# AMT 2.0: Qualitative and Quantitative Trace Analysis with Extended Signal Temporal Logic

## Abstract

We introduce in this paper \(\textsc {AMT~2.0}\), a tool for qualitative and quantitative analysis of hybrid continuous and Boolean signals that combine numerical values and discrete events. The evaluation of the signals is based on rich temporal specifications expressed in *extended Signal Temporal Logic* (xSTL), which integrates Timed Regular Expressions (TRE) within Signal Temporal Logic (STL). The tool features qualitative monitoring (property satisfaction checking), trace diagnostics for explaining and justifying property violations and specification-driven measurement of quantitative features of the signal.

## 1 Introduction

Cyber-physical systems, such as automotive embedded controllers, medical devices or autonomous vehicles, are often modeled and analyzed by simulation. Simulators generate traces admitting real values often interpreted as continuous-time signals. To evaluate the system under design, these traces are inspected for satisfying some correctness requirements and are often subject to quantitative analysis based on recording some values in certain segments of the signal and performing some computation (summation, minimum) on them.

Over the past decade an extensive framework has been developed whose goal was to bring automated support for this tedious and error-prone task, centered around Signal Temporal Logic (STL) [18, 19]. STL extends the classical LTL in two directions: it uses predicates over real-valued variables in addition to atomic propositions, and it is defined over dense continuous time accessed symbolically with timed modalities as in Metric Temporal Logic (MTL) [17]. This framework, which was initially accompanied by a rudimentary prototype tool [20], had a lot of reported applications in domains such as automotive, robotics, analog circuits, systems biology. It can be viewed as an extension of *runtime verification* toward cyber-physical hybrid systems. Interested readers may consult the survey in [7].

*declarations*and

*aliases*, improvement of the graphical editors, systematic software testing, etc. Furthermore, its functionality has been extended significantly by incorporating several new research results obtained over the last years:

- 1.
We combine STL with a fragment of Timed Regular Expressions (TRE) [4, 5], as a complementary formalism to express temporal patterns. The monitoring algorithm for our specification language xSTL thus obtained integrates the recent TRE pattern matching algorithm reported in [22].

- 2.
We use the TRE formalism to define segments of the signal to which quantitative measurements should be applied. Thus we obtain a declarative measurement language that does for the quantitative domain what formal specification languages do for correctness checking. The results, first reported in [14], are fully incorporated into the tool.

- 3.
We implement the error diagnostics algorithm of [13] which accompanies the report on a property violation with a justification: a small sub-signal (temporal implicant) which is sufficient to imply the property violation and to convince the user of this fact.

With all these features we progress in easing the task of designers who seek to analyze a complex system based on simulations, providing them with an alternative to manual inspection or explicit programming of observers.

The rest of the paper is organized as follows. In Sect. 2 we present the xSTL specification language. Section 3 gives an overview of the tool and its main features. We illustrate the usage of AMT 2.0 in Sect. 4 with two examples. We present the related work in Sect. 5 and give concluding remarks in Sect. 6.

## 2 Extended Signal Temporal Logic

Extended Signal Temporal Logix (xSTL) essentially combines STL with a variant of TRE. In this section, we provide the mathematical definitions of the specification language.

We denote by \(P\) and \(X\) finite sets of *propositional* and *data* variables, such that \(|P|=m\) and \(|X|=n\). Data variables are defined over an arbitrary domain \(\mathbb {D}\), typically the reals or the integers. We use the notation \(w~:~\mathbb {T} \rightarrow \mathbb {D}^n \times \mathbb {B}^m\) to represent a multi-dimensional *signal* with \(\mathbb {T}= [0,d) \subseteq \mathbb {R}\) and \(\mathbb {B} = \{ \textsf {true}, \textsf {false}\}\). We denote by \({w}_{p}\) the *projection* of \(w\) on its component *p*. We denote by \(\theta ~:~\mathbb {D}^{n} \rightarrow \mathbb {B}\) a *predicate* that maps valuations of variables in *X* into \(\{ \textsf {true}, \textsf {false}\}\).

