda _2 \rceil )(t) \\ &\iff \forall \lambda _1 \prec \varLambda _1 : \forall \lambda _2 \prec \varLambda _2 : (\lambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \lambda _2)(t) = \top . \end{aligned}$$

The second equivalence is due to the monotonicity of \({{\,\mathrm{\textbf{U}}\,}}_I\) over Boolean signals: If \(\lambda _i \prec \varLambda _i\), we know that \(\lfloor \varLambda _i \rfloor \sqsubseteq _\texttt{t} \lambda _i \sqsubseteq _\texttt{t} \lceil \varLambda _i \rceil \) for \(i \in \{ 1, 2 \}\). Thus, we also have \(\lfloor \varLambda _1 \rfloor {{\,\mathrm{\textbf{U}}\,}}_{I} \lfloor \varLambda _2 \rfloor \sqsubseteq _\texttt{t} \lambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \lambda _2 \sqsubseteq _\texttt{t} \lceil \varLambda _1 \rceil {{\,\mathrm{\textbf{U}}\,}}_{I} \lceil \varLambda _2 \rceil \). Hence, \((\lambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \lambda _2)(t)\) must be \(\top \) due to the antisymmetry of \(\sqsubseteq _\texttt{t} \). The converse is clear, as \(\lfloor \varLambda _i \rfloor \) and \(\lceil \varLambda _i \rceil \) are particular refinements of \(\varLambda _i\). We continue our derivation by applying Lemma 2 and find

$$\begin{aligned} \dots &\iff \begin{aligned} &\forall \lambda _1 \prec \varLambda _1 : \forall \lambda _2 \prec \varLambda _2 : \\ &\quad \exists t' \in t \oplus I : \lambda _2(t') = \top \text { and } \forall t'' \in (t, t') : \lambda _1(t'') = \top \end{aligned} \\ &\iff \exists t' \in t \oplus I : \varLambda _2(t') = \top \text { and } \forall t'' \in (t, t') : \varLambda _1(t'') = \top . \end{aligned}$$

To explain the forward direction of the last equivalence, we consider the refinements \(\lfloor \varLambda _1 \rfloor \) and \(\lfloor \varLambda _2 \rfloor \). Instantiating the universal quantifiers, we find that

$$\begin{aligned} \exists t' \in t \oplus I : \lfloor \varLambda _2 \rfloor (t') = \top \text { and } \forall t'' \in (t, t') : \lfloor \varLambda _1 \rfloor (t'') = \top . \end{aligned}$$

Since \(\lfloor \varLambda _i \rfloor (t) = \top \) if and only if \(\varLambda _i(t) = \top \), this establishes the forward direction. For \((\varLambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \varLambda _2)(t) = \bot \), we argue analogously, and then the case for \({\dashv _{1}}\) follows by elimination. The reasoning for the remaining operators is similar.

Inductive Cases: We are now equipped to prove the inductive cases for our main statement. Using the direct semantics (2), we exemplarily show the case for until:

$$\begin{aligned} \llbracket \varphi _1 {{\,\mathrm{\textbf{U}}\,}}_I \varphi _2 \rrbracket _{\mathcal {R}}(t) = \top \iff {} & \begin{aligned} &\exists t' \in t \oplus I : \llbracket \varphi _2 \rrbracket _{\mathcal {R}}(t') = \top \\ &\quad \text {and } \forall t'' \in (t, t') : \llbracket \varphi _1 \rrbracket _{\mathcal {R}}(t'') = \top \end{aligned} \\ \implies {} & \begin{aligned} &\exists t' \in t \oplus I : (\forall \xi \prec \mathcal {R} : \llbracket \varphi _2 \rrbracket _{\xi }(t') = \top ) \\ &\quad \text {and } \forall t'' \in (t, t') : \forall \xi \prec \mathcal {R} : \llbracket \varphi _1 \rrbracket _{\xi }(t'') = \top \end{aligned} {} & {} (\text {IH}) \\ \implies {} & \begin{aligned} &\forall \xi \prec \mathcal {R} : \exists t' \in t \oplus I : \llbracket \varphi _2 \rrbracket _{\xi }(t') = \top \\ &\quad \text {and } \forall t'' \in (t, t') : \llbracket \varphi _1 \rrbracket _{\xi }(t'') = \top \end{aligned} {} & {} (*) \\ \iff {} &\forall \xi \prec \mathcal {R} : \llbracket \varphi _1 {{\,\mathrm{\textbf{U}}\,}}_I \varphi _2 \rrbracket _{\xi }(t) = \top . \end{aligned}$$

To derive \(\llbracket \varphi _1 {{\,\mathrm{\textbf{U}}\,}}_I \varphi _2 \rrbracket _{\mathcal {R}}(t) = \bot \implies \forall \xi \prec \mathcal {R} : \llbracket \varphi _1 {{\,\mathrm{\textbf{U}}\,}}_I \varphi _2 \rrbracket _{\xi }(t) = \bot \), we argue similarly. Note that the step marked with \((*)\) is not an equivalence since we need to swap an existential and a universal quantifier. Intuitively, this means that the Boolean semantics allow us to choose the time when \(\varphi _2\) becomes true for each refinement individually, while we have to choose the same time for all refinements in the \(\mathbb {U}_{1}\)-semantics. A similar step is necessary in the \(\bot \) case of conjunction, where we have to choose which subformula is false.    \(\square \)

4.3 Computing Four-Valued Satisfaction Signals

In the previous section, we used two Boolean signals to over- and underapproximate the refinements of a \(\mathbb {U}_{1}\)-signal. This enabled us to reuse the operators defined on Boolean signals for computing a \(\mathbb {U}_{1}\)-satisfaction signal of an STL formula with respect to a reachable set. Following the same pattern, we can over- and underapproximate the refinements of a \(\mathbb {U}_{2}\)-signal by two \(\mathbb {U}_{1}\)-signals to compute \(\mathbb {U}_{2}\)-satisfaction signals over partial reachable sets. Hence, many concepts, definitions, and proofs are analogous to Sect. 4.2, so we only sketch them here.

Given a \(\mathbb {U}_{2}\)-signal \(\tilde{\varLambda }\), the \(\mathbb {U}_{1}\)-signal \(\varLambda \) refines \(\tilde{\varLambda }\), denoted by \(\varLambda \prec \tilde{\varLambda }\), if \(\tilde{\varLambda }(t) \ne {\dashv _{2}}\) implies \(\varLambda (t) = \tilde{\varLambda }(t)\) for all \(t \in \mathbb {R}_{\ge 0}\). We define the underapproximation \(\lfloor \tilde{\varLambda } \rfloor \) and the overapproximation \(\lceil \tilde{\varLambda } \rceil \) analogously to Sect. 4.2, i.e., by replacing \({\dashv _{2}}\) with \(\bot \) and \(\top \), respectively. Again, we have \(\lfloor \tilde{\varLambda } \rfloor \sqsubseteq _\texttt{t} \varLambda \sqsubseteq _\texttt{t} \lceil \tilde{\varLambda } \rceil \) if and only if \(\varLambda \prec \tilde{\varLambda }\). Moreover, we can reconstruct \(\tilde{\varLambda }(t)\) as \(\lfloor \tilde{\varLambda } \rfloor (t) \sqcup _{2} \lceil \tilde{\varLambda } \rceil (t)\). Here, \(v \sqcup _{2} v'\) with \(v, v' \in \mathbb {U}_{1}\) is v if and only if \(v = v'\) and \({\dashv _{2}}\) otherwise.

To define the operators for negation, conjunction, and until on \(\mathbb {U}_{2}\)-signals, we first show that the \(\mathbb {U}_{1}\)-operators are monotone or antitone.

Lemma 3

The operators \(\wedge \) and \({{\,\mathrm{\textbf{U}}\,}}_I\) on \(\mathbb {U}_{1}\)-signals are monotone; \(\lnot \) is antitone.

Proof

Using the direct semantics (2) of the operators shown in the proof of Theorem 1 and case distinction, the proof is straightforward. We exemplarily consider the case \((\varLambda _1 {{\,\mathrm{\textbf{U}}\,}}_{I} \varLambda _2)(t) = {\dashv _{1}}\), where we need to show \({\dashv _{1}} \sqsubseteq _\texttt{t} (\varLambda '_1 {{\,\mathrm{\textbf{U}}\,}}_{I} \varLambda '_2)(t)\) given \(\varLambda _i \sqsubseteq _\texttt{t} \varLambda '_i\) for \(i \in \{ 1, 2 \}\). From the direct semantics, we know

$$\begin{aligned} \exists t' \in t \oplus I : \varLambda _2(t') \ne \bot \text { and } \forall t'' \in (t, t') : \varLambda _1(t'') \ne \bot . \end{aligned}$$

Since \(\varLambda '_i\) can only be \(\bot \) where \(\varLambda _i\) is also \(\bot \), the same statement holds for \(\varLambda '_1\) and \(\varLambda '_2\). Thus, \((\varLambda '_1 {{\,\mathrm{\textbf{U}}\,}}_{I} \varLambda '_2)(t)\) cannot be \(\bot \). Consequently, it must be either \({\dashv _{1}}\) or \(\top \), and we know that \({\dashv _{1}} \sqsubseteq _\texttt{t} \top \).    \(\square \)

Due to Lemma 3, it is justified to define the operators \(\lnot \), \(\wedge \), and \({{\,\mathrm{\textbf{U}}\,}}_I\) on \(\mathbb {U}_{2}\)-signals like in Sect. 4.2 using \(\sqcup _{2}\) instead of \(\sqcup _{1}\). With these, we can define the satisfaction signal \(\llbracket \varphi \rrbracket _{\tilde{\mathcal {R}}} : \mathbb {R}_{\ge 0}\rightarrow \mathbb {U}_{2}\) of an STL formula \(\varphi \) with respect to a partial reachable set \(\tilde{\mathcal {R}} : \mathcal {T} \rightarrow 2^{\mathcal {X}}\), where \(\mathcal {T} \subseteq \mathbb {R}_{\ge 0}\). For atomic formulas \( true \) and \(a \in \mathcal{A}\mathcal{P}\), we define

figure c

for all \(t \in \mathbb {R}_{\ge 0}\). The satisfaction signal for compound formulas is defined analogously to Sect. 4.2 using our operators. Finally, we state the equivalent of Theorem 1 to relate \(\mathbb {U}_{2}\)- and \(\mathbb {U}_{1}\)-satisfaction signals: We show that \(\llbracket \varphi \rrbracket _{\mathcal {R}}\) refines \(\llbracket \varphi \rrbracket _{\tilde{\mathcal {R}}}\), if \(\mathcal {R}\) is an extension of \(\tilde{\mathcal {R}}\). Given \(\tilde{\mathcal {R}} : \mathcal {T} \rightarrow 2^{\mathcal {X}}\) with \(\mathcal {T} \subseteq \mathbb {R}_{\ge 0}\), we say that the reachable set \(\mathcal {R}\) extends \(\tilde{\mathcal {R}}\), denoted as \(\mathcal {R} \prec \tilde{\mathcal {R}}\), if \(\mathcal {R}(t) = \tilde{\mathcal {R}}(t)\) for all \(t \in \mathcal {T}\).

Theorem 2

Suppose \(\tilde{\mathcal {R}}\) is a partial reachable set and \(\varphi \) an STL formula. For every reachable set \(\mathcal {R}\) that extends \(\tilde{\mathcal {R}}\), we have \(\llbracket \varphi \rrbracket _{\mathcal {R}} \prec \llbracket \varphi \rrbracket _{\tilde{\mathcal {R}}}\). In other words, if \(\llbracket \varphi \rrbracket _{\tilde{\mathcal {R}}}(t) = v\), we have \(\llbracket \varphi \rrbracket _{\mathcal {R}}(t) = v\) for all \(\mathcal {R} \prec \tilde{\mathcal {R}}\), \(v \in \mathbb {U}_{1}\), and \(t \in \mathbb {R}_{\ge 0}\).

Sketch of Proof

The proof proceeds by structural induction on \(\varphi \). For the most part, it is analogous to the proof of Theorem 1, except that we now have to consider an additional case for \(v = {\dashv _{1}}\). In the base case for \(\varphi = a\) with \(a \in \mathcal{A}\mathcal{P}\), we derive:

$$\begin{aligned} \llbracket a \rrbracket _{\tilde{\mathcal {R}}}(t) = {\dashv _{1}} \iff {} &t \in \mathcal {T} \text { and } \hat{a}(\tilde{\mathcal {R}}(t)) = {\dashv _{1}} \\ \implies {} &\forall \mathcal {R} \prec \tilde{\mathcal {R}} : \hat{a}(\mathcal {R}(t)) = {\dashv _{1}} \\ \iff {} &\forall \mathcal {R} \prec \tilde{\mathcal {R}} : \llbracket a \rrbracket _{\mathcal {R}}(t) = {\dashv _{1}}, \end{aligned}$$

where the partial reachable set \(\tilde{\mathcal {R}}\) is defined over \(\mathcal {T} \subseteq \mathbb {R}_{\ge 0}\). For \(\top \) and \(\bot \), we argue similarly. For the inductive cases with compound formulas, we can determine direct semantics for our operators on \(\mathbb {U}_{2}\)-signals similar to those in the proof of Theorem 1. Like (2), they follow the pattern of making the “otherwise” case of the \(\mathbb {U}_{1}\)-semantics explicit and introducing a new “otherwise” case to handle \({\dashv _{2}}\). As for Theorem 1, the crucial points in the proof are those where we need to use a statement about all refinements of a \(\mathbb {U}_{2}\)-signal \(\tilde{\varLambda }\) to infer something about \(\tilde{\varLambda }\) itself. In particular, we need variations of the following property

$$\begin{aligned} \forall \varLambda \prec \tilde{\varLambda } : \exists t \in \mathbb {R}_{\ge 0}: \varLambda (t) \in \mathcal {U} \iff \exists t \in \mathbb {R}_{\ge 0}: \tilde{\varLambda }(t) \in \mathcal {U}, \end{aligned}$$

where \(\mathcal {U} \subsetneq \mathbb {U}_{1}\). To prove the forward direction, we choose a value \(v \in \mathbb {U}_{1} \setminus \mathcal {U}\), which must exist since \(\mathcal {U}\) is a proper subset of \(\mathbb {U}_{1}\). We consider the refinement \(\varLambda _v \prec \tilde{\varLambda }\) in which all occurrences of \({\dashv _{2}}\) are replaced by v and find that \(\varLambda _v(t) \in \mathcal {U}\) if and only if \(\tilde{\varLambda }(t) \in \mathcal {U}\) to establish the forward direction. Using the direct semantics, we show the inductive cases analogously to the proof of Theorem 1.   \(\square \)

5 Incremental Verification of Hybrid Systems

Theorems 1 and 2 provide a sound, but incomplete, method of proving or disproving that a hybrid system \(\mathcal {H}\) satisfies an STL specification \(\varphi \). We note that incompleteness is unavoidable to some extent since the reachability problem for hybrid systems is undecidable in general [19, Sect. 4]. We summarize the verification method in the following corollary.

Corollary 1

Let \(\varphi \) be an STL formula and \(\tilde{\mathcal {R}}\) a partial reachable set. Let \(\mathcal {R}\) be an extension of \(\tilde{\mathcal {R}}\). If \(\llbracket \varphi \rrbracket _{\tilde{\mathcal {R}}}(0)\) is

  • \(\top \), we have \(\xi \models \varphi \) for all executions \(\xi \) covered by \(\mathcal {R}\).

  • \(\bot \), we have \(\xi \not \models \varphi \) for all executions \(\xi \) covered by \(\mathcal {R}\).

  • \({\dashv _{1}}\), the result is unknown. Based on the reachable set \(\mathcal {R}\), we cannot make a statement about all covered executions.

  • \({\dashv _{2}}\), the result is inconclusive. The partial reachable set \(\tilde{\mathcal {R}}\) does not contain enough information to support a claim about all its extensions.

If \(\tilde{\mathcal {R}}\) is a partial overapproximation of the reachable set of a hybrid system \(\mathcal {H}\), \(\llbracket \varphi \rrbracket _{\tilde{\mathcal {R}}}(0) = \top \) implies \(\mathcal {H} \models \varphi \), while \(\llbracket \varphi \rrbracket _{\tilde{\mathcal {R}}}(0) = \bot \) implies \(\mathcal {H} \not \models \varphi \).

The last claim above holds because there must exist some extension of \(\tilde{\mathcal {R}}\) covering all executions of the system by definition of the reachable set.

5.1 Incremental Verification Algorithm

Algorithm 1 implements the approach outlined in Corollary 1. It incrementally computes a \(\mathbb {U}_{2}\)-satisfaction signal of the specification \(\varphi \) as the reachability analysis of the hybrid system \(\mathcal {H}\) progresses. At its core, the algorithm alternates between computing the reachable states of the system, which allows it to observe the satisfaction or violation of predicates in new time intervals, and propagating these observations up the syntax tree of \(\varphi \) to update the satisfaction signal. The algorithm terminates as soon as the satisfaction signal provides a conclusive verdict. Below, we explain Algorithm 1 in more detail.

figure d

Before entering the main loop, we initialize the reachability analysis of \(\mathcal {H}\) and construct the syntax tree of \(\varphi \). We assume that \(\varphi \) is written without syntactic sugar. Each node n of the syntax tree stores the \(\mathbb {U}_{2}\)-satisfaction signal of the subformula of \(\varphi \) that its subtree represents. Initially, the satisfaction signal, which we refer to as \(n. signal \), is \({\dashv _{2}}\) on the entire time domain, except for nodes representing \( true \), where it is \(\top \) everywhere.

In the main loop, we first compute one step of the reachability analysis, which yields the set of states \(\mathcal {R}_I\) that the system can reach in the time interval I. For each node representing an atomic predicate \(a \in \mathcal{A}\mathcal{P}\), we determine \(\hat{a}(\mathcal {R}_I)\) based on the observed set (function Eval) and update its satisfaction signal during I accordingly. Afterward, we propagate the new observations up the syntax tree. Note that all occurring signals are guaranteed to be of finite variability as long as the computed sequence of reachable sets does not exhibit Zeno behavior. If we obtain a conclusive verdict on the satisfaction of the top-level formula \(\varphi \) at time 0, we return the verdict early. Otherwise, we continue until the reachable set is determined up to a given time horizon \(t_\texttt{h}\). After reaching \(t_\texttt{h}\), we return the current verdict, even if it is the inconclusive \({\dashv _{2}}\).

figure e

Algorithm 2 propagates new observations up the syntax tree. It closely follows the incremental marking procedure of Maler and Ničković [27, Algorithm 2]. The algorithm traverses the syntax tree in post-order and applies the operators developed in Sect. 4.3 to update the satisfaction signal of each node based on the satisfaction signals of its children (function Combine).

Since we only admit future connectives, the satisfaction of a formula at time t depends only on the truth values of its subformulas at times \(t' \ge t\) [27, Sect. 3.2]. To exploit this, every node n stores a time interval \(n. irr \) of the form [0, t) or [0, t], indicating the prefix of \(n. signal \) that is irrelevant for updates of the parent node. Initially, \(n. irr \) is empty. After updating the signal of n, we also need to revise the irrelevant prefixes of its children. To this end, we find the largest interval I containing 0 such that \(n. signal \) has a conclusive value, i.e., not \({\dashv _{2}}\), everywhere in \(I \setminus n. irr \); if \(n. signal (0) = {\dashv _{2}}\) and \(0 \notin n. irr \), we return an empty interval (function ConclusiveInterval). We exclude \(n. irr \) from consideration because \(n. signal \) itself is irrelevant at these times. Then, we can drop the irrelevant prefix from memory by overwriting it with \({\dashv _{2}}\).
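The following Python block is an added illustration of the constructions above and is not the authors' MATLAB/CORA implementation. It models time as discrete steps (an interval \(I = (a, b)\) is measured in steps and the open interval \((t, t')\) becomes the steps strictly between), builds the \(\mathbb {U}_{1}\)- and \(\mathbb {U}_{2}\)-operators of Sect. 4.2 and 4.3 from the Boolean ones via \(\lfloor \cdot \rfloor \), \(\lceil \cdot \rceil \) and \(\sqcup _{k}\), checks the lifted until exhaustively against the direct semantics (2), and runs a miniature of Algorithm 1 on constructed one-dimensional interval reachable sets with threshold predicates \(x > c\). It propagates after every reachability step and keeps whole signals instead of dropping irrelevant prefixes; all function names, the tuple encoding of formulas and the sample reachable sets are assumptions of this example.

```python
"""Sampled-time model of the paper's four-valued STL evaluation.
Constructed illustration; not the authors' MATLAB/CORA implementation."""
from itertools import product

TOP, BOT, U1, U2 = "T", "F", "?1", "?2"   # the values ⊤, ⊥, ⊣1, ⊣2
UNKNOWN = {1: U1, 2: U2}                  # unknown value of level k

# Level-0 (Boolean) operators. A signal is a list over steps 0..N-1, t ⊕ I = [t+a, t+b],
# and the open interval (t, t') is the set of steps t+1 .. t'-1.
def b_not(s):
    return [TOP if v == BOT else BOT for v in s]

def b_and(s1, s2):
    return [TOP if x == TOP and y == TOP else BOT for x, y in zip(s1, s2)]

def b_until(s1, s2, I):
    a, b, n = I[0], I[1], len(s2)
    return [TOP if any(s2[tp] == TOP and all(s1[x] == TOP for x in range(t + 1, tp))
                       for tp in range(t + a, min(t + b, n - 1) + 1)) else BOT
            for t in range(n)]

# Level-k operators from level-(k-1) operators: op(⌊·⌋) ⊔_k op(⌈·⌉), the construction
# of Sect. 4.2 (k = 1), reused for Sect. 4.3 (k = 2).
def floor_(s, k): return [BOT if v == UNKNOWN[k] else v for v in s]
def ceil_(s, k):  return [TOP if v == UNKNOWN[k] else v for v in s]
def join(x, y, k): return x if x == y else UNKNOWN[k]    # x ⊔_k y

def lift(op, k, *sigs, **kw):
    if k == 0:
        return op(*sigs, **kw)
    lo = lift(op, k - 1, *[floor_(s, k) for s in sigs], **kw)
    hi = lift(op, k - 1, *[ceil_(s, k) for s in sigs], **kw)
    return [join(x, y, k) for x, y in zip(lo, hi)]

# The direct semantics (2) of until on U1-signals, written out independently.
def direct_until1(s1, s2, I):
    a, b, n = I[0], I[1], len(s2)
    out = []
    for t in range(n):
        win = range(t + a, min(t + b, n - 1) + 1)
        top = any(s2[tp] == TOP and all(s1[x] == TOP for x in range(t + 1, tp)) for tp in win)
        bot = all(s2[tp] == BOT or any(s1[x] == BOT for x in range(t + 1, tp)) for tp in win)
        out.append(TOP if top else BOT if bot else U1)
    return out

def lifted_until_matches_direct(n=3, I=(0, 1)):
    """Exhaustive check of lift(b_until, 1) against (2) on all U1-signals of length n."""
    vals = (TOP, BOT, U1)
    return all(lift(b_until, 1, list(s1), list(s2), I=I) == direct_until1(list(s1), list(s2), I)
               for s1 in product(vals, repeat=n) for s2 in product(vals, repeat=n))

# Formulas as nested tuples: ("true",), ("ap", name), ("not", f), ("and", f, g),
# ("until", f, g, (a, b)). Satisfaction signals are computed at level 2 over
# partially observed atomic signals, as in Sect. 4.3.
def future_reach(f):
    if f[0] in ("true", "ap"): return 0
    if f[0] == "not": return future_reach(f[1])
    if f[0] == "and": return max(future_reach(f[1]), future_reach(f[2]))
    return f[3][1] + max(future_reach(f[1]), future_reach(f[2]))

def sat(f, aps, n, k=2):
    if f[0] == "true": return [TOP] * n
    if f[0] == "ap":   return aps[f[1]]
    if f[0] == "not":  return lift(b_not, k, sat(f[1], aps, n, k))
    if f[0] == "and":  return lift(b_and, k, sat(f[1], aps, n, k), sat(f[2], aps, n, k))
    return lift(b_until, k, sat(f[1], aps, n, k), sat(f[2], aps, n, k), I=f[3])

# â for the predicate x > c on a 1-D reachable set [lo, hi]: ⊤ if every state
# satisfies it, ⊥ if none does, ⊣1 if the set straddles the threshold.
def eval_pred(interval, c):
    lo, hi = interval
    return TOP if lo > c else BOT if hi <= c else U1

def verify_incremental(formula, preds, reach_steps, horizon):
    """Algorithm 1 in miniature: consume one reachability step at a time, recompute the
    U2-satisfaction signal and stop at the first conclusive verdict (not ⊣2) at time 0.
    Returns (verdict, number of reachability steps consumed)."""
    n = horizon + future_reach(formula)       # steps never observed stay ⊣2
    aps = {name: [U2] * n for name in preds}
    for i, S in enumerate(reach_steps[:horizon]):
        for name, c in preds.items():
            aps[name][i] = eval_pred(S, c)
        v = sat(formula, aps, n)[0]
        if v != U2:
            return v, i + 1
    return sat(formula, aps, n)[0], horizon

def combine_branches(verdicts):
    """Sect. 5.2: merge per-branch verdicts with ⊔_1 once all of them are conclusive."""
    if U2 in verdicts:
        return U2
    v = verdicts[0]
    for w in verdicts[1:]:
        v = join(v, w, 1)
    return v

if __name__ == "__main__":
    # Constructed reachable sets: x grows, but the set [2i, 3i] widens with time.
    steps = [(2 * i, 3 * i) for i in range(10)]
    finally_a = ("until", ("true",), ("ap", "a"), (0, 5))               # F_[0,5] (x > 8)
    globally_not_a = ("not", ("until", ("true",), ("ap", "a"), (0, 3)))  # G_[0,3] ¬(x > 8)
    print(verify_incremental(finally_a, {"a": 8}, steps, 10))            # ('T', 6)
    print(verify_incremental(globally_not_a, {"a": 8}, steps, 10))       # ('?1', 4)
```

The two sample runs exercise two rows of Corollary 1: the eventuality is proved after six of ten steps, once the set lies entirely above the threshold, whereas the safety property returns \({\dashv _{1}}\) after four steps because the widening set straddles the threshold inside the formula's future reach, which is exactly the situation where a tighter reachable set, rather than a longer horizon, is needed.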

Remark 1

(Propagation Frequency). If we conduct the reachability analysis with a small time step size, we obtain numerous observations. To reduce the overhead incurred by signal propagation, we can accumulate the observations of several reachability steps and then propagate them all at once. However, in doing so, we might compute more reachability steps than required to reach a conclusive verdict. Choosing a propagation frequency is thus a trade-off similar to the one mentioned in [27, Sect. 5.3]. In the extreme case, where we never propagate before reaching the time horizon, we obtain an offline method similar to [22, 35].

5.2 Refinement via Branching the Reachability Analysis

Since we use the reachable set as the basis for verification, our approach works best if all executions of the system under scrutiny behave roughly similarly. The intuition for this is given at the end of the proof of Theorem 1: To verify that \(\varphi _1 {{\,\mathrm{\textbf{U}}\,}}_I \varphi _2\) holds, we require that all executions covered by the reachable set satisfy the eventuality \(\varphi _2\) at the same time. However, hybrid systems can have executions with vastly different behavior, e.g., due to discrete transitions changing the continuous dynamics. Moreover, the system behavior might strongly depend on the initial state. For these systems, our algorithm would often return \({\dashv _{1}}\), as the executions covered by the reachable set do not synchronize as required.

The underlying problem is that we compute just one reachable set to cover all system executions. If these executions have significant differences, the reachable set also covers many additional spurious executions that are infeasible according to the system dynamics. To alleviate this issue, we can perform the reachability analysis in multiple branches so that each branch only covers similar executions. For example, we could start a new branch whenever a discrete transition occurs. In addition, we could partition the set of initial states so that we analyze initial states that lead to vastly different behavior in separate branches.

To adapt Algorithm 1 for several branches, we clone the syntax tree whenever a new branch starts. We then process each branch using its copy of the syntax tree and combine the verdicts. If the verdicts are conclusive for all branches, we merge them using \(\sqcup _{1}\), i.e., we return \(\top \) or \(\bot \) if all branches agree on the verdict, and \({\dashv _{1}}\) otherwise. If the analysis is inconclusive for at least one branch after reaching the time horizon \(t_\texttt{h}\), the combined verdict is also \({\dashv _{2}}\). In this case, we need to extend the time horizon only for the inconclusive branches.

6 Evaluation

We implemented our algorithm in MATLAB using CORA [2] for reachability analysis. First, we demonstrate the capabilities and limitations of our method on a simple hybrid system. Then, we apply it to autonomous driving and systems biology. For all experiments, our algorithm is configured to accumulate 20 observations before propagation. Note that CORA continues the reachability analysis in a new branch (cf. Sect. 5.2) after the system takes a discrete transition.

6.1 Bouncing Ball

First, let us consider a bouncing ball, which is a classic example of a hybrid system. The bouncing ball has two state variables: height h and velocity v. It accelerates under the influence of gravity and bounces back up once it hits the ground (\(h = 0\)). Bouncing is modeled as a discrete transition that reduces the velocity and flips its sign (see, e.g., [33, Sect. 2.2.3] for a full derivation). Initially, we have \(h \in [0.95, 1.05]\) and \(v \in [-0.05, 0.05]\), which means that the first bounce happens after about 0.5 s. The time horizon for our verification algorithm is \(t_\texttt{h}:= 2.5\,\text {s}\) and the reachability analysis uses a time step size of 0.01 s.

Table 1 summarizes the results of our experiments. The future reach of a formula is the amount of time it maximally looks into the future [21, Sect. 3]. Thus, approaches like [22, 35] need to perform reachability analysis up to the future reach of the specification. We can successfully verify the first two specifications and falsify the third while terminating the reachability analysis well before their future reach. Even though the fourth property also holds for the system (recall that the ball bounces after about 0.5 s), we cannot verify it since the reachable set is not sufficiently accurate. However, as \({\dashv _{1}}\) is already returned after 0.7 s, we know early that we need to refine the reachable set. After refining the reachability analysis by using a time step size of 0.002 s, we can also prove this specification. The final property demonstrates the drawbacks of accumulating observations: While we could reject it already after observing the initial set, our algorithm only returns \(\bot \) after 20 time steps.

Table 1. Application of our approach and the approach from [32] to the bouncing ball

For the last column of Table 1, we applied the verification algorithm by Roehm et al. [32] to the bouncing ball. Since this algorithm requires the reachable set for the entire future reach of the specification in order to start the verification, it is not applicable to the first property. We cannot compute the reachable set for an infinite time horizon here, as no fixed point is detected. As shown by the fourth specification, [32] returns \(\bot \) whenever it fails to verify a property. Therefore, in contrast to our algorithm, it does not distinguish between insufficient accuracy of the reachable set and actual falsification of the property by the system. For the other properties, its verdict is the same as ours.

6.2 Autonomous Driving

Next, we examine an application for autonomous driving in the context of the CommonRoad [5] framework. In our example scenario, an autonomous vehicle is driving in the middle lane of an interstate with another vehicle in front indicating to change from the left to the middle lane (see Fig. 5; CommonRoad scenario ID: ZAM_HW-1_1_S-1). Suppose the motion planner has determined two reference trajectories that the autonomous vehicle could follow for the next five seconds: one where it stays in its current lane and another where it changes to the right lane. We want to verify that the autonomous vehicle avoids collisions with other vehicles for the entire planned trajectory, even if it cannot precisely follow the trajectory due to disturbances. Moreover, it should eventually enter the right lane and stay there for at least 1 s. We formalize these requirements in STL as \(({{\,\mathrm{\textbf{G}}\,}}_{[0, 4]} (x, y) \notin \mathcal {O}) \wedge {{\,\mathrm{\textbf{F}}\,}}_{[0, 4]} {{\,\mathrm{\textbf{G}}\,}}_{[0, 1]} (x, y) \in \mathcal {L}\), where \((x, y)\) is the position of the autonomous vehicle, \(\mathcal {O}\) is the area occupied by other vehicles according to a set-based prediction, and \(\mathcal {L}\) is the right lane. Here, obtaining a verdict as soon as possible is particularly important since the autonomous vehicle has limited time to decide which trajectory to follow. With our algorithm, the vehicle can quickly reject the “stay” trajectory after computing the reachable set up to 1 s. Then, it can spend the remaining time on verifying the “change” trajectory, which yields the verdict \(\top \) after performing reachability analysis up to 4 s. For the reachability analysis, we adopted a kinematic single-track model [31, Sect. 2.2] of the vehicle and assumed it tracks the reference trajectory using a P controller.

Fig. 5. Reachable set projected to the position domain for two reference trajectories

6.3 Genetic Oscillator

Finally, we consider the 9-dimensional genetic oscillator example (state variables \(x_1, \dots , x_9\)) from [35, Sect. 5]. In [35], the authors verified the specification \({{\,\mathrm{\textbf{G}}\,}}_{[0, 1]} (a_1 \vee {{\,\mathrm{\textbf{G}}\,}}_{[3, 3.5]} a_2)\), where \(a_1 := x_6 - 1 > 0\) and \(a_2 := 0.032 - 125^2(x_4 - 0.003)^2 - 3(x_6 - 0.5)^2 > 0\). We could not verify the original property since the reachable sets computed by CORA were not accurate enough, resulting in the verdict \({\dashv _{1}}\). After slightly relaxing the property by using \(a'_2 := 0.04 - 125^2(x_4 - 0.003)^2 - 3(x_6 - 0.5)^2 > 0\) instead of \(a_2\), verification succeeded. The reachability analysis was stopped after 4.5 s, matching the future reach of the formula. If we change the specification to \({{\,\mathrm{\textbf{G}}\,}}_{[0, 2]} (a_1 \vee {{\,\mathrm{\textbf{G}}\,}}_{[0, 0.5]} a'_2)\), we can reject it early after computing the reachable set for up to 1.3 s.

7 Conclusion

We proposed an incremental STL verification algorithm for hybrid systems based on reachability analysis and a four-valued semantics for STL. Due to its incremental nature, our algorithm can run alongside the reachability analysis and continuously update its verdict. Consequently, it can stop the computation of the reachable set as soon as the verdict becomes conclusive. This makes our approach particularly worthwhile for high-dimensional systems, for which reachability analysis is computationally expensive. The evaluation of our prototype showed promising results across several application domains.