*future*and

*past*temporal operators and interpreted over \(X\cup P\) is defined by the grammarwhere \(p\in P\), \(x_{1}, \ldots , x_{n} \in X\) and \(I \subseteq \mathbb {R}^+\) is an interval. We denote by Open image in new window the until operator that is decorated with an unbounded interval Open image in new window . We use the

*strict*semantics [2] for

*until*and

*since*temporal operators that allows us to define (continuous-time)

*next*Open image in new window and (continuous-time) previous Open image in new window . The instantaneous

*rise*and

*fall*events can be derived using the rules Open image in new window and Open image in new window . We derive other standard operators as follows: \(\textsf {true}\equiv p\vee \lnot p\), \(\textsf {false}\equiv \lnot \textsf {true}\), \(\varphi _1 \wedge \varphi _2 \equiv \lnot (\lnot \varphi _1 \vee \lnot \varphi _2)\), \(\varphi _1 \rightarrow \varphi _2 \equiv \lnot \varphi _1 \vee \varphi _2\), Open image in new window , Open image in new window , Open image in new window , and Open image in new window .

*w*is described via the satisfiability relation \((w,t) \models \varphi \), indicating that the signal

*w*satisfies \(\varphi \) at time point

*t*, according to the following definition.We now define a variant of TRE according to the following grammar:

*I*is an interval of \(\mathbb R_+\). The semantics of a timed regular expression

*r*with respect to a signal

*w*and times \(t \le t'\) in [0,

*d*] is given in terms of a

*match*relation Open image in new window , which indicates that the segment of

*w*between

*t*and \(t'\) matches the expression. This relation is defined inductively as follows:The last two operations associate a pre-condition (resp. post-condition) to the expression. We note that with the pre- and post-condition, we can also syntactically define rise and fall operators by using the rules \({{\mathrm{\uparrow }}}p \equiv \lnot p {{\mathrm{?}}}\epsilon {{\mathrm{!}}}p\) and \({{\mathrm{\downarrow }}}p \equiv p {{\mathrm{?}}}\epsilon {{\mathrm{!}}}\lnot p\). Extended STL specifications require regular expressions to be embedded into STL formulas. We define two operators,

*begin match*(@(

*r*)) and

*end match*((

*r*)@) that intuitively project any signal segment \((t,t')\) that matches the expression

*r*to its beginning

*t*and its end \(t'\), respectively. Thus, xSTL simply extends STL with these two operators:and with the following semantics

## 3 Tool Presentation

The tool can work either interactively via its graphical user interface (GUI) or, alternatively, in batch mode when we want to monitor against many signals or incorporate monitoring in a more sophisticated analysis procedure that may iterate over behavior-generating models and/or properties in an outer loop. Figure 1 shows the main evaluation window of the GUI which provides two main functionalities: (1) editing xSTL specifications; and (2) launching the monitoring procedure by selecting properties and signals and presenting the outcome graphically. The AMT 2.0 tool is entirely implemented in Java to facilitate its usage across different platforms and operating systems.

The tool supports three main functionalities: (1) qualitative offline monitoring of extended STL specifications; (2) localization and explanation of property violations; and (3) measurements of quantitative features of signals driven by temporal pattern expressed using TRE. In the remainder of the section we present these functionalities in more detail.

### 3.1 Specifications in AMT 2.0

### 3.2 Qualitative Monitoring of xSTL

The qualitative monitoring procedure for \(\textsc {STL}\) is an offline method that works directly on the input signals. The procedure is recursive on the structure of the specification – it propagates the truth values from input signals via sub-formulas up to the main formula. The algorithm uses the notion of a *satisfaction signal* – we assign to each sub-formula \(\psi \) of \(\varphi \) a Boolean signal \(w_{\psi }\) such that \(w_{\psi }[t] = \textsf {true}\) iff \((w,t) \models \psi \). For each \(\textsc {STL}\) operator, we define a method that computes its satisfaction signal from the satisfaction signals of its arguments. For some operators, this computation is trivial. For example, satisfaction signal \(w_{\lnot \varphi }\) is obtained by flipping the truth values of the satisfaction signal \(w_{\varphi }\). The computation of satisfaction signals for temporal operators is more involved. We give an intuition on the computation of \(w_{\psi }\) where Open image in new window and refer the reader to [19] for the technical description of the complete procedure. The computation is based on the following observation: whenever \(\varphi \) holds throughout an interval *J*, \(\psi \) holds throughout \((J \ominus I) \cap \mathbb {T}\), where \(J \ominus I = \{ t - t'~|~t\in J \; \text {and} \; t' \in I\}\) is the Minkowski difference. Hence, the essence of the procedure is to back-shift (Minkowski difference restricted to \(\mathbb {T}\)) all the positive intervals in \(w_{\varphi }\) and thus obtain the set of time points where Open image in new window holds. This method is illustrated in Fig. 3.

*match-set*\(\mathcal {M}(r,w)\) of a TRE over a signal \(w\) as the set of all segments of \(w\) that match

*r*, i.e. Open image in new window , and use the algorithm of [22] to compute the match-set. We then use the match begin (@(

*r*)) and match end ((

*r*)@) operators to project the match-sets to satisfaction signals that are then directly integrated into the STL monitoring procedure described above.

The algorithm proposed in [22] computes the set of segments of a signal *w* that match a TRE \(\varphi \). Since we are dealing with continuous-time signals, the number of segments is non-countable and so is potentially the number of matches. The algorithm is based on the observation that all those segments can be can be embedded in two-dimensional space, inside the triangle \(0\le t \le t'\le |w|\), where a point \((t,t')\) represents the segment starting at *t* and ending in \(t'\). The matching algorithm uses a symbolic representation of the matches as a finite union of two-dimensional *zones*. Zones are special class of convex polytopes which are defined as the conjunction of inequalities of the form \(x_i \prec b_i\) and \(x_i - x_j \prec c_{i,j}\), where \(\mathord \prec \in \{ <, \le \}\). For instance, the match set \(\mathcal {M}(\epsilon ,w)\) for the empty word \(\epsilon \) is the diagonal zone \(\{(t,t')\in \mathbb {T} \times \mathbb {T}~|~t=t'\}\), while the match for a literal *p* or \(\lnot p\) is a disjoint union of triangles touching the diagonal whose number depends on the number of switching points in \({w}_{p}\). The match set of the time restriction operator is obtained by intersecting the match set with the corresponding diagonal band, hence \(\mathcal {M}(\langle \varphi \rangle _I, w) = \mathcal {M}(\varphi ) \cap \{(t,t')~|~t' - t \in I\}\). The match sets for *p* and \(\langle p \rangle _{[1,2]}\) are depicted in Fig. 4. We point the reader to [22] for a complete description of the procedure. The satisfaction signals \(w_{@(r)}\) and \(w_{(r)@}\) for the match-begin and match-end operators are computed from the match set of *r* by projecting every \((t,t')\in \mathcal {M}(r)\) on *t* and \(t'\), respectively.

### 3.3 Trace Diagnostics for STL

The trace diagnostics procedure implements the algorithm presented in [13]. Given an STL formula \(\varphi \) and a trace \(w\) that violates \(\varphi \), the procedure gives an explanation of the fault in the form of a *temporal implicant*, which is a small sub-signal \(w'\) of \(w\) which is sufficient to imply violation. In other words, any possible completion of \(w'\) into a full signal will violate the property. The diagnostics procedure uses the satisfaction signals computed by the monitoring algorithm from Sect. 3.2 to explain the faults. The method uses the *satisfaction explanation* operator *E* (and its dual *violation explanation* operator *F*) that for a given formula \(\varphi \) returns an implicant of \(\varphi \) (respectively of \(\lnot \varphi \)) which is satisfied by \(w\). The explanation operators are defined inductively on the structure of the formula \(\varphi \) and on the times *t* at which explanation of its sub-formulas are required.

We illustrate the idea behind the procedure with the following example. Consider the \(\textsc {STL}\) specification Open image in new window , a signal \(w\) in which *p* does not hold during [0, 3) and then holds during [3, 5). It is clear, for instance, that \((w, 0) \not \models \varphi \) and \((w, 3) \models \varphi \). The violation of \(\varphi \) by \(w\) at time 0 can be explained by the fact that \(w\) is continuously false throughout the interval [0, 1]. In other words, we have that \(F(\varphi , w, 0) = \bigwedge _{t \in [0,1]} (w_{p}[t] = \textsf {false})\). In contrast, the value of \(w\) at *any* time \(t \in [3,4]\) is sufficient to explain the satisfaction of \(\varphi \) by \(w\) at time 3. Thus \(E(\varphi , w, 3)\) could be any \((w_{p}[t]= \textsf {true})\) such that \(t \in [3,4]\). We use the notion of a *selection function* to choose one explanation when there are many possible ones. The full algorithm is described in [13].

### 3.4 Specification-Driven Measurements

In this section, we present a simple declarative measurement specification language [14] built on top of TRE. The idea is to require the signal segments over which measurements should be taken to be those that match some pattern specified by an expression. An example of a measurement is the time elapsed between the beginning and end of some activity, or the total fuel consumption in a segment where the acceleration pedal is continuously on until the velocity crosses some threshold.

*event-bounded*TRE (e-tre) is an expression of the form

*p*a proposition, and \(\hat{r}_1, \hat{r}_2\) event-bounded TREs.

The *measure patterns* defining the segments to be measured are of the form \(\alpha {{\mathrm{?}}}\psi {{\mathrm{!}}}\beta \), where \(\psi \) is the *main* pattern, and \(\alpha \) and \(\beta \) are, respectively pre- and post-conditions. The main pattern \(\psi \) specifies the portion of the signal over which the measure is taken. To guarantee a finite number of matching segments, \(\psi \) is restricted to be an e-tre while \(\alpha \) and \(\beta \), which can be used to define additional constraints, are TREs.

Given a measure pattern \(\varphi \) and a signal *w*, we first compute all the segments of \(w\) that match \(\varphi \). We then apply a measuring operator that collects specific signal values over the matched segments. A measure is written with the syntax \(\mathrm {op}(\varphi )\) with \(\mathrm {op} \in \{ \textsf {time}, \textsf {value}_x, \textsf {duration}, \textsf {inf}_x, \textsf {sup}_x, \textsf {integral}_x, \textsf {average}_x \}\). We finally aggregate the specific measures and provide to the user the minimum, maximum and average measured value, as well as a histogram that summarizes the measurements.

We illustrate specification-driven measurement with an example from the DSI3 automotive communication protocol [16]. The micro-controller and the sensors that use the protocol, communicate by sending *analog pulses* during the protocol initialization phase. The standard describes the acceptable shapes and duration of such pulses. Figure 5 depicts the specification of a *discovery response pulse* from the DSI3 standard. In particular, the standard defines the relevant thresholds (2*IResp* and *IResp*) which are used to describe the shape, as well as the acceptable duration of the pulse’s ramp (\(t_{1}\)) and its total duration (\(t_{2}\)).

## 4 Examples

In this section, we introduce two running examples that we use to illustrate the features and the functionalities of AMT 2.0. The first example is concerned with a mixed-signal bounded stabilization property and is used to illustrate the qualitative monitoring and trace diagnostics functionalities. The second example demonstrates the measurement functionality as applied to jitter in a digital clock.

### 4.1 Mixed-Signal Bounded Stabilization

**Informal Requirements.**This requirement states that after every rising edge of the Boolean \(trigger \), the usually-stable analog signal \(var \) is allowed to oscillate under the following conditions:

- 1.
\(var \) must always remain below 5 V; and

- 2.
\(var \) must within 600 s go below 0.2 V, and continuously remain under that threshold for at least 600 s.

**Simulation Traces.**We evaluate this requirement on 5 different simulation traces. Figure 6 depicts the Boolean \(trigger \) signal, as well as the 5 traces named \(var0 \) to \(var4 \). We can already reason informally about the satisfaction of the bounded stabilization property by these traces:

- 1.
Trace \(var0 \)

**violates**the specification because the signal never stabilizes, i.e. it continues oscillating until the end of simulation; - 2.
Trace \(var1 \)

**satisfies**the specification - the signal always remains smaller then 5 V, and it goes below 0.2 V within 600 s, continuously remaining below that threshold until the end of the simulation; - 3.
Trace \(var2 \)

**violates**the specification because the signal exceeds 5 V; - 4.
Trace \(var3 \)

**violates**the specification because the signal does not stabilize below 0.2 V within the specified period; and - 5.
Trace \(var4 \)

**violates**the specification because of the 3 glitches that occur towards the end of the simulation.

**Formal Specification in xSTL.**To define the property we first declare the Boolean variable \(trigger \), as well as the real variables \(var0 \) to \(var4 \). We also declare two constants \(vh \) and \(vl \), representing the 5 V and 0.2 V thresholds, respectively. We note that we are evaluating the same formula over different signals. Hence, we define a generic property template \(stab \) for the bounded stabilization formula, which is the conjunction of conditions (1) and (2) of the informal requirements. The first conjunct says that the real-valued signal must be smaller than 5

*V*. The second conjunct is a conditional formula that uses logical implication. It says that whenever the \(trigger \) signal is on its rising edge, the

*x*signal must go below 0.2 V within 600 s and continuously remain below that threshold for at least 300 s. Then each assertion is an instantiation of the template with one of the signals \(var0 \) to \(var4 \).

**Qualitative Monitoring of the Specification.** We illustrate the qualitative monitoring of the property applied to the traces as done using the GUI of the tool. In the evaluation configuration window, we first specify the xSTL specification, the simulation traces and an optional alias file. In addition to setting up the inputs, we also select the Open image in new window representation of the real numbers, the Open image in new window interpolation and the Open image in new window feature of the diagnostics module.

After evaluating the specification on the traces, we can visually depict the results, as shown in Fig. 1. The nodes in the xSTL parse tree view are expandable via a double click. By expanding the Open image in new window node of the specification, we can see that assertion *two* is satisfied, while assertions *one*, *three*, *four* and *five* are violated. We note that we can visualize the satisfaction signals for any sub-property of the specification.

**Fault Explanation.**The fault explanation is given in the form of temporal implicants which are (small) sub-segments of the input signals which are sufficient to imply the property violation. Figure 7 illustrates the visual output of the diagnostics procedure in AMT 2.0 for the bounded stabilization specification. The first two figures show the trace diagnostics report for the third assertion. We can see that the

*trigger*signal does not contribute to the fault, but

*var3*does at a single point in time within the interval [100, 150]. At that time,

*var3*is greater than the invariant threshold 5 V which explains the property violation. The last two figures show that same report, but for the fifth assertion. In this case, the fault is explained by the fact that signal

*trigger*gets high at time 100 and by the values of signal

*var4*at times 350, 600 and 750. We can see that the last two times coincide with the glitches, thus witnessing that

*var4*never continuously holds below 0.2 V for at least 300 time units.

We note that the tool computes the fault explanations in a hierarchical manner, following the parse tree of the formula. This additional and complementary information can be quite useful in understanding the fault. We finally note that the trace diagnostics can be made hierarchic.

### 4.2 Digital Clock Jitter

**Informal Requirements.** Given a continuous-time Boolean-valued signal \(clock \), a clock period is defined as a segment that starts with the rising edge of the \(clock \) and ends with its consecutive rising edge. The measurement specification is to measure the duration of all the clock periods matched within the \(clock \) signal in order to assess the clock jitter.

**Formal Specification in xSTL.**We now formalize the measurement specification for the digital clock jitter analysis in xSTL. We first declare the Boolean variable \(clock \), as well as its negation \(nclock \). We then specify the pattern \(clock\_period \) that consists of concatenations that starts with the rising edge of \(clock \) (\(start{clock} \)), followed by an interval of positive duration where \(clock \) holds, followed by another interval of positive duration where \(nclock \) holds, and ending with the next rising edge of \(clock \). Finally, we declare the actual measurement to be taken as \(duration(clock\_period) \) which extracts the durations of all signal segments that match the \(clock\_pattern \) pattern.

**Pattern-Driven Measurements.**The visualization of the measurement specification consists of a histogram depicting the distribution of the measures taken over signal segments that match the pattern, the total number of matched segments, as well as the minimum, maximum and average value of the measures. The visual summary of the clock jitter measurement is shown in Fig. 9.

## 5 Related Work

Breach [11] is a MATLAB/Simulink toolbox that enables various types of STL specification analysis. In particular, Breach supports falsification-based testing, parameter synthesis and requirement mining of STL properties. S-TaLiRo [3] is another Simulink/MATLAB toolbox for different robustness analysis of MTL specifications. It provides support for falsification-based testing, parameter mining, runtime verification, conformance testing, computing the worst expected robustness for stochastic systems and debugging of formal requirements. The ViSpec [15] tool, associated with S-TaLiRo, allows visual specification of MTL requirements. BIOCHAM [10] is a tool for inferring unknown (biological) model parameters from temporal logic constraints. The authors in [9] extend STL with freeze quantifiers that allow them to express oscillatory properties. Similar oscillatory properties of the heart behavior are studied using quantitative regular expressions (QRE) in [1].

Montre [21] is a prototype tool for TRE pattern matching. It provides support for both offline and online matching. AMT 2.0 implements the offline matching algorithms used by Montre and adds a specification measurement language on top of it. Montre does not provide support for STL, monitoring and trace diagnostics.

The combination of STL and TRE was inspired by the Property Specification Language (PSL) [12] and SystemVerilog Assertions (SVA) [23] standards used in the digital hardware verification. Both PSL and SVA use the *suffix implication* operator to combine temporal logic with regular expressions. In contrast, we define *match begin* and *end* operators that give us more freedom to decide whether the begin or the end of an expression match is relevant for the property. The only other work that combines temporal logic and the regular expressions in the context of continuous-time applications is presented in [8], where the authors propose the *metric dynamic logic* as the specification language for reasoning about time-event sequences.

## 6 Conclusion

We introduced in this paper the AMT 2.0 tool for qualitative and quantitative analysis of traces coming from cyber-physical systems applications. The tool uses an expressive specification language based on a combination of STL and TRE and admits qualitative monitoring, trace diagnostics and property-driven measurements as its main functionalities. The development of the tool is a continuous work in progress and there is a number of features which are planned to be developed in the near future, in particular solving the inverse problem of finding parameters in a formula template the lead to satisfaction by a given signal or a set of signals [6].

## Notes

### Acknowledgments

This work was partially supported by project ANR-13-CESA-0008 CADMIDIA and the Productive 4.0 project (ECSEL 737459). The ECSEL Joint Undertaking receives support from the European Union’s Horizon 2020 research and innovation programme and Austria, Denmark, Germany, Finland, Czech Republic, Italy, Spain, Portugal, Poland, Ireland, Belgium, France, Netherlands, United Kingdom, Slovakia, Norway.

## References

- 1.Abbas, H., Rodionova, A., Bartocci, E., Smolka, S.A., Grosu, R.: Quantitative regular expressions for arrhythmia detection algorithms. In: Feret, J., Koeppl, H. (eds.) CMSB 2017. LNCS, vol. 10545, pp. 23–39. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-67471-1_2CrossRefGoogle Scholar
- 2.Alur, R., Feder, T., Henzinger, T.A.: The benefits of relaxing punctuality. J. ACM
**43**(1), 116–146 (1996)MathSciNetCrossRefGoogle Scholar - 3.Annpureddy, Y., Liu, C., Fainekos, G., Sankaranarayanan, S.: S-TaLiRo: a tool for temporal logic falsification for hybrid systems. In: Abdulla, P.A., Leino, K.R.M. (eds.) TACAS 2011. LNCS, vol. 6605, pp. 254–257. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19835-9_21CrossRefzbMATHGoogle Scholar
- 4.Asarin, E., Caspi, P., Maler, O.: A Kleene theorem for timed automata. In: Logic in Computer Science (LICS), pp. 160–171 (1997)Google Scholar
- 5.Asarin, E., Caspi, P., Maler, O.: Timed regular expressions. J. ACM
**49**(2), 172–206 (2002)MathSciNetCrossRefGoogle Scholar - 6.Asarin, E., Donzé, A., Maler, O., Nickovic, D.: Parametric identification of temporal properties. In: Khurshid, S., Sen, K. (eds.) RV 2011. LNCS, vol. 7186, pp. 147–160. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29860-8_12CrossRefGoogle Scholar
- 7.Bartocci, E., Deshmukh, J., Donzé, A., Fainekos, G., Maler, O., Nickovic, D., Sankaranarayanan, S.: Specification-based monitoring of cyber-physical systems: a survey on theory, tools and applications. In: The Handbook of Runtime Verification (2018)CrossRefGoogle Scholar
- 8.Basin, D., Krstić, S., Traytel, D.: Almost event-rate independent monitoring of metric dynamic logic. In: Lahiri, S., Reger, G. (eds.) RV 2017. LNCS, vol. 10548, pp. 85–102. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-67531-2_6CrossRefGoogle Scholar
- 9.Brim, L., Dluhos, P., Safránek, D., Vejpustek, T.: STL\(^{*}\): Extending Signal Temporal Logic with signal-value freezing operator. Inf. Comput.
**236**, 52–67 (2014)Google Scholar - 10.Calzone, L., Fages, F., Soliman, S.: BIOCHAM: an environment for modeling biological systems and formalizing experimental knowledge. Bioinformatics
**22**(14), 1805–1807 (2006)CrossRefGoogle Scholar - 11.Donzé, A.: Breach, a toolbox for verification and parameter synthesis of hybrid systems. In: Touili, T., Cook, B., Jackson, P. (eds.) CAV 2010. LNCS, vol. 6174, pp. 167–170. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14295-6_17CrossRefGoogle Scholar
- 12.Eisner, C., Fisman, D.: A Practical Introduction to PSL. Springer, Boston (2006). https://doi.org/10.1007/978-0-387-36123-9
- 13.Ferrère, T., Maler, O., Ničković, D.: Trace diagnostics using temporal implicants. In: Finkbeiner, B., Pu, G., Zhang, L. (eds.) ATVA 2015. LNCS, vol. 9364, pp. 241–258. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-24953-7_20CrossRefGoogle Scholar
- 14.Ferrère, T., Maler, O., Ničković, D., Ulus, D.: Measuring with timed patterns. In: Kroening, D., Păsăreanu, C.S. (eds.) CAV 2015, Part II. LNCS, vol. 9207, pp. 322–337. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21668-3_19CrossRefGoogle Scholar
- 15.Hoxha, B., Bach, H., Abbas, H., Dokhanci, A., Kobayashi, Y., Fainekos, G.: Towards formal specification visualization for testing and monitoring of cyber-physical systems. In: International Workshop on Design and Implementation of Formal Tools and Systems, DIFTS 2014 (2014)Google Scholar
- 16.Distributed System Interface. DSI3 Bus Standard. DSI ConsortiumGoogle Scholar
- 17.Koymans, R.: Specifying real-time properties with metric temporal logic. Real-Time Syst.
**2**(4), 255–299 (1990)CrossRefGoogle Scholar - 18.Maler, O., Nickovic, D.: Monitoring temporal properties of continuous signals. In: Lakhnech, Y., Yovine, S. (eds.) FORMATS/FTRTFT 2004. LNCS, vol. 3253, pp. 152–166. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30206-3_12CrossRefzbMATHGoogle Scholar
- 19.Maler, O., Nickovic, D.: Monitoring properties of analog and mixed-signal circuits. STTT
**15**(3), 247–268 (2013)CrossRefGoogle Scholar - 20.Nickovic, D., Maler, O.: AMT: a property-based monitoring tool for analog systems. In: Raskin, J.-F., Thiagarajan, P.S. (eds.) FORMATS 2007. LNCS, vol. 4763, pp. 304–319. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-75454-1_22CrossRefGoogle Scholar
- 21.Ulus, D.: Montre: a tool for monitoring timed regular expressions. In: Majumdar, R., Kunčak, V. (eds.) CAV 2017, Part I. LNCS, vol. 10426, pp. 329–335. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63387-9_16CrossRefGoogle Scholar
- 22.Ulus, D., Ferrère, T., Asarin, E., Maler, O.: Timed pattern matching. In: Legay, A., Bozga, M. (eds.) FORMATS 2014. LNCS, vol. 8711, pp. 222–236. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-10512-3_16CrossRefzbMATHGoogle Scholar
- 23.Vijayaraghavan, S., Ramanathan, M.: A Practical Guide for SystemVerilog Assertions. Springer, Boston (2006). https://doi.org/10.1007/b137011

## Copyright information

Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the book's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.